This repository has been archived by the owner on Jun 14, 2024. It is now read-only.

Script: Script code fails in first run with an exception. #177

Open
HenryHerman opened this issue Dec 30, 2019 · 0 comments
Labels
help wanted: The issue is up for grabs for anyone in the community.
needs investigation: The issue needs to be investigated by the maintainers or/and the community.

Comments

@HenryHerman

Details of the scenario you tried and the problem that is occurring

The code is necessary due to a missing permission (TrustedInstaller is the owner and SYSTEM has only read permission).
This code in a script resource fails at the first run (`Start-DscConfiguration -UseExisting -Wait -Verbose`) with access denied on `$key`. The second run works without issue. When not using a script resource, but an ordinary script block, this code works in the first run:
```powershell
$definition = @"
using System;
using System.Runtime.InteropServices;

namespace Win32Api
{
    public class NtDll
    {
        [DllImport("ntdll.dll", EntryPoint="RtlAdjustPrivilege")]
        public static extern int RtlAdjustPrivilege(ulong Privilege, bool Enable, bool CurrentThread, ref bool Enabled);
    }
}
"@

Add-Type -TypeDefinition $definition -PassThru | Out-Null

# Enable SeTakeOwnershipPrivilege
$bEnabled = $false
$res = [Win32Api.NtDll]::RtlAdjustPrivilege(9, $true, $false, [ref]$bEnabled)

# Create access rule with full control for SYSTEM
$idRef = [System.Security.Principal.NTAccount]("SYSTEM")
$regRights = [System.Security.AccessControl.RegistryRights]::FullControl
$inhFlags = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$prFlags = [System.Security.AccessControl.PropagationFlags]::None
$acType = [System.Security.AccessControl.AccessControlType]::Allow
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ($idRef, $regRights, $inhFlags, $prFlags, $acType)

# Set permission on registry key
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SOFTWARE\Classes\AppID\{3eb3c877-1f16-487c-9050-104dbcd66683}", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
```

Verbose logs showing the problem

```
'Exception: PowerShell DSC resource MSFT_ScriptResource  failed to execute Set-TargetResource functionality with error message: System.InvalidOperationException: The set script threw an error. ---> System.Management.Automation.MethodInvocationException: Exception calling "OpenSubKey" with "3" argument(s): "Requested registry access is not allowed." ---> System.Security.SecurityException: Requested registry access is not allowed.'
```

Suggested solution to the issue

The code should work in the first run with: `Start-DscConfiguration -UseExisting -Wait -Verbose`

The DSC configuration that is used to reproduce the issue (as detailed as possible)

powershell 5.1, Windows server 2019, Script resource from PSDResources ver. 2.12

The operating system the target node is running

```
OsName               : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OSArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}
```

Version and build of PowerShell the target node is running

```
PSVersion                      5.1.17763.771
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.771
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```

Version of the DSC module that was used ('dev' if using current dev branch)

2.12

PlagueHO added the help wanted and needs investigation labels on Jan 8, 2020
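
As an added example (not part of the report or of the module's code), a read-only check of the state the report describes: who owns the key and whether SYSTEM already has full control. The function name `Get-AppIdKeyAclState` is hypothetical; its result could back the `TestScript` of a Script resource so that the set script only runs when the permission is actually missing.

```powershell
# Added example; Get-AppIdKeyAclState is a hypothetical helper name.
function Get-AppIdKeyAclState {
    param(
        # Subkey of HKLM, taken from the report above.
        [string] $SubKey = 'SOFTWARE\Classes\AppID\{3eb3c877-1f16-487c-9050-104dbcd66683}'
    )

    $systemSid = 'S-1-5-18'   # well-known SID of LocalSystem
    $full      = [int][System.Security.AccessControl.RegistryRights]::FullControl
    $inhOnly   = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    # A read-only handle is enough to read the owner and the DACL,
    # so no privilege has to be enabled for this check.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $false)
    if ($null -eq $key) { throw "Registry key not found: HKLM\$SubKey" }
    try {
        $acl = $key.GetAccessControl()
    }
    finally {
        $key.Close()
    }

    # Allow ACEs for SYSTEM that apply to the key itself (not inherit-only ones).
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $systemSid -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        (([int]$_.PropagationFlags) -band $inhOnly) -eq 0
    }

    # Combine the rights of all matching ACEs. Generic rights are not expanded.
    $granted = 0
    foreach ($rule in $rules) { $granted = $granted -bor [int]$rule.RegistryRights }

    [pscustomobject]@{
        Owner         = $acl.GetOwner([System.Security.Principal.NTAccount]).Value
        RunningAs     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        SystemRights  = [System.Security.AccessControl.RegistryRights]$granted
        SystemHasFull = ($granted -band $full) -eq $full
    }
}

# Possible use as TestScript: (Get-AppIdKeyAclState).SystemHasFull
```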