PowerShell StartProcess: invalid handle

Question

I'm trying to install google chrome on a remote machine through powershell. This is what I'm trying to do (I've pretty much just scraped this together from a couple of other posts on various sites):

$Path = $env:TEMP; 

$Installer = "chrome_installer.exe";

(new-object System.Net.WebClient).DownloadFile('http://dl.google.com/chrome/install/375.126/chrome_installer.exe', "$Path\$Installer");

Start-Process -FilePath $Path\$Installer -Args "/silent /install" -Verb RunAs -Wait;

Remove-Item $Path\$Installer

it's failing on the fourth line: Start-Process -FilePath $Path\$Installer -Args "/silent /install" -Verb RunAs -Wait;

with the error:

Start-Process : This command cannot be run due to the error: The handle is 
 invalid.
At line:1 char:2
+  Start-Process -FilePath $Path\$Installer -Args "/silent /install" -V ...
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Start-Process], InvalidOp 
   erationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C 
   ommands.StartProcessCommand

I'm quite inexperienced with PowerShell and I'm having a hard time figuring out what the "handle" in the error is. Any help is appreciated :)

EDIT: with a try/catch { $_ | FL * -Force} around the failing command it gives this output:

PSMessageDetails      : 
Exception             : System.InvalidOperationException: This command cannot 
                        be run due to the error: The handle is invalid.
                           at System.Management.Automation.MshCommandRuntime.Th
                        rowTerminatingError(ErrorRecord errorRecord)
TargetObject          : 
CategoryInfo          : InvalidOperation: (:) [Start-Process], 
                        InvalidOperationException
FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands
                        .StartProcessCommand
ErrorDetails          : 
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at <ScriptBlock>, <No file>: line 4
PipelineIterationInfo : {}

With catching $_.Exception instead, it gives:

Message        : This command cannot be run due to the error: The handle is 
             invalid.
Data           : {}
InnerException : 
TargetSite     : Void ThrowTerminatingError(System.Management.Automation.ErrorR
                 ecord)
StackTrace     :    at System.Management.Automation.MshCommandRuntime.ThrowTerm
                 inatingError(ErrorRecord errorRecord)
HelpLink       : 
Source         : System.Management.Automation
HResult        : -2146233079

Is the file actually downloaded? Also what version of powershell? — Maximilian Burszley, Jun 05 '18 at 19:15
@TheIncorrigible1 the file is downloaded properly. the powershell version shows as: `Major Minor Build Revision ----- ----- ----- -------- 5 1 14393 2189 ` (output of: $PSVersionTable.PSVersion ) — jnotelddim, Jun 05 '18 at 19:24
yes, sorry, I have checked that the installer exists. it shows up where expected and has an appropriate size — jnotelddim, Jun 05 '18 at 19:33
Does executing the downloaded exe work if you clear the internet zoning from the file first? I think the handle is about the file being in the wrong zone for a normal integrity process. — Gerrit, Jun 05 '18 at 20:30
@TheIncorrigible1 Exception: `Message : This command cannot be run due to the error: The handle is invalid. Data : {} InnerException : TargetSite : Void ThrowTerminatingError(System.Management.Automation.ErrorR ecord) StackTrace : at System.Management.Automation.MshCommandRuntime.ThrowTerm inatingError(ErrorRecord errorRecord) HelpLink : Source : System.Management.Automation HResult : -2146233079 ` — jnotelddim, Jun 05 '18 at 21:26
@TheIncorrigible1 I ran ` catch { $_.Exception | FL * -Force }` to get that - not sure that that's correct — jnotelddim, Jun 05 '18 at 21:28
I decoded the `HRESULT` to `80131509`, but can't find a source for that code. — Maximilian Burszley, Jun 05 '18 at 21:37
@TheIncorrigible1 I had no idea that that's what that was. thanks for sharing that knowledge! hopefully that'll come in handy another time. For now though, is there anything else you can recommend I do from here? — jnotelddim, Jun 05 '18 at 21:42
Can you run the executable manually after downloading it to `%TEMP%`? — Maximilian Burszley, Jun 05 '18 at 21:45
@TheIncorrigible1 I'm not able to get it to execute at all so far. I've stopped trying to run it from Temp now because of the other commenter who said downloading to Temp was bad practice. Now im doing everything out of the same directory: D:\home\site\wwwroot\ but I haven't been able to get it to execute from there either. — jnotelddim, Jun 05 '18 at 22:04
It's not the same thing, but it's a similar error, at this link https://stackoverflow.com/questions/628191/net-process-start-process-error-using-credentials-the-handle-is-invalid/628209 it seems like this error message is kind of a bad error message which should instead suggest redirecting input/output. Just thought I'd point that out in case it helps anyone have an idea of what's wrong. — jnotelddim, Jun 05 '18 at 22:12

Gerrit · Answer 1 · 2018-06-06T07:41:15.857

1

Elevation

The script would need elevation. To read about remote elevation: https://ss64.com/ps/syntax-elevate.html

If you use Invoke-Command to run a script or command on a remote computer, then it will not run elevated even if the local session is. This is because any prompt for elevation will happen on the remote machine in a non-interactive session and so will fail.

Using Enter-PSSession to start a whole new session will support elevation if you specify CredSSP, which enables the delegation of user credentials:

New-PSSession ss64dom.com -Auth CredSSP -cred ss64dom\user64

Zone identifier

The script could be hampered by the Internet Zone Identifier marker.

Source: http://woshub.com/how-windows-determines-that-the-file-has-been-downloaded-from-the-internet/

In PowerShell 3.0, you can display the list of files with Zone.Identifier stream in a directory using this command:

Get-ChildItem -Recurse | Get-Item -Stream Zone.Identifier -ErrorAction SilentlyContinue | Select-Object FileName

The attribute is removed as follows:

Remove-Item .\install-file.exe -Stream Zone.Identifier

In Windows PowerShell 4.0, you can delete Zone.Identifier using a separate cmdlet:

Unblock-File install-file.exe

Addendum: Remove-Item will raise an error if it does not find the alternate stream. Therefore use:

Remove-Item $Path\$Installer -Stream Zone.Identifier -ErrorAction SilentlyContinue

edited Jun 06 '18 at 07:41

answered Jun 05 '18 at 20:48

Gerrit

861
6
11

I'm trying to get the Zone Identifier for the file in question, but the first chain of commands you suggested crashed powershell. here's what I'm trying now: `Get-ChildItem .\chrome_installer.exe | Get-Item -Stream Zone.Identifier` **the error I got**: `Get-Item : Could not open the alternate data stream 'Zone.Identifier' of the file D:\home\site\wwwroot\chrome_installer.exe. ` – jnotelddim Jun 05 '18 at 21:21
When I try: `Get-Item .\chrome_installer.exe -Stream Zone.Identifier Get-Item .\chrome_installer.exe -Stream Zone.Identifier` It gives me the same error. at the end of the error it says: ` FullyQualifiedErrorId : AlternateDataStreamNotFound,Microsoft.PowerShell .Commands.GetItemCommand ` I just didnt paste it in the last comment cause it was too many characters – jnotelddim Jun 05 '18 at 21:23
1

After the first unblock it seems Windows remembers an unblock and then there is no alternate stream. – Gerrit Jun 05 '18 at 21:43
then I guess it's fair to assume it's not a Zone Identifier issue if it's already been unblocked? – jnotelddim Jun 05 '18 at 22:06
You are still getting the same error? I cannot reproduce it, there seems to be a localized problem with that. Try setting a `-WorkingDirectory` in Start-Process. If you get past that you will have to look at elevation, because the installer will ask for elevation, even with the /silent. – Gerrit Jun 05 '18 at 22:15
Instead of Start-Process try: `& $Path\$Installer /silent /install | write`. I don't believe the /silent /install switches are passed with the Start-Process. – Gerrit Jun 05 '18 at 22:21
I am. Yeah I'm thinking it might have something to do with the environment of remote machine. I thought the `RunAs` was for elevation. Is there something further you suspect I may need to do to gain further privileges? – jnotelddim Jun 05 '18 at 22:24
I tried `& $Path\$Installer /silent /install | write` and it gave me no output at all :\ – jnotelddim Jun 05 '18 at 22:27
If you leave off the /silent then you get the install elevation dialog I presume? Apparently it just aborts when called with /silent and not being elevated. Are you executing this script in a remote PS Session? – Gerrit Jun 06 '18 at 07:18
I don't think you can elevate remotely. Maybe you could use scheduled tasks with the elevation bit set, to execute your script on remote machines. https://social.technet.microsoft.com/Forums/sharepoint/en-US/7007a181-f667-4b52-bc40-80bc387e406a/how-to-run-pssession-as-elevated-user?forum=winserverpowershell – Gerrit Jun 06 '18 at 07:32
Seems I was wrong about remote elevation. I have amended the answer. – Gerrit Jun 06 '18 at 07:41

score 0 · Accepted Answer · answered Jun 11 '18 at 21:27

As far as I can tell, it comes down to the fact that in Azure Web App environments, you don't have permissions to install applications freely.

I guess management of the environment is restricted so they can guarantee a certain level of service.

You can read more about it here:

https://learn.microsoft.com/en-us/azure/app-service/choose-web-site-cloud-service-vm

Theo · Answer 3 · 2018-06-05T20:05:14.400

-2

try double-quoting the FilePath you are feeding the Start-Process command, OR use $(Join-Path $Path $Installer)

Right now you are escaping the $ for $Installer, so the path to the file cannot be resolved.

Start-Process -FilePath "$Path\$Installer" -Args "/silent /install" -Verb RunAs -Wait;

# OR (even better I think)

Start-Process -FilePath $(Join-Path $Path $Installer) -Args "/silent /install" -Verb RunAs -Wait;

edited Jun 05 '18 at 20:05

answered Jun 05 '18 at 20:04

Theo

57,719
8
24
41

2

`\\` is not the escape character in PowerShell. – Maximilian Burszley Jun 05 '18 at 20:05
just type this in the ISE: $Path = $env:TEMP $Installer = "chrome_installer.exe" $Path\$Installer if you run it, you will get an Unexpected Token error – Theo Jun 05 '18 at 20:06
1

That's because it's not interpreted as a string at the command line, but IS interpreted as a string as an argument to a parameter... – Maximilian Burszley Jun 05 '18 at 20:09
2

Also, it is bad practice to try and install anything from the Temp folder – Theo Jun 05 '18 at 20:14
2

as @TheIncorrigible1 stated, \ is not the escape sequence in powershell. If you do this: `$path = $env:temp; $installer = "chrome_installer.exe"; $path\$installer` you will get an error simply because there is an unexpected token. If however you do this: `Write-host -Object $path\$installer` You will get this output: `C:\Users\username\AppData\Local\Temp\chrome_installer.exe` So as you see, when used as a parameter the interpreter concatenates the two variables. By the way, don't just assume, but try it out first.,, – EBGreen Jun 05 '18 at 20:17
@Theo thanks for letting me know. I'll keep that in mind. – jnotelddim Jun 05 '18 at 20:17
Having said all of that `Join-Path` is definitely the prefered method. – EBGreen Jun 05 '18 at 20:18
@EBGreen `Join-Path` is good when you don't know where your variables are coming from, but unnecessary when using well-known environment variables (`$Env:temp` on Windows will resolve to `$Env:userprofile\AppData\Local\Temp` without a trailing slash) – Maximilian Burszley Jun 05 '18 at 20:23
Unless some yahoo changes it via a GPO. Which I have seen. I still use Join-Path simply because I can't always assume that things will be what I think they should be and I have as yet to see a down side to using it other than a little more typing. – EBGreen Jun 05 '18 at 20:26
@EBGreen The absolute madmen.... Until the OP updates their question with the inner exception, no answer is possible – Maximilian Burszley Jun 05 '18 at 20:31

PowerShell StartProcess: invalid handle

3 Answers3

Elevation

Zone identifier

Linked