Auto-commit: 2025-10-31 08:59:02

2025-10-31 08:59:02 +01:00
parent d3b18d8b45
commit 851c85ec3d
30 changed files with 3734 additions and 6 deletions
--- a/Packages/RegistryOnHKLM/DisableWPAD.ps1
+++ b/Packages/RegistryOnHKLM/DisableWPAD.ps1
@@ -0,0 +1,22 @@
+$ErrorActionPreference = 'Stop'
+
+$isOS64   = [Environment]::Is64BitOperatingSystem
+$isProc64 = [Environment]::Is64BitProcess
+
+$KeyPS  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
+$KeyRel = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
+$Name   = 'DisableWpad'
+
+if ($isOS64 -and -not $isProc64) {
+    # 32-bit PowerShell on 64-bit OS -> write to 64-bit registry view
+    $bk = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
+        [Microsoft.Win32.RegistryHive]::LocalMachine,
+        [Microsoft.Win32.RegistryView]::Registry64
+    )
+    $k = $bk.CreateSubKey($KeyRel)
+    $k.SetValue($Name, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
+    $k.Close()
+} else {
+    if (-not (Test-Path -LiteralPath $KeyPS)) { New-Item -Path $KeyPS -Force | Out-Null }
+    New-ItemProperty -Path $KeyPS -Name $Name -Value 1 -PropertyType DWord -Force | Out-Null
+}
--- a/Packages/RegistryOnHKLM/readme.md
+++ b/Packages/RegistryOnHKLM/readme.md
@@ -0,0 +1,10 @@
+# 🧩 HKLM Registry Write (64-bit)
+
+## 🔧 What it does
+- Opens **HKLM** in the **64-bit registry view**.  
+- Creates/opens subkey
+- Sets value
+
+## ✅ Prerequisites
+- Run as **Administrator**.    
+- Writes to the **64-bit** hive; use `Registry32` if you need the 32-bit view.
--- a/Packages/shutdown.ps1
+++ b/Packages/shutdown.ps1
@@ -0,0 +1,37 @@
+#requires -version 5.1
+# Forced shutdown in 30 seconds with on-screen message.
+# Works from 32-bit PowerShell on 64-bit Windows. Run as Administrator.
+
+$Message        = 'Shutdown by Tanium'
+$TimeoutSeconds = 30
+
+# Admin check
+$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
+if (-not $principal.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)) {
+    Write-Error 'Run this script as Administrator.'
+    exit 1
+}
+
+# Pick correct shutdown.exe (Sysnative when 32-bit PS on 64-bit OS)
+function Get-ShutdownExePath {
+    $sysnative = Join-Path $env:WINDIR 'Sysnative\shutdown.exe'
+    $system32  = Join-Path $env:WINDIR 'System32\shutdown.exe'
+    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess -and (Test-Path $sysnative)) { 
+        return $sysnative 
+    } else { 
+        return $system32 
+    }
+}
+$exe = Get-ShutdownExePath
+
+# Optional trace in Event Log
+try {
+    $src = 'Tanium-Shutdown-PS'
+    if (-not [System.Diagnostics.EventLog]::SourceExists($src)) {
+        New-EventLog -LogName Application -Source $src -ErrorAction SilentlyContinue
+    }
+    Write-EventLog -LogName Application -Source $src -EntryType Information -EventId 10011 -Message $Message
+} catch {}
+
+# Schedule forced shutdown with 30s countdown and message
+& $exe /s /f /t $TimeoutSeconds /c $Message