Retrieve Certificate from Event log binary data

As I was looking into some errors in my event log I found that I had a number of certificate errors in the event log. In order to investigate this further I wanted to take a look at the certificate in the event log. There are a number of tools available to extract this from the event log but I wanted to be able to automate this in the future so I settled on writing this in PowerShell.

I had the following events in my system event log:

[Image: Event]

The interesting portion is what is stored in the XML, specifically EventData – Binary:

[Image: XMLView]

In order to retrieve this event using PowerShell we can run the following code:

Get-WinEvent -FilterHashtable @{'Logname' = 'System' ; 'Id' = 36882} -MaxEvents 1

[Image: Get-WinEvent]

In order to retrieve the binary data we can run the following code:

([xml](Get-WinEvent -FilterHashtable @{
        'Logname' = 'System'
        'Id' = 36882
    } -MaxEvents 1).ToXml()
).Event.Eventdata.Binary

The binary data is encoded as pairs of hexadecimal digits (two characters per byte), so it needs to be converted before we can write it to disk. To do this we split the string into pairs of two characters and then convert each pair using the ToByte method of the System.Convert class:

(
    ([xml](Get-WinEvent -FilterHashtable @{
            'Logname' = 'System'
            'Id'      = 36882
        } -MaxEvents 1).ToXml()
    ).Event.Eventdata.Binary -split '(..)' |
    Where-Object {$_} | ForEach-Object {
        [system.convert]::ToByte($_,16)
    }
)

Now that PowerShell outputs an array of bytes, we are ready to write the event data to a file. Because we know this should be a certificate, all we have to do is write the bytes to a .cer file and we will have a working certificate:

[System.IO.File]::WriteAllBytes("$env:USERPROFILE\desktop\EventCert.cer",
    (
        (
            [xml](Get-WinEvent -FilterHashtable @{
                'Logname' = 'System'
                'Id'      = 36882
            } -MaxEvents 1).ToXml()
        ).Event.Eventdata.Binary -split '(..)' |
        Where-Object {$_} | ForEach-Object {
            [system.convert]::ToByte($_,16)
        }
    )
)

Now the following functional certificate will be available on the desktop:

[Image: EventCert]

So there we have it: in this article we identified the event that contains a certificate, went into the XML of that event and retrieved the binary EventData, converted it to a byte array and then wrote it to a file.
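As an added example (not code from the original post), the same extraction wrapped in a function that decodes the EventData/Binary hex string and hands the bytes straight to X509Certificate2, so the certificate can be inspected (issuer, validity, thumbprint, whether it is self-signed) before anything is written to disk. The function name Get-EventLogCertificate is my own; the log name, event ID and XML path are the ones used in the post, and the `::new()` constructor syntax assumes PowerShell 5.0 or later.

```powershell
# Added example, not the original post's code: parse the certificate carried in
# the event's EventData/Binary field in memory instead of writing it out blindly.
function Get-EventLogCertificate {
    [CmdletBinding()]
    param(
        [string]$LogName   = 'System',
        [int]   $Id        = 36882,
        [int]   $MaxEvents = 10
    )

    # Non-terminating "no events found" error is silenced; an empty result is fine.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($event in $events) {
        $hex = ([xml]$event.ToXml()).Event.EventData.Binary

        # EventData/Binary is a hex string with two characters per byte; a missing
        # or odd-length value cannot be decoded sensibly.
        if ([string]::IsNullOrWhiteSpace($hex) -or ($hex.Length % 2) -ne 0) {
            Write-Warning "Event from $($event.TimeCreated) has no usable binary payload"
            continue
        }

        # Same conversion as the post's -split '(..)' pipeline, written as a loop.
        $bytes = New-Object byte[] ([int]($hex.Length / 2))
        for ($i = 0; $i -lt $bytes.Length; $i++) {
            $bytes[$i] = [System.Convert]::ToByte($hex.Substring(2 * $i, 2), 16)
        }

        try {
            # X509Certificate2 accepts DER bytes directly, so no temporary .cer file is needed.
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
        }
        catch {
            Write-Warning "Binary payload of event from $($event.TimeCreated) is not a certificate: $_"
            continue
        }

        [pscustomobject]@{
            TimeCreated = $event.TimeCreated
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotBefore   = $cert.NotBefore
            NotAfter    = $cert.NotAfter
            Thumbprint  = $cert.Thumbprint
            SelfSigned  = ($cert.Subject -eq $cert.Issuer)
            Bytes       = $bytes
        }
    }
}

# Usage: review the certificates first, then export only the one you need.
Get-EventLogCertificate | Format-Table TimeCreated, Subject, Issuer, NotAfter, Thumbprint -AutoSize

Get-EventLogCertificate -MaxEvents 1 | ForEach-Object {
    [System.IO.File]::WriteAllBytes("$env:USERPROFILE\Desktop\EventCert.cer", $_.Bytes)
}
```

Keeping the byte array on the returned object means the thumbprint and issuer can be compared against the certificates you actually expect to see before any of them are saved or imported anywhere.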


QuickTip: Get Domain Name of Computer

In PowerShell it is relatively trivial to retrieve the domain for the logged-in user, as this is stored in an environment variable. In multi-domain environments it is often the case that the user account is a member of the same domain as the computer account. To retrieve the domain name of the current computer, the following command can be executed:

[System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()

[Image: ComputerDomainName]

To retrieve only the domain name, the following command can be used:

[System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName

For more information about the GetIPGlobalProperties method and the IPGlobalProperties class please refer to the following article:
MSDN – IPGlobalProperties

Quickly and securely storing your credentials – PowerShell

During the last PowerShell event I quickly demoed the Export-CliXml functionality to quickly, easily and, most importantly, securely store credentials to a file. In this article I will describe the following three steps:

  • Store credentials in a variable
  • Export the variable to a file
  • Import the credential object from the file into a variable

To get a credential object we can either manually create one or use the Get-Credential cmdlet to prompt for the account details:

$Credential = Get-Credential

To store the credentials into a .cred file:

$Credential | Export-CliXml -Path "${env:\userprofile}\Jaap.Cred"

And to load the credentials from the file and back into a variable:

$Credential = Import-CliXml -Path "${env:\userprofile}\Jaap.Cred"
Invoke-Command -Computername 'Server01' -Credential $Credential {whoami}

[Image: StoreCredentials]

The advantage of this methodology is that you can leverage the versatility of PowerShell to ensure that the data is not only exported, but also stored in a secure manner using secure strings. It should be noted that the credential files created this way can only be opened by the same user on the same system. This can be used to store any type of credentials; both local accounts and domain accounts can be saved in this manner.

Note that you are not limited to storing a single set of credentials in this manner; you can use any number of accounts. For example, the following snippet will prompt for 3 different sets and store them in a hash table, which can then be exported and imported in the same way:

$Hash = @{
    'Admin'      = Get-Credential -Message 'Please enter administrative credentials'
    'RemoteUser' = Get-Credential -Message 'Please enter remote user credentials'
    'User'       = Get-Credential -Message 'Please enter user credentials'
}
$Hash | Export-Clixml -Path "${env:\userprofile}\Hash.Cred"
$Hash = Import-CliXml -Path "${env:\userprofile}\Hash.Cred"
Invoke-Command -ComputerName Server01 -Credential $Hash.Admin -ScriptBlock {whoami}
Invoke-Command -ComputerName Server01 -Credential $Hash.RemoteUser -ScriptBlock {whoami}
Invoke-Command -ComputerName Server01 -Credential $Hash.User -ScriptBlock {whoami}
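As an added example (not code from the original post), the single-credential and hash-table exports above wrapped in two small functions: the save side checks that the password actually landed in the file as a protected SecureString element rather than plain text, and the load side turns the decryption failure you get when a different user or a different computer opens the file into a readable error and verifies that what came back is a credential (or a hash table of credentials). The function names Save-StoredCredential and Import-StoredCredential are my own, the `<SS N="Password">` element check relies on how Export-CliXml serialises a SecureString, and Server01 is the server name used in the post.

```powershell
# Added example, not the original post's code: guarded wrappers around
# Export-CliXml / Import-CliXml for credential files.
function Save-StoredCredential {
    param(
        # A single PSCredential or a hash table of PSCredentials, as in the post.
        [Parameter(Mandatory)]$Credential,
        [Parameter(Mandatory)][string]$Path
    )

    $Credential | Export-CliXml -Path $Path

    # Sanity check on the written file: the password of every credential must be
    # serialised as a SecureString (<SS> element) and never as a plain <S> string.
    $raw = Get-Content -Path $Path -Raw
    if ($raw -notmatch '<SS N="Password">' -or $raw -match '<S N="Password">') {
        Remove-Item -Path $Path -Force
        throw "Credential file '$Path' did not contain a protected password and was removed"
    }
    Get-Item -Path $Path
}

function Import-StoredCredential {
    param([Parameter(Mandatory)][string]$Path)

    try {
        $stored = Import-CliXml -Path $Path -ErrorAction Stop
    }
    catch {
        # The SecureString inside the file is protected for the user that created
        # it on this computer; anyone else gets a decryption error here.
        throw "Cannot decrypt '$Path' as $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME; the file can only be opened by the same user on the same system. ($_)"
    }

    if ($stored -is [pscredential]) { return $stored }

    if ($stored -is [hashtable]) {
        $bad = $stored.Keys | Where-Object { $stored[$_] -isnot [pscredential] }
        if (-not $bad) { return $stored }
        throw "'$Path' contains entries that are not credentials: $($bad -join ', ')"
    }

    throw "'$Path' does not contain a PSCredential or a hash table of PSCredentials"
}

# Usage: single credential
$file = "$env:USERPROFILE\Jaap.Cred"
Save-StoredCredential -Credential (Get-Credential) -Path $file | Out-Null
$Credential = Import-StoredCredential -Path $file
Invoke-Command -ComputerName 'Server01' -Credential $Credential -ScriptBlock { whoami }

# Usage: hash table of credentials
$hashFile = "$env:USERPROFILE\Hash.Cred"
$Hash = @{
    'Admin' = Get-Credential -Message 'Please enter administrative credentials'
    'User'  = Get-Credential -Message 'Please enter user credentials'
}
Save-StoredCredential -Credential $Hash -Path $hashFile | Out-Null
$Hash = Import-StoredCredential -Path $hashFile
Invoke-Command -ComputerName 'Server01' -Credential $Hash.Admin -ScriptBlock { whoami }
```

The failing-import path is the one worth trying deliberately once: copy a .Cred file to another account or another machine and run Import-StoredCredential against it, so you have seen the error before a scheduled task running under a service account hits it.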

Recap of first DuPSUG – PowerShell Saturday

Last weekend, as DuPSUG, we organized the first Dutch PowerShell Saturday. Within three days we had to instate a waiting list for attendees to sign up on, as we had run out of tickets. To meet the demand for this unique event, we were lucky enough to be sponsored by the following four companies: Platani, Sapien Technologies, PowerTheShell and Manning Publications.

During the event we had the following sessions and speakers:

Furthermore there was the PowerQuiz, a twenty-one question quiz to encourage team work and to put some energy back into the room after lunch. The questions and answers are available here:

PowerQuiz – PowerShell Quiz

[Image: PowerQuiz]

For more information about PowerShell Saturdays, or if you are interested in hosting a similar event locally, feel free to reach out, as I am always happy to share our lessons learned from organizing this event.

For more information about the topics in this article please visit the links below:

Links in this article
PowerShell DSC and Windows Containers, the Perfect Match – GitHub
Lock down your System, no more Admins – GitHub
PowerQuiz – PowerShell Quiz
Dutch PowerShell User Group – DuPSUG

PowerShell Fundamentals May 2016 – Experts Live on Tour

Today I was invited by Experts Live to take a group of enthusiastic IT professionals through the basics of PowerShell and give them some guidance on the how, what and why of PowerShell. This is the third time in the last six months that I have presented to or taught a group of IT pros with Experts Live. Today I presented the PowerShell portion of the day, and Bert Wolters represented Experts Live in order to increase engagement in technical communities.

Today I walked the group through the following subjects in an interactive, demo-based program:

  • PowerShell fundamentals
  • Using variables and working with Objects
  • Loops, operators and flow control
  • PowerShell modules, snap-ins and functions
  • PowerShell tips from the field

During the day I mentioned a number of learning resources; some of the topics I mentioned are listed below:

I have posted the assignments, slides and supporting documentation to GitHub; to view the files, click here:

If you attended the session today, a feedback form will be sent out soon; if you have any suggestions for this session, or any potential follow-up sessions you would be interested in, be sure to fill out the form. As I mentioned today, if you have any questions about the content we discussed, feel free to reach out to me directly.

For more information about the topics in this article please visit the links below:

Links in this article
How to learn PowerShell
PowerShell Fundamentals – Course materials – GitHub
Experts Live on Tour