PowerShell Invocation Fails

[Neo23x0]

VSCode runs the following command when activating the PowerShell console in the tool:

ParentImage: C:\Program Files\Raccine\Raccine.exe
ParentCommandLine: "C:\Program Files\Raccine\Raccine.exe" C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command "Import-Module 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\modules\PowerShellEditorServices\PowerShellEditorServices.psd1'; Start-EditorServices -HostName 'Visual Studio Code Host' -HostProfileId 'Microsoft.VSCode' -HostVersion '2020.6.0' -AdditionalModules @('PowerShellEditorServices.VSCode') -BundledModulesPath 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\modules' -EnableConsoleRepl -StartupBanner \"=====> PowerShell Integrated Console v2020.6.0 <=====
\" -LogLevel 'Normal' -LogPath 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\logs\1603817771-53060d3f-4aaa-471a-b244-75ec384fd3381603817770136\EditorServices.log' -SessionDetailsPath 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\sessions\PSES-VSCode-9564-717768' -FeatureFlags @() "

Note that there's a line break after -StartupBanner \"=====> PowerShell Integrated Console v2020.6.0 <===== and before \" -LogLevel 'Normal', which is very strange.

I can also see this line break when I run it without Raccine intercepting (uninstalled Raccine) but in this case the invocation doesn't fail.

OriginalFileName: PowerShell.EXE
CommandLine: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command "Import-Module 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\modules\PowerShellEditorServices\PowerShellEditorServices.psd1'; Start-EditorServices -HostName 'Visual Studio Code Host' -HostProfileId 'Microsoft.VSCode' -HostVersion '2020.6.0' -AdditionalModules @('PowerShellEditorServices.VSCode') -BundledModulesPath 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\modules' -EnableConsoleRepl -StartupBanner \"=====> PowerShell Integrated Console v2020.6.0 <=====
\" -LogLevel 'Normal' -LogPath 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\logs\1603818394-dddb2ceb-023c-4862-b7c2-d3695d91c4691603818393174\EditorServices.log' -SessionDetailsPath 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\sessions\PSES-VSCode-12880-355229' -FeatureFlags @() "

This seems to be something to report to the VSCode team as well. @JohnLaTwC

[JohnLaTwC]

Can you share the 4688 event for the powershell process in the case where raccine is installed?

[Neo23x0]

Here you go - the line break is exactly as it appears in the eventlog.

Process Information:
    New Process ID:     0x2b7c
    New Process Name:   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Token Elevation Type:   %%1938
    Mandatory Label:        Mandatory Label\Medium Mandatory Level
    Creator Process ID: 0x5308
    Creator Process Name:   C:\Program Files\Raccine\Raccine.exe
    Process Command Line:   C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Import-Module 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\modules\PowerShellEditorServices\PowerShellEditorServices.psd1'; Start-EditorServices -HostName 'Visual Studio Code Host' -HostProfileId 'Microsoft.VSCode' -HostVersion '2020.6.0' -AdditionalModules @('PowerShellEditorServices.VSCode') -BundledModulesPath 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\modules' -EnableConsoleRepl -StartupBanner "=====> PowerShell Integrated Console v2020.6.0 <=====
" -LogLevel 'Normal' -LogPath 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\logs\1603822235-155ded5b-78c1-49bf-ba2f-955970d83b161603822222793\EditorServices.log' -SessionDetailsPath 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\sessions\PSES-VSCode-24232-573280' -FeatureFlags @()  

[Neo23x0]

Ah, sorry - you asked for the log before that line. One moment. It includes the line break.

Process Information:
    New Process ID:     0x5308
    New Process Name:   C:\Program Files\Raccine\Raccine.exe
    Token Elevation Type:   %%1938
    Mandatory Label:        Mandatory Label\Medium Mandatory Level
    Creator Process ID: 0x5200
    Creator Process Name:   C:\Users\venom\AppData\Local\Programs\Microsoft VS Code\Code.exe
    Process Command Line:   "C:\Program Files\Raccine\Raccine.exe" C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command "Import-Module 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\modules\PowerShellEditorServices\PowerShellEditorServices.psd1'; Start-EditorServices -HostName 'Visual Studio Code Host' -HostProfileId 'Microsoft.VSCode' -HostVersion '2020.6.0' -AdditionalModules @('PowerShellEditorServices.VSCode') -BundledModulesPath 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\modules' -EnableConsoleRepl -StartupBanner \"=====> PowerShell Integrated Console v2020.6.0 <=====
\" -LogLevel 'Normal' -LogPath 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\logs\1603822235-155ded5b-78c1-49bf-ba2f-955970d83b161603822222793\EditorServices.log' -SessionDetailsPath 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\sessions\PSES-VSCode-24232-573280' -FeatureFlags @() "

The strange thing is, that I cannot see that line break in the XML view.

[Neo23x0]

I've been experimenting a bit with that command line. I tried to run it exactly as it is shown in the 4688 eventlog and got an error. The error seems to be related to the < symbol within the Startup banner in that expression.

[Neo23x0]

Well, with the latest changes in https://github.com/Neo23x0/Raccine/pull/79, it starts at least, although I don't know if it is fully functional.

Without Raccine:

With Raccine:

[JohnLaTwC]

I see VS Code launch powershell, but it does not have the command line you describe. Do you have a way to repro?

[Neo23x0]

Did you set the values to include all command line parameters?

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

Do you see that banner ====> Powershell Integrated Console ... in your lower console section in VSCode? That banner is passed via command line params. That's why I ask.

[JohnLaTwC]

yes it is:

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit ProcessCreationIncludeCmdLine_Enabled REG_DWORD 0x1

[JohnLaTwC]

With no raccine this is what I see:

[JohnLaTwC]

VSCode version info:

Version: 1.50.1 (user setup)
Commit: d2e414d9e4239a252d1ab117bd7067f125afd80a
Date: 2020-10-13T15:06:15.712Z (2 wks ago)
Electron: 9.2.1
Chrome: 83.0.4103.122
Node.js: 12.14.1
V8: 8.3.110.13-electron.0

[Neo23x0]

Strange ... I have this standard extension installed

Ah, maybe is caused by this dropdown - but I didn't select one of these consoles deliberately. There is "powershell" and "Powershell Integrated Console".

[Neo23x0]

Well, I don't see this as a no-go for a new version 1.1 BETA. I have written more robot tests and most of them work as expected in the Github workflows. They'll help us see missing blocks, suspended processes or similar issues directly in future pull requests.

[JohnLaTwC]

I found the extension. Now, I see it. Let me take a look.

[Neo23x0]

I'd say, it is a parser bug in the DLL that translates the EventData field into a valid Windows event message. It has a problem with the < character in the command line params and somehow inserts a new line character when parsing the XML structure.

I'd say that this is only indirectly a Raccine problem. There shouldn't be many new lines in command line parameter fields.

[JohnLaTwC]

Try the drop I just emailed you.

[Neo23x0]

🤔