Watch Demo×
×

See NinjaOne in action!

By submitting this form, I accept NinjaOne's privacy policy.

Back to results
  • Windows

How to Enable the Fix for CVE-2023-32019 with PowerShell

  • Last updated March 13, 2024

Microsoft’s June 2023 Patch Tuesday updates included a fix for an important Windows Kernel vulnerability — but it’s disabled by default. Here’s everything you need to know, plus a script to help you enable the patch across various Windows versions.

What is CVE-2023-32019?

Microsoft characterizes CVE-2023-32019 as a Windows Kernel information disclosure vulnerability impacting several Windows versions, including the latest Windows 10, Windows Server, and Windows 11 releases.

Successful exploitation could allow an attacker to view heap memory from a privileged process running on a server, and it does not require admin or other elevated privileges to trigger. It does, however, require an attacker to coordinate the attack with another privileged process run by another user on the system.

Despite a relatively modest CVSS base score of 4.7 / 10, Microsoft has flagged the vulnerability as important severity. Yet, the fix included in the June 2023 updates requires an additional step to actually enable it. What gives?

Why is the fix for CVE-2023-32019 disabled by default?

While Microsoft’s support documentation is light on details, the company does explain that mitigating this vulnerability  introduces a “potential breaking change.” Hence, they’re leaving it to users to manually enable the resolution in test environments and encouraging them to closely monitor for disruption before rolling out the fix more widely.

Microsoft also goes on to say that, “in a future release, this resolution will be enabled by default. We recommend that you validate this resolution in your environment. Then, as soon as it is validated, enable the resolution as soon as possible.”

How to enable the fix for CVE-2023-32019 using PowerShell

Mitigating the vulnerability requires users to set a registry key value based on the version of Windows they’re running (each version requires a different key value). Suffice it to say this additional step has sparked complaints.

To help make things easier, our Software Product Engineer Kyle Bohlander has created the following script that will check the OS and apply the correct registry change, accordingly.

Note: This script isn’t limited to just NinjaOne users. It can be used by anyone. As Microsoft advises, however, this fix should be deployed on test machines prior to wider deployment, and per usual, if you choose to run it it’s at your own risk.

 

Script author: Kyle Bohlander, Software Product Engineer at NinjaOne

#Requires -Version 5.1

<#
.SYNOPSIS
    This script will apply the registry fix suggested by microsoft for CVE-2023-32019 for the particular OS the computer is run on. Please note not all OS's have a fix to apply!
    https://support.microsoft.com/en-au/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080
.DESCRIPTION
    This script will apply the registry fix suggested by microsoft for CVE-2023-32019 for the particular OS the computer is run on. Please note not all OS's have a fix to apply!
    https://support.microsoft.com/en-au/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080
.EXAMPLE
    (No Parameters)

    Checking Windows Version....
    Desktop Windows Detected!
    Windows 10 identified!
    22H2 Detected!
    Set Registry::HKEY_LOCAL_MACHINESYSTEMCurrentControlSetPoliciesMicrosoftFeatureManagementOverrides4103588492 to 1
    Successfully set registry key!

PARAMETER: -Undo
    Removes the registry key set for this fix. Script will error out if that registry key is not present.
.EXAMPLE
    -Undo
    
    Checking Windows Version....
    Desktop Windows Detected!
    Windows 10 identified!
    22H2 Detected!
    Undoing registry fix...
    Successfully removed registry fix!

.OUTPUTS
    None
.NOTES
    Release: Initial Release (6/15/2023)
    General notes
#>

[CmdletBinding()]
param (
    [Parameter()]
    [switch]$Undo
)

begin {
    # Tests that the script is elevated
    function Test-IsElevated {
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $p = New-Object System.Security.Principal.WindowsPrincipal($id)
        $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }

    # We want the script to check if its running on a workstation or something else
    function Test-IsWorkstation {
        $OS = Get-CimInstance -ClassName Win32_OperatingSystem
        return $OS.ProductType -eq 1
    }

    # This will set the registry key and any preceding keys needed
    function Set-RegKey {
        param (
            $Path,
            $Name,
            $Value,
            [ValidateSet("DWord", "QWord", "String", "ExpandedString", "Binary", "MultiString", "Unknown")]
            $PropertyType = "DWord"
        )
        if (-not $(Test-Path -Path $Path)) {
            # Check if path does not exist and create the path
            New-Item -Path $Path -Force | Out-Null
        }
        if ((Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore)) {
            # Update property and print out what it was changed from and changed to
            $CurrentValue = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore).$Name
            try {
                Set-ItemProperty -Path $Path -Name $Name -Value $Value -Force -Confirm:$false -ErrorAction Stop | Out-Null
            }
            catch {
                Write-Error "[Error] Unable to Set registry key for $Name please see below error!"
                Write-Error $_
                exit 1
            }
            Write-Host "$Path$Name changed from $CurrentValue to $($(Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore).$Name)"
        }
        else {
            # Create property with value
            try {
                New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $PropertyType -Force -Confirm:$false -ErrorAction Stop | Out-Null
            }
            catch {
                Write-Error "[Error] Unable to Set registry key for $Name please see below error!"
                Write-Error $_
                exit 1
            }
            Write-Host "Set $Path$Name to $($(Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore).$Name)"
        }
    }

    # Is it Windows 10 or 11 or something else?
    $WindowsVersion = [System.Environment]::OSVersion.Version.Major

    # Current Build Number
    $BuildNumber = [System.Environment]::OSVersion.Version.Build

    # If Script Forms are used grab the input
    if($env:Undo){$Undo = $env:Undo}
}
process {

    # If not elevated error out. Admin priveledges are required to create HKLM registry keys
    if (-not (Test-IsElevated)) {
        Write-Error -Message "Access Denied. Please run with Administrator privileges."
        exit 1
    }

    # Keeping the end user updated on the status
    Write-Host "Checking Windows Version...."
    if (Test-IsWorkstation) {
        Write-Host "Desktop Windows Detected!"
        # Depending on the version we'll want to check on a different set of build numbers
        switch ($WindowsVersion) {
            "10" {
                switch ($BuildNumber) {
                    "22621" {
                        Write-Host "Windows 11 identified!"
                        Write-Host "22H2 Detected!"
                        $key = "Registry::HKEY_LOCAL_MACHINESYSTEMCurrentControlSetPoliciesMicrosoftFeatureManagementOverrides"
                        $name = "4237806220"
                        $value = "1"
                    }
                    "22000" {
                        Write-Host "Windows 11 identified!"
                        Write-Host "21H2 Detected!"
                        $key = "Registry::HKEY_LOCAL_MACHINESYSTEMCurrentControlSetPoliciesMicrosoftFeatureManagementOverrides"
                        $name = "4204251788"
                        $value = "1"
                    }
                    "19045" {
                        # This sets us up to set the registry key depending on the current build and version.
                        Write-Host "Windows 10 identified!"
                        Write-Host "22H2 Detected!"
                        $key = "Registry::HKEY_LOCAL_MACHINESYSTEMCurrentControlSetPoliciesMicrosoftFeatureManagementOverrides"
                        $name = "4103588492"
                        $value = "1"
                    }
                    "19044" {
                        Write-Host "Windows 10 identified!"
                        Write-Host "21H2 Detected!"
                        $key = "Registry::HKEY_LOCAL_MACHINESYSTEMCurrentControlSetPoliciesMicrosoftFeatureManagementOverrides"
                        $name = "4103588492"
                        $value = "1"
                    }
                    "19042" {
                        Write-Host "Windows 10 identified!"
                        Write-Host "20H2 Detected!"
                        $key = "Registry::HKEY_LOCAL_MACHINESYSTEMCurrentControlSetPoliciesMicrosoftFeatureManagementOverrides"
                        $name = "4103588492"
                        $value = "1"
                    }
                    "17763" {
                        Write-Host "Windows 10 identified!"
                        Write-Host "1809 Detected!"
                        $key = "Registry::HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerConfiguration Manager"
                        $name = "LazyRetryOnCommitFailure"
                        $value = "0"
                    }
                    "14393" {
                        Write-Host "Windows 10 identified!"
                        Write-Host "1607 Detected!"
                        $key = "Registry::HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerConfiguration Manager"
                        $name = "LazyRetryOnCommitFailure"
                        $value = "0"
                    }
                    default {
                        Write-Warning "Looks like you're either on an unsupported windows build or one not supported by this script? (Only Win 11 22H2 and 21H1 and Win 10 22H2,21H2,21H1,20H2,1809 and 1607 has a fix out!)" 
                        Write-Warning "https://en.wikipedia.org/wiki/Windows_10_version_history"
                        Write-Warning "https://en.wikipedia.org/wiki/Windows_11_version_history"
                        Write-Error "[Error] This version of windows cannot be remediated by this script? Please verify this https://support.microsoft.com/en-au/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080"
                        exit 1
                    }
                }
            }
            default {
                Write-Warning "Looks like you're on a version of windows not supported by this script? (Only Windows 10 and 11 have a fix out!)"
                Write-Error "[Error] This version of windows appears to not be applicable or cannot be remediated by this script? Please verify this https://support.microsoft.com/en-au/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080"
                exit 1
            }
        }
    }
    else {
        Write-Host "Windows Server Detected!"
        if (Get-ComputerInfo | Select-Object OSName | Where-Object { $_.OSName -like "*2022*" }) {
            $key = "Registry::HKEY_LOCAL_MACHINESYSTEMCurrentControlSetPoliciesMicrosoftFeatureManagementOverrides"
            $name = "4137142924"
            $value = "1"
        }
        else {
            Write-Warning "Looks like you're on a version of windows not supported by this script? (Only Server 2022 has a fix out!)"
            Write-Error "[Error] This version of windows appears to not be applicable or cannot be remediated by this script? Please verify this https://support.microsoft.com/en-au/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080"
            exit 1
        }
    }

    if ($key -and -not $Undo) {
        Set-RegKey -Path $key -Name $name -Value $value -PropertyType DWord
        if ((Get-ItemPropertyValue -Path $key -Name $name -ErrorAction Ignore) -ne $value) {
            Write-Error "[Error] Unable to set registry key? Is something blocking the script?"
            exit 1
        }
        else {
            Write-Host "Successfully set registry key!"
            exit 0
        }
    }
    elseif ($Undo) {
        if (Get-ItemProperty -Path $key -ErrorAction Ignore) {
            Write-Host "Undoing registry fix..."
            Remove-ItemProperty -Path $key -Name $name
            if (Get-ItemProperty -Path $key -ErrorAction Ignore) {
                Write-Error "[Error] Unable to undo registry fix!"
                exit 1
            }
            else {
                Write-Host "Successfully removed registry fix!"
                exit 0
            }
        }
        else {
            Write-Error "[Error] Registry Key not found? Did you already undo it?"
            exit 1
        }
    }else{
        Write-Error "[Error] Unable to find registry key to set!"
        exit 1
    }
}
end {
    $ScriptName = "CVE-2023-32019 Remediation"
    $ScriptVariables = @(
        [PSCustomObject]@{
            name           = "Undo"
            calculatedName = "undo"
            required       = $false
            defaultValue   = $false
            valueType      = "CHECKBOX"
            valueList      = $null
            description    = "Whether or not to undo the registry fix."
        }
    )
}

 

Next Steps

Building an efficient and effective IT team requires a centralized solution that acts as your core service deliver tool. NinjaOne enables IT teams to monitor, manage, secure, and support all their devices, wherever they are, without the need for complex on-premises infrastructure.

Learn more about NinjaOne Remote Script Deployment, check out a live tour, or start your free trial of the NinjaOne platform.

Start your Free Trial

Categories:

  • Maintenance

You might also like

PowerShell Script Guide: Detecting Locked Accounts in Windows

Mastering Certificate Expiration Alerts with PowerShell for Enhanced IT Security

A Comprehensive Guide to Automating ConnectWise Installation on macOS

Streamline System Management: BGInfo PowerShell Deployment Script

Automate Inactive User Account Detection with PowerShell

Optimize Your IT Management: Mastering Hyper-V Replication Monitoring with PowerShell

Download the script

NinjaOne Terms & Conditions

By clicking the “I Accept” button below, you indicate your acceptance of the following legal terms as well as our Terms of Use:

  • Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
  • Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
  • Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library belonging to or under the control of any other software provider.
  • Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
  • Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
  • Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
  • EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
I Accept