CODEWITHSUNDEEP
powershellpowershell-remoting
Seva Alekseyev
Seva Alekseyev

Reputation: 61341

Get-WinEvent via Powershell remoting

I have a non-admin access to a server. I'm allowed to connect via RDP, and to use PowerShell remoting. When I invoke the following PowerShell command from an RDP session:

Get-WinEvent -MaxEvents 100 -Provider Microsoft-Windows-TaskScheduler

I get 100 records, as expected.

When I do the same via PowerShell remoting, by invoking the following from my local machine:

invoke-command -ComputerName myserver {Get-WinEvent -MaxEvents 100 -Provider Microsoft-Windows-TaskScheduler }

I get an error:

No events were found that match the specified selection criteria.

  • CategoryInfo : ObjectNotFound: (:) [Get-WinEvent], Exception
  • FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand

Any idea why? The remote PowerShell session should be running under identical credentials, right?

EDIT: whoami does show a difference in the security context between RDP logon and PowerShell remoting - the group set is different. In the RDP logon session, there are the following groups in the token:

while in the remoted one, there's

That could account for the discrepancy in rights...

EDIT: from the registry, it looks like the task scheduler log somehow is a part of the System log. According to MS KB article Q323076, the security descriptor for the System log can be found under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System, value CustomSD. I can't check the server in question, but on another server where I'm an admin, there's no CustomSD under that key. Under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System\Microsoft-Windows-TaskScheduler, neither. Only the Security log gets a CustomSD. The next question is, where's the default SD?

Permissions on the actual log file at C:\Windows\System32\winevt\LogsMicrosoft-Windows-TaskScheduler%4Operational.evtx are irrelevant, the access is being mediated by the EventLog service anyway.

Upvotes: 3

Views: 5023

Answers (4)

Patrick E
Patrick E

Reputation: 1

I had the weirdest variation of this problem, was driving me nuts !
Remoting from a server W2008r2 (logged on as domain admin, inside interactive powershell session) to workstation Win7 to get logon/logoff events :

invoke-command -computername $pc {Get-WinEvent -FilterHashtable @{logname='
Security';Id=@(4624,4634)}}
-> No events were found that match the specified selection criteria.

But it does work when outputting an empty string in the scriptblock before the Get-Winevent :

invoke-command -computername $pc {"";Get-WinEvent -FilterHashtable @{lognam
e='Security';Id=@(4624,4634)}}


TimeCreated             ProviderName                                 Id Message                 PSComputerName
-----------             ------------                                 -- -------                 --------------
19/03/2018 11:51:41     Microsoft-Windows-Se...                    4624 An account was succe... b25_x64
19/03/2018 11:51:41     Microsoft-Windows-Se...                    4624 An account was succe... b25_x64

Stumbled upon this fix after trying everything: Enter-Pssession, New-Pssession, using -credential parameter to pass a predefined credential to invoke-command, to get-winevent, to both. Nothing worked, gave "No events..." in every combination.
Then I inserted a $cred inside the scriptblock to show the passed on credential for debugging, and suddenly I got the events I was looking for...

Upvotes: 0

Dave
Dave

Reputation: 364

You need local admin rights to open a powershell session.

But there is a workaround/alterative here:

https://4sysops.com/archives/powershell-remoting-without-administrator-rights/

Upvotes: 0

Seva Alekseyev
Seva Alekseyev

Reputation: 61341

According to Default ACLs on Windows Event Logs @ MSDN blog, in Windows Server 2003+, the default ACL for the System log goes:

O:BAG:SYD:
 *(D;;0xf0007;;;AN)  // (Deny) Anonymous:All Access
 *(D;;0xf0007;;;BG)  // (Deny) Guests:All Access
  (A;;0xf0007;;;SY)  // LocalSystem:Full
  (A;;0x7;;;BA)      // Administrators:Read,Write,Clear
  (A;;0x5;;;SO)      // Server Operators:Read,Clear
  (A;;0x1;;;IU)      // INTERACTIVE LOGON:Read   <===================
  (A;;0x1;;;SU)      // SERVICES LOGON:Read
  (A;;0x1;;;S-1-5-3) // BATCH LOGON:Read
  (A;;0x2;;;LS)      // LocalService:Write
  (A;;0x2;;;NS)      // NetworkService:Write

Does NT AUTHORITY\INTERACTIVE LOGON include RDP logon? I've found a forum message that says so, but I'd better find a doc to that effect...

The article claims this ACE comes "straight from the source code". So it's hard-coded in the service, with a chance to change via the registry.

Upvotes: 0

Kai Zhao
Kai Zhao

Reputation: 1015

If you are not an administrator on the remote computer, and invoke-command -ComputerName myserver {whoami /all} tells you are who you expected to be.

You will need to be part of Event Log Reader group on the remote computer.

As well as Remote Management Users group, which I believe you already are.

If you need to read security logs, you will also need Manage auditing and security log under Local Security Policy -> Security Settings -> Local Policies -> User Rights Assignment

Upvotes: 2

Related Questions