PowerShell / PSDscResources

MIT License

Script: Script code fails in first run with an exception. #177

Open HenryHerman opened 4 years ago

HenryHerman commented 4 years ago

Details of the scenario you tried and the problem that is occurring

Code is necessary due to missing permission (Trusted installer is owner and SYSTEM has only read permission).
This code in a script resource fails at the first run (Start-DscConfiguration -UseExisting -Wait -Verbose) with access denied on $key. Second run works without issue.
When not using a script resource, but an ordinary script block, this code works in first run:

-------------------- Code -------------------------------------------------------

        $definition = @"
        using System;
        using System.Runtime.InteropServices;

        namespace Win32Api
        {

            public class NtDll
            {
            [DllImport("ntdll.dll", EntryPoint="RtlAdjustPrivilege")]
            public static extern int RtlAdjustPrivilege(ulong Privilege, bool Enable, bool CurrentThread, ref bool Enabled);
            }
        }

"@

        Add-Type -TypeDefinition $definition -PassThru | Out-Null

        # Enable SeTakeOwnershipPrivilege
        $bEnabled = $false
        $res = [Win32Api.NtDll]::RtlAdjustPrivilege(9, $true, $false, [ref]$bEnabled)

        # Create Accessrule with full control for SYSTEM
        $idRef = [System.Security.Principal.NTAccount]("SYSTEM")
        $regRights = [System.Security.AccessControl.RegistryRights]::FullControl
        $inhFlags = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
        $prFlags = [System.Security.AccessControl.PropagationFlags]::None
        $acType = [System.Security.AccessControl.AccessControlType]::Allow
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule ($idRef, $regRights, $inhFlags, $prFlags, $acType)

        # Set permission on registry key  
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SOFTWARE\Classes\AppID\{3eb3c877-1f16-487c-9050-104dbcd66683}",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)

--------------- End of Code ------------------------------------------------------------

Verbose logs showing the problem

        'Exception: PowerShell DSC resource MSFT_ScriptResource  failed to execute Set-TargetResource functionality with error message: System.InvalidOperationException: The set script threw an error. ---> System.Management.Automation.MethodInvocationException: Exception calling "OpenSubKey" with "3" argument(s): "Requested registry access is not allowed." ---> System.Security.SecurityException: Requested registry access is not allowed.'

Suggested solution to the issue

Code should work in first run with: Start-DscConfiguration -UseExisting -Wait -Verbose

The DSC configuration that is used to reproduce the issue (as detailed as possible)


PowerShell 5.1, Windows Server 2019, Script resource from PSDscResources ver. 2.12

The operating system the target node is running

    OsName:               Microsoft Windows Server 2019 Standard
    OsOperatingSystemSKU: StandardServerEdition
    OSArchitecture:       64-bit
    WindowsVersion:       1809
    WindowsBuildLabEx:    17763.1.amd64fre.rs5_release.180914-1434
    OsLanguage:           en-US
    OsMuiLanguages:       {en-US}

Version and build of PowerShell the target node is running

    PSVersion                      5.1.17763.771
    PSEdition                      Desktop
    PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
    BuildVersion                   10.0.17763.771
    CLRVersion                     4.0.30319.42000
    WSManStackVersion              3.0
    PSRemotingProtocolVersion      2.3
    SerializationVersion           1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)
2.12
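
A diagnostic for narrowing down the first-run failure reported above, as an added example that is not part of the original issue or of the PSDscResources project. It records the values the posted code discards (the NTSTATUS returned by `RtlAdjustPrivilege` and the previous privilege state) together with the token context and the key's current owner and SYSTEM entries; the names `DiagApi.NtDll` and `Get-TakeOwnershipDiagnostic` are hypothetical.

```powershell
# Added diagnostic; DiagApi.NtDll and Get-TakeOwnershipDiagnostic are hypothetical names.
$definition = @"
using System.Runtime.InteropServices;
namespace DiagApi
{
    public class NtDll
    {
        // NTSTATUS RtlAdjustPrivilege(ULONG, BOOLEAN, BOOLEAN, PBOOLEAN)
        [DllImport("ntdll.dll")]
        public static extern int RtlAdjustPrivilege(
            uint Privilege,
            [MarshalAs(UnmanagedType.U1)] bool Enable,
            [MarshalAs(UnmanagedType.U1)] bool CurrentThread,
            [MarshalAs(UnmanagedType.U1)] out bool WasEnabled);
    }
}
"@
if (-not ('DiagApi.NtDll' -as [type])) { Add-Type -TypeDefinition $definition }

function Get-TakeOwnershipDiagnostic {
    param([Parameter(Mandatory)][string]$SubKeyPath)

    # $null unless the calling thread carries its own (impersonation) token.
    $threadIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent($true)

    # 9 = SeTakeOwnershipPrivilege, $false = process token, as in the post.
    # Note: like the post's code, this enables the privilege as a side effect.
    $wasEnabled = $false
    $status = [DiagApi.NtDll]::RtlAdjustPrivilege(9, $true, $false, [ref]$wasEnabled)

    # Read-only open: only ReadPermissions is requested, the key is not modified.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKeyPath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::Default,
        [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    if ($null -eq $key) { throw "Registry key not found: HKLM\$SubKeyPath" }
    try {
        $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]'Owner, Access')
        $systemAces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference.Value -eq 'S-1-5-18' } |   # LocalSystem
            ForEach-Object { '{0}:{1}' -f $_.AccessControlType, $_.RegistryRights }
        [pscustomobject]@{
            EffectiveIdentity   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
            ThreadImpersonating = [bool]$threadIdentity
            AdjustNtStatus      = '0x{0:X8}' -f $status   # 0x00000000 = STATUS_SUCCESS
            PrivilegeWasEnabled = $wasEnabled
            KeyOwner            = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
            SystemAces          = $systemAces -join '; '
        }
    } finally { $key.Close() }
}
```

Define and call it at the top of the Script resource's SetScript and pipe the result through `Format-List | Out-String | Write-Verbose`, so the values from the first and second `Start-DscConfiguration` run appear in the `-Verbose` output and can be compared with a run from an ordinary script block.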