Closed exploide closed 1 year ago
Does the error occur only once (or just a couple of times) during each check, or do you get a long list of errors? In the first case, there is probably an issue with a specific service that has an unrecognized (or null) type. In the second case, well, this would be a bit more problematic... :/
Thanks for the fast reply. The error occurs exactly once per check listed above (when running `Invoke-Privesccheck` with `-ErrorAction Continue`).
Ok, so I think my guess was correct. Do you think you would have time for a simple debug? It's totally ok if not, of course.
Here is the procedure, just in case.
1. `02_Helpers.ps1`, edit the code of `Get-ServiceList` as follows.
2. `Build.ps1`, to generate an updated version of `PrivescCheck.ps1`.
3. `Get-ServiceList` in verbose mode: `Get-ServiceList -Verbose` (no need to run the script entirely).

```powershell
try {
    $TypeMask = $ServiceTypeEnum::Win32OwnProcess -bor $ServiceTypeEnum::Win32ShareProcess -bor $ServiceTypeEnum::InteractiveProcess
    if (($ServiceItem.Type -band $TypeMask) -gt 0) {
        # FilterLevel = 2 - Add the service to the list if it's not a driver
        if ($FilterLevel -le 2) { $ServiceItem; continue }
        if (-not (Test-IsKnownService -Service $ServiceItem)) {
            # FilterLevel = 3 - Add the service if it's not a built-in Windows service
            if ($FilterLevel -le 3) { $ServiceItem; continue }
        }
    }
} catch {
    Write-Verbose $ServiceItem.Name
}
```
I needed to supply 3 as the filter level value, and now it hit something:
VERBOSE: WindowsAzureTelemetryService
Nice, thank you. Yes, I forgot about the filter level, sorry.
Is it possible to get the service's detail from the registry?
The path should be `HKLM\SYSTEM\CurrentControlSet\Services\WindowsAzureTelemetryService`.
My work day is over now, but I might get a chance to access the system on Monday again. I'll try to collect the information.
It seems there aren't many registry entries within that service. This is all:
Ok, I see.... All the usual service settings are missing, so the Type is null, hence the cast error. This was my initial guess. It's really weird, first time I see this. :thinking: Anyway, thank you very much for taking the time to check. :) The fix will be pretty simple.
Services without an explicit type are now ignored.
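A read-only way to find the registry condition identified above (a service key with no `Type` value), as an added example that is not part of this thread or of PrivescCheck. The function name `Get-ServiceRegistryType` and its output fields are hypothetical, the flag values are the standard Windows `SERVICE_*` type constants, and PowerShell 3 or later is assumed.

```powershell
# Added example (not from the thread): report service keys whose 'Type'
# value is missing or is not a DWORD. Read-only.
function Get-ServiceRegistryType {
    param(
        [string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    )

    # Standard Windows service type bit flags (SERVICE_* constants).
    $TypeFlags = [ordered]@{
        KernelDriver       = 0x001
        FileSystemDriver   = 0x002
        Adapter            = 0x004
        RecognizerDriver   = 0x008
        Win32OwnProcess    = 0x010
        Win32ShareProcess  = 0x020
        InteractiveProcess = 0x100
    }

    foreach ($Key in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        # RegistryKey.GetValue returns the default ($null) when the value is
        # absent, so nothing throws and no enum cast is attempted.
        $Type = $Key.GetValue('Type', $null)

        if ($null -eq $Type) {
            $Status = 'MissingType'; $Decoded = @()
        } elseif ($Type -isnot [int]) {
            $Status = 'NotDword'; $Decoded = @()
        } else {
            $Status = 'Ok'
            $Decoded = @($TypeFlags.GetEnumerator() |
                Where-Object { $Type -band $_.Value } |
                ForEach-Object { $_.Key })
        }

        [pscustomobject]@{
            Name       = $Key.PSChildName
            Status     = $Status
            Type       = $Type
            TypeNames  = $Decoded -join ', '
            ValueNames = $Key.GetValueNames() -join ', '
        }
    }
}

# Show only the keys where 'Type' is absent or is not a DWORD.
Get-ServiceRegistryType |
    Where-Object { $_.Status -ne 'Ok' } |
    Format-Table Name, Status, ValueNames -AutoSize
```

The `ValueNames` column lists whatever values the key does contain, which makes a sparse key like the one reported here easy to spot.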
I got some of the following errors on a Microsoft Windows Server 2019 Datacenter.
This happens during multiple checks:
Running as admin doesn't change this. I tried adding `-Verbose` but no interesting information was shown to narrow down the issue.
Does this make sense for you? I probably have access to this particular system for only one day. So if this isn't enough information, we may close this until it is clearly reproducible. But feel free to tell me which information might be helpful.