Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug: PSFramework Configuration Persists Between Hawk Sessions Causing Path Conflicts #211

Closed
jonnybottles opened this issue Dec 22, 2024 · 0 comments
Closed

Bug: PSFramework Configuration Persists Between Hawk Sessions Causing Path Conflicts #211

jonnybottles opened this issue Dec 22, 2024 · 0 comments
Assignees
@jonnybottles
Labels
status/backlog In backlog / validated type/bug Non-urgent code defect
Milestone
Phase 1: Design/F...

Comments

@jonnybottles
Copy link
Collaborator

What happened?

PSFramework configurations for Hawk are persisting between sessions when they should be cleared. This causes particular issues with the FilePath configuration, where new investigation folders are created with incorrect timestamps based on stale configuration data instead of fresh initialization.

Steps to Reproduce

  1. Run any Hawk investigation command (e.g., Start-HawkUserInvestigation).
  2. Complete the investigation.
  3. Run Get-PSFConfig -Module Hawk.
  4. Observe configurations persist, particularly Hawk.FilePath.
  5. Run another investigation.
  6. Observe folder creation uses stale path information.

Hawk Version

3.2.3

Technical Analysis

Root Causes:

  • PSFramework configurations are registered but never unregistered between sessions.
  • Initialize-HawkGlobalObject assumes a clean state but doesn't enforce it.

Configurations Currently Handled:

  • Hawk.DaysToLookBack
  • Hawk.FilePath
  • Hawk.Import.DoDotSource
  • Hawk.Import.IndividualFiles

These persist in PSFramework's configuration system between PowerShell sessions when they should be temporary for each Hawk run.

Implementation Plan

Implementation Plan

Create New Function to Handle Configuration Cleanup:

function Reset-HawkConfiguration {
    # Unregister all Hawk configurations
    Get-PSFConfig -Module Hawk | ForEach-Object {
        Unregister-PSFConfig -FullName $_.FullName
    }
}

**Modify Initialize-HawkGlobalObject:**

function Initialize-HawkGlobalObject {
    [CmdletBinding()]
    param()
    
    BEGIN {
        # Clear any existing Hawk configurations
        Reset-HawkConfiguration
    }
    
    PROCESS {
        # Existing initialization code
    }
}

**Add Configuration Cleanup to Module Import:**

# In Hawk.psm1
$ExecutionContext.SessionState.Module.OnRemove = {
    Reset-HawkConfiguration
}

**Update Configuration Usage to Ensure Proper Scoping:**
# Use -Temporary flag when appropriate
Set-PSFConfig -Module 'Hawk' -Name 'FilePath' -Value $Path -Temporary




### Acceptance Criteria

Running Get-PSFConfig -Module Hawk after closing PowerShell shows no persisted Hawk configurations.
Each new Hawk investigation:
Creates fresh configuration.
Generates correct timestamp-based folder names.
Doesn't use stale path information.
Multiple investigations can be run sequentially without configuration interference.
Module removal triggers configuration cleanup.
No impact to current session functionality.
All Hawk commands work correctly with temporary configurations.
Documentation updated to reflect configuration behavior.
@jonnybottles jonnybottles added type/bug Non-urgent code defect status/backlog In backlog / validated labels Dec 22, 2024
@jonnybottles jonnybottles self-assigned this Dec 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jonnybottles jonnybottles

Labels
status/backlog In backlog / validated type/bug Non-urgent code defect
Projects
None yet
Milestone
Phase 1: Design/Foundational (Weeks 1...
Development

No branches or pull requests
1 participant
@jonnybottles