I have a non-admin access to a server. I'm allowed to connect via RDP, and to use PowerShell remoting. When I invoke the following PowerShell command from an RDP session:

Get-WinEvent -MaxEvents 100 -Provider Microsoft-Windows-TaskScheduler

I get 100 records, as expected.

When I do the same via PowerShell remoting, by invoking the following from my local machine:

invoke-command -ComputerName myserver {Get-WinEvent -MaxEvents 100 -Provider Microsoft-Windows-TaskScheduler }

I get an error:

No events were found that match the specified selection criteria.

    + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand

Any idea why? The remote PowerShell session should be running under identical credentials, right?

EDIT: whoami does show a difference in the security context between RDP logon and PowerShell remoting - the group set is different. In the RDP logon session, there are the following groups in the token:

  • BUILTIN\Remote Desktop Users
  • NT AUTHORITY\REMOTE INTERACTIVE LOGON

while in the remoted one, there's

  • CONSOLE LOGON

That could account for the discrepancy in rights...

EDIT: from the registry, it looks like the Task Scheduler log is somehow a part of the System log. According to MS KB article Q323076, the security descriptor for the System log can be found under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System, value CustomSD. I can't check the server in question, but on another server where I'm an admin, there's no CustomSD under that key, nor under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System\Microsoft-Windows-TaskScheduler. Only the Security log gets a CustomSD. The next question is, where's the default SD?

Permissions on the actual log file at C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx are irrelevant; access is mediated by the EventLog service anyway.

Seva Alekseyev
  • That command works for me when specifying a server where I have admin privs... – Tony Hinkle May 13 '16 at 18:12
  • I also had no issues running both commands. What version of PowerShell are you using? Does any get-WinEvent command running under invoke work? – smwk May 13 '16 at 20:45
  • Over remoting? It doesn't, not even against the application log. Looks like the sticky point is being a nonadmin... – Seva Alekseyev May 18 '16 at 17:43
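
Added example (not code from the question or any answer): a PowerShell function that reports which logon-type and built-in group SIDs the calling token carries, so a run inside the RDP session and a run through Invoke-Command can be diffed property by property instead of comparing two whoami /all dumps by eye. The SIDs are the documented well-known Windows values; the loopback Invoke-Command in the usage part assumes the account is allowed to use WinRM against the server (the question says it is).

```powershell
# Added example, not code from the question: report which logon-type and
# built-in group SIDs an execution context carries, so one run inside the RDP
# session and one run through Invoke-Command can be diffed instead of eyeballing
# two whoami /all dumps. The SIDs are the documented well-known Windows values.
function Get-LogonContextReport {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Well-known SIDs that distinguish logon types, plus the groups this thread mentions.
    $wellKnown = [ordered]@{
        'S-1-5-2'      = 'NT AUTHORITY\NETWORK'
        'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
        'S-1-5-14'     = 'NT AUTHORITY\REMOTE INTERACTIVE LOGON'
        'S-1-2-1'      = 'CONSOLE LOGON'
        'S-1-5-32-544' = 'BUILTIN\Administrators'
        'S-1-5-32-555' = 'BUILTIN\Remote Desktop Users'
        'S-1-5-32-573' = 'BUILTIN\Event Log Readers'
        'S-1-5-32-580' = 'BUILTIN\Remote Management Users'
    }

    # Enabled group SIDs of the token, plus the user SID itself.
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    $report = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        User         = $identity.Name
        # $false for a UAC-filtered token even when the account is an Administrators member.
        IsElevated   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
    foreach ($sid in $wellKnown.Keys) {
        $report[$wellKnown[$sid]] = ($tokenSids -contains $sid)
    }
    [pscustomobject]$report
}

# Usage, run from inside the RDP session on the server. The first call reports the
# RDP token; the second sends the same function body through WinRM back to the same
# host (loopback remoting; assumes the account may use WinRM, e.g. as a member of
# Remote Management Users) and therefore reports the remoting token. Replace
# $env:COMPUTERNAME with 'myserver' to run the remote half from your workstation.
$rdpContext    = Get-LogonContextReport
$remoteContext = Invoke-Command -ComputerName $env:COMPUTERNAME -ScriptBlock ${function:Get-LogonContextReport}

# Print only the properties whose value differs between the two tokens.
foreach ($name in $rdpContext.PSObject.Properties.Name) {
    if ("$($rdpContext.$name)" -ne "$($remoteContext.$name)") {
        [pscustomobject]@{ Property = $name; RdpSession = $rdpContext.$name; Remoting = $remoteContext.$name }
    }
}
```

The rows that come out of the final loop are exactly the token differences the question's EDIT describes (INTERACTIVE / REMOTE INTERACTIVE LOGON / Remote Desktop Users present in one context and absent in the other), which is what an event-log ACL keyed on logon type would react to.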

4 Answers


If you are not an administrator on the remote computer, and invoke-command -ComputerName myserver {whoami /all} tells you that you are who you expected to be:

You will need to be a member of the Event Log Readers group on the remote computer,

as well as of the Remote Management Users group, which I believe you already are.

If you need to read the Security log, you will also need the "Manage auditing and security log" right under Local Security Policy -> Security Settings -> Local Policies -> User Rights Assignment.

Kai Zhao
  • Whoami confirms I'm connected as my primary account, no surprises there :) I can read the logs fine when connected via RDP with the same account. Why would the security context of my remoted PowerShell session be any different from an RDP logon? – Seva Alekseyev May 13 '16 at 20:01
  • Good question, I was able to reproduce this scenario. As a local User, logged on to the computer, unless it is explicitly denied, you have read/write access to event logs (not create/delete). However, I suspect this access does not extend remotely; attempts to load the event log on a remote PC with this level of access all failed with access denied. On the other hand, you only need to be part of the `Event Log Readers` and `Remote Management Users` groups to be able to read logs remotely, no local user access is needed, but this does not offer you write access. – Kai Zhao May 13 '16 at 21:05
  • Isn't log reading cmdlet running as a local process on the target machine, as opposed to using the remote Event Log service? The whole idea was to use powershell remoting as the network transport so that local permissions apply, as opposed to event log's own network transport. Also, technically, RDP is remote, too. That's what "R" stands for :) – Seva Alekseyev May 13 '16 at 21:48
  • `Get-Winevent` is, but the source of `Invoke-command -computer` is [remote](https://technet.microsoft.com/en-us/library/hh847900.aspx). It doesn't seem that a user privilege that works locally would always have the same level of access when issued remotely. I tried `get-windowsfeature` and `get-service`, where the former worked and the latter failed with insufficient access. My assumption is that although the user is given remote management access, which is allowed to read WMI objects, some of the WMI objects are protected and require a higher level of access when read remotely. – Kai Zhao May 16 '16 at 13:44
  • I also tried to execute a remote ps1 file with `get-winevent` thru a `invoke-command {powershell.exe -file}`, still couldn't get around this. – Kai Zhao May 16 '16 at 13:45
  • Another idea: try invoking wevtutil command line tool via PS remoting, see if *that* gets a local-like security context... – Seva Alekseyev May 16 '16 at 14:44
  • Explicit "Access denied" this time. – Seva Alekseyev May 16 '16 at 14:58

According to Default ACLs on Windows Event Logs @ MSDN blog, in Windows Server 2003+, the default ACL for the System log goes:

O:BAG:SYD:
 *(D;;0xf0007;;;AN)  // (Deny) Anonymous:All Access
 *(D;;0xf0007;;;BG)  // (Deny) Guests:All Access
  (A;;0xf0007;;;SY)  // LocalSystem:Full
  (A;;0x7;;;BA)      // Administrators:Read,Write,Clear
  (A;;0x5;;;SO)      // Server Operators:Read,Clear
  (A;;0x1;;;IU)      // INTERACTIVE LOGON:Read   <===================
  (A;;0x1;;;SU)      // SERVICES LOGON:Read
  (A;;0x1;;;S-1-5-3) // BATCH LOGON:Read
  (A;;0x2;;;LS)      // LocalService:Write
  (A;;0x2;;;NS)      // NetworkService:Write

Does NT AUTHORITY\INTERACTIVE LOGON include RDP logon? I've found a forum message that says so, but I'd better find a doc to that effect...

The article claims this ACE comes "straight from the source code". So it's hard-coded in the service, with a chance to change via the registry.

Seva Alekseyev
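
Added example (not code from this answer or from the MSDN post it quotes): it parses the answer's default System-log SDDL with .NET's RawSecurityDescriptor and walks the DACL the way the kernel's access check does (a matching deny on a still-wanted bit wins; allows accumulate until every wanted bit is granted), so you can see through which ACE, if any, a given logon context gets read (0x1) on the log. The two token SID lists are constructed for illustration, not captured from a real system; the user SID is a placeholder, and the NETWORK SID in the remoting token is assumed. The channel-SDDL helper relies on the EventLogConfiguration.SecurityDescriptor property that Get-WinEvent -ListLog returns.

```powershell
# Added example; not code from the answer or the MSDN post it quotes.
# The answer's default System-log SDDL joined into one string (blog markers and
# comments removed). IU = INTERACTIVE (S-1-5-4), SU = SERVICE (S-1-5-6).
$Default2003SystemLogSddl = 'O:BAG:SYD:' +
    '(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)' +
    '(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)'

function Test-EventLogSddlAccess {
    param(
        [Parameter(Mandatory)][string]   $Sddl,
        [Parameter(Mandatory)][string[]] $TokenSids,        # user SID plus every enabled group SID
        [int]                            $DesiredMask = 0x1 # 0x1 read, 0x2 write, 0x4 clear
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $remaining = $DesiredMask   # wanted bits not yet granted by an allow ACE

    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        # Inherit-only ACEs do not apply to the object itself.
        if ($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::InheritOnly) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($TokenSids -notcontains $sid) { continue }

        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied) {
            # A deny that covers any still-wanted bit ends the walk, as the kernel does.
            if ($ace.AccessMask -band $remaining) {
                return [pscustomobject]@{ Result = 'Denied'; MatchingSid = $sid; AceMask = ('0x{0:x}' -f $ace.AccessMask) }
            }
        }
        elseif ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
            $remaining = $remaining -band (-bnot $ace.AccessMask)
            if ($remaining -eq 0) {
                return [pscustomobject]@{ Result = 'Allowed'; MatchingSid = $sid; AceMask = ('0x{0:x}' -f $ace.AccessMask) }
            }
        }
    }
    # No ACE granted the remaining bits: the service answers access denied / no events.
    [pscustomobject]@{ Result = 'NotGranted'; MatchingSid = $null; AceMask = ('0x{0:x}' -f $remaining) }
}

function Get-EventLogChannelSddl {
    param([Parameter(Mandatory)][string]$LogName)
    # The Event Log service reports a channel's effective SDDL (CustomSD or the
    # built-in default) on the EventLogConfiguration object Get-WinEvent -ListLog returns.
    (Get-WinEvent -ListLog $LogName -ErrorAction Stop).SecurityDescriptor
}

# Constructed token SID lists (illustration only). Both carry a placeholder domain
# user SID and BUILTIN\Users; the RDP token adds the logon-type SIDs the question's
# whoami showed (INTERACTIVE, REMOTE INTERACTIVE LOGON, Remote Desktop Users), the
# remoting token adds CONSOLE LOGON as the question reported, Remote Management
# Users, and (assumed) the NETWORK logon SID.
$placeholderUser = 'S-1-5-21-1111111111-2222222222-3333333333-1001'
$rdpToken    = @($placeholderUser, 'S-1-5-32-545', 'S-1-5-4', 'S-1-5-14', 'S-1-5-32-555')
$remoteToken = @($placeholderUser, 'S-1-5-32-545', 'S-1-2-1', 'S-1-5-2', 'S-1-5-32-580')

Test-EventLogSddlAccess -Sddl $Default2003SystemLogSddl -TokenSids $rdpToken
Test-EventLogSddlAccess -Sddl $Default2003SystemLogSddl -TokenSids $remoteToken

# Against the live channel from the question, using the calling token's own SIDs
# (run it once in the RDP session and once inside an Invoke-Command script block):
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
Test-EventLogSddlAccess -Sddl (Get-EventLogChannelSddl 'Microsoft-Windows-TaskScheduler/Operational') -TokenSids $mySids
```

With the SDDL as quoted in the answer, the first constructed call comes back Allowed through S-1-5-4 (the IU ACE), and the second comes back NotGranted because no ACE in that default descriptor names any SID the remoting token carries. That is the mechanism this answer is pointing at: read access is keyed on the logon type, not on the account. Whether a specific server behaves that way is decided by the SDDL the last call pulls from the channel itself, since a CustomSD value or a newer default (for example, one that grants Event Log Readers) changes the result.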

You need local admin rights to open a powershell session.

But there is a workaround/alternative here:

https://4sysops.com/archives/powershell-remoting-without-administrator-rights/

Dave

I had the weirdest variation of this problem; it was driving me nuts!
Remoting from a W2008r2 server (logged on as domain admin, inside an interactive PowerShell session) to a Win7 workstation to get logon/logoff events:

invoke-command -computername $pc {Get-WinEvent -FilterHashtable @{logname='Security';Id=@(4624,4634)}}
-> No events were found that match the specified selection criteria.

But it does work when outputting an empty string in the script block before the Get-WinEvent:

invoke-command -computername $pc {"";Get-WinEvent -FilterHashtable @{logname='Security';Id=@(4624,4634)}}


TimeCreated             ProviderName                                 Id Message                 PSComputerName
-----------             ------------                                 -- -------                 --------------
19/03/2018 11:51:41     Microsoft-Windows-Se...                    4624 An account was succe... b25_x64
19/03/2018 11:51:41     Microsoft-Windows-Se...                    4624 An account was succe... b25_x64

Stumbled upon this fix after trying everything: Enter-Pssession, New-Pssession, using -credential parameter to pass a predefined credential to invoke-command, to get-winevent, to both. Nothing worked, gave "No events..." in every combination.
Then I inserted a $cred inside the scriptblock to show the passed on credential for debugging, and suddenly I got the events I was looking for...

  • To complete my previous post: don't forget to pipe the output of the "" to NULL, so as to not pollute the pipeline: ... `$pc {""|out-null; Get-WinEvent...` – Patrick E Mar 25 '18 at 10:29