Reputation: 58431
This is not a question about not being able to start a PSSession, rather about apparently different access rights when in a PSSession.
```powershell
# In the local prompt
cmd /c sc queryex WerSvc
# Same command inside a loopback session
Enter-PSSession localhost
cmd /c sc queryex WerSvc
```
My user has the right to execute `sc queryex`, but apparently not when in a PSSession. Does anyone have any idea where I should start checking access rights?

Edit: kudos to PetSerAl.

Below is the output of `whoami /all` in the standard PowerShell prompt and in the PSSession.
```
PS C:\Users\xxxxxxxx> whoami /all

USER INFORMATION
----------------

User Name          SID
================== ===============================================
corporate\xxxxxxxx S-1-5-21-3650376746-1030869643-1781887868-23610

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                             Attributes
========================================== ================ =============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                         Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                    Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users               Alias            S-1-5-32-555                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON      Well-known group S-1-5-14                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                        Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                         Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxx                         User             S-1-5-21-348289982-344025507-1237804090-35554   Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                        Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxxxxxxxxxxxxxxxx_RDP       Alias            S-1-5-21-3650376746-1030869643-1781887868-21634 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
```
```
PS C:\Users\xxxxxxxx> enter-pssession localhost
[localhost]: PS C:\Users\xxxxxxxx\Documents> whoami /all

USER INFORMATION
----------------

User Name          SID
================== ===============================================
corporate\xxxxxxxx S-1-5-21-3650376746-1030869643-1781887868-23610

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                             Attributes
========================================== ================ =============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                         Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                    Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users               Alias            S-1-5-32-555                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                        Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxx                         User             S-1-5-21-348289982-344025507-1237804090-35554   Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                        Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxxxxxxxxxxxxxxxx_RDP       Alias            S-1-5-21-3650376746-1030869643-1781887868-21634 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
```
Upvotes: 1
Views: 1038
Reputation: 44
Might it be possible that you start an elevated PowerShell and, after `Enter-PSSession`, you end up in a less privileged shell?

Try to check with this line:

```powershell
# True when the current token is a member of the local Administrators group
[bool]$isElevated = (New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
```
Upvotes: 0
Reputation: 22102
The `whoami /all` output shows that you use interactive logon to run PowerShell, while PowerShell remoting uses network logon by default when creating a session. You can use the `-EnableNetworkAccess` parameter to use the existing interactive session instead of creating a new network logon.

If you look at the `WerSvc` service security descriptor (you can do so with the `sc.exe sdshow WerSvc` command), then you can see that it gives permissions to access the service to interactive logon and does not give such permissions to network logon. Thus you see the difference in behavior.
Upvotes: 4
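
The access check described in the answer above, as an added example that is not part of the original posts: it parses a service DACL in SDDL form and lists which service rights a given set of token SIDs receives. The helper name `Get-GrantedServiceRights` and the sample SDDL string are assumptions made for illustration; the SID lists are the well-known groups from the question's two `whoami /all` listings.

```powershell
# Added example, not code from the thread. Simplified access check: ignores
# owner rights, generic-right mapping and deny-only group SIDs.
# Service access-mask bits (winsvc.h) plus the standard READ_CONTROL right.
$ServiceRights = [ordered]@{
    QueryConfig         = 0x0001
    ChangeConfig        = 0x0002
    QueryStatus         = 0x0004   # checked by QueryServiceStatusEx
    EnumerateDependents = 0x0008
    Start               = 0x0010
    Stop                = 0x0020
    PauseContinue       = 0x0040
    Interrogate         = 0x0080
    ReadControl         = 0x20000  # needed to read the descriptor itself
}

function Get-GrantedServiceRights {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]   $Sddl,      # text from: sc.exe sdshow <service>
        [Parameter(Mandatory)][string[]] $TokenSid   # SIDs listed by whoami /all
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $granted = 0
    $denied  = 0
    # Walk the DACL in order; each bit is decided by the first ACE matching the token.
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($TokenSid -notcontains $ace.SecurityIdentifier.Value) { continue }
        if ($ace.AceType -eq 'AccessDenied') {
            $denied = $denied -bor ($ace.AccessMask -band (-bnot $granted))
        } elseif ($ace.AceType -eq 'AccessAllowed') {
            $granted = $granted -bor ($ace.AccessMask -band (-bnot $denied))
        }
    }
    @($ServiceRights.Keys | Where-Object { $granted -band $ServiceRights[$_] })
}

# Constructed sample DACL (SY, BA, IU and SU entries only); substitute the
# real string printed by: sc.exe sdshow WerSvc
$sddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
        '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'

# Well-known group SIDs copied from the two whoami /all listings in the question.
$common      = 'S-1-1-0', 'S-1-5-32-545', 'S-1-5-32-555', 'S-1-5-11', 'S-1-5-15'
$interactive = $common + @('S-1-5-4', 'S-1-5-14', 'S-1-2-0')   # local prompt
$network     = $common + @('S-1-5-2')                          # inside Enter-PSSession

'Interactive logon: ' + ((Get-GrantedServiceRights -Sddl $sddl -TokenSid $interactive) -join ', ')
'Network logon:     ' + ((Get-GrantedServiceRights -Sddl $sddl -TokenSid $network) -join ', ')
```

To evaluate the live token instead, pass `[Security.Principal.WindowsIdentity]::GetCurrent().Groups.Value` as `-TokenSid`. Capture the SDDL from a context that is allowed to read the descriptor, since a token without `ReadControl` on the service cannot run `sc.exe sdshow` against it.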