Finding Service Privileges

Get-Service can provide basic information about Windows services but won’t list the required privileges. Here is a small PowerShell function that accepts a service name and returns the service privileges:

function Get-ServicePrivilege
{
    
    param
    (
        [Parameter(Mandatory)]
        [string]
        $ServiceName
    )
    
    # find the service
    $Service = @(Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)
    # bail out if there is no such service
    if ($Service.Count -ne 1) 
    { 
        Write-Warning "$ServiceName unknown."
        return
    }
    
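    # read the service privileges from registry
    $Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\' + $Service.Name
    # RequiredPrivileges is optional; suppress the error when a service does not define it
    $Privs = Get-ItemProperty -Path $Path -Name RequiredPrivileges -ErrorAction SilentlyContinue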

    # output in custom object
    [PSCustomObject]@{
        ServiceName = $Service.Name
        DisplayName = $Service.DisplayName
        Privileges = $privs.RequiredPrivileges
    }
}
 
PS C:\> Get-ServicePrivilege spooler

ServiceName DisplayName        Privileges                                                                            
----------- -----------        ----------                                                                            
spooler     Druckwarteschlange {SeTcbPrivilege, SeImpersonatePrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege...}



PS C:\> Get-ServicePrivilege XboxGipSvc

ServiceName DisplayName                       Privileges                                                                                
----------- -----------                       ----------                                                                                
XboxGipSvc  Xbox Accessory Management Service {SeTcbPrivilege, SeImpersonatePrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege} 
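
The same registry lookup extended to every Win32 service, as an added example that is not part of the original tip. It goes beyond the single-service case to show which services declare no RequiredPrivileges value at all; the SCM leaves such a service with every privilege its account token carries. The function name Get-ServicePrivilegeReport and the $Sensitive review list are choices made for this example.

```powershell
function Get-ServicePrivilegeReport
{
    param
    (
        # illustrative review list chosen for this example, not an official classification
        [string[]]
        $Sensitive = @('SeTcbPrivilege', 'SeDebugPrivilege', 'SeImpersonatePrivilege',
                       'SeAssignPrimaryTokenPrivilege', 'SeLoadDriverPrivilege',
                       'SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege')
    )

    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # Win32_Service also exposes the logon account (StartName), which Get-Service lacks
    foreach ($svc in Get-CimInstance -ClassName Win32_Service)
    {
        $key = Join-Path -Path $root -ChildPath $svc.Name

        # RequiredPrivileges is an optional REG_MULTI_SZ value; a missing value is not an error
        $value = Get-ItemProperty -LiteralPath $key -Name RequiredPrivileges -ErrorAction SilentlyContinue
        $privs = @($value.RequiredPrivileges | Where-Object { $_ })

        [PSCustomObject]@{
            ServiceName = $svc.Name
            Account     = $svc.StartName
            State       = $svc.State
            Restricted  = $privs.Count -gt 0
            Sensitive   = @($privs | Where-Object { $_ -in $Sensitive }) -join ', '
            Privileges  = $privs
        }
    }
}

$report = Get-ServicePrivilegeReport

# services running as LocalSystem without any declared privilege list
$report |
    Where-Object { -not $_.Restricted -and $_.Account -eq 'LocalSystem' } |
    Sort-Object -Property ServiceName |
    Format-Table -Property ServiceName, Account, State

# how many services request each privilege
$report.Privileges | Group-Object -NoElement | Sort-Object -Property Count -Descending
```

Services in the first table are candidates for a least-privilege review, since nothing is removed from their token at start.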
 

psconf.eu – PowerShell Conference EU 2019 – June 4-7, Hannover, Germany – visit www.psconf.eu. There aren’t too many trainings around for experienced PowerShell scripters where you really still learn something new. But there’s one place you don’t want to miss: PowerShell Conference EU – with 40 renowned international speakers including PowerShell team members and MVPs, plus 350 professional and creative PowerShell scripters. Registration is open at www.psconf.eu, and the full 3-track, 4-day agenda becomes available soon. Once a year it’s just a smart move to come together, update know-how, learn about security and mitigations, and bring home fresh ideas and authoritative guidance. We’d sure love to see and hear from you!


Using Variable Breakpoints (Part 2)

In the previous tip we examined Set-PSBreakpoint to create dynamic variable breakpoints in PowerShell. We showed how a breakpoint can trigger when a variable changes.

However, what if you want to monitor the change of object properties? Let’s assume you want to monitor the size of an array, and break into the debugger when it grows too large.

In this scenario, the PowerShell variable never changes. It is the object inside the variable that changes. Which is why you need a “Read” mode breakpoint rather than a “Write” mode breakpoint:

# break when $array’s length is greater than 10
Set-PSBreakpoint -Variable array -Action { if ($array.Length -gt 10) { break }} -Mode Read -Script $PSCommandPath

$array = @()
do
{
    $number = Get-Random -Minimum -20 -Maximum 20
    "Adding $number to $($array.count) elements"
    $array += $number
    
} while ($true)

This script breaks into the debugger once the array in $array has more than 10 elements. Don’t forget to press SHIFT+F5 to exit the debugger.



Using Variable Breakpoints (Part 1)

For debugging, variable breakpoints can be of invaluable help. They break into the debugger once a variable changes. If you know that a variable hits a certain value (or a NULL value) when bad things happen, you can make sure the debugger kicks in just then.

The example below illustrates how to use variable breakpoints. It is best to define them at the top of your script because that way you can use $PSCommandPath to find out the actual script file path that is required for breakpoints to work:

# initialize variable breakpoints (once)
# break when $a is greater than 10
Set-PSBreakpoint -Variable a -Action { if ($a -gt 10) { break }} -Mode Write -Script $PSCommandPath

# run the code to debug
do
{
    $a = Get-Random -Minimum -20 -Maximum 20
    "Drawing: $a"
} while ($true)

Make sure you save the code to a script file before you execute it: debugging always requires a physical file.

As you’ll see, the debugger kicks in whenever $a receives a value greater than 10. You can continue with the command “exit”, view all debugger options with “?”, and stop by pressing SHIFT+F4.

To remove all breakpoints, run this:

 
PS C:\> Get-PSBreakpoint | Remove-PSBreakpoint
 


Hiding Properties in Return Results

By default, PowerShell shrink-fits most objects and shows only the most important properties:

 
PS C:\> Get-WmiObject -Class Win32_BIOS


SMBIOSBIOSVersion : 1.9.0
Manufacturer      : Dell Inc.
Name              : 1.9.0
SerialNumber      : DLGQD72
Version           : DELL   - 1072009
 

To see the real information, users would need to use Select-Object and request all information explicitly:

 
PS C:\> Get-WmiObject -Class Win32_BIOS | Select-Object -Property *


PSComputerName                 : DESKTOP-7AAMJLF
Status                         : OK
Name                           : 1.9.0
Caption                        : 1.9.0
SMBIOSPresent                  : True
__GENUS                        : 2
__CLASS                        : Win32_BIOS
__SUPERCLASS                   : CIM_BIOSElement
__DYNASTY                      : CIM_ManagedSystemElement
__RELPATH                      : Win32_BIOS.Name="1.9.0",SoftwareElementID="1.9.0",SoftwareElementState=3,TargetOperatingSystem=0,Version="DELL   - 1072009"
__PROPERTY_COUNT               : 31
__DERIVATION                   : {CIM_BIOSElement, CIM_SoftwareElement, CIM_LogicalElement, CIM_ManagedSystemElement}
__SERVER                       : DESKTOP-7AAMJLF
__NAMESPACE                    : root\cimv2
__PATH                         : \\DESKTOP-7AAMJLF\root\cimv2:Win32_BIOS.Name="1.9.0",SoftwareElementID="1.9.0",SoftwareElementState=3,TargetOperatingSystem=0,Version="D
                                 ELL   - 1072009"
BiosCharacteristics            : {7, 9, 11, 12...}
BIOSVersion                    : {DELL   - 1072009, 1.9.0, American Megatrends - 5000B}
BuildNumber                    : 
CodeSet                        : 
…
ClassPath                      : \\DESKTOP-7AAMJLF\root\cimv2:Win32_BIOS
Properties                     : {BiosCharacteristics, BIOSVersion, BuildNumber, Caption...}
SystemProperties               : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY...}
Qualifiers                     : {dynamic, Locale, provider, UUID}
Site                           : 
Container                      : 
 

How can you achieve the same when you write your own PowerShell functions and return your own custom objects?

Simply tell PowerShell the names of the most important properties that should be visible by default. Below is an example. The function Get-Info creates a custom object with five properties. Before the function returns this object, it tags the object with some PowerShell wizardry and lists the default properties:

function Get-Info
{
  
  # prepare the object returned by the function
  $result = [PSCustomObject]@{
    Name = $env:username
    Date = Get-Date
    BIOS = Get-WmiObject -Class Win32_BIOS | Select-Object -ExpandProperty SMBIOSBIOSVersion
    Computername = $env:COMPUTERNAME
    Random = Get-Date
  }
  
  #region Define the VISIBLE properties
  # this is the list of properties visible by default
  [string[]]$visible = 'Name','BIOS','Random'
  $typ = 'DefaultDisplayPropertySet'
  [Management.Automation.PSMemberInfo[]]$info =
  New-Object System.Management.Automation.PSPropertySet($typ,$visible)
  
  # add the information about the visible properties to the return value
  Add-Member -MemberType MemberSet -Name PSStandardMembers -Value $info -InputObject $result
  #endregion


  # return the result object
  return $result
}

This is the result:

 
PS C:\> Get-Info

Name  BIOS  Random             
----  ----  ------             
tobwe 1.9.0 01.04.2019 19:32:44



PS C:\> Get-Info | Select-Object -Property *


Name         : tobwe
Date         : 01.04.2019 19:32:50
BIOS         : 1.9.0
Computername : DESKTOP-7AAMJLF
Random       : 01.04.2019 19:32:50
 
