Tags: windows, powershell, security, powershell-remoting

Working command in a plain PowerShell prompt gives 'Access denied' in a PSSession


This is not a question about not being able to start a PSSession, rather about apparently different access rights when in a PSSession.

The following set of commands works:

  1. Start a PowerShell prompt
  2. Run cmd /c sc queryex WerSvc

The following set of commands doesn't work:

  1. Start a PowerShell prompt
  2. Run Enter-PSSession localhost
  3. Run cmd /c sc queryex WerSvc

My user has the right to execute sc queryex, but apparently not when in a PSSession. Where should I start checking access rights?

Works in prompt, not in PSSession

Kudos to PetSerAl

Below is the output of whoami /all in the standard PowerShell prompt and in the PSSession.

PS C:\Users\xxxxxxxx> whoami /all

USER INFORMATION
----------------

User Name          SID
================== ===============================================
corporate\xxxxxxxx S-1-5-21-3650376746-1030869643-1781887868-23610


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                             Attributes
========================================== ================ =============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                         Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                    Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users               Alias            S-1-5-32-555                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON      Well-known group S-1-5-14                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                        Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                         Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxx                         User             S-1-5-21-348289982-344025507-1237804090-35554   Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                        Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxxxxxxxxxxxxxxxx_RDP       Alias            S-1-5-21-3650376746-1030869643-1781887868-21634 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
PS C:\Users\xxxxxxxx> enter-pssession localhost

[localhost]: PS C:\Users\xxxxxxxx\Documents> whoami /all

USER INFORMATION
----------------

User Name          SID
================== ===============================================
corporate\xxxxxxxx S-1-5-21-3650376746-1030869643-1781887868-23610


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                             Attributes
========================================== ================ =============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                         Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                    Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users               Alias            S-1-5-32-555                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                        Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxx                         User             S-1-5-21-348289982-344025507-1237804090-35554   Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                        Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxxxxxxxxxxxxxxxx_RDP       Alias            S-1-5-21-3650376746-1030869643-1781887868-21634 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

Solution

  • The whoami /all output shows that you use an interactive logon to run PowerShell, while PowerShell remoting uses a network logon by default when creating a session. You can use the -EnableNetworkAccess parameter to use an existing interactive session instead of creating a new network logon.

    If you look at the WerSvc service security descriptor (you can do so with the sc.exe sdshow WerSvc command), you can see that it grants access to the service to an interactive logon and does not grant such permissions to a network logon. Thus you see a difference in behavior.
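The script below is an added example; it is not code from the question or from PetSerAl's answer. It makes the answer's two points checkable on the box: it decodes the service DACL that sc.exe sdshow prints into named SERVICE_* rights, collects the token SIDs inside a loopback session created with the default network logon and inside one created with -EnableNetworkAccess, and then walks the DACL the way the kernel does to report whether each token is granted SERVICE_QUERY_STATUS (the right sc queryex needs). It assumes WinRM is enabled on localhost, that the current account may create a loopback session, and that sc.exe and whoami.exe are on the PATH; the SERVICE_* bit values are the public winsvc.h constants.

```powershell
# Added example, not code from the original question or answer.
# Compares the token of a default (network logon) loopback PSSession with one
# created via -EnableNetworkAccess, and checks both against the service DACL.
# Assumptions: WinRM enabled on localhost, loopback sessions allowed for this
# account, sc.exe and whoami.exe available.

$service = 'WerSvc'

# SERVICE_* access-right bits from winsvc.h; no built-in .NET enum names them.
$serviceRights = [ordered]@{
    0x00001 = 'QUERY_CONFIG'
    0x00002 = 'CHANGE_CONFIG'
    0x00004 = 'QUERY_STATUS'
    0x00008 = 'ENUMERATE_DEPENDENTS'
    0x00010 = 'START'
    0x00020 = 'STOP'
    0x00040 = 'PAUSE_CONTINUE'
    0x00080 = 'INTERROGATE'
    0x00100 = 'USER_DEFINED_CONTROL'
    0x10000 = 'DELETE'
    0x20000 = 'READ_CONTROL'
    0x40000 = 'WRITE_DAC'
    0x80000 = 'WRITE_OWNER'
}
$SERVICE_QUERY_STATUS = 0x4   # what "sc queryex" asks for when opening the service

# Runs inside each session: returns every SID the token carries
# (user SID plus groups, skipping groups marked "used for deny only").
$tokenProbe = {
    $user   = (whoami /user /fo csv | ConvertFrom-Csv).SID
    $groups = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.Attributes -notmatch 'deny only' } |
        Select-Object -ExpandProperty SID
    @($user) + @($groups)
}

function Get-ServiceDescriptor([string]$Name) {
    # sc.exe sdshow prints a blank line followed by the SDDL string.
    $sddl = (sc.exe sdshow $Name | Where-Object { $_ -match '^[DOGS]:' }) -join ''
    if (-not $sddl) { throw "sc.exe sdshow $Name returned no SDDL (access denied or unknown service?)" }
    New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl
}

function Resolve-SidName([System.Security.Principal.SecurityIdentifier]$Sid) {
    # Friendly name where the SID resolves, raw SID string otherwise.
    try { return $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $Sid.Value }
}

function Test-ServiceAccess {
    param(
        [System.Security.AccessControl.RawSecurityDescriptor]$Descriptor,
        [string[]]$TokenSids,
        [int]$Right
    )
    # Walk the DACL in order, as the access check does: the first ACE that
    # names a SID in the token and covers the requested bit decides
    # (AccessDenied refuses, AccessAllowed grants). Simplification: owner and
    # privilege-based shortcuts are ignored.
    foreach ($ace in $Descriptor.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($TokenSids -notcontains $ace.SecurityIdentifier.Value) { continue }
        if (-not ($ace.AccessMask -band $Right)) { continue }
        if ($ace.AceType -eq 'AccessDenied')  { return $false }
        if ($ace.AceType -eq 'AccessAllowed') { return $true }
    }
    return $false
}

# 1. Decode the service DACL into readable rows.
$sd = Get-ServiceDescriptor $service
"DACL of ${service}:"
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
    $who    = Resolve-SidName $ace.SecurityIdentifier
    $rights = ($serviceRights.Keys | Where-Object { $ace.AccessMask -band $_ } |
               ForEach-Object { $serviceRights[$_] }) -join ','
    '  {0,-13} {1,-45} {2}' -f $ace.AceType, $who, $rights
}

# 2. Collect token SIDs from a default loopback session and an -EnableNetworkAccess one.
$netSession = New-PSSession -ComputerName localhost
$intSession = New-PSSession -ComputerName localhost -EnableNetworkAccess
try {
    $netSids = Invoke-Command -Session $netSession -ScriptBlock $tokenProbe
    $intSids = Invoke-Command -Session $intSession -ScriptBlock $tokenProbe
} finally {
    Remove-PSSession $netSession, $intSession
}

# 3. Report the token difference and the resulting access decision.
"`nSIDs only in the default session          : " + (($netSids | Where-Object { $intSids -notcontains $_ }) -join ', ')
"SIDs only in the -EnableNetworkAccess one : " + (($intSids | Where-Object { $netSids -notcontains $_ }) -join ', ')
"QUERY_STATUS via default network logon    : " + (Test-ServiceAccess $sd $netSids $SERVICE_QUERY_STATUS)
"QUERY_STATUS via -EnableNetworkAccess     : " + (Test-ServiceAccess $sd $intSids $SERVICE_QUERY_STATUS)
```

On a host that matches the question, the default session's token shows S-1-5-2 (NETWORK) and the -EnableNetworkAccess session's token shows S-1-5-4 (INTERACTIVE) instead, and the QUERY_STATUS line flips from False to True only if the DACL lists INTERACTIVE (or another group present in the second token) with the QUERY_STATUS bit. The same Test-ServiceAccess walk can be pointed at any other service name or right, which is how to confirm whether a given "Access denied" is the logon-type difference the answer describes or a real ACL restriction.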