
Using {} characters in PowerShell-based role definitions



Edit: @DarrenWhite99 pointed out that what I thought was pipe not working was actually an error in the testing logic, so I removed the stuff about pipe.  The curly braces part is still accurate.

When creating role definitions that use PowerShell, you can't directly use the curly brace characters {} in them.  That makes them annoying to write at times, since you can't use loops, have to put everything into variables rather than piping between commands, etc.

To work around that, it's possible to instead build out the command you want to run as a string and then execute it with Invoke-Expression.  The downside to this is your security monitoring software probably hates Invoke-Expression and you might blow up your alerts by using it in a role definition.

 

Here's an example from a script where we needed to check all the users under HKEY_USERS to see if there was a particular IE registry key set:

 

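# Suppress errors, for example from user hives that lack the key.
$ErrorActionPreference='SilentlyContinue';
# Map HKEY_USERS as a drive so the loaded user hives can be enumerated.
New-PSDrive HKU Registry HKEY_USERS *>$null;
$HKEYUsers = Get-ChildItem 'HKU:\';
$IEPath = 'SOFTWARE\Microsoft\Internet Explorer\Main';
$IEHKLMPath = 'HKLM:\' + $IEPath;
$IEPasswordManager = 'FormSuggest Passwords';
$IEValue = 'no';
$hklmresults = Get-ItemPropertyValue -Path $IEHKLMPath -name $IEPasswordManager ;
$detected = '';
# Path pieces containing a backslash are kept in variables for use inside the expression string.
$hku = 'HKU:\';
$slash = '\';
# Curly braces as [char] values, since literal braces cannot appear in the role definition.
$left = [char]0x7B;
$right = [char]0x7D;
# Build the ForEach/If blocks as a string; SubString(11) strips the leading 'HKEY_USERS\'.
$expression = 'ForEach ($User in $HKEYUsers) ' + $left + '$UserPath = $User.Name.SubString(11);$FullPath = $hku + $UserPath + $slash + $IEPath;$IEPWManagerCheck = Get-ItemProperty -path $FullPath -Name $IEPasswordManager; If (($IEPWManagerCheck)) ' + $left + ' $detected = $true ' + $right + $right + ';  if ($hklmresults -ne $IEValue -or ([string]::IsNullOrEmpty($hklmresults))) ' + $left + ' $detected = $true ' + $right ;
# Run the built string in the current scope so $detected is set here.
Invoke-Expression $expression;
# Emit True or False as the role detection result.
$detected -like $true;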

 

Variables for the left and right braces are set via their hex values, then a string is built with the ForEach command we want to run using them in place of the brace characters.  The \ character also caused issues when I used it while building the string, for some reason, so anything with that in it also was put into a variable ahead of time.  Once the expression is built, you run it with Invoke-Expression and can do whatever processing you want with the results.

 

The above PS turns into the following role definition:

{%@powershell.exe -nologo -noprofile -command "$ErrorActionPreference='SilentlyContinue';New-PSDrive HKU Registry HKEY_USERS *>$null;$HKEYUsers = Get-ChildItem 'HKU:\';$IEPath = 'SOFTWARE\Microsoft\Internet Explorer\Main';$IEHKLMPath = 'HKLM:\' + $IEPath;$IEPasswordManager = 'FormSuggest Passwords';$IEValue = 'no';$hklmresults = Get-ItemPropertyValue -Path $IEHKLMPath -name $IEPasswordManager ;$detected = '';$hku = 'HKU:\';$slash = '\';$left = [char]0x7B;$right = [char]0x7D;$expression = 'ForEach ($User in $HKEYUsers) ' + $left + '$UserPath = $User.Name.SubString(11);$FullPath = $hku + $UserPath + $slash + $IEPath;$IEPWManagerCheck = Get-ItemProperty -path $FullPath -Name $IEPasswordManager; If (($IEPWManagerCheck)) ' + $left + ' $detected = $true ' + $right + $right + ';  if ($hklmresults -ne $IEValue -or ([string]::IsNullOrEmpty($hklmresults))) ' + $left + ' $detected = $true ' + $right ;Invoke-Expression $expression;$detected -like $true;"@%}


And here's a screenshot of it being manually run via remote command prompt on a machine:
[Image: XTkK8r.jpg]

Edited by davidmazur
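
An authoring-side check for the conversion described in the post above, added here as an example and not part of the original post or of the product. The function name `ConvertTo-RoleDefinition`, its `-Source` parameter, the double-quote check and the sample script are assumptions; the `{%@ ... @%}` wrapper and the `[char]` brace trick are taken from the post. It runs on the author's workstation, so it can use braces itself.

```powershell
# Added example: ConvertTo-RoleDefinition is a hypothetical helper name.
function ConvertTo-RoleDefinition {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Source)

    # One statement per line; blank lines and full-line comments are dropped.
    $lines = @($Source -split '\r?\n' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') })
    if ($lines.Count -eq 0) { throw 'Script is empty.' }

    $problems = @()
    for ($i = 0; $i -lt $lines.Count; $i++) {
        $line = $lines[$i]
        $n = $i + 1
        # Literal curly braces are what the role definition cannot carry.
        if ($line -match '[{}]') { $problems += "statement ${n}: literal brace" }
        # Assumption: the body sits inside the double-quoted -command argument.
        if ($line.Contains('"')) { $problems += "statement ${n}: double quote" }
        # Lines are joined with no separator, so each must end its own statement.
        if (-not $line.EndsWith(';')) { $problems += "statement ${n}: missing ';'" }
    }
    if ($problems.Count -gt 0) { throw "Cannot convert: $($problems -join '; ')" }

    $body = $lines -join ''
    # The post notes that monitoring tools tend to alert on Invoke-Expression.
    if ($body -match '\bInvoke-Expression\b') {
        Write-Warning 'Body uses Invoke-Expression; expect monitoring alerts on endpoints that run it.'
    }
    '{%@powershell.exe -nologo -noprofile -command "' + $body + '"@%}'
}

# Constructed sample input using the post's brace-as-[char] technique.
$sample = @'
# Braces supplied as characters
$left = [char]0x7B;
$right = [char]0x7D;
$expression = 'ForEach ($i in 1..3) ' + $left + ' $i ' + $right;
Invoke-Expression $expression;
'@
ConvertTo-RoleDefinition -Source $sample

# A script with literal braces is rejected before it reaches the role definition.
try { ConvertTo-RoleDefinition -Source 'if ($true) { 1 };' }
catch { $_.Exception.Message }
```
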