
PowerShell Script Successful but not working

I have set up a Script to run a PowerShell Script to fix an Unquoted Windows Service Path vulnerability.  I have run the .ps1 script manually and I know it does what it needs to.  I have set up the following in my K1000 system Script area:

The Entire Parameters Section is:  -nologo -executionpolicy bypass -WindowStyle hidden -file $(KACE_DEPENDENCY_DIR)\Windows_Path_Enumerate.ps1


I will run it against a machine or two for testing, and the results will be Successful (I have masked the Domain and User):


Output Log

Running with credntials provided: domain [xxxxx] user [xxxxx]
Launched Process: powershell.exe

Activity Log

verify - on_verify_success
verify - on_verify_failure
verify - launch_program
Launching program: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' '-nologo -executionpolicy bypass -WindowStyle hidden -file C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\95\Windows_Path_Enumerate.ps1' wait='false'

Debug Log

Running kbot: runkbot 95 1551803362
KBotScript::LogScriptInfo - Start
id=95 name=Copy of Windows Enumerate version=1551803362 type=policy
execute disconnected=false logged_off=true
execute events
KBotScript::LogScriptInfo - Finish
KBotScript::LogScriptInfo - Start
id=95 name=Copy of Windows Enumerate version=1551803362 type=policy
execute disconnected=false logged_off=true
execute events
KBotScript::LogScriptInfo - Finish
KBotScriptManager::CleanupDependencies - clean up dependencies in kbot directory C:\ProgramData\Dell\KACE\kbots_cache\\packages\kbots\95\
CleanupDependencies: file Windows_Path_Enumerate.ps1 is part of the dependency list, keep the file
runkbot    ----- launching [path='C:\Windows\System32\WindowsPowerShell\v1.0' program='powershell.exe' parms='-nologo -executionpolicy bypass -WindowStyle hidden -file C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\95\Windows_Path_Enumerate.ps1' wait='false'] -----
runkbot    ----- completed [exitCode=0] -----

However, when I check the registry of the machine I've run this on, it is still unquoted, hence the vulnerability remains.  If I run it manually on the PC, it works.  I have 200 PCs I need to do this on, so it would be a blessing if I can get this to work.  It seems it is not taking the ExecutionPolicy setting, but it is not failing, so I can't be sure.  Does anyone have any ideas about how to get this to work?  Thanks for any help anyone can provide



Answers (1)

Posted by: SMal.tmcc 5 years ago
Red Belt
3

You are running into the 32 bit client restrictions.  I bet the change is going to wow6432node keys under the HKLM\software\ instead of in HKLM\software.

Nate shared this PS code on Kace slack with everyone

# Relaunch in x64 powershell if not already
if ($PSHOME -like "*syswow64*") {
    Write-Output 'Relaunching as x64'
    & (Join-Path ($PSHOME -replace 'syswow64', 'sysnative') powershell.exe) `
        -File $Script:MyInvocation.MyCommand.Path `
        @args
    Exit
}



Comments:
  • https://gist.github.com/ArtisanByteCrafter/91167d5178a13f7c038236a5d7881ca7 - SMal.tmcc 5 years ago
    • Thank you for the reply. The problem is, these are 32-Bit OS machines. When I added the lines to switch to 64 Bit, it threw an error. Once I removed the lines, it worked properly - Thutter 5 years ago
      • My bad, assumed 64-bit. Have not been around a 32-bit machine in years - SMal.tmcc 5 years ago
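
The KACE run above launches PowerShell hidden and reports only an exit code, so the following added example (not part of the thread, and not the `Windows_Path_Enumerate.ps1` script) shows one way to verify the result on the endpoint: it records the PowerShell bitness and lists services whose `ImagePath` is still unquoted. The function name `Test-UnquotedServicePath`, the log file name and the sample values are assumptions made for illustration.

```powershell
# Added example: audit for unquoted service paths after a remediation run.
function Test-UnquotedServicePath {
    param([string]$ImagePath)
    if (-not $ImagePath -or -not $ImagePath.Trim()) { return $false }
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { return $false }            # already quoted
    # Executable path = everything up to the first ".exe"; drivers (.sys) are skipped.
    if ($p -notmatch '^(.+?\.exe)\b') { return $false }
    return $Matches[1].Contains(' ')                     # space in an unquoted path
}

# Constructed sample values (not taken from any real machine).
$samples = @(
    'C:\Program Files\Vendor App\svc.exe -k run',        # True: unquoted, has spaces
    '"C:\Program Files\Vendor App\svc.exe" -k run',      # False: quoted
    'C:\Windows\system32\svchost.exe -k netsvcs',        # False: no space in path
    '\SystemRoot\System32\drivers\example.sys'           # False: not an .exe
)
foreach ($s in $samples) { '{0,-5} {1}' -f (Test-UnquotedServicePath $s), $s }

# On the endpoint: write findings to a log so a hidden run leaves evidence behind.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
if (Test-Path $servicesKey) {
    $log = Join-Path $env:TEMP 'UnquotedServicePath_audit.log'   # hypothetical location
    "PSHOME=$PSHOME  64-bit process=$([IntPtr]::Size -eq 8)" | Out-File $log
    Get-ChildItem $servicesKey | ForEach-Object {
        $ip = (Get-ItemProperty -Path $_.PSPath -Name ImagePath `
                   -ErrorAction SilentlyContinue).ImagePath
        if (Test-UnquotedServicePath $ip) {
            "UNQUOTED $($_.PSChildName): $ip" | Out-File $log -Append
        }
    }
}
```

Running it before and after the remediation script, under the same account the KACE script uses, shows whether any `ImagePath` values actually changed.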
 