Hi all,
Here’s the worklet for https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ to check if the registry key exists, and export/delete if it does.
Evaluation Code:
# Check if the registry key exists.
Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\ms-msdt"
# If Get-ItemProperty returned without error, then the registry key exists.
if ($?) {
    $response = 'Registry Key HKEY_CLASSES_ROOT\ms-msdt present'
    Write-Output $response
    exit 1
} else {
    $response = 'Registry Key HKEY_CLASSES_ROOT\ms-msdt not present'
    Write-Output $response
    exit 0
}
Remediation Code:
# https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
# /y overwrites an existing export without prompting, so an unattended run cannot stall.
reg export HKEY_CLASSES_ROOT\ms-msdt "C:\Windows\temp\hkey_classes_root_ms_msdt" /y
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
Likewise you can reuse the above to import the registry key if it’s not already present; just flip the exit codes. This assumes you previously exported the registry key in “C:\Windows\temp\hkey_classes_root_ms_msdt”.
Evaluation Code:
# Check if the registry key exists.
Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\ms-msdt"
# If Get-ItemProperty returned without error, then the registry key exists.
if ($?) {
    $response = 'Registry Key HKEY_CLASSES_ROOT\ms-msdt present'
    Write-Output $response
    exit 0
} else {
    $response = 'Registry Key HKEY_CLASSES_ROOT\ms-msdt not present'
    Write-Output $response
    exit 1
}
Remediation Code:
# reg import takes only the exported file; the key path is read from the file itself.
reg import "C:\Windows\temp\hkey_classes_root_ms_msdt"
Hope this helps!
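
An added example, not part of the original post: the remediation above deletes the key even if the export failed, so this variant refuses to delete until the backup has been written and checked, then confirms the key is gone. It reuses the post's key and export path; the `Test-MsdtKey` helper name and the exit-code choices are assumptions.

```powershell
# Added example (not the original poster's worklet).
$Key    = 'HKEY_CLASSES_ROOT\ms-msdt'
$Backup = 'C:\Windows\temp\hkey_classes_root_ms_msdt'   # same path the post uses

function Test-MsdtKey {
    # Hypothetical helper: Test-Path returns $true/$false without writing an error record.
    Test-Path -LiteralPath "Registry::$Key"
}

if (-not (Test-MsdtKey)) {
    Write-Output "Registry Key $Key not present; nothing to do"
    exit 0
}

# Export first. /y overwrites an older export without prompting.
reg.exe export $Key $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Output "Export of $Key failed (reg.exe exit code $LASTEXITCODE); key left in place"
    exit 1
}

# Confirm the backup exists, is non-empty, and contains the key header
# before removing anything. Select-String detects the UTF-16 BOM reg.exe writes.
$file = Get-Item -LiteralPath $Backup -ErrorAction SilentlyContinue
$hasKey = $false
if ($file -and $file.Length -gt 0) {
    $hasKey = Select-String -LiteralPath $Backup -Pattern "[$Key]" -SimpleMatch -Quiet
}
if (-not $hasKey) {
    Write-Output "Backup $Backup is missing or does not contain [$Key]; key left in place"
    exit 1
}

# Backup verified: delete the protocol handler key, then confirm it is gone.
reg.exe delete $Key /f | Out-Null
if ($LASTEXITCODE -ne 0 -or (Test-MsdtKey)) {
    Write-Output "Delete of $Key failed; key is still present"
    exit 1
}

Write-Output "Registry Key $Key removed; backup saved to $Backup"
exit 0
```

To roll back later, `reg import` the same file, as in the post's second worklet.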