How to bypass security warning when running EXE from network location? - powershell

I am trying to write a complex unattended install script that installs from a network directory. I'm running PS in administrator mode with bypass security.
When I run:
Start-Process "\\192.168.5.7\MSChart.exe" -ArgumentList "/q" -Wait
I get:
How can I bypass this without adding the network location as a trusted server? Ideally simply using PowerShell. I've tried Unblock-File, no luck.

The network share is not trusted by your computer, hence it warns you. You would have to add the share to the trusted zone in the systems internet settings, and allow "launching programs and unsafe files".
You cannot bypass it, but
add the required configuration to the registry
or copy the files locally and run it from there
using PowerShell

You can bypass the warning by adding -NoNewWindow as in Start-Process "\\192.168.5.7\MSChart.exe" -ArgumentList "/q" -Wait -NoNewWindow.
You should however leverage DNS for your path (e.g. \\share.domain.com\file.exe) and ensure the URI (share.domain.com) is in your system 'Trusted Sites' or 'Intranet Sites' list or you may still be blocked. Copying the file to the local system first may also fix the problem.
Reference: https://social.technet.microsoft.com/Forums/en-US/92eab96d-fe1a-4119-a5bc-f171d517466a/getting-open-file-security-warning-using-startprocess?forum=winserverpowershell

Maybe you want to Unblock-File and accept all of the risks that come with that and then try to execute it?
I don't recommend anyone EVER run a script like this:
function Unblock-Dir()
{
gci -Directory | % {
push-location $_ ;
gci | % {
Write-Host "Unblocking $_";
Unblock-File $_
}
Unblock-Dir ;
Pop-Location
}
Unblock-File -path .\*
}
It's just too dangerous.

Related

Windows Defender and handling downloaded PowerShell scripts

I use Set-ExecutionPolicy RemoteSigned and download some scripts and modules. These are my scripts so they are not signed. I could use Bypass or RemoteSigned or Unrestricted. I feel that Unrestricted feels a bit over the top so I got with RemoteSigned and indeed, even though my scripts are not signed, I can download them and run them... for a while. Then, "Windows Defender" catches up and completely deletes my scripts. My questions are:
After I download a script, is there a programmatic way with PowerShell to instruct Windows Defender to mark that script on the exclusion list?
Would you say that Unrestricted is a bit unsafe? If so, what is the process of making these scripts signed (or self-signed?), or is this not possible? i.e. Set to Unrestricted so that files are not nuked, then download the file, then somehow put it on an exclusion list, then set the ExecutionPolicy back to RemoteSigned?
Downloaded files are marked as from the internet. Your need to unblock them. Use the built-in cmdlet for that.
# Get specifics for a module, cmdlet, or function
(Get-Command -Name Unblock-File).Parameters
(Get-Command -Name Unblock-File).Parameters.Keys
Get-help -Name Unblock-File -Examples
# Results
<#
Unblock-File -Path C:\Users\User01\Documents\Downloads\PowerShellTips.chm
dir C:\Downloads\*PowerShell* | Unblock-File
Get-Item * -Stream "Zone.Identifier" -ErrorAction SilentlyContinue
C:\ps-test\Start-ActivityTracker.ps1
Get-Item C:\ps-test\Start-ActivityTracker.ps1 | Unblock-File
#>
Get-help -Name Unblock-File -Full
Get-help -Name Unblock-File -Online
Any script you use will be looked at for actions it is performing. Your AV solution (Windows Defender notwithstanding) will take action(s) on it if it appears to be doing unexpected/nefarious things at any point. This has nothing to do with whether they are signed or not, or what ExecutionPolicy you set.
EP = only means allow a script(s) to run, not control what the script does/is going to do and the EP is not a security boundary, as documented in the help files.
Unblock-File Module: Microsoft.PowerShell.Utility
Unblocks files that were downloaded from the Internet.
This is all related to Windows ADS.
'windows alternate data streams downloaded file'
### Detecting Alternate Data Streams with PowerShell and DOS
dir /s /r | find ":DATA"
Get-Item –Path 'C:\users\me\desktop\*' -Stream *
Get-Content –Path 'C:\users\me\some_file.exe' -Stream zone.identifier
# Results
<#
[ZoneTransfer]
ZoneId=3
1
2
#>
Downloaded file via zone 3, we now know that is the Internet Zone as depicted in the chart below.
Value Setting
0 My Computer
1 Local Intranet Zone
2 Trusted sites Zone
3 Internet Zone
4 Restricted Sites Zone
Or using MS SysInternals: streams.exe

Install/Uninstall Zabbix with Powershell in c:\Program files(x86)\zabbix folder

in order to distribute Zabbix in our company, I would like to create a function for the Zabbix 5.2 client in my installation script.
This also means that zabbix_agentd.exe is registered as a service with the associated parameters.
I am apparently too stupid to do this with the start-process.
The following line serves as an example .. I've tried a few things but couldn't find a suitable quotation, etc.
start-process -FilePath cmd.exe -ArgumentList "/c c:\program files (x86)\zabbix\zabbix_agend.exe --config C:\Program Files (x86)\Zabbix\zabbix_agentd.win.conf --install"
I also hope that I can transfer the path to zabbix_agentd.exe as a variable
Ih hope someone has a tip.
Thanks in advance
For Windows I use the MSI for installations and check the registry if the correct version is already installed else upgrade.
Replace and for your own.
$zabbixversion = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Zabbix SIA\Zabbix Agent (64-bit)").ProductVersion
if ($zabbixversion -eq "5.0.20.2400") {
write-host "Zabbix already installed"
exit
}
else
{
write-host "Uninstall Zabbix Agent"
msiexec /uninstall \\<share>\zabbix_agent-5.0.20-windows-amd64-openssl.msi server=<SERVERIP> sport=10050 lport=10050 SERVERACTIVE=<SERVERIP> rmtcmd=0
write-host "Installing Zabbix Agent"
msiexec /I \\<share>\\zabbix_agent-5.0.20-windows-amd64-openssl.msi server=<SERVERIP> sport=10050 lport=10050 SERVERACTIVE=<SERVERIP> rmtcmd=0
}
You should use the MSI package instead.
You can specify as parameters the host name/ip address of the server, the remote command support, the psk support etc...
You can then launch it with cmd/powershell or even better via GPO
See the documentation page for some of examples

Run exe with arguments on remote machine

This one is ruining me. Something that I'm pretty sure should be simple just isn't working and it's probably just a single quotation/character out of place.
There's a lync/Skype tool called sefautil.exe that does all kinds of marvelous things the webGUI doesn't. A typical command would be:
C:\Program Files\Skype for Business Server 2015\ResKit>sefautil.exe /server:sfbpool01.domain.local sip:user1#domain.local /setfwddestination:user2#domain.local /enablefwdimmediate
This works fine when remoted onto any of the machines, but I'm really struggling to run it via remote PowerShell.
Whatever commands I try via invoke-command either give me a standard /? response or nothing at all. I've passed the args via -ArgumentList, as a variable, as anything I can think of and it's just not working.
What makes the thing even more tasking as if you run without admin rights, you won't ever get any results. The command has to be ran as an admin. Now I can quite easily put an admin mode checker into my script, but if it's just as easy to send the command as admin I'll take it.
Any help would be massively appreciated.
#qbanet359
I've gone about it a different way which feels a little cheap, but it does work so can't complain.
I've created a scheduled task on the server hosting sefautil.exe to run a batch file under elevated permissions - I've called it sefautil.
I also copied sefaUTIL.exe to C:\TEMP on the server.
Then in my PowerShell script I'm using:
$SERVER = "\\computer1\c$\temp"
"cd \" | Out-File "$SERVER\sefautiltest.bat" -Encoding unicode
"cmd /c C:\Temp\sefautil.exe /server:sfbpool01.ad.leics.gov.uk sip:dols.team#leics.gov.uk" | Out-File "$SERVER\sefautiltest.bat" -Append
gc $SERVER\sefautiltest.bat | out-file $server\sefautil.bat -encoding ascii
Invoke-Command -Credential $CREDS -ComputerName computer 01-ScriptBlock { schtasks /Run /TN sefautil }
It's almost certainly a long winded way of doing this, but it does work.
Thanks for giving me a fresh perspective on things.
A Little late to the party, but I'm sure a lot of other SfB-Admins will struggle here as well.
This is how I made it work:
Invoke-Command -ComputerName $Global:SefaUtilServer -ScriptBlock {&'C:\Program Files\Skype for Business Server 2015\ResKit\SEFAUtil.exe' '/server:epsachhst-lfe11.epsa.swisscom-mcc.local' $args[0] "/enablefwdnoanswer" "/setfwddestination:$($args[1])" "/callanswerwaittime:$($args[2])"} -Credential $Global:LyncSchedTask_Cred -Authentication Credssp -ArgumentList #($UserSip.replace("sip:",""),$Destination,$Delay)
Hint: make sure, that you don't run in the "Powershell Double Hop issue". SefaUtil will make a Connection to a Frontend Server (I assume it's the one with the CMS located) to make the actual changes in the DB. (See my answer on TechNet: https://social.technet.microsoft.com/Forums/office/en-US/5d4c4f90-1b40-4742-ae4b-c2e1a62a0adb/running-sefautil-remotely?forum=lyncdeploy#da6b82b9-cada-420b-a7a7-2110c0ed2280 (by cwa.cloud)
This is the solution I came up with below.
Basically create a batch file with powershell on the SfB server and then run it with psexec to use the System account (psexec had been copied to the server).
Make sure you insert your own server's name where it has "servername" and run the script with an account that has sufficient permissions. Then call the script with the correct parameters.
BTW, I've noticed it can return an error code of 1 if the forwarding is already in place.
param ([string]$FwdUser,[string]$DestUser)
#skype for business phone forwarding
#create a batch file to run the command, run it as system with psexec and remove the batch file afterwards. sefautil does not cooperate with remote execution
$sefautilcmd = "`"C:\Program Files\Skype for Business Server 2015\ResKit\SEFAUtil.exe`" /Server:servername.headoffice.novationleasing.com.au " + $FwdUser + " /setfwddestination:" + $DestUser + " /enablefwdimmediate"
New-Item \\servername\c$\temp\tempfwd.bat
Set-Content \\servername\c$\temp\tempfwd.bat $sefautilcmd
Invoke-Command -ComputerName servername -ScriptBlock {C:\temp\psexec.exe -s -accepteula c:\temp\tempfwd.bat}
Remove-Item \\servername\c$\temp\tempfwd.bat

Powershell Get-ChildItem doesn't work properly on IIS directory

I was going to write up a simple alias 'iis' to invoke the IIS Manager, which is 'C:\Windows\System32\inetsrv\InetMgr.exe'
set-alias iis "OpenIIS.ps1"
and in the OpenIIS.ps1 I have
$item = "C:\Windows\system32\inetsrv\InetMgr.exe"
invoke-item -path $item
This doesn't work. The error I get is "The system cannot find the file specified"
In fact, just doing a Get-ChildItem on the inetsrv won't show the InetMgr.exe (no difference with -Force switch)
Get-ChildItem C:\Windows\system32\inetsrv\*.exe -force
Obviously I can see it in Explorer and I can launch it using cmd, but not with Powershell it seems. Also, Powershell is running as Administrator.
What is going on?
As a workaround I tried creating a link to the file and then invoking that link from Powershell. I now get a 'NotSpecified' Win32Exception.
I have originally used 64 bit Powershell, but get the same result on the x86 Powershell (both run as Administrator)
Are you at the elevated PowerShell prompt? Some system files may not show up unless you use -Force parameter with Get-ChildItem.
I think evidently the file InetMgr.exe is not there as when I do a get-childitem in the mentioned directory,it lists the "InetMgr.exe" there.
This may not be the problem with Get-ChildItem or the Alias you created but instead with ur IIS Server.

Execute remote quiet MSI installs from Powershell

I am trying to use the Invoke-Command powershell cmdlet to install a MSI installer. From within powershell on the local machine and from the proper directory, the following works:
./setup /quiet
The following does not seem to work:
$script =
{
param($path)
cd "$path"
& ./setup /quiet
return pwd
}
return Invoke-Command -ComputerName $product.IPs -ScriptBlock $script -Args $sourcePath
For test purposes I am working on the local machine passing in "." for the -ComputerName argument. The paths have been verified correct before passing in to Invoke-Command, and errors generated on different versions of this code indicate the paths are correct. I have also tried with and without the "& " on the remote call to setup. Other Invoke-Command calls are working, so I doubt it is a permissions issue. I have verified that the return from the pwd call is the expected directory.
How do I get the install to work?
What error (if any) are you receiving? Unfortunately, you must run the shell as admin on your local machine to be able to connect to your local machine with invoke-command or any WINRM based command that requires administrative privilege (this is not a requirement when connecting remotely).
When connecting to loopback, I believe it is unable (for some security reason) to enumerate groups and determine if you are in an admin enabled AD or local group, which is how it auto elevates when invoking on a remote machine. The only solution may be to have a conditional which checks for localhost and if so, don't use the -ComputerName parameter.
This GitHub Issue covers it
You might try using Start-Process in your script block:
cd $path
start-process setup.exe -arg "/quiet"
Not sure if you will want or need to wait. Look at help for Start-Process.
I have had weird issues when trying to remotely execute a script on a local machine. In other words, remote powershell to the local machine. It comes back with an error that seems to say that PowerShell remoting is not enabled on the machine, but it was. I can run the script remotely from another machine to the target, but when using remoting to the same box, the issue crops up.
Verify that the WinRM service is running.
Verify powershell remoting has been enabled as in Enable-PSRemoting -force.
Verify your powershell execution policy is loose enough as in Set-ExecutionPolicy Unrestricted, for example. If the policy was set to RemoteSigned, this might be the problem.
You might also want to verify the user you are running the script as (locally, but using remoting) has privileges to "log on as a service" or as a batch job. Just guessing there, if the above list doesn't solve anything.