
I have a relatively straightforward script.

  1. Export secedit
  2. Look for specific SIDs and store them
  3. For each of the SIDs, return the group name

However, when I try to filter the results of Get-LocalGroup based on the SID value, I get no results. If instead of using a variable in the Where portion of the script I use the actual value, then it works just fine. What am I doing wrong?

```powershell
secedit /export /areas USER_RIGHTS /cfg c:\temp\logs.txt
$userrights = Select-String -Path "c:\temp\logs.txt" -Pattern 'SeRemoteInteractiveLogonRight' | Out-String
$userrights = $userrights.Replace("C:\temp\logs.txt:35:SeRemoteInteractiveLogonRight = ", "").Replace("*", "").Split(",")
$userrights

foreach ($userright in $userrights)
{
    Get-LocalGroup | Where {$_.SID -Match $userright}

}
```
Kuba
  • What happens if you use `Get-LocalGroup -SID $userright` instead? – Santiago Squarzon Oct 28 '22 at 21:18
  • Try logging the value of the variable to the console - e.g. `Write-Host "user right = '$userright'"` (include the quotes around the variable so you can make sure there's no leading / trailing spaces in the value). Then compare that to the literal value you use that works… – mclayton Oct 28 '22 at 21:18
  • As an aside: Use `| Select-Object -ExpandProperty Line` or, in PowerShell (Core) 7+, the `-Raw` switch, instead of `| Out-String` in order to get just the _text_ of matching lines. `Select-String` emits _objects_ that wrap each matched line alongside metadata, whose `.Line` property contains the matched line. If you apply `Out-String` to such an object, you get its _for-display_ representation which includes the input file name, as you've experienced. – mklement0 Oct 30 '22 at 02:00

1 Answer


This seems to work properly for me in both Windows PowerShell and PowerShell Core. `-Encoding unicode` was key to make it work in my case, not sure if it could relate to your issue too:

```powershell
Select-String .\test.txt -Pattern '(?<=SeRemoteInteractiveLogonRight[= *]{4}).+' -Encoding unicode |
    ForEach-Object { $_.Matches.Value -split ',?\*' | Get-LocalGroup -SID { $_ } }
```

Thanks mklement0 for confirming this was indeed an Encoding issue. As he states in his helpful comment:

"...it seems that secedit.exe creates UTF-16LE ("Unicode") files without a BOM, which is why reading them requires -Encoding Unicode."

Santiago Squarzon
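
An added example, not code from the question or the answer: it generalizes the answer's approach into a small audit helper that reads the export with an explicit `-Encoding Unicode`, parses one user right, and resolves each `*SID` through .NET's `SecurityIdentifier.Translate` rather than `Get-LocalGroup`, so users and domain principals resolve too and SIDs that no longer map to an account are reported instead of silently dropped. The function name `Resolve-UserRightHolder`, the sample file contents and the third SID are constructed for illustration.

```powershell
# Added example. Function name and sample data are constructed for illustration.
function Resolve-UserRightHolder {
    param(
        [Parameter(Mandatory)] [string] $Path,    # file written by secedit /export
        [Parameter(Mandatory)] [string] $Right    # e.g. SeRemoteInteractiveLogonRight
    )
    # Read explicitly as UTF-16LE; per the answer, the export needs -Encoding Unicode.
    $line = Get-Content -LiteralPath $Path -Encoding Unicode |
        Where-Object { $_ -match ('^\s*' + [regex]::Escape($Right) + '\s*=') } |
        Select-Object -First 1
    if (-not $line) { return }                     # right is not assigned to anyone

    foreach ($entry in ($line -split '=', 2)[1] -split ',') {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {
            # A leading '*' marks a SID; translate it to DOMAIN\name if possible.
            $sid = $entry.TrimStart('*')
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                $name = $null                      # orphaned or otherwise unresolvable SID
            }
        } else {
            $sid = $null; $name = $entry           # entry was written as an account name
        }
        [pscustomobject]@{ Right = $Right; Sid = $sid; Name = $name; Resolved = [bool]$name }
    }
}

# Constructed sample export, encoded as UTF-16LE without a BOM as the answer describes.
$sample = "[Unicode]`r`nUnicode=yes`r`n[Privilege Rights]`r`n" +
    "SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555," +
    "*S-1-5-21-1111111111-2222222222-3333333333-1001`r`n"
$tmp = Join-Path $env:TEMP 'secedit-sample.inf'
[System.IO.File]::WriteAllText($tmp, $sample, (New-Object System.Text.UnicodeEncoding($false, $false)))

Resolve-UserRightHolder -Path $tmp -Right SeRemoteInteractiveLogonRight | Format-Table -AutoSize
```

Rows with `Resolved` set to `False` are the ones worth reviewing: a right granted to a SID that no longer maps to any account.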