Open UnXQglez opened 2 years ago
Running Main.ps1 -Verbose
gives this feedback in the log:
------------------------------------
[2023-03-13 04:36:57] [INFO] Start Step Registry Permissions
[2023-03-13 04:36:57] [INFO] Start validating Registry Permissions
[2023-03-13 04:36:57] [VERBOSE] Get Name value for SID: S-1-5-32-544
[2023-03-13 04:36:57] [VERBOSE] SID name is: BUILTIN\Administrators
[2023-03-13 04:36:57] [DEBUG] Check user permissions: 'FullControl' on path: 'HKLM:\System\CurrentControlSet\Control\SecurePipeServers\Winreg' to user\group: 'BUILTIN\Administrators'
[2023-03-13 04:36:57] [VERBOSE] Current permissions on path: 'HKLM:\System\CurrentControlSet\Control\SecurePipeServers\Winreg':
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg
Owner : NT AUTHORITY\SYSTEM
Group : NT AUTHORITY\SYSTEM
Access : CREATOR OWNER Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
Audit :
Sddl : O:SYG:SYD:PAI(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KA;;;BA)
[2023-03-13 04:36:57] [INFO] Finish validating Registry Permissions
[2023-03-13 04:36:57] [INFO] Finished Step Registry Permissions
[2023-03-13 04:36:57] [DEBUG] Registry Permissions (Warning)
So the script is not able to check it the right way. It still gives the warning from UnXQglez's comment.
Summary
When executing the script in PVWA, one of the warnings you can get is: PVWA Warning BUILTIN\Administrators does not have required rights (Allow - FullControl) to HKLM:\System\CurrentControlSet\Control\SecurePipeServers\Winreg
Steps to Reproduce
It appears to be a "false positive". It is not possible to add the "builtin\administrator" group to give permissions on this registry key.
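The log above shows the check the script performs: resolve the SID S-1-5-32-544 to BUILTIN\Administrators, then look for an Allow FullControl entry for that principal on the Winreg key. The following is an added example of how such a check can be written so that it compares ACEs by SID rather than by display name and accepts either KEY_ALL_ACCESS or GENERIC_ALL as full control. It is not code from the issue or from the project's Main.ps1 (whose actual comparison logic is not shown on this page), and the function name Test-RegistryKeyRight and its parameters are assumptions.

```powershell
# Added example, not the project's code: verify that a principal (given as a SID) holds the
# required rights on a registry key. Comparing by SID avoids mismatches caused by localized
# or differently cased group names; GENERIC_ALL is treated as equivalent to FullControl.
function Test-RegistryKeyRight {
    param(
        # Example input, as seen in the issue's log
        [Parameter(Mandatory)] [string] $Path = 'HKLM:\System\CurrentControlSet\Control\SecurePipeServers\Winreg',
        [Parameter(Mandatory)] [string] $Sid  = 'S-1-5-32-544',   # BUILTIN\Administrators
        [System.Security.AccessControl.RegistryRights] $RequiredRights = 'FullControl'
    )

    $acl = Get-Acl -Path $Path

    # Request the rules with SecurityIdentifier identities so the match is independent of the name
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $genericAll = 0x10000000   # GENERIC_ALL, which some ACEs carry instead of KEY_ALL_ACCESS
    $required   = [int]$RequiredRights

    $matching = $rules | Where-Object {
        $_.IdentityReference.Value -eq $Sid -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        (
            (([int]$_.RegistryRights -band $required) -eq $required) -or
            (([int]$_.RegistryRights -band $genericAll) -ne 0)
        )
    }

    $name = (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate(
                [System.Security.Principal.NTAccount]).Value

    [pscustomobject]@{
        Path          = $Path
        Principal     = $name
        Sid           = $Sid
        Required      = $RequiredRights
        HasRight      = [bool]$matching
        # Useful when diagnosing a reported "missing" right: the ACE may be inherited
        # or carry GENERIC_ALL rather than the literal FullControl value.
        MatchingAces  = @($matching | ForEach-Object {
            '{0} {1} (inherited={2})' -f $_.RegistryRights, $_.AccessControlType, $_.IsInherited
        })
    }
}

# Usage: run from an elevated session, since only SYSTEM, Administrators and the key owner
# can read this key's DACL.
Test-RegistryKeyRight -Path 'HKLM:\System\CurrentControlSet\Control\SecurePipeServers\Winreg' -Sid 'S-1-5-32-544'
```

For the SDDL shown in the log, O:SYG:SYD:PAI(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KA;;;BA), the entry (A;CI;KA;;;BA) is an Allow ACE granting KEY_ALL_ACCESS to BUILTIN\Administrators, so this check returns HasRight = True for that key. Reporting the matched ACEs alongside the verdict makes it possible to see why a validator and the actual DACL disagree, instead of only getting the warning text.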