reset-logging.ps1
<#
.SYNOPSIS
Resets logging on a Windows computer to defaults.
.DESCRIPTION
Resets logging on a Windows computer to defaults.
There is a companion script get-loggingReport.ps1 that reads these settings and offers recommendations.
To turn off or change a setting either edit the settings below or comment them out.
.EXAMPLE
PS>.\reset-logging.ps1
.NOTES
Author: Tom Willett
Date: 8/17/2016
Ver 1.0
#>
# This script resets logging on a windows computer to defaults -- comment out what you don't want changed.
#log sizes
set-itemproperty hklm:\system\currentcontrolset\services\eventlog\Application -name maxsize -value 20971520
set-itemproperty hklm:\system\currentcontrolset\services\eventlog\System -name maxsize -value 20971520
set-itemproperty hklm:\system\currentcontrolset\services\eventlog\Security -name maxsize -value 20971520
#set audit policy on registry keys
auditpol.exe /set /subcategory:'Registry' /success:disable /failure:disable
#$rule = $acl.getauditrules($true,$true, [System.Security.Principal.NTAccount] )
#HKLM Run key
$acl = get-acl hklm:\software\microsoft\windows\currentversion\run -audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule ("everyone","ReadPermissions","none","none","success")
$acl.removeauditrule($rule)
$rule = New-Object System.Security.AccessControl.RegistryAuditRule ("everyone","ReadPermissions","none","none","failure")
$acl.removeauditrule($rule)
$acl | set-acl hklm:\software\microsoft\windows\currentversion\run
#HKLM RunOnce Key
$acl = get-acl hklm:\software\microsoft\windows\currentversion\runonce -audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule ("everyone","ReadPermissions","none","none","success")
$acl.removeauditrule($rule)
$rule = New-Object System.Security.AccessControl.RegistryAuditRule ("everyone","ReadPermissions","none","none","failure")
$acl.removeauditrule($rule)
$acl | set-acl hklm:\software\microsoft\windows\currentversion\runonce
#HKCU Run Key
$acl = get-acl hkcu:\software\microsoft\windows\currentversion\run -audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule ("everyone","ReadPermissions","none","none","success")
$acl.removeauditrule($rule)
$rule = New-Object System.Security.AccessControl.RegistryAuditRule ("everyone","ReadPermissions","none","none","failure")
$acl.removeauditrule($rule)
$acl | set-acl hkcu:\software\microsoft\windows\currentversion\run
#HKCU RunOnce
$acl = get-acl hklm:\software\microsoft\windows\currentversion\runonce -audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule ("everyone","ReadPermissions","none","none","success")
$acl.removeauditrule($rule)
$rule = New-Object System.Security.AccessControl.RegistryAuditRule ("everyone","ReadPermissions","none","none","failure")
$acl.removeauditrule($rule)
$acl | set-acl hkcu:\software\microsoft\windows\currentversion\runonce
#Logon/Logoff Logging
auditpol.exe /set /subcategory:'Logon' /success:enable /failure:disable
#Computer Account Changes Logging
auditpol.exe /set /subcategory:'computer account management' /success:disable /failure:disable
#Security Group changes Logging
auditpol.exe /set /subcategory:'security group management' /success:enable /failure:disable
#User Account Changes Logging
auditpol.exe /set /subcategory:'user account management' /success:enable /failure:disable
#Firewall Events Logging
auditpol.exe /set /subcategory:'Filtering Platform Connection' /success:disable /failure:disable
#Process Creation Logging
auditpol.exe /set /subcategory:'Process Creation' /success:disable /failure:disable
#Process Termination Logging
auditpol.exe /set /subcategory:'Process Termination' /success:disable
#Powershell Script Block Logging
Remove-Item HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Force -Recurse -erroraction silentlycontinue
#Audit policy logging
auditpol.exe /set /subcategory:'Audit Policy Change' /success:enable /failure:disable