Open pldmgg opened 6 years ago
This looks like a bug in the NTFSSecurity module. It looks like the author meant to add the aliases IdentityReference and ID, but instead added the alias (singular) "IdentityReference, ID" which is then causing the proxy creation to fail.
Just discovered the same thing happens with the PSPKI Module. In the end, after all of those errors related to aliases are thrown, only a handful of commands from either module are available:
PS C:\Users\zeroadmin> $(Get-Module NTFSSecurity).ExportedCommands
Key Value
--- -----
Clear-NTFSAccess Clear-NTFSAccess
Clear-NTFSAudit Clear-NTFSAudit
Copy-Item2 Copy-Item2
Disable-NTFSAccessInheritance Disable-NTFSAccessInheritance
Disable-NTFSAuditInheritance Disable-NTFSAuditInheritance
Disable-Privileges Disable-Privileges
Enable-NTFSAccessInheritance Enable-NTFSAccessInheritance
Enable-NTFSAuditInheritance Enable-NTFSAuditInheritance
Enable-Privileges Enable-Privileges
Get-ChildItem2 Get-ChildItem2
Get-DiskSpace Get-DiskSpace
Get-FileHash2 Get-FileHash2
Get-Item2 Get-Item2
Get-NTFSEffectiveAccess Get-NTFSEffectiveAccess
Get-NTFSHardLink Get-NTFSHardLink
Get-NTFSInheritance Get-NTFSInheritance
Get-NTFSOwner Get-NTFSOwner
Get-NTFSSecurityDescriptor Get-NTFSSecurityDescriptor
Get-Privileges Get-Privileges
Move-Item2 Move-Item2
New-NTFSHardLink New-NTFSHardLink
New-NTFSSymbolicLink New-NTFSSymbolicLink
Remove-Item2 Remove-Item2
Set-NTFSInheritance Set-NTFSInheritance
Set-NTFSOwner Set-NTFSOwner
Set-NTFSSecurityDescriptor Set-NTFSSecurityDescriptor
Test-Path2 Test-Path2
del2 del2
dir2 dir2
gi2 gi2
rm2 rm2
PS C:\Users\pddomain> $(Get-Module PSPKI).ExportedCommands
Key Value
--- -----
Add-AIA Add-AIA
Add-CAACL Add-CAACL
Add-CDP Add-CDP
Connect-CA Connect-CA
Convert-PemToPfx Convert-PemToPfx
Convert-PfxToPem Convert-PfxToPem
Disable-CRLFlag Disable-CRLFlag
Disable-KRAFlag Disable-KRAFlag
Enable-CRLFlag Enable-CRLFlag
Enable-KRAFlag Enable-KRAFlag
Get-AIA Get-AIA
Get-CA Get-CA
Get-CAACL Get-CAACL
Get-CDP Get-CDP
Get-CertificateContextProperty Get-CertificateContextProperty
Get-CertificateRequest Get-CertificateRequest
Get-CertificateRevocationList Get-CertificateRevocationList
Get-CertificateTrustList Get-CertificateTrustList
Get-CRLFlag Get-CRLFlag
Get-CryptographicServiceProvider Get-CryptographicServiceProvider
Get-EnrollmentPolicyServerClient Get-EnrollmentPolicyServerClient
Get-ErrorMessage Get-ErrorMessage
Get-KRAFlag Get-KRAFlag
Get-ObjectIdentifier Get-ObjectIdentifier
Get-ObjectIdentifierEx Get-ObjectIdentifierEx
New-SelfSignedCertificateEx New-SelfSignedCertificateEx
Ping-ICertInterface Ping-ICertInterface
Receive-Certificate Receive-Certificate
Register-ObjectIdentifier Register-ObjectIdentifier
Remove-AIA Remove-AIA
Remove-CAACL Remove-CAACL
Remove-CDP Remove-CDP
Remove-Request Remove-Request
Restore-CRLFlagDefault Restore-CRLFlagDefault
Restore-KRAFlagDefault Restore-KRAFlagDefault
Set-CAACL Set-CAACL
Set-CDP Set-CDP
Show-Certificate Show-Certificate
Show-CertificateRevocationList Show-CertificateRevocationList
Show-CertificateTrustList Show-CertificateTrustList
Start-PsFCIV Start-PsFCIV
Submit-CertificateRequest Submit-CertificateRequest
Test-WebServerSSL Test-WebServerSSL
Unregister-ObjectIdentifier Unregister-ObjectIdentifier
Get-CRL Get-CRL
Get-CTL Get-CTL
oid oid
oid2 oid2
Show-CRL Show-CRL
Show-CTL Show-CTL
Can we do an all-or-nothing failure for Import-WinModule? The fact that only some commands from a module get exported complicates things... it makes it harder to try/catch module import, etc.
The NTFSSecurity module definitely has a problem with bad aliases but I don't see any errors when I load pspki. Can you show us the errors you are getting? And wrt behaviour - would you rather have the import fail completely or import what it can and then throw an error? Or set $? == false.
@BrucePay I had a discussion with @pldmgg and he would like for it to fail completely (with cleanup probably), but, for my own desires I would like to be able to import what I can from modules that might have this kind of issue. I see value in providing both behaviors.
FWIW Import-WinModule NTFSSecurity -ErrorAction Stop does result in a single error and the module not being imported.
Also, from remoting proxy command creation in general... I'd like this to be configurable (separate issue for the PowerShell repo). Because a malformed alias should just be skipped in my opinion rather than being imported or resulting in a failure to import the command.
@markekraus After working with the Windows Compatibility Module for a few more days, I agree with what you wrote, i.e. "import what I can from modules" - especially if -ErrorAction Stop results in the Module not being imported.
Maybe we can have some warnings (as opposed to errors) about commands not exported or aliases that are an issue? And I guess best practice would be to double check that the cmdlets/functions you plan to use from a given module are actually available after import - which I think should just be a best practice in general.
Generally, warnings are a bad idea as they are not often captured like errors are from headless environments. I think Errors are appropriate.. they did fail to import, after all. That is an error condition IMO. If I tell a command to do something and it fails to do it that is an error. If I tell a command to do something and it thinks what I'm trying to do is a bad idea, that is a warning.
Instead of [Alias("IdentityReference, ID")], would this [Alias("IdentityReference", "ID")] be correct? I don't know much about C#, but if that's all it takes to correct that error in NTFSSecurity, I think I can manage to submit that PR.
Looking to figure out what the root cause is for this so that I can anticipate problems with other modules.
Using parameters -NoClobber and/or -Force yields same results.
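
Added example, not code from this thread or from the WindowsCompatibility project: one way to anticipate the malformed-alias problem in other modules and to confirm after import that the commands a script depends on were actually exported. The function names Find-SuspectParameterAlias and Import-WinModuleChecked are hypothetical; the first is assumed to run in a session where the module loads natively (for example Windows PowerShell), the second in the session that uses Import-WinModule.

```powershell
# Hypothetical helper: list parameter aliases that look like two aliases
# written as one string, e.g. [Alias("IdentityReference, ID")].
function Find-SuspectParameterAlias {
    param([Parameter(Mandatory)][string]$ModuleName)

    foreach ($cmd in Get-Command -Module $ModuleName -CommandType Cmdlet, Function) {
        if (-not $cmd.Parameters) { continue }   # metadata could not be resolved
        foreach ($param in $cmd.Parameters.Values) {
            foreach ($alias in $param.Aliases) {
                # A comma or whitespace inside a single alias name is the
                # pattern discussed in this issue.
                if ($alias -match '[,\s]') {
                    [pscustomobject]@{
                        Command   = $cmd.Name
                        Parameter = $param.Name
                        Alias     = $alias
                    }
                }
            }
        }
    }
}

# Hypothetical helper: import what can be imported, then fail with a single
# error if any command the caller needs is missing from the exported set.
function Import-WinModuleChecked {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$RequiredCommand
    )

    # Collect import errors instead of stopping on the first one.
    Import-WinModule $Name -ErrorAction SilentlyContinue -ErrorVariable importErrors

    $exported = @((Get-Module $Name).ExportedCommands.Keys)
    $missing  = @($RequiredCommand | Where-Object { $_ -notin $exported })

    if ($missing.Count -gt 0) {
        throw ("Import of '$Name' is incomplete; missing: $($missing -join ', ') " +
               "($($importErrors.Count) import error(s) recorded)")
    }
}

# Usage (module and command names taken from the output earlier in the thread):
#   Find-SuspectParameterAlias -ModuleName NTFSSecurity
#   Import-WinModuleChecked -Name NTFSSecurity -RequiredCommand Get-NTFSOwner, Set-NTFSOwner
```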