Working command in a plain PowerShell prompt gives 'Access denied' in a PSSession
This is not a question about not being able to start a PSSession, rather about apparently different access rights when in a PSSession.
Following set of commands work
- Start a PowerShell prompt
- Run
cmd /c sc queryex WerSvc
The following set of commands don't work
- Start a PowerShell prompt
- Run
Enter-PSSession localhost - Run
cmd /c sc queryex WerSvc
My user has the right to execute sc queryex, but apparently not when in a PSSession. Where should I start checking access rights?
Kudos to PetSerAl
Below is the output of whoami /all in the standard PowerShell prompt and in the PSSession.
PS C:\Users\xxxxxxxx> whoami /all
USER INFORMATION
----------------
User Name SID
================== ===============================================
corporate\xxxxxxxx S-1-5-21-3650376746-1030869643-1781887868-23610
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ =============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxx User S-1-5-21-348289982-344025507-1237804090-35554 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxxxxxxxxxxxxxxxx_RDP Alias S-1-5-21-3650376746-1030869643-1781887868-21634 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
PS C:\Users\xxxxxxxx> enter-pssession localhost
[localhost]: PS C:\Users\xxxxxxxx\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
================== ===============================================
corporate\xxxxxxxx S-1-5-21-3650376746-1030869643-1781887868-23610
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ =============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxx User S-1-5-21-348289982-344025507-1237804090-35554 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxxxxxxxxxxxxxxxx_RDP Alias S-1-5-21-3650376746-1030869643-1781887868-21634 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
Solution
The whoami /all output shows that you use an interactive logon to run PowerShell, while PowerShell remoting uses network logon by default, when creating a session. You can use -EnableNetworkAccess parameter to use an existing interactive session instead of creating a new network logon.
If you look at the WerSvc service security descriptor (you can do so with the sc.exe sdshow WerSvc command), then you can see that it gives permissions to access the service to an interactive logon and not give such permissions for a network logon. Thus you see a difference in behavior.
- VS Code - Error: EPERM: operation not permitted
- Why cannot assign a window title to a background python process
- How can I convert a windows path to posix path using node path
- I can't run geckodriver, python selenium ; [WinError 216]
- Can Windows' built-in ZIP compression be scripted?
- How to make a batch file execute a reg file
- Set DNS with PowerShell
- How to configure docker CLI to access docker server from minikube on Git-Bash?
- Developing Windows applications on Linux?
- Adding a directory to the PATH environment variable in Windows
- how to delete only empty directories from a batch file
- How to fix 'Waiting for Target Device to Come Online'?
- Boot a native OS on a hard disk as a virtual machine
- Java Process.waitFor() does not wait
- WinUI 3 Share Window failing with COMException "This method cannot be called while the app is in the background"
- Is there any way to detect the monitor state in Windows (on or off)?
- What is the difference between \ and \\ in file path
- How to git pull for multiple repos on windows?
- How to enable Windows console QuickEdit Mode from python?
- Remove Old NTAuth CA
- PowerShell folder permission error - Some or all identity references could not be translated
- How can I sort files based on their last updated time using "dir" command in Windows
- Sort files by Custom Timestamp with the Windows DIR command
- Shadow space example
- How to properly enable mod_status on an apache server?
- R install package globally
- How to flush cin including all occurrences of newline
- Batch changing titles of mkv files in multiple directories
- How to get the Process Environment Block (PEB) address using assembler (x64 OS)?
- How to install a particular .NET Framework version SDK using winget?