PowerShell Session Configurations

This topic contains 7 replies, has 2 voices, and was last updated by Brian Clanton 4 weeks, 1 day ago.

  • #71147
    Brian Clanton
    Participant

    I am in the process of prepping our 100+ terminal server environment for remote PowerShell management and I have run into a problem regarding Endpoint configuration.

    Summary:
    We have a 'Block_App_Exec' GPO that apparently puts the default PowerShell endpoint on each server into a Constrained language mode which prevents me from running different types of scripts on the network. This GPO was put in place to prevent certain types of malware from running and encrypting files. I confirmed this was the entity that was putting the PowerShell endpoint into constrained mode by removing a specific server from the GPO. Post removal, I was able to do the steps below and run my inventory application script without hindrance.

    My 'resolution' was to define a custom endpoint on each server with 'Full Language Mode' capability, however that does not seem to make a difference even when I do a direct session to that endpoint…the $ExecutionContext.SessionState.LanguageMode still returns constrained mode even though I am connecting to the session configuration type that has 'Full Language Mode' capability.

    It seems that the GPO is overriding my custom endpoint.

    Want to confirm that my method is sound so I can invoke powershell commands without relaxing security policies from our network.

    This is a test on one server in the mix to illustrate the issue.

    *****
    Confirming that the session is in Constrained mode.
    *****

    [w2k8-c12-01]: PS C:\> $ExecutionContext.SessionState.LanguageMode
    ConstrainedLanguage

    Whether I use Invoke-Command or Enter-PSSession, the current language mode prevents execution.

    [w2k8-c12-01]: PS C:\Users\administrator.XXXX\Documents> .\get-installedProg.ps1
    Cannot invoke method. Method invocation is supported only on core types in this language mode.
    At C:\Users\administrator.XXXX \Documents\get-installedProg.ps1:12 char:5
    +     $reg=[microsoft.win32.registrykey]::OpenRemoteBaseKey('LocalMachi ...
    +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage
     
    You cannot call a method on a null-valued expression.
    At C:\Users\administrator.XXXX\Documents\get-installedProg.ps1:16 char:5
    +     $regkey=$reg.OpenSubKey($UninstallKey)
    +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull
     
    You cannot call a method on a null-valued expression.
    At C:\Users\administrator.XXXX\Documents\get-installedProg.ps1:20 char:5
    +     $subkeys=$regkey.GetSubKeyNames()
    +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull

    Created a custom session configuration on this particular server with 'Full Language Mode'

    PSSC file
    [w2k8-c12-01]: PS C:\Users\administrator.XXXX\Documents> Get-PSSessionConfiguration

    ****
    ***
    
    Name          : tp_session
    PSVersion     : 5.0
    StartupScript : 
    RunAsUser     : 
    Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed

    This is the PSSC file for the session config.

    @{
    
    # Version number of the schema used for this document
    SchemaVersion = '2.0.0.0'
    
    # ID used to uniquely identify this document
    GUID = '8ea96f31-132e-4e95-97b2-6349debc3d62'
    
    # Author of this document
    Author = 'Brian Clanton'
    
    # Description of the functionality provided by these settings
    Description = 'XXXX remote session configuration'
    
    # Company associated with this document
    CompanyName = 'XXXX'
    
    # Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'
    SessionType = 'Default'
    
    # Directory to place session transcripts for this session configuration
    # TranscriptDirectory = 'C:\Transcripts\'
    
    # Whether to run this session configuration as the machine's (virtual) administrator account
    # RunAsVirtualAccount = $true
    
    # Groups associated with machine's (virtual) administrator account
    # RunAsVirtualAccountGroups = 'Remote Desktop Users', 'Remote Management Users'
    
    # Scripts to run when applied to a session
    # ScriptsToProcess = 'C:\ConfigData\InitScript1.ps1', 'C:\ConfigData\InitScript2.ps1'
    
    # User roles (security groups), and the role capabilities that should be applied to them when applied to a session
    # RoleDefinitions = @{ 'CONTOSO\SqlAdmins' = @{ RoleCapabilities = 'SqlAdministration' }; 'CONTOSO\ServerMonitors' = @{ VisibleCmdlets = 'Get-Process' } } 
    
    # Language mode to apply when applied to a session. Can be 'NoLanguage' (recommended), 'RestrictedLanguage', 'ConstrainedLanguage', or 'FullLanguage'
    LanguageMode = 'FullLanguage'
    
    }

    I enter a pssession and specify the full language config type, however the language mode is still constrained and I still can't execute the script.

    PS C:\Windows> Enter-PSSession -ComputerName w2k8-c12-01 -ConfigurationName tp_session
    
    [w2k8-c12-01]: PS C:\Users\administrator.XXXX\Documents> $ExecutionContext.SessionState.LanguageMode
    ConstrainedLanguage
    
    [w2k8-c12-01]: PS C:\Users\administrator.XXXX\Documents> .\get-installedProg.ps1
    Cannot invoke method. Method invocation is supported only on core types in this language mode.
    At C:\Users\administrator.XXXX\Documents\get-installedProg.ps1:12 char:5
    +     $reg=[microsoft.win32.registrykey]::OpenRemoteBaseKey('LocalMachi ...
    +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage
     
    You cannot call a method on a null-valued expression.
    At C:\Users\administrator.XXXX\Documents\get-installedProg.ps1:16 char:5
    +     $regkey=$reg.OpenSubKey($UninstallKey)
    +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull
     
    You cannot call a method on a null-valued expression.
    At C:\Users\administrator.XXXX\Documents\get-installedProg.ps1:20 char:5
    +     $subkeys=$regkey.GetSubKeyNames()
    +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull
     
    
    
    
    
  • #71179
    Don Jones
    Keymaster

    Well... with all due respect, that's a stupid security policy your organization has come up with. Given that only administrators can connect to the default endpoint, you're essentially positing a world where an administrator account has been compromised, and if that happens, PowerShell endpoints are going to be your least concern.

    Additionally, there's basically nothing stopping said malware from just launching a local PowerShell session and having full language, etc. A better approach would be to prevent malware from running on your systems. Your current policy achieves nothing in terms of protection; as an attacker, I could literally circumvent this in a dozen different ways. Instead, you're simply preventing yourself from being able to properly manage the environment. It would be trivial, for example, to simply push an executable to the remote machine and then run that locally to do whatever evil an attacker wanted to achieve.

    But yes, what you're seeing is the intended and desired behavior of that GP setting. You can't really override it in-scope, because that'd defeat the point of the GP setting.

  • #71219
    Brian Clanton
    Participant

    I am looking at the GPO in question and I am trying to find a correlation to what it is doing and why it is affecting PowerShell Endpoint.

    Basically, it is placing Software Restriction Rules on the following paths to disallow users from inadvertently picking something up in their browser that then runs in an %appdata% or %localappdata% directory.

    Computer Configuration -> Policies -> Security Settings -> Software Restriction Policies -> Additional Rules

    %APPDATA%
    Security Level	Disallowed
    Description	Blocking APPData Path
    Date last modified	12/20/2013 4:22:02 PM
    
    %LOCALAPPDATA%
    Security Level	Disallowed
    Description	
    Date last modified	8/18/2014 1:29:14 PM

    The rest are 'Unrestricted' allowances based on specific files to allow to run in the previously 'disallowed' directory paths.

    Example:

    LOCALAPPDATA%\Citrix\GotoMeeting\*
    Security Level	Unrestricted
    Description	
    Date last modified	8/21/2014 8:45:03 AM
    
    
    GoogleUpdate.exe
    Security Level	Unrestricted
    Description	Google Chrome Installer
    Date last modified	1/29/2015 11:55:26 AM
    

    That is basically it as far as this GPO. I am sure I can make an additional 'Unrestricted' rule if I can find the correlation between what this GPO is disallowing that is setting default PS profile endpoints into 'Constrained mode'. I can't see what that would be.

    I isolated the part of my 'get-installedPrograms' script and the part of my script that generates this language mode issue is where I assign a registry location to a variable. Not sure how preventing %appdata% and running my script with domain admin credentials would cause this.

    PS C:\Users\tsadmin> $computername = $env:computername
    
    $reg=[microsoft.win32.registrykey]::OpenRemoteBaseKey('LocalMachine',$computername)  
    Cannot invoke method. Method invocation is supported only on core types in this language mode.
    At line:3 char:1
    + $reg=[microsoft.win32.registrykey]::OpenRemoteBaseKey('LocalMachine', ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage
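
A read-only diagnostic for the question raised in this post (which Software Restriction path rule would catch a file in the administrator's temp directory), added here as an example and not part of the thread. It relies on Windows PowerShell 5 choosing its language mode by testing temporary `__PSScriptPolicyTest_*` script files in the user's temp directory against AppLocker/SRP. The longest-match rule selection is a simplification of SRP precedence, and the sample profile paths are constructed.

```powershell
# Added example; not from the thread. Reads policy only, changes nothing.
# Written with cmdlets and [string]/[regex] members only.

# SRP path rules delivered by Group Policy are stored per security level:
#   ...\CodeIdentifiers\<level>\Paths\{rule-guid}   (value ItemData = the rule path)
$SrpRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$SrpLevel = @{ '0' = 'Disallowed'; '131072' = 'BasicUser'; '262144' = 'Unrestricted' }

function Get-SrpPathRule {
    # Returns one object per machine-level SRP path rule (Level, Path).
    param([string]$Root = $SrpRoot)
    if (-not (Test-Path $Root)) { return }
    foreach ($level in Get-ChildItem $Root) {
        $paths = Join-Path $level.PSPath 'Paths'
        if (-not (Test-Path $paths)) { continue }
        foreach ($rule in Get-ChildItem $paths) {
            $item = Get-ItemProperty -Path $rule.PSPath
            New-Object psobject -Property @{
                Level = $SrpLevel[$level.PSChildName]
                Path  = $item.ItemData
            }
        }
    }
}

function Expand-SrpRulePath {
    # Expands %NAME% tokens from the supplied table. Registry-path rules such as
    # %HKEY_LOCAL_MACHINE\...% are left as written and therefore never match here.
    param([string]$Rule, [hashtable]$Environment)
    foreach ($name in $Environment.Keys) {
        $value = ([string]$Environment[$name]).Replace('$', '$$')
        $Rule  = $Rule -ireplace [regex]::Escape("%$name%"), $value
    }
    $Rule.TrimEnd('\')
}

function Find-SrpDecision {
    # Picks the matching rule with the longest expanded path (simplified precedence).
    param([string]$FilePath, [object[]]$Rules, [hashtable]$Environment)
    $leaf = Split-Path $FilePath -Leaf
    $hits = foreach ($r in $Rules) {
        $p = Expand-SrpRulePath -Rule $r.Path -Environment $Environment
        if ($p -notmatch '[\\/]') {
            $isHit = $leaf -like $p            # bare file-name rule
        } else {
            $isHit = ($FilePath -like $p) -or ($FilePath -like "$p\*")
        }
        if ($isHit) {
            New-Object psobject -Property @{
                File = $FilePath; Level = $r.Level; Rule = $r.Path; Length = $p.Length
            }
        }
    }
    $best = $hits | Sort-Object Length -Descending | Select-Object -First 1
    if ($best) { return $best }
    New-Object psobject -Property @{
        File = $FilePath; Level = 'DefaultLevel applies'; Rule = $null; Length = 0
    }
}

# --- Constructed sample: four rules quoted in the post, made-up profile paths ---
$sampleEnv = @{
    APPDATA      = 'C:\Users\tsadmin\AppData\Roaming'
    LOCALAPPDATA = 'C:\Users\tsadmin\AppData\Local'
}
$sampleRules = @(
    @{ Level = 'Disallowed';   Path = '%APPDATA%' }
    @{ Level = 'Disallowed';   Path = '%LOCALAPPDATA%' }
    @{ Level = 'Unrestricted'; Path = '%LOCALAPPDATA%\Citrix\GotoMeeting\*' }
    @{ Level = 'Unrestricted'; Path = 'GoogleUpdate.exe' }
)
$sampleFiles = @(
    'C:\Users\tsadmin\AppData\Local\Temp\__PSScriptPolicyTest_sample.ps1'
    'C:\Users\tsadmin\AppData\Local\Citrix\GotoMeeting\g2mstart.exe'
)
foreach ($f in $sampleFiles) {
    Find-SrpDecision -FilePath $f -Rules $sampleRules -Environment $sampleEnv |
        Select-Object File, Level, Rule
}

# --- Live check: which rule covers a script in this account's temp directory? ---
$liveRules = @(Get-SrpPathRule)
if ($liveRules.Count -gt 0) {
    $liveEnv = @{}
    Get-ChildItem Env: | ForEach-Object { $liveEnv[$_.Name] = $_.Value }
    $probe = Join-Path $env:TEMP '__PSScriptPolicyTest_probe.ps1'   # name only, no file is created
    "Current language mode: $($ExecutionContext.SessionState.LanguageMode)"
    Find-SrpDecision -FilePath $probe -Rules $liveRules -Environment $liveEnv |
        Select-Object File, Level, Rule
}
```

On the constructed sample, the temp-directory script resolves to the `%LOCALAPPDATA%` Disallowed rule, while the GoToMeeting binary resolves to its more specific Unrestricted rule.
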
  • #71222
    Don Jones
    Keymaster

    Oh.

    That has literally zero to do with the language level in a PowerShell endpoint. You're looking for something under Remote Shell.

  • #71227
    Brian Clanton
    Participant

    This is the GPO in its entirety with Company name obfuscated. Still not seeing how this applies to my problem. The delegation is specific servers where this GPO is not applied. We only apply this to terminal servers.

    Block-App-Data-Exec
    Data collected on: 5/22/2017 12:39:26 PM	
    General
    Details
    Domain	XXXXX.local
    Owner	XXXXX\Domain Admins
    Created	1/28/2016 5:31:46 PM
    Modified	5/22/2017 10:54:14 AM
    User Revisions	2 (AD), 2 (sysvol)
    Computer Revisions	250 (AD), 250 (sysvol)
    Unique ID	{7C011E8D-341E-479D-8D86-A49878F2AE7E}
    GPO Status	Enabled
    Links
    Location	Enforced	Link Status	Path
    XXXXX	No	Enabled	XXXXX.local
    RemoteServers	No	Enabled	XXXXX.local/RemoteServers
    
    This list only includes links in the domain of the GPO.
    Security Filtering
    The settings in this GPO can only apply to the following groups, users, and computers:
    Name
    NT AUTHORITY\Authenticated Users
    Delegation
    These groups and users have the specified permission for this GPO
    Name	Allowed Permissions	Inherited
    NT AUTHORITY\Authenticated Users	Read (from Security Filtering)	No
    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS	Read	No
    NT AUTHORITY\SYSTEM	Edit settings, delete, modify security	No
    S-1-5-21-1752468135-3490779455-4126847218-12992	Custom	No
    XXXXX\B5$	Custom	No
    XXXXX\B8$	Custom	No
    XXXXX\Domain Admins	Edit settings, delete, modify security	No
    XXXXX\Enterprise Admins	Edit settings, delete, modify security	No
    XXXXX\W12-CITRIX76$	Custom	No
    XXXXX\W12-CITRIXLIC$	Custom	No
    XXXXX\W12-DAG-EX01$	Custom	No
    XXXXX\W12-DAG-EX02$	Custom	No
    XXXXX\W12-DAG-EX03$	Custom	No
    XXXXX\W12-DAG-EX04$	Custom	No
    XXXXX\W12-DAG-FSW1$	Custom	No
    XXXXX\W12-DEVILDOGS$	Custom	No
    XXXXX\W12-EX01B$	Custom	No
    XXXXX\W12-EX02$	Custom	No
    XXXXX\W12-EX03$	Custom	No
    XXXXX\W12-R12-01V$	Custom	No
    XXXXX\W12-SAN-MGMT$	Custom	No
    XXXXX\W16-R12-01S$	Custom	No
    XXXXX\W2K8-ADMT$	Custom	No
    XXXXX\W2K8-C04$	Custom	No
    XXXXX\W2K8-DC1$	Read	No
    XXXXX\W2K8-DC2$	Custom	No
    XXXXX\W2K8-EX-MIG$	Custom	No
    XXXXX\W2K8-EX-MIG2$	Custom	No
    XXXXX\W2K8-LSOBGYN$	Custom	No
    XXXXX\W2K8-OME$	Custom	No
    XXXXX\W2K8-R02$	Custom	No
    XXXXX\W2K8-R26$	Custom	No
    XXXXX\W2K8-SQL601S$	Custom	No
    XXXXX\W2K8-SQL622S$	Custom	No
    XXXXX\W7-AMC-QB$	Custom	No
    Computer Configuration (Enabled)
    Policies
    Windows Settings
    Security Settings
    Public Key Policies/Trusted Root Certification Authorities
    Properties
    Policy	Setting
    Allow users to select new root certification authorities (CAs) to trust	Enabled
    Client computers can trust the following certificate stores	Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
    To perform certificate-based authentication of users and computers, CAs must meet the following criteria	Registered in Active Directory only
    Software Restriction Policies
    Enforcement
    Policy	Setting
    Apply software restriction policies to the following	All software files except libraries (such as DLLs)
    Apply software restriction policies to the following users	All users
    When applying software restriction policies	Ignore certificate rules
    
    Designated File Types
    File Extension	File Type
    ADE	Microsoft Access Project Extension
    ADP	Microsoft Access Project
    BAS	BAS File
    BAT	Windows Batch File
    CHM	Compiled HTML Help file
    CMD	Windows Command Script
    COM	MS-DOS Application
    CPL	Control panel item
    CRT	Security Certificate
    EXE	Application
    HLP	Help file
    HTA	HTML Application
    INF	Setup Information
    INS	INS File
    ISP	ISP File
    MDB	Microsoft Access Database
    MDE	Microsoft Access MDE Database
    MSC	Microsoft Common Console Document
    MSI	Windows Installer Package
    MSP	Windows Installer Patch
    MST	MST File
    OCX	ActiveX control
    PCD	PCD File
    PIF	Shortcut to MS-DOS Program
    REG	Registration Entries
    SCR	Screen saver
    SHS	SHS File
    URL	Internet Shortcut
    VB	Visual Basic Source file
    WSC	Windows Script Component
    
    Trusted Publishers
    Trusted publisher management	Allow all administrators and users to manage user's own Trusted Publishers
    Certificate verification	None
    
    Software Restriction Policies/Security Levels
    Policy	Setting
    Default Security Level	Unrestricted
    Software Restriction Policies/Additional Rules
    Path Rules
    %APPDATA%
    Security Level	Disallowed
    Description	Blocking APPData Path
    Date last modified	12/20/2013 4:22:02 PM
    
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    Security Level	Unrestricted
    Description	
    Date last modified	12/20/2013 4:15:29 PM
    
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
    Security Level	Unrestricted
    Description	
    Date last modified	12/20/2013 4:15:29 PM
    
    %LOCALAPPDATA%
    Security Level	Disallowed
    Description	
    Date last modified	8/18/2014 1:29:14 PM
    
    %LOCALAPPDATA%\*\GoToAssist Opener.exe
    Security Level	Unrestricted
    Description	GoToAssist
    Date last modified	1/20/2017 8:00:41 AM
    
    %LOCALAPPDATA%\Citrix\*
    Security Level	Unrestricted
    Description	GoToAssist
    Date last modified	2/16/2016 1:23:05 PM
    
    %LOCALAPPDATA%\Citrix\GotoMeeting\*
    Security Level	Unrestricted
    Description	
    Date last modified	8/21/2014 8:45:03 AM
    
    %LOCALAPPDATA%\Temp\*\Availity.msi
    Security Level	Unrestricted
    Description	Availity Plugin override for CPS
    Date last modified	10/7/2014 9:53:05 AM
    
    %LOCALAPPDATA%\Temp\*\Centricity.msi
    Security Level	Unrestricted
    Description	Centricity Plugin for CPS
    Date last modified	10/7/2014 9:59:44 AM
    
    %LOCALAPPDATA%\Temp\*\ExpressBill.msi
    Security Level	Unrestricted
    Description	ExpressBill installer
    Date last modified	10/7/2014 10:01:50 AM
    
    %LOCALAPPDATA%\Temp\*\LogParser.msi
    Security Level	Unrestricted
    Description	Kryptiq SMPP installer for Log files.
    Date last modified	9/9/2014 11:42:38 AM
    
    %LOCALAPPDATA%\Temp\1\*\Windows\*
    Security Level	Unrestricted
    Description	
    Date last modified	10/7/2014 3:02:52 PM
    
    %LOCALAPPDATA%\Temp\1\Citrix\GoToAssist\*
    Security Level	Unrestricted
    Description	GoToAssist Launcher
    Date last modified	10/2/2014 2:07:10 PM
    
    %LOCALAPPDATA%\Temp\7\A2FCCB0A-892E-4138-9E28-45FB3841F71A.bat
    Security Level	Unrestricted
    Description	GotoMeeting launcher Bat file
    Date last modified	8/21/2014 8:17:14 AM
    
    %LOCALAPPDATA%\Temp\Citrix\*
    Security Level	Unrestricted
    Description	Citrix Go To Assist
    Date last modified	10/8/2014 8:26:36 AM
    
    %LOCALAPPDATA%\Temp\Microsoft .NET Framework 4 Setup_4.0.30319\*
    Security Level	Unrestricted
    Description	
    Date last modified	9/11/2014 4:17:43 PM
    
    *Centricity.msi
    Security Level	Unrestricted
    Description	20150807, ZS, CPS Insall.
    Date last modified	8/7/2015 9:29:55 AM
    
    *gotoassistlauncher.exe
    Security Level	Unrestricted
    Description	Goto Assist Launcher
    Date last modified	2/24/2016 10:42:33 AM
    
    *npp.6.8.1.Installer.exe
    Security Level	Unrestricted
    Description	Notepad++ installer CG 8/5/15
    Date last modified	8/5/2015 3:23:47 PM
    
    *Procmon.exe
    Security Level	Unrestricted
    Description	Process monitor
    Date last modified	5/9/2017 3:47:27 PM
    
    *procmon64.exe
    Security Level	Unrestricted
    Description	
    Date last modified	5/9/2017 3:50:37 PM
    
    *webex.exe
    Security Level	Unrestricted
    Description	WebEx
    Date last modified	9/19/2016 3:43:25 PM
    
    _cleanup.bat
    Security Level	Unrestricted
    Description	Join.me cleanup utility
    Date last modified	8/19/2014 2:59:01 PM
    
    _iu14D2N.tmp
    Security Level	Unrestricted
    Description	eSM Uninstaller
    Date last modified	4/4/2016 11:41:19 AM
    
    1033.MST
    Security Level	Unrestricted
    Description	intellispace installer for Fitzgibbons
    Date last modified	12/6/2016 11:11:38 AM
    
    1033_x64.mst
    Security Level	Unrestricted
    Description	Quest installer for enemble
    Date last modified	1/12/2015 12:45:01 PM
    
    AppCore.exe
    Security Level	Unrestricted
    Description	Gotoassist runtime
    Date last modified	10/24/2014 10:51:47 AM
    
    availity.msi
    Security Level	Unrestricted
    Description	20150807, ZS, CPS Plugin Install.
    Date last modified	8/7/2015 9:17:48 AM
    
    bepatch.msp
    Security Level	Unrestricted
    Description	Symantec hot patch install applet
    Date last modified	12/29/2014 3:17:24 PM
    
    biosie.exe
    Security Level	Unrestricted
    Description	R420 BIOS
    Date last modified	1/30/2015 7:37:09 AM
    
    bomgar-scc.exe
    Security Level	Unrestricted
    Description	CallPointe remote connect.
    Date last modified	11/15/2016 11:46:17 AM
    
    C:\Program Files (x86)\Sage\Peachtree\Peachw.exe
    Security Level	Unrestricted
    Description	Sage 50 Accounting 2015
    Date last modified	7/11/2016 8:37:31 AM
    
    C:\Program Files (x86)\WebEx\Record Playback\AtAuthor.exe
    Security Level	Unrestricted
    Description	WebexRecorder
    Date last modified	7/27/2016 1:02:43 PM
    
    C:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\*\*\GoToAssist Opener.exe
    Security Level	Unrestricted
    Description	GoToAssist
    Date last modified	1/20/2017 8:05:49 AM
    
    C:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J8KI2RI3\GoToMeeting Opener.exe
    Security Level	Unrestricted
    Description	Citrix GoToMeeting
    Date last modified	11/15/2016 1:02:18 PM
    
    C:\Users\Administrator.MMSASP\AppData\Local\Citrix\GoToAssist Remote Support Customer\g2ax_customer_combined_dll_core_win32_x86_758.exe
    Security Level	Unrestricted
    Description	citrix
    Date last modified	10/8/2014 8:28:17 AM
    
    C:\Users\tsadmin\AppData\Local\Temp\*\mbam-setup-2.2.1.1043.tmp
    Security Level	Unrestricted
    Description	
    Date last modified	3/31/2016 9:54:52 AM
    
    CentricityRT.msi
    Security Level	Unrestricted
    Description	
    Date last modified	12/1/2014 12:26:05 AM
    
    chrome_installer.exe
    Security Level	Unrestricted
    Description	Google Chrome Installer
    Date last modified	1/29/2015 11:55:08 AM
    
    CitrixOnlineLauncher.exe
    Security Level	Unrestricted
    Description	G2M Launcher exe
    Date last modified	10/3/2014 2:20:37 PM
    
    CitrixOnlineLauncher.msi
    Security Level	Unrestricted
    Description	G2M Launcher MSI
    Date last modified	8/21/2014 8:40:25 AM
    
    ClientSetup.tmp
    Security Level	Unrestricted
    Description	
    Date last modified	12/19/2016 12:43:39 PM
    
    CMS1500.msi
    Security Level	Unrestricted
    Description	CMS1500 Plugin for CPS
    Date last modified	9/26/2014 12:02:52 PM
    
    CodeCorrect.msi
    Security Level	Unrestricted
    Description	Code Correct CPS Plug-in
    Date last modified	9/19/2016 10:11:37 AM
    
    courgette.exe
    Security Level	Unrestricted
    Description	Go To Meeting Launcher
    Date last modified	12/1/2016 2:33:34 PM
    
    CPS_*_DocuSign for Patients.msi
    Security Level	Unrestricted
    Description	Docusign msi
    Date last modified	11/19/2014 1:59:54 PM
    
    CPS_2.5.0.15_DocuSign for Patients.msi
    Security Level	Disallowed
    Description	
    Date last modified	11/19/2014 4:35:27 PM
    
    CPSHCM.msi
    Security Level	Unrestricted
    Description	CPSHCM plug-in for CPS
    Date last modified	2/16/2016 11:17:42 AM
    
    CustomInstaller.exe
    Security Level	Unrestricted
    Description	Ideal Image for OAR
    Date last modified	9/18/2016 8:41:19 PM
    
    dismhost.exe
    Security Level	Unrestricted
    Description	IE11 Installer from Windows Updates
    Date last modified	4/11/2016 12:48:51 AM
    
    DLLSetup9.tmp
    Security Level	Unrestricted
    Description	DLL Updater for BrokerWolf.
    Date last modified	4/4/2017 8:32:39 AM
    
    DLLUpdate.tmp
    Security Level	Unrestricted
    Description	BrokerWolf Update
    Date last modified	4/4/2017 8:27:16 AM
    
    dotnetchk.exe
    Security Level	Unrestricted
    Description	QuickBooks File Doctor Installer
    Date last modified	4/26/2017 2:24:23 PM
    
    dotNetFx35setup.exe
    Security Level	Unrestricted
    Description	.NET Installer
    Date last modified	4/4/2016 11:20:53 AM
    
    EchoOneApp-7-4-10.exe
    Security Level	Unrestricted
    Description	oneapp pro for hpcp
    Date last modified	6/10/2016 9:25:42 PM
    
    ECWdependencies.msi
    Security Level	Unrestricted
    Description	Ecw Dependencies Setup
    Date last modified	10/24/2016 4:06:10 PM
    
    Elsinore.ScreenConnect.Client*.exe
    Security Level	Unrestricted
    Description	Screen Connect for Visualutions
    Date last modified	9/23/2016 3:27:02 PM
    
    Elsinore.ScreenConnect.Client.exe
    Security Level	Unrestricted
    Description	Visualutions Screen Connect
    Date last modified	5/10/2016 10:12:35 AM
    
    Elsinore.ScreenConnect.WindowsClient.exe
    Security Level	Unrestricted
    Description	HealthCo Screen Connect
    Date last modified	4/27/2016 1:26:43 PM
    
    encrypt.exe
    Security Level	Unrestricted
    Description	SEPM package builder
    Date last modified	8/20/2014 2:27:52 PM
    
    ensemble_x64.msi
    Security Level	Unrestricted
    Description	Quest installer for Ensemble
    Date last modified	1/12/2015 12:42:59 PM
    
    EsmClinicInstaller*.tmp
    Security Level	Unrestricted
    Description	eSM Installer
    Date last modified	4/4/2016 11:20:06 AM
    
    EsmClinicUpdate*.tmp
    Security Level	Unrestricted
    Description	eSM Installer
    Date last modified	4/4/2016 11:19:45 AM
    
    ExpressBill.msi
    Security Level	Unrestricted
    Description	ExpressBill CPS Plug-in
    Date last modified	2/20/2016 1:25:56 PM
    
    eZeeFD.exe
    Security Level	Unrestricted
    Description	Ezee Installer
    Date last modified	2/23/2016 10:31:37 PM
    
    framework452.exe
    Security Level	Unrestricted
    Description	.net framework install
    Date last modified	6/11/2016 4:36:14 PM
    
    g2acomm.exe
    Security Level	Unrestricted
    Description	GoToAssist Launcher
    Date last modified	10/2/2014 2:01:03 PM
    
    G2AInstaller.exe
    Security Level	Unrestricted
    Description	Go2Assist for VirtualOfficeWare Support for PDR - CG
    Date last modified	10/2/2014 1:56:34 PM
    
    g2alaunchercustomer.exe
    Security Level	Unrestricted
    Description	
    Date last modified	10/2/2014 2:01:53 PM
    
    g2aservice.exe
    Security Level	Unrestricted
    Description	GoToAssist Launcher
    Date last modified	10/2/2014 2:00:15 PM
    
    g2asessioncontrol.exe
    Security Level	Unrestricted
    Description	
    Date last modified	10/2/2014 2:02:51 PM
    
    g2ax_installer_customer.exe
    Security Level	Unrestricted
    Description	Go To Assist
    Date last modified	9/19/2016 12:11:08 PM
    
    g2mcomm.exe
    Security Level	Unrestricted
    Description	G2m communication pipe
    Date last modified	8/21/2014 8:39:13 AM
    
    G2MCoreInstExtractor*.exe
    Security Level	Unrestricted
    Description	Go To Meeting Launcher
    Date last modified	12/1/2016 2:31:41 PM
    
    G2MCoreInstExtractor.exe
    Security Level	Unrestricted
    Description	G2M Launcher
    Date last modified	8/21/2014 8:11:21 AM
    
    G2MInstaller.exe
    Security Level	Unrestricted
    Description	GTM Installer
    Date last modified	8/21/2014 8:28:30 AM
    
    G2MInstallerExtractor.exe
    Security Level	Unrestricted
    Description	G2MInstallerExtractor.exe
    Date last modified	4/11/2016 1:15:12 PM
    
    g2mlauncher.exe
    Security Level	Unrestricted
    Description	G2M Launcher
    Date last modified	8/21/2014 8:43:50 AM
    
    g2mstart.exe
    Security Level	Unrestricted
    Description	GTM Launcher Startup file
    Date last modified	8/21/2014 8:37:02 AM
    
    g2mui.exe
    Security Level	Unrestricted
    Description	G2M UI
    Date last modified	8/21/2014 8:47:57 AM
    
    gccheck_small.exe
    Security Level	Unrestricted
    Description	Adobe Reader Installer
    Date last modified	10/3/2016 10:26:48 AM
    
    GenericEStatements.msi
    Security Level	Unrestricted
    Description	GenericEStatements
    Date last modified	2/10/2016 9:13:17 AM
    
    GePmGuiConfiguration.msi
    Security Level	Unrestricted
    Description	Docusign
    Date last modified	11/19/2014 4:42:07 PM
    
    GePmGuiConfigurationBottom.exe
    Security Level	Unrestricted
    Description	Docusign
    Date last modified	11/19/2014 4:35:48 PM
    
    GePmGuiConfigurationBottom.exe
    Security Level	Unrestricted
    Description	docusign
    Date last modified	11/19/2014 4:39:20 PM
    
    getpaths.cmd
    Security Level	Unrestricted
    Description	part of Netsupport's install process.
    Date last modified	1/2/2015 6:47:52 AM
    
    Git-1.9.4-preview20140815.tmp
    Security Level	Unrestricted
    Description	Git Preview 9.14
    Date last modified	8/27/2014 9:59:02 AM
    
    GLJ3025.tmp
    Security Level	Unrestricted
    Description	Visualutions GridEX Installer
    Date last modified	10/17/2016 4:17:20 PM
    
    googlechromestandaloneenterprise.msi
    Security Level	Unrestricted
    Description	Google Chrome Installer
    Date last modified	5/24/2016 2:28:29 PM
    
    GoogleChromeStandaloneEnterprise64.msi
    Security Level	Unrestricted
    Description	Google Chrome Installer
    Date last modified	6/9/2016 8:48:46 AM
    
    GoogleUpdate.exe
    Security Level	Unrestricted
    Description	Google Chrome Installer
    Date last modified	1/29/2015 11:55:26 AM
    
    GoToAssist Corporate Opener.exe
    Security Level	Unrestricted
    Description	Go To Assist Installer
    Date last modified	5/15/2017 4:45:46 PM
    
    GoToAssist Launcher.exe
    Security Level	Unrestricted
    Description	GoToAssist Launcher
    Date last modified	4/11/2016 1:08:24 PM
    
    GoToAssist.exe
    Security Level	Unrestricted
    Description	GoToAssist Binary
    Date last modified	10/24/2014 10:54:09 AM
    
    GoToAssist_service_*.exe
    Security Level	Unrestricted
    Description	GoToAssist binary
    Date last modified	10/24/2014 10:53:46 AM
    
    GoToAssistStarter.exe
    Security Level	Unrestricted
    Description	GoToAssist Launcher
    Date last modified	10/2/2014 1:59:14 PM
    
    GoToMeeting Launcher.exe
    Security Level	Unrestricted
    Description	G2M Launcher
    Date last modified	8/26/2014 8:16:37 AM
    
    GoToMeeting_Launcher.exe
    Security Level	Unrestricted
    Description	GTM Launcher App
    Date last modified	8/21/2014 8:26:49 AM
    
    gtcheck.exe
    Security Level	Unrestricted
    Description	Adobe Reader Installer
    Date last modified	10/3/2016 10:26:34 AM
    
    hwcheck.exe
    Security Level	Unrestricted
    Description	OpenManage Install
    Date last modified	9/2/2014 11:22:54 AM
    
    IdealImage9.msi
    Security Level	Unrestricted
    Description	Ideal Image CPS Plug-in installer.
    Date last modified	3/24/2017 8:39:43 AM
    
    ILMedicaidForm1443.msi
    Security Level	Unrestricted
    Description	CPS Plug-in Installer.
    Date last modified	11/29/2016 10:07:42 AM
    
    iNexxPlatform.msi
    Security Level	Unrestricted
    Description	iNexx Platform Installer
    Date last modified	11/4/2016 8:17:19 AM
    
    InfoExchangeClient.bat
    Security Level	Unrestricted
    Description	
    Date last modified	8/19/2014 11:31:12 AM
    
    IntelliSpace PACS Enterprise.msi
    Security Level	Unrestricted
    Description	Intellispace installer for Fitzgibbons
    Date last modified	12/6/2016 11:09:11 AM
    
    IntuitSyncManager.exe
    Security Level	Unrestricted
    Description	Intuit QuickBooks Sync Manager
    Date last modified	6/13/2016 8:10:19 AM
    
    ISBEW64.exe
    Security Level	Unrestricted
    Description	Plug-in installer for CPS
    Date last modified	8/19/2014 2:59:30 PM
    
    ISScript9.Msi
    Security Level	Unrestricted
    Description	HealthCo Statement Transmitter Installer
    Date last modified	5/3/2017 1:56:02 PM
    
    javainst.exe
    Security Level	Unrestricted
    Description	Java Installer
    Date last modified	9/13/2016 11:39:24 AM
    
    join.me.exe
    Security Level	Unrestricted
    Description	
    Date last modified	8/19/2014 2:58:23 PM
    
    jre-8u91-windows-au.exe
    Security Level	Unrestricted
    Description	Java 8 Update 91 installer.
    Date last modified	5/19/2016 12:41:08 PM
    
    jre-8u91-windows-i586.exe
    Security Level	Unrestricted
    Description	Java Installer
    Date last modified	5/24/2016 11:03:15 AM
    
    jre-8u91-windows-x64.exe
    Security Level	Unrestricted
    Description	Java 8 Update 91 64-bit installer
    Date last modified	5/27/2016 7:20:25 AM
    
    lmi_rescue.exe
    Security Level	Unrestricted
    Description	Log Me In
    Date last modified	8/19/2014 3:00:11 PM
    
    lsetup.exe
    Security Level	Unrestricted
    Description	Backup Exec 2014 install
    Date last modified	9/1/2014 9:42:07 PM
    
    lwupdprg*.exe
    Security Level	Unrestricted
    Description	BrokerWolf update for Starck
    Date last modified	7/9/2016 11:21:57 PM
    
    lwupdprg*.exe
    Security Level	Unrestricted
    Description	Brokerwolf updates
    Date last modified	6/20/2016 7:34:31 AM
    
    M:\Temp\mia1\stamps.msi
    Security Level	Unrestricted
    Description	Stamps.Com installer
    Date last modified	10/16/2014 2:11:13 PM
    
    MakeSFX.exe
    Security Level	Unrestricted
    Description	SEPM package builder
    Date last modified	8/20/2014 2:43:10 PM
    
    mbam-setup.tmp
    Security Level	Unrestricted
    Description	
    Date last modified	12/12/2014 6:56:42 PM
    
    mbam-setup-2.0.2.1012.tmp
    Security Level	Unrestricted
    Description	malwarebytes download
    Date last modified	11/1/2014 2:34:26 PM
    
    mbam-setup-ninite.10789-2.2.1.1043.exe
    Security Level	Unrestricted
    Description	MBAM Installer
    Date last modified	5/19/2016 3:49:06 PM
    
    MBARW_Setup.tmp
    Security Level	Unrestricted
    Description	Malwarebytes AntiRansomware install
    Date last modified	5/17/2016 12:03:46 PM
    
    miniunz.exe
    Security Level	Unrestricted
    Description	Dell Firmware Updates
    Date last modified	9/2/2014 11:39:05 AM
    
    msxml6x64.msi
    Security Level	Unrestricted
    Description	CPS12 SP13 MIK Installer
    Date last modified	12/17/2016 7:38:51 PM
    
    NetSupport Manager.msi
    Security Level	Unrestricted
    Description	NetSupport Install
    Date last modified	9/1/2014 7:27:29 PM
    
    Ninite Chrome Installer.exe
    Security Level	Unrestricted
    Description	Chrome Installer
    Date last modified	6/9/2016 8:46:04 AM
    
    ninite.exe
    Security Level	Unrestricted
    Description	Ninite.com installer
    Date last modified	2/20/2016 1:57:44 PM
    
    novaink7.exe
    Security Level	Unrestricted
    Description	Secure Messaging Desktop for NDBC
    Date last modified	9/29/2016 2:06:27 PM
    
    novainv7.exe
    Security Level	Unrestricted
    Description	Secure Messaging Desktop for NDBC
    Date last modified	9/29/2016 2:06:36 PM
    
    novapk.tmp
    Security Level	Unrestricted
    Description	Secure Messaging Desktop for NDBC
    Date last modified	9/29/2016 2:03:05 PM
    
    novapv.tmp
    Security Level	Unrestricted
    Description	Secure Messaging Desktop for NDBC
    Date last modified	9/29/2016 2:02:33 PM
    
    omchecks.exe
    Security Level	Unrestricted
    Description	OpenManage Install
    Date last modified	9/2/2014 11:23:49 AM
    
    OneAppInstall.exe
    Security Level	Unrestricted
    Description	
    Date last modified	6/10/2016 9:31:28 PM
    
    ose00000.exe
    Security Level	Unrestricted
    Description	Office 2010 Installer
    Date last modified	1/15/2015 2:27:22 PM
    
    pam-setup-x64.exe
    Security Level	Unrestricted
    Description	PAM Install
    Date last modified	8/27/2014 3:15:27 PM
    
    pam-setup-x64.tmp
    Security Level	Unrestricted
    Description	PAM Install
    Date last modified	8/27/2014 3:17:18 PM
    
    PatchSetup.exe
    Security Level	Unrestricted
    Description	Symantec Patch Launcher
    Date last modified	12/29/2014 1:45:11 PM
    
    PCStarter.exe
    Security Level	Unrestricted
    Description	TurboMeeting from Brevium for LSOBGYN
    Date last modified	1/17/2017 11:20:28 AM
    
    prereqreport.vbs
    Security Level	Unrestricted
    Description	OpenManage Install
    Date last modified	9/2/2014 11:21:54 AM
    
    procexp.exe
    Security Level	Unrestricted
    Description	for Process Explorer
    Date last modified	9/6/2014 1:25:37 PM
    
    procexp64.exe
    Security Level	Unrestricted
    Description	for 64bit Process Exlorer
    Date last modified	9/6/2014 1:29:36 PM
    
    produkey.exe
    Security Level	Unrestricted
    Description	Produkey to grab license keys.
    Date last modified	1/30/2017 10:22:13 AM
    
    QIE2043_6347_64bit.tmp
    Security Level	Unrestricted
    Description	QIE Installer
    Date last modified	5/24/2016 2:28:07 PM
    
    QIE2043_6698_64bit.tmp
    Security Level	Unrestricted
    Description	QVera Installer
    Date last modified	9/13/2016 11:41:51 AM
    
    QuickBooks File Doctor setup.exe
    Security Level	Unrestricted
    Description	QuickBooks File Doctor Installer
    Date last modified	4/26/2017 2:18:13 PM
    
    QuickBooks File Doctor.msi
    Security Level	Unrestricted
    Description	QuickBooks File Doctor Installer
    Date last modified	4/26/2017 2:23:55 PM
    
    quickbooksinstalldiagnostictool.exe
    Security Level	Unrestricted
    Description	
    Date last modified	12/25/2014 4:45:11 AM
    
    quickbooksinstalldiagnostictoolapp.exe
    Security Level	Unrestricted
    Description	
    Date last modified	12/25/2014 4:47:29 AM
    
    r65588en*
    Security Level	Unrestricted
    Description	
    Date last modified	6/30/2015 10:56:08 AM
    
    r65690en*.exe
    Security Level	Unrestricted
    Description	Ricoh Driver 6/30/15 CG
    Date last modified	6/30/2015 11:04:15 AM
    
    readerdc_en_ra_install.exe
    Security Level	Unrestricted
    Description	Adobe Reader Installer
    Date last modified	5/25/2016 10:44:39 AM
    
    readerdc_en_raie_install.exe
    Security Level	Unrestricted
    Description	Adobe Reader Installer
    Date last modified	10/3/2016 10:26:16 AM
    
    regcheck.vbs
    Security Level	Unrestricted
    Description	OpenManage Install
    Date last modified	9/2/2014 11:23:14 AM
    
    RelayHealth.msi
    Security Level	Unrestricted
    Description	Relay Health CPS Plug-in
    Date last modified	9/2/2014 11:26:19 AM
    
    RelayHealthRT.msi
    Security Level	Unrestricted
    Description	
    Date last modified	12/1/2014 12:31:18 AM
    
    SageAdvisorUpdate.msi
    Security Level	Unrestricted
    Description	Sage 100 Contracting Installer
    Date last modified	5/18/2017 2:53:02 PM
    
    SASDUPIE.exe
    Security Level	Unrestricted
    Description	Dell Firmware Updates
    Date last modified	9/2/2014 11:42:12 AM
    
    ScmHelper.exe
    Security Level	Unrestricted
    Description	SEPM package builder
    Date last modified	8/20/2014 2:17:18 PM
    
    ScreenConnect.WindowsClient.exe
    Security Level	Unrestricted
    Description	ScreenConnect for VOW
    Date last modified	9/22/2016 9:17:25 AM
    
    SDRtmpenv.bat
    Security Level	Unrestricted
    Description	VeritasSDR
    Date last modified	3/9/2017 2:11:49 PM
    
    Sep64.msi
    Security Level	Unrestricted
    Description	SEP local client pull install
    Date last modified	8/20/2014 4:06:21 PM
    
    SEPMPackageTool.exe
    Security Level	Unrestricted
    Description	SEPM package builder
    Date last modified	8/20/2014 2:28:01 PM
    
    setup.exe
    Security Level	Unrestricted
    Description	Plug-in installer for CPS
    Date last modified	8/19/2014 2:59:43 PM
    
    SetupLauncher.exe
    Security Level	Unrestricted
    Description	Backup Exec install launcher
    Date last modified	12/29/2014 1:38:57 PM
    
    SMD.tmp
    Security Level	Unrestricted
    Description	Secure Messaging Desktop for NDBC
    Date last modified	9/29/2016 1:57:33 PM
    
    smpp.tmp
    Security Level	Unrestricted
    Description	SMPP Installer
    Date last modified	3/2/2017 8:31:39 AM
    
    spsetup.exe
    Security Level	Unrestricted
    Description	Dell Firmware Updates
    Date last modified	9/2/2014 11:40:50 AM
    
    SpsModuleSdk.msi
    Security Level	Unrestricted
    Description	Sage 100 Contracting Installer
    Date last modified	5/18/2017 2:54:12 PM
    
    SqlCmdLnUtils.msi
    Security Level	Unrestricted
    Description	SQL Command Line Utilities for eSM
    Date last modified	2/19/2016 7:27:40 AM
    
    SqlCmdLnUtils.msi
    Security Level	Unrestricted
    Description	
    Date last modified	4/4/2016 11:21:27 AM
    
    sqlncli.msi
    Security Level	Unrestricted
    Description	CPS SQL Native Client Installer
    Date last modified	12/7/2016 10:11:13 AM
    
    SsaWrapper.exe
    Security Level	Unrestricted
    Description	SEP local client pull install
    Date last modified	8/20/2014 4:06:29 PM
    
    stamps.exe
    Security Level	Unrestricted
    Description	Stamps.Com installer
    Date last modified	10/16/2014 2:08:05 PM
    
    StarterDotNet20.exe
    Security Level	Unrestricted
    Description	this is the GTM launcher
    Date last modified	8/21/2014 8:10:34 AM
    
    Support-LogMeInRescue.exe
    Security Level	Unrestricted
    Description	
    Date last modified	8/19/2014 12:34:02 PM
    
    SymDiag.exe
    Security Level	Unrestricted
    Description	Symantec Help tool - gathers logs and other data for trouble shooting issues
    Date last modified	12/29/2014 3:16:24 PM
    
    SymDiagUi3.exe
    Security Level	Unrestricted
    Description	Symantec part of SymHelp applet to gather info doe support
    Date last modified	12/29/2014 4:07:38 PM
    
    target.exe
    Security Level	Unrestricted
    Description	Revo Installer
    Date last modified	2/20/2016 1:59:56 PM
    
    TiClientCore.exe
    Security Level	Unrestricted
    Description	FixMe.IT for Phreesia for LSOBGYN
    Date last modified	9/12/2016 2:26:28 PM
    
    TiClientCoreLauncher.exe
    Security Level	Unrestricted
    Description	FixMe.IT for Phreesia for LSOBGYN
    Date last modified	9/12/2016 2:26:00 PM
    
    TiClientStandalone.exe
    Security Level	Unrestricted
    Description	FixMe.IT for Phreesia for LSOBGYN
    Date last modified	9/12/2016 2:24:27 PM
    
    TiLauncher.exe
    Security Level	Unrestricted
    Description	FixMe.IT for Phreesia for LSOBGYN
    Date last modified	9/12/2016 2:22:52 PM
    
    TMDownloader.exe
    Security Level	Unrestricted
    Description	TurboMeeting from Brevium for LSOBGYN
    Date last modified	1/17/2017 11:20:12 AM
    
    TMLauncher.exe
    Security Level	Unrestricted
    Description	TurboMeeting from Brevium for LSOBGYN
    Date last modified	1/17/2017 11:20:24 AM
    
    TurboMeeting.exe
    Security Level	Unrestricted
    Description	Brevium's meeting software
    Date last modified	12/30/2016 9:52:53 AM
    
    TXDWC.msi
    Security Level	Unrestricted
    Description	TXDWC GE Plug-in installer
    Date last modified	12/15/2016 3:04:17 PM
    
    vbstest.vbs
    Security Level	Unrestricted
    Description	OpenManage Install
    Date last modified	9/2/2014 11:20:50 AM
    
    vc_red.msi
    Security Level	Unrestricted
    Description	QuickBooks Install
    Date last modified	11/7/2014 8:20:54 AM
    
    vcredist_x64.exe
    Security Level	Unrestricted
    Description	CPS12.2 Server Setup installer
    Date last modified	10/28/2016 2:07:27 PM
    
    vcredist_x86.exe
    Security Level	Unrestricted
    Description	CPS12.2 Client Installer
    Date last modified	10/28/2016 4:12:39 PM
    
    VFP9DLLs.exe
    Security Level	Unrestricted
    Description	BrokerWolf Updater.
    Date last modified	4/4/2017 8:34:58 AM
    
    VFP9DLLs.tmp
    Security Level	Unrestricted
    Description	BrokerWolf Updater
    Date last modified	4/4/2017 8:36:34 AM
    
    visinstaller*
    Security Level	Unrestricted
    Description	Visualutions software
    Date last modified	1/16/2015 2:28:21 AM
    
    VMware Tools64.msi
    Security Level	Unrestricted
    Description	VMWare Tools Installer
    Date last modified	8/25/2015 1:52:32 PM
    
    VOWFSC.msi
    Security Level	Unrestricted
    Description	JBoss Plugin
    Date last modified	10/2/2014 2:20:11 PM
    
    winrmcheck.vbs
    Security Level	Unrestricted
    Description	OpenManage Install
    Date last modified	9/2/2014 11:23:31 AM
    
    User Configuration (Enabled)
    No settings defined.
    
  • #71233
    Brian Clanton
    Participant

    So this is not language mode for default sessions that is my issue and I am troubleshooting the wrong end? This manifested in a language mode error when I used invoke-command or enter-pssession so I thought it had to do with the PSSC file settings.

    I did another test to affirm that it was this GPO that is causing this issue.

    Server has GPO Block App Data applied.

    PS C:\Users\tsadmin> $ExecutionContext.SessionState.LanguageMode
    ConstrainedLanguage
    
    PS C:\Users\tsadmin> $computername = $env:computername
    
    $reg=[microsoft.win32.registrykey]::OpenRemoteBaseKey('LocalMachine',$computername)  
    Cannot invoke method. Method invocation is supported only on core types in this language mode.
    At line:3 char:1
    + $reg=[microsoft.win32.registrykey]::OpenRemoteBaseKey('LocalMachine', ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage
     

    After denying Block-App-Data read rights for this server and pushing GPO updates.

    PS C:\Users\tsadmin> $ExecutionContext.SessionState.LanguageMode
    FullLanguage
    
    PS C:\Users\tsadmin> $computername = $env:computername
    $reg=[microsoft.win32.registrykey]::OpenRemoteBaseKey('LocalMachine',$computername)  
    
    PS C:\Users\tsadmin> 
  • #71236
    Don Jones
    Keymaster

    K that's a lot of data ;).

    You're conflating a few unrelated things, and you're also being affected by some interaction between features – specifically, AppLocker and Software Restriction Policies. See https://social.technet.microsoft.com/Forums/ie/en-US/44445864-ee91-4073-9f21-50ab36ec781b/powershell-5-limited-to-constrainedlanguage-language-mode?forum=winserverpowershell.

    You may find some additional context in https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/.

    It isn't so much an SRP setting, which is what you listed in detail above. It's the fact that SRP is enabled.

  • #71624
    Brian Clanton
    Participant

    Done A LOT of reading this Memorial weekend. There are scripts that I would like to run remotely, which gather information from each terminal server where I will need to go into the registry (example, listing installed programs on every server for comparison).

    This link to this forum had this to say:

    "Powershell makes a test if it works under Application White List (AWL) or not. Powershell creates a couple of files with extension ps1 and psm1 in %temp% folder and then tries to start it. If this attempt fails Powershell decides that it works under AWL and switches on constrained language mode. Name of the files created by powershell are always random but the content of these files is always the same (each file consists of the only one symbol – '1'). So you can create the only one hash rule to allow these files to start."

    My supervisor does not want me to make an allowance rule in the SRP group policy we have which will allow *.ps1 files to run in the administrator AppData folder. I tried modifying the administrator's "User" temp variable to something else outside of the Appdata directory and that doesn't work.

    The last sentence suggested hashing the script would allow for 'full language' capability and that doesn't work either (script still errors out with 'language-mode' disallow error, despite running PS session as domain administrator).

    My goal is to be able to run commands/scripts both locally and remote in full language mode as an administrator while still utilizing our SRP to apply to any other accounts.

    I have not found anyone who has indicated they have accomplished this with PS 5 while using a SRP Group Policy. I know I can Deny rights to this policy for the domain admin, but was wondering if there is any other way around it.
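
A diagnostic for the situation discussed in this thread, added here as an example and not posted by either participant: it reports, per server, the session's language mode next to whether SRP or AppLocker policy is present, which is the condition Don Jones points to. The function name `Get-LockdownState` and the server list are assumptions; the registry paths are the standard Windows policy locations for SRP (`Safer\CodeIdentifiers`) and AppLocker (`SrpV2`).

```powershell
# Added example (not from the thread). Uses only cmdlets, property reads and
# core types, so it also runs inside a ConstrainedLanguage session.
function Get-LockdownState {
    # Language mode of the session this code is executing in
    $mode = "$($ExecutionContext.SessionState.LanguageMode)"

    # Software Restriction Policies applied by GPO are stored under this key
    $srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $srp = Get-ItemProperty -Path $srpKey -ErrorAction SilentlyContinue

    # AppLocker rule collections (Exe, Script, Msi, ...) are stored under SrpV2
    $alKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
    $collections = @()
    if (Test-Path -Path $alKey) {
        foreach ($c in Get-ChildItem -Path $alKey) {
            $p = Get-ItemProperty -Path $c.PSPath -ErrorAction SilentlyContinue
            # EnforcementMode: 0 = audit only, 1 = enforce rules
            $collections += "$($c.PSChildName)=$($p.EnforcementMode)"
        }
    }

    New-Object -TypeName psobject -Property @{
        ComputerName    = $env:COMPUTERNAME
        LanguageMode    = $mode
        SrpPresent      = ($null -ne $srp)
        # DefaultLevel: 0 = Disallowed, 262144 (0x40000) = Unrestricted
        SrpDefaultLevel = $srp.DefaultLevel
        AppLocker       = ($collections -join ', ')
    }
}

# Local check
Get-LockdownState

# Remote check: server names here are placeholders for your own list
$servers = 'w2k8-c12-01', 'SERVER-PLACEHOLDER-02'
Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-LockdownState} |
    Select-Object ComputerName, LanguageMode, SrpPresent, SrpDefaultLevel, AppLocker |
    Sort-Object ComputerName |
    Format-Table -AutoSize
```

Servers that show `ConstrainedLanguage` together with `SrpPresent = True` or a non-empty `AppLocker` column are the ones where the application-control policy, not the session configuration file, is setting the language mode.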
