raandree / NTFSSecurity

Managing permissions with PowerShell is only a bit easier than in VBS or the command line as there are no cmdlets for most day-to-day tasks like getting a permission report or adding permission to an item. PowerShell only offers Get-Acl and Set-Acl but everything in between getting and setting the ACL is missing. This module closes the gap.
MIT License

Problem with Get-NTFSEffectiveAccess after KB5026370 (Windows Server 2022) #85

Closed FluffyBeaver closed 1 year ago

FluffyBeaver commented 1 year ago

Description

The Get-NTFSEffectiveAccess cmdlet seems to be broken after the KB5026370 update. It worked fine before the update and works fine when this update is uninstalled.

Steps to reproduce

I used 'NT AUTHORITY\SYSTEM' just as an example. You can use any other account.

Import-Module -Name 'NTFSSecurity'

Remove-Item -Path 'C:\tmp\' -Force -Recurse
New-Item -Path 'C:\tmp' -ItemType Directory
$Path = 'C:\tmp\'
$Account = 'S-1-5-18'

Get-NTFSEffectiveAccess -Path $Path -Account $Account -Verbose

Expected behavior

Output like this:

VERBOSE: EnablePrivileges enabled in PrivateDate

    Path: C:\tmp (Inheritance disabled)

Account                             Access Rights                        Applies to                Type                                 IsInherited                          InheritedFrom
-------                             -------------                        ----------                ----                                 -----------                          -------------
NT AUTHORITY\SYSTEM                 FullControl                          ThisFolderOnly            Allow                                False
VERBOSE: EnablePrivileges enabled in PrivateDate
VERBOSE: Disabeling all 0 enabled privileges...
VERBOSE: ...finished

Actual behavior

It is just sticking like that:

PS C:\> Get-NTFSEffectiveAccess -Path $Path -Account $Account -Verbose
VERBOSE: EnablePrivileges enabled in PrivateDate

I waited about 8 hours - nothing happened. PowerShell fully utilizes one CPU core during this process.

If I run it with the -Debug parameter, it goes until "DEBUG: The privilege Security is disabled...":

PS C:\Windows\system32> Get-NTFSEffectiveAccess -Path $Path -Account $Account -Debug
VERBOSE: EnablePrivileges enabled in PrivateDate

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): A
DEBUG: The privilege TakeOwnership is disabled...

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: ..enabled

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: The privilege Restore is disabled...

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: ..enabled

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: The privilege Backup is disabled...

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: ..enabled

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: The privilege Security is disabled...

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: ..enabled

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y

Environment data


PS C:\> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.20348.1366
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.1366
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

PS C:\> Get-Module -Name 'NTFSSecurity'

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     4.2.6      NTFSSecurity                        {Add-NTFSAccess, Add-NTFSAudit, Clear-NTFSAccess, Clear-NT...

andreashaerter commented 1 year ago

I guess this is not related to Get-NTFSEffectiveAccess but the Windows Update itself (also on Win11 and Windows Explorer), cf.

KB5027303 seems to fix this.

FluffyBeaver commented 1 year ago

@andreashaerter, thank you.
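
The hang reported above can stall an unattended permission audit for hours, so the following added example (not code from the NTFSSecurity project or from the thread participants) runs the same call in a background job with a time limit and records whether the two KBs named in the thread are installed. The function name `Invoke-EffectiveAccessWithTimeout` and the default timeout are assumptions made for this illustration.

```powershell
# Added example; Invoke-EffectiveAccessWithTimeout is a hypothetical helper name.
function Invoke-EffectiveAccessWithTimeout {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Account,
        [int] $TimeoutSeconds = 60   # assumed budget, tune for your environment
    )

    # Record the state of the two updates named in the thread.
    # Get-HotFix only reports updates the OS lists as installed hotfixes.
    $hotfixes = 'KB5026370', 'KB5027303' | ForEach-Object {
        [pscustomobject]@{
            Id        = $_
            Installed = [bool](Get-HotFix -Id $_ -ErrorAction SilentlyContinue)
        }
    }

    # Run the cmdlet in a separate job process so a spinning call
    # cannot block the calling script.
    $job = Start-Job -ScriptBlock {
        param($p, $a)
        Import-Module -Name 'NTFSSecurity'
        Get-NTFSEffectiveAccess -Path $p -Account $a
    } -ArgumentList $Path, $Account

    try {
        # Wait-Job returns the job only if it finished within the timeout.
        if (Wait-Job -Job $job -Timeout $TimeoutSeconds) {
            $access = Receive-Job -Job $job -ErrorAction Stop
            [pscustomobject]@{ TimedOut = $false; Hotfixes = $hotfixes; Access = $access }
        }
        else {
            [pscustomobject]@{ TimedOut = $true; Hotfixes = $hotfixes; Access = $null }
        }
    }
    finally {
        # -Force also removes a job that is still running.
        Remove-Job -Job $job -Force
    }
}

# Same path and account as in the reproduction steps.
Invoke-EffectiveAccessWithTimeout -Path 'C:\tmp' -Account 'S-1-5-18' -TimeoutSeconds 30
```

A result with `TimedOut = $true` on a host where KB5026370 is installed matches the behavior described in this issue; the `Access` objects come back deserialized from the job, so treat them as report data only.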