Hello Steven,
If you do not have the Wintrust key, then you will need to create it, plus Config underneath it, plus a new string value called EnableCertPaddingCheck with a value of 1, in order for Rapid7 to consider the vulnerability remediated. If you are hoping to import a REG file, then it will look like this:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
or, if performing it through PowerShell:
# 32-bit (WOW6432Node) view: create the Config key if it is missing, then set the REG_SZ value
if ($(Test-Path HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config) -ne $true)
{
    Write-Output "HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config does not exist...creating it"
    New-Item HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config -Force
}
New-ItemProperty -Path HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config -Name EnableCertPaddingCheck -PropertyType String -Value 1 -Force

# 64-bit (native) view: same steps; -Force lets the script re-run without erroring if the value already exists
if ($(Test-Path HKLM:\Software\Microsoft\Cryptography\Wintrust\Config) -ne $true)
{
    Write-Output "HKLM:\Software\Microsoft\Cryptography\Wintrust\Config does not exist...creating it"
    New-Item HKLM:\Software\Microsoft\Cryptography\Wintrust\Config -Force
}
New-ItemProperty -Path HKLM:\Software\Microsoft\Cryptography\Wintrust\Config -Name EnableCertPaddingCheck -PropertyType String -Value 1 -Force
There are a few different ways to skin this cat; hopefully this provides you with the needed guidance.
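An added verification helper, not part of the reply above, for confirming the result after applying either method: it assumes the same two registry paths and checks that EnableCertPaddingCheck exists as a REG_SZ with the value "1" (the type the .reg file writes) in each applicable view.

```powershell
# Added check, not from the original post. Assumes the two Wintrust\Config paths
# used above and treats only a REG_SZ value of "1" as compliant.
function Test-CertPaddingCheck {
    [CmdletBinding()]
    param()

    $paths = @('HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config')
    # The WOW6432Node view only exists on 64-bit Windows; skip it on 32-bit hosts.
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Wintrust\Config'
    }

    foreach ($path in $paths) {
        $result = [ordered]@{
            Path      = $path
            KeyExists = $false
            Value     = $null
            Kind      = $null
            Compliant = $false
        }
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if ($null -ne $key) {
            $result.KeyExists = $true
            if ($key.GetValueNames() -contains 'EnableCertPaddingCheck') {
                $result.Value = $key.GetValue('EnableCertPaddingCheck')
                $result.Kind  = $key.GetValueKind('EnableCertPaddingCheck')
                # The .reg file above writes a string "1", so require type String and that exact value.
                $result.Compliant = ($result.Kind -eq 'String' -and "$($result.Value)" -eq '1')
            }
        }
        [pscustomobject]$result
    }
}

# Example usage: show the status of each view, then exit non-zero if any is non-compliant
$status = Test-CertPaddingCheck
$status | Format-Table -AutoSize
if ($status.Compliant -contains $false) { exit 1 }
```

Run it from an elevated prompt after the remediation; a missing key, a missing value, or a value stored as a DWORD rather than a string all show up as Compliant = False.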