May 21, 2017 at 9:53 pm

I am in the process of prepping our 100+ terminal server environment for remote PowerShell management and I have run into a problem regarding Endpoint configuration.

Summary:
We have a 'Block_App_Exec' GPO that apparently puts the default powershell endpoint on each server into a Constrained language mode which prevents me from running different types of scripts on the network. This GPO was put in place to prevent certain types of malware from running and encrypting files. I confirmed this was the entity that was putting PowerShell endpoint into constrained mode by removing a specific server from the GPO. Post removal, I was able to do the steps below and run my inventory application script without hindrance.

My 'resolution' was to define a custom endpoint on each server with 'Full Language Mode' capability, however that does not seem to make a difference even when I do a direct session to that endpoint…the $ExecutionContext.SessionState.LanguageMode still returns constrained mode even though I am connecting to the session configuration type that has 'Full Language Mode' capability.

It seems that the GPO is overriding my custom endpoint.

Want to confirm that my method is sound so I can invoke powershell commands without relaxing security policies from our network.

This is a test on one server in the mix to illustrate the issue.

*****
Confirming that the session is in Constrained mode.
*****

[w2k8-c12-01]: PS C:\> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage

Whether I use the Invoke-command or Enter-pssession, current language mode prevents execution.

[w2k8-c12-01]: PS C:\Users\administrator.XXXX\Documents> .\get-installedProg.ps1
Cannot invoke method. Method invocation is supported only on core types in this language mode.
At C:\Users\administrator.XXXX \Documents\get-installedProg.ps1:12 char:5
+     $reg=[microsoft.win32.registrykey]::OpenRemoteBaseKey('LocalMachi ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage
 
You cannot call a method on a null-valued expression.
At C:\Users\administrator.XXXX\Documents\get-installedProg.ps1:16 char:5
+     $regkey=$reg.OpenSubKey($UninstallKey)
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
You cannot call a method on a null-valued expression.
At C:\Users\administrator.XXXX\Documents\get-installedProg.ps1:20 char:5
+     $subkeys=$regkey.GetSubKeyNames()
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Created a custom session configuration on this particular server with 'Full Language Mode'

PSSC file
[w2k8-c12-01]: PS C:\Users\administrator.XXXX\Documents> Get-PSSessionConfiguration

****
***

Name          : tp_session
PSVersion     : 5.0
StartupScript : 
RunAsUser     : 
Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed

This is the PSSC file for the session config.

@{

# Version number of the schema used for this document
SchemaVersion = '2.0.0.0'

# ID used to uniquely identify this document
GUID = '8ea96f31-132e-4e95-97b2-6349debc3d62'

# Author of this document
Author = 'Brian Clanton'

# Description of the functionality provided by these settings
Description = 'XXXX remote session configuration'

# Company associated with this document
CompanyName = 'XXXX'

# Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'
SessionType = 'Default'

# Directory to place session transcripts for this session configuration
# TranscriptDirectory = 'C:\Transcripts\'

# Whether to run this session configuration as the machine's (virtual) administrator account
# RunAsVirtualAccount = $true

# Groups associated with machine's (virtual) administrator account
# RunAsVirtualAccountGroups = 'Remote Desktop Users', 'Remote Management Users'

# Scripts to run when applied to a session
# ScriptsToProcess = 'C:\ConfigData\InitScript1.ps1', 'C:\ConfigData\InitScript2.ps1'

# User roles (security groups), and the role capabilities that should be applied to them when applied to a session
# RoleDefinitions = @{ 'CONTOSO\SqlAdmins' = @{ RoleCapabilities = 'SqlAdministration' }; 'CONTOSO\ServerMonitors' = @{ VisibleCmdlets = 'Get-Process' } } 

# Language mode to apply when applied to a session. Can be 'NoLanguage' (recommended), 'RestrictedLanguage', 'ConstrainedLanguage', or 'FullLanguage'
LanguageMode = 'FullLanguage'

}

I enter a pssession and specify the full language config type, however the language mode is still constrained and I still can't execute the script.

PS C:\Windows> Enter-PSSession -ComputerName w2k8-c12-01 -ConfigurationName tp_session

[w2k8-c12-01]: PS C:\Users\administrator.XXXX\Documents> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage

[w2k8-c12-01]: PS C:\Users\administrator.XXXX\Documents> .\get-installedProg.ps1
Cannot invoke method. Method invocation is supported only on core types in this language mode.
At C:\Users\administrator.XXXX\Documents\get-installedProg.ps1:12 char:5
+     $reg=[microsoft.win32.registrykey]::OpenRemoteBaseKey('LocalMachi ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage
 
You cannot call a method on a null-valued expression.
At C:\Users\administrator.XXXX\Documents\get-installedProg.ps1:16 char:5
+     $regkey=$reg.OpenSubKey($UninstallKey)
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
You cannot call a method on a null-valued expression.
At C:\Users\administrator.XXXX\Documents\get-installedProg.ps1:20 char:5
+     $subkeys=$regkey.GetSubKeyNames()
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 



May 22, 2017 at 11:41 am

Well... with all due respect, that's a stupid security policy your organization has come up with. Given that only administrators can connect to the default endpoint, you're essentially positing a world where an administrator account has been compromised, and if that happens, PowerShell endpoints are going to be your least concern.

Additionally, there's basically nothing stopping said malware from just launching a local PowerShell session and having full language, etc. A better approach would be to prevent malware from running on your systems. Your current policy achieves nothing in terms of protection; as an attacker, I could literally circumvent this in a dozen different ways. Instead, you're simply preventing yourself from being able to properly manage the environment. It would be trivial, for example, to simply push an executable to the remote machine and then run that locally to do whatever evil an attacker wanted to achieve.

But yes, what you're seeing is the intended and desired behavior of that GP setting. You can't really override it in-scope, because that'd defeat the point of the GP setting.

May 22, 2017 at 5:59 pm

I am looking at the GPO in question and I am trying to find a correlation to what it is doing and why it is affecting PowerShell Endpoint.

Basically, it is placing Software Restriction Rules to the following paths to disallow users from inadvertently picking something up in their browser that then runs in an %appdata% or %localappdata% directory.

Computer Configuration -> Policies -> Security Settings -> Software Restriction Policies -> Additional Rules

%APPDATA%
Security Level	Disallowed
Description	Blocking APPData Path
Date last modified	12/20/2013 4:22:02 PM

%LOCALAPPDATA%
Security Level	Disallowed
Description	
Date last modified	8/18/2014 1:29:14 PM

The rest are 'Unrestricted' allowances based on specific files to allow to run in the previously 'disallowed' directory paths.

Example:

LOCALAPPDATA%\Citrix\GotoMeeting\*
Security Level	Unrestricted
Description	
Date last modified	8/21/2014 8:45:03 AM


GoogleUpdate.exe
Security Level	Unrestricted
Description	Google Chrome Installer
Date last modified	1/29/2015 11:55:26 AM

That is basically it as far as this GPO. I am sure I can make an additional 'Unrestricted' rule if I can find the correlation between what this GPO is disallowing that is setting default PS profile endpoints into 'Constrained mode'. I can't see what that would be.

I isolated the part of my 'get-installedPrograms' script and the part of my script that generates this language mode issue is where I assign a registry location to a variable. Not sure how preventing %appdata% and running my script with domain admin credentials would cause this.

PS C:\Users\tsadmin> $computername = $env:computername

$reg=[microsoft.win32.registrykey]::OpenRemoteBaseKey('LocalMachine',$computername)  
Cannot invoke method. Method invocation is supported only on core types in this language mode.
At line:3 char:1
+ $reg=[microsoft.win32.registrykey]::OpenRemoteBaseKey('LocalMachine', ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage

May 22, 2017 at 6:01 pm

Oh.

That has literally zero to do with the language level in a PowerShell endpoint. You're looking for something under Remote Shell.
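
The language-mode check from the first post and the Software Restriction Policies path rules listed in the later post can be collected from every server in one pass. This is an added example, not code from anyone in the thread: the server list, the `$Probe` and `$report` names and the CSV file name are assumptions, while `w2k8-c12-01` and `tp_session` are the server and custom endpoint named above. The probe uses only cmdlets, variable reads and a hashtable literal so that it still runs when the remote session is in ConstrainedLanguage.

```powershell
# Added example, not from the thread. Run from an admin workstation.
$Servers   = @('w2k8-c12-01')                        # assumption: extend with the other terminal servers
$Endpoints = @('Microsoft.PowerShell', 'tp_session') # default endpoint and the custom one from the post

# Runs on the remote side. No .NET method calls, so it works in ConstrainedLanguage.
$Probe = {
    # Software Restriction Policies delivered by GPO are stored under this key;
    # Disallowed path rules live under security level 0.
    $srpRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $disallowed = @()
    if (Test-Path "$srpRoot\0\Paths") {
        # ItemData holds the rule path. Expandable strings come back already
        # expanded for the connecting account (e.g. %LOCALAPPDATA% -> C:\Users\...).
        $disallowed = @(Get-ChildItem "$srpRoot\0\Paths" |
                        Get-ItemProperty |
                        ForEach-Object { $_.ItemData })
    }
    @{
        LanguageMode  = "$($ExecutionContext.SessionState.LanguageMode)"
        PSVersion     = "$($PSVersionTable.PSVersion)"
        Temp          = $env:TEMP
        SrpPresent    = (Test-Path $srpRoot)
        SrpDisallowed = $disallowed
    }
}

$report = foreach ($server in $Servers) {
    foreach ($endpoint in $Endpoints) {
        # One row per server/endpoint pair, filled in below.
        $row = [ordered]@{
            Server        = $server
            Endpoint      = $endpoint
            LanguageMode  = $null
            NotFull       = $null
            PSVersion     = $null
            Temp          = $null
            SrpPresent    = $null
            SrpDisallowed = $null
            Error         = $null
        }
        try {
            $r = Invoke-Command -ComputerName $server -ConfigurationName $endpoint `
                                -ScriptBlock $Probe -ErrorAction Stop
            $row.LanguageMode  = $r.LanguageMode
            # The PSSC above asks for FullLanguage; flag any session that reports otherwise.
            $row.NotFull       = ($r.LanguageMode -ne 'FullLanguage')
            $row.PSVersion     = $r.PSVersion
            $row.Temp          = $r.Temp
            $row.SrpPresent    = $r.SrpPresent
            $row.SrpDisallowed = ($r.SrpDisallowed -join '; ')
        }
        catch {
            # Endpoint missing, access denied, or a NoLanguage endpoint rejecting the script block.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Side-by-side view: does the custom endpoint differ from the default one,
# and which Disallowed path rules are present on servers that report ConstrainedLanguage?
$report | Format-Table Server, Endpoint, LanguageMode, NotFull, SrpPresent -AutoSize
$report | Where-Object { $_.NotFull } |
    Format-List Server, Endpoint, PSVersion, Temp, SrpDisallowed

# Keep a record to compare before and after any GPO change (file name is an assumption).
$report | Export-Csv -Path .\endpoint-language-mode.csv -NoTypeInformation
```

Running it once with a server inside the GPO scope and once with the server that was removed from the GPO gives the two rows needed to compare `LanguageMode` against the Disallowed rules in effect.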

May 22, 2017 at 6:16 pm

This is the GPO in its entirety with Company name obfuscated. Still not seeing how this applies to my problem. The delegation is specific servers where this GPO is not applied. We only apply this to terminal servers.

Block-App-Data-Exec
Data collected on: 5/22/2017 12:39:26 PM	
General
Details
Domain	XXXXX.local
Owner	XXXXX\Domain Admins
Created	1/28/2016 5:31:46 PM
Modified	5/22/2017 10:54:14 AM
User Revisions	2 (AD), 2 (sysvol)
Computer Revisions	250 (AD), 250 (sysvol)
Unique ID	{7C011E8D-341E-479D-8D86-A49878F2AE7E}
GPO Status	Enabled
Links
Location	Enforced	Link Status	Path
XXXXX	No	Enabled	XXXXX.local
RemoteServers	No	Enabled	XXXXX.local/RemoteServers

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users
Delegation
These groups and users have the specified permission for this GPO
Name	Allowed Permissions	Inherited
NT AUTHORITY\Authenticated Users	Read (from Security Filtering)	No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS	Read	No
NT AUTHORITY\SYSTEM	Edit settings, delete, modify security	No
S-1-5-21-1752468135-3490779455-4126847218-12992	Custom	No
XXXXX\B5$	Custom	No
XXXXX\B8$	Custom	No
XXXXX\Domain Admins	Edit settings, delete, modify security	No
XXXXX\Enterprise Admins	Edit settings, delete, modify security	No
XXXXX\W12-CITRIX76$	Custom	No
XXXXX\W12-CITRIXLIC$	Custom	No
XXXXX\W12-DAG-EX01$	Custom	No
XXXXX\W12-DAG-EX02$	Custom	No
XXXXX\W12-DAG-EX03$	Custom	No
XXXXX\W12-DAG-EX04$	Custom	No
XXXXX\W12-DAG-FSW1$	Custom	No
XXXXX\W12-DEVILDOGS$	Custom	No
XXXXX\W12-EX01B$	Custom	No
XXXXX\W12-EX02$	Custom	No
XXXXX\W12-EX03$	Custom	No
XXXXX\W12-R12-01V$	Custom	No
XXXXX\W12-SAN-MGMT$	Custom	No
XXXXX\W16-R12-01S$	Custom	No
XXXXX\W2K8-ADMT$	Custom	No
XXXXX\W2K8-C04$	Custom	No
XXXXX\W2K8-DC1$	Read	No
XXXXX\W2K8-DC2$	Custom	No
XXXXX\W2K8-EX-MIG$	Custom	No
XXXXX\W2K8-EX-MIG2$	Custom	No
XXXXX\W2K8-LSOBGYN$	Custom	No
XXXXX\W2K8-OME$	Custom	No
XXXXX\W2K8-R02$	Custom	No
XXXXX\W2K8-R26$	Custom	No
XXXXX\W2K8-SQL601S$	Custom	No
XXXXX\W2K8-SQL622S$	Custom	No
XXXXX\W7-AMC-QB$	Custom	No
Computer Configuration (Enabled)
Policies
Windows Settings
Security Settings
Public Key Policies/Trusted Root Certification Authorities
Properties
Policy	Setting
Allow users to select new root certification authorities (CAs) to trust	Enabled
Client computers can trust the following certificate stores	Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria	Registered in Active Directory only
Software Restriction Policies
Enforcement
Policy	Setting
Apply software restriction policies to the following	All software files except libraries (such as DLLs)
Apply software restriction policies to the following users	All users
When applying software restriction policies	Ignore certificate rules

Designated File Types
File Extension	File Type
ADE	Microsoft Access Project Extension
ADP	Microsoft Access Project
BAS	BAS File
BAT	Windows Batch File
CHM	Compiled HTML Help file
CMD	Windows Command Script
COM	MS-DOS Application
CPL	Control panel item
CRT	Security Certificate
EXE	Application
HLP	Help file
HTA	HTML Application
INF	Setup Information
INS	INS File
ISP	ISP File
MDB	Microsoft Access Database
MDE	Microsoft Access MDE Database
MSC	Microsoft Common Console Document
MSI	Windows Installer Package
MSP	Windows Installer Patch
MST	MST File
OCX	ActiveX control
PCD	PCD File
PIF	Shortcut to MS-DOS Program
REG	Registration Entries
SCR	Screen saver
SHS	SHS File
URL	Internet Shortcut
VB	Visual Basic Source file
WSC	Windows Script Component

Trusted Publishers
Trusted publisher management	Allow all administrators and users to manage user's own Trusted Publishers
Certificate verification	None

Software Restriction Policies/Security Levels
Policy	Setting
Default Security Level	Unrestricted
Software Restriction Policies/Additional Rules
Path Rules
%APPDATA%
Security Level	Disallowed
Description	Blocking APPData Path
Date last modified	12/20/2013 4:22:02 PM

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
Security Level	Unrestricted
Description	
Date last modified	12/20/2013 4:15:29 PM

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
Security Level	Unrestricted
Description	
Date last modified	12/20/2013 4:15:29 PM

%LOCALAPPDATA%
Security Level	Disallowed
Description	
Date last modified	8/18/2014 1:29:14 PM

%LOCALAPPDATA%\*\GoToAssist Opener.exe
Security Level	Unrestricted
Description	GoToAssist
Date last modified	1/20/2017 8:00:41 AM

%LOCALAPPDATA%\Citrix\*
Security Level	Unrestricted
Description	GoToAssist
Date last modified	2/16/2016 1:23:05 PM

%LOCALAPPDATA%\Citrix\GotoMeeting\*
Security Level	Unrestricted
Description	
Date last modified	8/21/2014 8:45:03 AM

%LOCALAPPDATA%\Temp\*\Availity.msi
Security Level	Unrestricted
Description	Availity Plugin override for CPS
Date last modified	10/7/2014 9:53:05 AM

%LOCALAPPDATA%\Temp\*\Centricity.msi
Security Level	Unrestricted
Description	Centricity Plugin for CPS
Date last modified	10/7/2014 9:59:44 AM

%LOCALAPPDATA%\Temp\*\ExpressBill.msi
Security Level	Unrestricted
Description	ExpressBill installer
Date last modified	10/7/2014 10:01:50 AM

%LOCALAPPDATA%\Temp\*\LogParser.msi
Security Level	Unrestricted
Description	Kryptiq SMPP installer for Log files.
Date last modified	9/9/2014 11:42:38 AM

%LOCALAPPDATA%\Temp\1\*\Windows\*
Security Level	Unrestricted
Description	
Date last modified	10/7/2014 3:02:52 PM

%LOCALAPPDATA%\Temp\1\Citrix\GoToAssist\*
Security Level	Unrestricted
Description	GoToAssist Launcher
Date last modified	10/2/2014 2:07:10 PM

%LOCALAPPDATA%\Temp\7\A2FCCB0A-892E-4138-9E28-45FB3841F71A.bat
Security Level	Unrestricted
Description	GotoMeeting launcher Bat file
Date last modified	8/21/2014 8:17:14 AM

%LOCALAPPDATA%\Temp\Citrix\*
Security Level	Unrestricted
Description	Citrix Go To Assist
Date last modified	10/8/2014 8:26:36 AM

%LOCALAPPDATA%\Temp\Microsoft .NET Framework 4 Setup_4.0.30319\*
Security Level	Unrestricted
Description	
Date last modified	9/11/2014 4:17:43 PM

*Centricity.msi
Security Level	Unrestricted
Description	20150807, ZS, CPS Insall.
Date last modified	8/7/2015 9:29:55 AM

*gotoassistlauncher.exe
Security Level	Unrestricted
Description	Goto Assist Launcher
Date last modified	2/24/2016 10:42:33 AM

*npp.6.8.1.Installer.exe
Security Level	Unrestricted
Description	Notepad++ installer CG 8/5/15
Date last modified	8/5/2015 3:23:47 PM

*Procmon.exe
Security Level	Unrestricted
Description	Process monitor
Date last modified	5/9/2017 3:47:27 PM

*procmon64.exe
Security Level	Unrestricted
Description	
Date last modified	5/9/2017 3:50:37 PM

*webex.exe
Security Level	Unrestricted
Description	WebEx
Date last modified	9/19/2016 3:43:25 PM

_cleanup.bat
Security Level	Unrestricted
Description	Join.me cleanup utility
Date last modified	8/19/2014 2:59:01 PM

_iu14D2N.tmp
Security Level	Unrestricted
Description	eSM Uninstaller
Date last modified	4/4/2016 11:41:19 AM

1033.MST
Security Level	Unrestricted
Description	intellispace installer for Fitzgibbons
Date last modified	12/6/2016 11:11:38 AM

1033_x64.mst
Security Level	Unrestricted
Description	Quest installer for enemble
Date last modified	1/12/2015 12:45:01 PM

AppCore.exe
Security Level	Unrestricted
Description	Gotoassist runtime
Date last modified	10/24/2014 10:51:47 AM

availity.msi
Security Level	Unrestricted
Description	20150807, ZS, CPS Plugin Install.
Date last modified	8/7/2015 9:17:48 AM

bepatch.msp
Security Level	Unrestricted
Description	Symantec hot patch install applet
Date last modified	12/29/2014 3:17:24 PM

biosie.exe
Security Level	Unrestricted
Description	R420 BIOS
Date last modified	1/30/2015 7:37:09 AM

bomgar-scc.exe
Security Level	Unrestricted
Description	CallPointe remote connect.
Date last modified	11/15/2016 11:46:17 AM

C:\Program Files (x86)\Sage\Peachtree\Peachw.exe
Security Level	Unrestricted
Description	Sage 50 Accounting 2015
Date last modified	7/11/2016 8:37:31 AM

C:\Program Files (x86)\WebEx\Record Playback\AtAuthor.exe
Security Level	Unrestricted
Description	WebexRecorder
Date last modified	7/27/2016 1:02:43 PM

C:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\*\*\GoToAssist Opener.exe
Security Level	Unrestricted
Description	GoToAssist
Date last modified	1/20/2017 8:05:49 AM

C:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J8KI2RI3\GoToMeeting Opener.exe
Security Level	Unrestricted
Description	Citrix GoToMeeting
Date last modified	11/15/2016 1:02:18 PM

C:\Users\Administrator.MMSASP\AppData\Local\Citrix\GoToAssist Remote Support Customer\g2ax_customer_combined_dll_core_win32_x86_758.exe
Security Level	Unrestricted
Description	citrix
Date last modified	10/8/2014 8:28:17 AM

C:\Users\tsadmin\AppData\Local\Temp\*\mbam-setup-2.2.1.1043.tmp
Security Level	Unrestricted
Description	
Date last modified	3/31/2016 9:54:52 AM

CentricityRT.msi
Security Level	Unrestricted
Description	
Date last modified	12/1/2014 12:26:05 AM

chrome_installer.exe
Security Level	Unrestricted
Description	Google Chrome Installer
Date last modified	1/29/2015 11:55:08 AM

CitrixOnlineLauncher.exe
Security Level	Unrestricted
Description	G2M Launcher exe
Date last modified	10/3/2014 2:20:37 PM

CitrixOnlineLauncher.msi
Security Level	Unrestricted
Description	G2M Launcher MSI
Date last modified	8/21/2014 8:40:25 AM

ClientSetup.tmp
Security Level	Unrestricted
Description	
Date last modified	12/19/2016 12:43:39 PM

CMS1500.msi
Security Level	Unrestricted
Description	CMS1500 Plugin for CPS
Date last modified	9/26/2014 12:02:52 PM

CodeCorrect.msi
Security Level	Unrestricted
Description	Code Correct CPS Plug-in
Date last modified	9/19/2016 10:11:37 AM

courgette.exe
Security Level	Unrestricted
Description	Go To Meeting Launcher
Date last modified	12/1/2016 2:33:34 PM

CPS_*_DocuSign for Patients.msi
Security Level	Unrestricted
Description	Docusign msi
Date last modified	11/19/2014 1:59:54 PM

CPS_2.5.0.15_DocuSign for Patients.msi
Security Level	Disallowed
Description	
Date last modified	11/19/2014 4:35:27 PM

CPSHCM.msi
Security Level	Unrestricted
Description	CPSHCM plug-in for CPS
Date last modified	2/16/2016 11:17:42 AM

CustomInstaller.exe
Security Level	Unrestricted
Description	Ideal Image for OAR
Date last modified	9/18/2016 8:41:19 PM

dismhost.exe
Security Level	Unrestricted
Description	IE11 Installer from Windows Updates
Date last modified	4/11/2016 12:48:51 AM

DLLSetup9.tmp
Security Level	Unrestricted
Description	DLL Updater for BrokerWolf.
Date last modified	4/4/2017 8:32:39 AM

DLLUpdate.tmp
Security Level	Unrestricted
Description	BrokerWolf Update
Date last modified	4/4/2017 8:27:16 AM

dotnetchk.exe
Security Level	Unrestricted
Description	QuickBooks File Doctor Installer
Date last modified	4/26/2017 2:24:23 PM

dotNetFx35setup.exe
Security Level	Unrestricted
Description	.NET Installer
Date last modified	4/4/2016 11:20:53 AM

EchoOneApp-7-4-10.exe
Security Level	Unrestricted
Description	oneapp pro for hpcp
Date last modified	6/10/2016 9:25:42 PM

ECWdependencies.msi
Security Level	Unrestricted
Description	Ecw Dependencies Setup
Date last modified	10/24/2016 4:06:10 PM

Elsinore.ScreenConnect.Client*.exe
Security Level	Unrestricted
Description	Screen Connect for Visualutions
Date last modified	9/23/2016 3:27:02 PM

Elsinore.ScreenConnect.Client.exe
Security Level	Unrestricted
Description	Visualutions Screen Connect
Date last modified	5/10/2016 10:12:35 AM

Elsinore.ScreenConnect.WindowsClient.exe
Security Level	Unrestricted
Description	HealthCo Screen Connect
Date last modified	4/27/2016 1:26:43 PM

encrypt.exe
Security Level	Unrestricted
Description	SEPM package builder
Date last modified	8/20/2014 2:27:52 PM

ensemble_x64.msi
Security Level	Unrestricted
Description	Quest installer for Ensemble
Date last modified	1/12/2015 12:42:59 PM

EsmClinicInstaller*.tmp
Security Level	Unrestricted
Description	eSM Installer
Date last modified	4/4/2016 11:20:06 AM

EsmClinicUpdate*.tmp
Security Level	Unrestricted
Description	eSM Installer
Date last modified	4/4/2016 11:19:45 AM

ExpressBill.msi
Security Level	Unrestricted
Description	ExpressBill CPS Plug-in
Date last modified	2/20/2016 1:25:56 PM

eZeeFD.exe
Security Level	Unrestricted
Description	Ezee Installer
Date last modified	2/23/2016 10:31:37 PM

framework452.exe
Security Level	Unrestricted
Description	.net framework install
Date last modified	6/11/2016 4:36:14 PM

g2acomm.exe
Security Level	Unrestricted
Description	GoToAssist Launcher
Date last modified	10/2/2014 2:01:03 PM

G2AInstaller.exe
Security Level	Unrestricted
Description	Go2Assist for VirtualOfficeWare Support for PDR - CG
Date last modified	10/2/2014 1:56:34 PM

g2alaunchercustomer.exe
Security Level	Unrestricted
Description	
Date last modified	10/2/2014 2:01:53 PM

g2aservice.exe
Security Level	Unrestricted
Description	GoToAssist Launcher
Date last modified	10/2/2014 2:00:15 PM

g2asessioncontrol.exe
Security Level	Unrestricted
Description	
Date last modified	10/2/2014 2:02:51 PM

g2ax_installer_customer.exe
Security Level	Unrestricted
Description	Go To Assist
Date last modified	9/19/2016 12:11:08 PM

g2mcomm.exe
Security Level	Unrestricted
Description	G2m communication pipe
Date last modified	8/21/2014 8:39:13 AM

G2MCoreInstExtractor*.exe
Security Level	Unrestricted
Description	Go To Meeting Launcher
Date last modified	12/1/2016 2:31:41 PM

G2MCoreInstExtractor.exe
Security Level	Unrestricted
Description	G2M Launcher
Date last modified	8/21/2014 8:11:21 AM

G2MInstaller.exe
Security Level	Unrestricted
Description	GTM Installer
Date last modified	8/21/2014 8:28:30 AM

G2MInstallerExtractor.exe
Security Level	Unrestricted
Description	G2MInstallerExtractor.exe
Date last modified	4/11/2016 1:15:12 PM

g2mlauncher.exe
Security Level	Unrestricted
Description	G2M Launcher
Date last modified	8/21/2014 8:43:50 AM

g2mstart.exe
Security Level	Unrestricted
Description	GTM Launcher Startup file
Date last modified	8/21/2014 8:37:02 AM

g2mui.exe
Security Level	Unrestricted
Description	G2M UI
Date last modified	8/21/2014 8:47:57 AM

gccheck_small.exe
Security Level	Unrestricted
Description	Adobe Reader Installer
Date last modified	10/3/2016 10:26:48 AM

GenericEStatements.msi
Security Level	Unrestricted
Description	GenericEStatements
Date last modified	2/10/2016 9:13:17 AM

GePmGuiConfiguration.msi
Security Level	Unrestricted
Description	Docusign
Date last modified	11/19/2014 4:42:07 PM

GePmGuiConfigurationBottom.exe
Security Level	Unrestricted
Description	Docusign
Date last modified	11/19/2014 4:35:48 PM

GePmGuiConfigurationBottom.exe
Security Level	Unrestricted
Description	docusign
Date last modified	11/19/2014 4:39:20 PM

getpaths.cmd
Security Level	Unrestricted
Description	part of Netsupport's install process.
Date last modified	1/2/2015 6:47:52 AM

Git-1.9.4-preview20140815.tmp
Security Level	Unrestricted
Description	Git Preview 9.14
Date last modified	8/27/2014 9:59:02 AM

GLJ3025.tmp
Security Level	Unrestricted
Description	Visualutions GridEX Installer
Date last modified	10/17/2016 4:17:20 PM

googlechromestandaloneenterprise.msi
Security Level	Unrestricted
Description	Google Chrome Installer
Date last modified	5/24/2016 2:28:29 PM

GoogleChromeStandaloneEnterprise64.msi
Security Level	Unrestricted
Description	Google Chrome Installer
Date last modified	6/9/2016 8:48:46 AM

GoogleUpdate.exe
Security Level	Unrestricted
Description	Google Chrome Installer
Date last modified	1/29/2015 11:55:26 AM

GoToAssist Corporate Opener.exe
Security Level	Unrestricted
Description	Go To Assist Installer
Date last modified	5/15/2017 4:45:46 PM

GoToAssist Launcher.exe
Security Level	Unrestricted
Description	GoToAssist Launcher
Date last modified	4/11/2016 1:08:24 PM

GoToAssist.exe
Security Level	Unrestricted
Description	GoToAssist Binary
Date last modified	10/24/2014 10:54:09 AM

GoToAssist_service_*.exe
Security Level	Unrestricted
Description	GoToAssist binary
Date last modified	10/24/2014 10:53:46 AM

GoToAssistStarter.exe
Security Level	Unrestricted
Description	GoToAssist Launcher
Date last modified	10/2/2014 1:59:14 PM

GoToMeeting Launcher.exe
Security Level	Unrestricted
Description	G2M Launcher
Date last modified	8/26/2014 8:16:37 AM

GoToMeeting_Launcher.exe
Security Level	Unrestricted
Description	GTM Launcher App
Date last modified	8/21/2014 8:26:49 AM

gtcheck.exe
Security Level	Unrestricted
Description	Adobe Reader Installer
Date last modified	10/3/2016 10:26:34 AM

hwcheck.exe
Security Level	Unrestricted
Description	OpenManage Install
Date last modified	9/2/2014 11:22:54 AM

IdealImage9.msi
Security Level	Unrestricted
Description	Ideal Image CPS Plug-in installer.
Date last modified	3/24/2017 8:39:43 AM

ILMedicaidForm1443.msi
Security Level	Unrestricted
Description	CPS Plug-in Installer.
Date last modified	11/29/2016 10:07:42 AM

iNexxPlatform.msi
Security Level	Unrestricted
Description	iNexx Platform Installer
Date last modified	11/4/2016 8:17:19 AM

InfoExchangeClient.bat
Security Level	Unrestricted
Description	
Date last modified	8/19/2014 11:31:12 AM

IntelliSpace PACS Enterprise.msi
Security Level	Unrestricted
Description	Intellispace installer for Fitzgibbons
Date last modified	12/6/2016 11:09:11 AM

IntuitSyncManager.exe
Security Level	Unrestricted
Description	Intuit QuickBooks Sync Manager
Date last modified	6/13/2016 8:10:19 AM

ISBEW64.exe
Security Level	Unrestricted
Description	Plug-in installer for CPS
Date last modified	8/19/2014 2:59:30 PM

ISScript9.Msi
Security Level	Unrestricted
Description	HealthCo Statement Transmitter Installer
Date last modified	5/3/2017 1:56:02 PM

javainst.exe
Security Level	Unrestricted
Description	Java Installer
Date last modified	9/13/2016 11:39:24 AM

join.me.exe
Security Level	Unrestricted
Description	
Date last modified	8/19/2014 2:58:23 PM

jre-8u91-windows-au.exe
Security Level	Unrestricted
Description	Java 8 Update 91 installer.
Date last modified	5/19/2016 12:41:08 PM

jre-8u91-windows-i586.exe
Security Level	Unrestricted
Description	Java Installer
Date last modified	5/24/2016 11:03:15 AM

jre-8u91-windows-x64.exe
Security Level	Unrestricted
Description	Java 8 Update 91 64-bit installer
Date last modified	5/27/2016 7:20:25 AM

lmi_rescue.exe
Security Level	Unrestricted
Description	Log Me In
Date last modified	8/19/2014 3:00:11 PM

lsetup.exe
Security Level	Unrestricted
Description	Backup Exec 2014 install
Date last modified	9/1/2014 9:42:07 PM

lwupdprg*.exe
Security Level	Unrestricted
Description	BrokerWolf update for Starck
Date last modified	7/9/2016 11:21:57 PM

lwupdprg*.exe
Security Level	Unrestricted
Description	Brokerwolf updates
Date last modified	6/20/2016 7:34:31 AM

M:\Temp\mia1\stamps.msi
Security Level	Unrestricted
Description	Stamps.Com installer
Date last modified	10/16/2014 2:11:13 PM

MakeSFX.exe
Security Level	Unrestricted
Description	SEPM package builder
Date last modified	8/20/2014 2:43:10 PM

mbam-setup.tmp
Security Level	Unrestricted
Description	
Date last modified	12/12/2014 6:56:42 PM

mbam-setup-2.0.2.1012.tmp
Security Level	Unrestricted
Description	malwarebytes download
Date last modified	11/1/2014 2:34:26 PM

mbam-setup-ninite.10789-2.2.1.1043.exe
Security Level	Unrestricted
Description	MBAM Installer
Date last modified	5/19/2016 3:49:06 PM

MBARW_Setup.tmp
Security Level	Unrestricted
Description	Malwarebytes AntiRansomware install
Date last modified	5/17/2016 12:03:46 PM

miniunz.exe
Security Level	Unrestricted
Description	Dell Firmware Updates
Date last modified	9/2/2014 11:39:05 AM

msxml6x64.msi
Security Level	Unrestricted
Description	CPS12 SP13 MIK Installer
Date last modified	12/17/2016 7:38:51 PM

NetSupport Manager.msi
Security Level	Unrestricted
Description	NetSupport Install
Date last modified	9/1/2014 7:27:29 PM

Ninite Chrome Installer.exe
Security Level	Unrestricted
Description	Chrome Installer
Date last modified	6/9/2016 8:46:04 AM

ninite.exe
Security Level	Unrestricted
Description	Ninite.com installer
Date last modified	2/20/2016 1:57:44 PM

novaink7.exe
Security Level	Unrestricted
Description	Secure Messaging Desktop for NDBC
Date last modified	9/29/2016 2:06:27 PM

novainv7.exe
Security Level	Unrestricted
Description	Secure Messaging Desktop for NDBC
Date last modified	9/29/2016 2:06:36 PM

novapk.tmp
Security Level	Unrestricted
Description	Secure Messaging Desktop for NDBC
Date last modified	9/29/2016 2:03:05 PM

novapv.tmp
Security Level	Unrestricted
Description	Secure Messaging Desktop for NDBC
Date last modified	9/29/2016 2:02:33 PM

omchecks.exe
Security Level	Unrestricted
Description	OpenManage Install
Date last modified	9/2/2014 11:23:49 AM

OneAppInstall.exe
Security Level	Unrestricted
Description	
Date last modified	6/10/2016 9:31:28 PM

ose00000.exe
Security Level	Unrestricted
Description	Office 2010 Installer
Date last modified	1/15/2015 2:27:22 PM

pam-setup-x64.exe
Security Level	Unrestricted
Description	PAM Install
Date last modified	8/27/2014 3:15:27 PM

pam-setup-x64.tmp
Security Level	Unrestricted
Description	PAM Install
Date last modified	8/27/2014 3:17:18 PM

PatchSetup.exe
Security Level	Unrestricted
Description	Symantec Patch Launcher
Date last modified	12/29/2014 1:45:11 PM

PCStarter.exe
Security Level	Unrestricted
Description	TurboMeeting from Brevium for LSOBGYN
Date last modified	1/17/2017 11:20:28 AM

prereqreport.vbs
Security Level	Unrestricted
Description	OpenManage Install
Date last modified	9/2/2014 11:21:54 AM

procexp.exe
Security Level	Unrestricted
Description	for Process Explorer
Date last modified	9/6/2014 1:25:37 PM

procexp64.exe
Security Level	Unrestricted
Description	for 64bit Process Exlorer
Date last modified	9/6/2014 1:29:36 PM

produkey.exe
Security Level	Unrestricted
Description	Produkey to grab license keys.
Date last modified	1/30/2017 10:22:13 AM

QIE2043_6347_64bit.tmp
Security Level	Unrestricted
Description	QIE Installer
Date last modified	5/24/2016 2:28:07 PM

QIE2043_6698_64bit.tmp
Security Level	Unrestricted
Description	QVera Installer
Date last modified	9/13/2016 11:41:51 AM

QuickBooks File Doctor setup.exe
Security Level	Unrestricted
Description	QuickBooks File Doctor Installer
Date last modified	4/26/2017 2:18:13 PM

QuickBooks File Doctor.msi
Security Level	Unrestricted
Description	QuickBooks File Doctor Installer
Date last modified	4/26/2017 2:23:55 PM

quickbooksinstalldiagnostictool.exe
Security Level	Unrestricted
Description	
Date last modified	12/25/2014 4:45:11 AM

quickbooksinstalldiagnostictoolapp.exe
Security Level	Unrestricted
Description	
Date last modified	12/25/2014 4:47:29 AM

r65588en*
Security Level	Unrestricted
Description	
Date last modified	6/30/2015 10:56:08 AM

r65690en*.exe
Security Level	Unrestricted
Description	Ricoh Driver 6/30/15 CG
Date last modified	6/30/2015 11:04:15 AM

readerdc_en_ra_install.exe
Security Level	Unrestricted
Description	Adobe Reader Installer
Date last modified	5/25/2016 10:44:39 AM

readerdc_en_raie_install.exe
Security Level	Unrestricted
Description	Adobe Reader Installer
Date last modified	10/3/2016 10:26:16 AM

regcheck.vbs
Security Level	Unrestricted
Description	OpenManage Install
Date last modified	9/2/2014 11:23:14 AM

RelayHealth.msi
Security Level	Unrestricted
Description	Relay Health CPS Plug-in
Date last modified	9/2/2014 11:26:19 AM

RelayHealthRT.msi
Security Level	Unrestricted
Description	
Date last modified	12/1/2014 12:31:18 AM

SageAdvisorUpdate.msi
Security Level	Unrestricted
Description	Sage 100 Contracting Installer
Date last modified	5/18/2017 2:53:02 PM

SASDUPIE.exe
Security Level	Unrestricted
Description	Dell Firmware Updates
Date last modified	9/2/2014 11:42:12 AM

ScmHelper.exe
Security Level	Unrestricted
Description	SEPM package builder
Date last modified	8/20/2014 2:17:18 PM

ScreenConnect.WindowsClient.exe
Security Level	Unrestricted
Description	ScreenConnect for VOW
Date last modified	9/22/2016 9:17:25 AM

SDRtmpenv.bat
Security Level	Unrestricted
Description	VeritasSDR
Date last modified	3/9/2017 2:11:49 PM

Sep64.msi
Security Level	Unrestricted
Description	SEP local client pull install
Date last modified	8/20/2014 4:06:21 PM

SEPMPackageTool.exe
Security Level	Unrestricted
Description	SEPM package builder
Date last modified	8/20/2014 2:28:01 PM

setup.exe
Security Level	Unrestricted
Description	Plug-in installer for CPS
Date last modified	8/19/2014 2:59:43 PM

SetupLauncher.exe
Security Level	Unrestricted
Description	Backup Exec install launcher
Date last modified	12/29/2014 1:38:57 PM

SMD.tmp
Security Level	Unrestricted
Description	Secure Messaging Desktop for NDBC
Date last modified	9/29/2016 1:57:33 PM

smpp.tmp
Security Level	Unrestricted
Description	SMPP Installer
Date last modified	3/2/2017 8:31:39 AM

spsetup.exe
Security Level	Unrestricted
Description	Dell Firmware Updates
Date last modified	9/2/2014 11:40:50 AM

SpsModuleSdk.msi
Security Level	Unrestricted
Description	Sage 100 Contracting Installer
Date last modified	5/18/2017 2:54:12 PM

SqlCmdLnUtils.msi
Security Level	Unrestricted
Description	SQL Command Line Utilities for eSM
Date last modified	2/19/2016 7:27:40 AM

SqlCmdLnUtils.msi
Security Level	Unrestricted
Description	
Date last modified	4/4/2016 11:21:27 AM

sqlncli.msi
Security Level	Unrestricted
Description	CPS SQL Native Client Installer
Date last modified	12/7/2016 10:11:13 AM

SsaWrapper.exe
Security Level	Unrestricted
Description	SEP local client pull install
Date last modified	8/20/2014 4:06:29 PM

stamps.exe
Security Level	Unrestricted
Description	Stamps.Com installer
Date last modified	10/16/2014 2:08:05 PM

StarterDotNet20.exe
Security Level	Unrestricted
Description	this is the GTM launcher
Date last modified	8/21/2014 8:10:34 AM

Support-LogMeInRescue.exe
Security Level	Unrestricted
Description	
Date last modified	8/19/2014 12:34:02 PM

SymDiag.exe
Security Level	Unrestricted
Description	Symantec Help tool - gathers logs and other data for trouble shooting issues
Date last modified	12/29/2014 3:16:24 PM

SymDiagUi3.exe
Security Level	Unrestricted
Description	Symantec part of SymHelp applet to gather info doe support
Date last modified	12/29/2014 4:07:38 PM

target.exe
Security Level	Unrestricted
Description	Revo Installer
Date last modified	2/20/2016 1:59:56 PM

TiClientCore.exe
Security Level	Unrestricted
Description	FixMe.IT for Phreesia for LSOBGYN
Date last modified	9/12/2016 2:26:28 PM

TiClientCoreLauncher.exe
Security Level	Unrestricted
Description	FixMe.IT for Phreesia for LSOBGYN
Date last modified	9/12/2016 2:26:00 PM

TiClientStandalone.exe
Security Level	Unrestricted
Description	FixMe.IT for Phreesia for LSOBGYN
Date last modified	9/12/2016 2:24:27 PM

TiLauncher.exe
Security Level	Unrestricted
Description	FixMe.IT for Phreesia for LSOBGYN
Date last modified	9/12/2016 2:22:52 PM

TMDownloader.exe
Security Level	Unrestricted
Description	TurboMeeting from Brevium for LSOBGYN
Date last modified	1/17/2017 11:20:12 AM

TMLauncher.exe
Security Level	Unrestricted
Description	TurboMeeting from Brevium for LSOBGYN
Date last modified	1/17/2017 11:20:24 AM

TurboMeeting.exe
Security Level	Unrestricted
Description	Brevium's meeting software
Date last modified	12/30/2016 9:52:53 AM

TXDWC.msi
Security Level	Unrestricted
Description	TXDWC GE Plug-in installer
Date last modified	12/15/2016 3:04:17 PM

vbstest.vbs
Security Level	Unrestricted
Description	OpenManage Install
Date last modified	9/2/2014 11:20:50 AM

vc_red.msi
Security Level	Unrestricted
Description	QuickBooks Install
Date last modified	11/7/2014 8:20:54 AM

vcredist_x64.exe
Security Level	Unrestricted
Description	CPS12.2 Server Setup installer
Date last modified	10/28/2016 2:07:27 PM

vcredist_x86.exe
Security Level	Unrestricted
Description	CPS12.2 Client Installer
Date last modified	10/28/2016 4:12:39 PM

VFP9DLLs.exe
Security Level	Unrestricted
Description	BrokerWolf Updater.
Date last modified	4/4/2017 8:34:58 AM

VFP9DLLs.tmp
Security Level	Unrestricted
Description	BrokerWolf Updater
Date last modified	4/4/2017 8:36:34 AM

visinstaller*
Security Level	Unrestricted
Description	Visualutions software
Date last modified	1/16/2015 2:28:21 AM

VMware Tools64.msi
Security Level	Unrestricted
Description	VMWare Tools Installer
Date last modified	8/25/2015 1:52:32 PM

VOWFSC.msi
Security Level	Unrestricted
Description	JBoss Plugin
Date last modified	10/2/2014 2:20:11 PM

winrmcheck.vbs
Security Level	Unrestricted
Description	OpenManage Install
Date last modified	9/2/2014 11:23:31 AM

User Configuration (Enabled)
No settings defined.

May 22, 2017 at 6:31 pm

So this is not language mode for default sessions that is my issue and I am troubleshooting the wrong end? This manifested in a language mode error when I used invoke-command or enter-pssession so I thought it had to do with the PSSC file settings.

I did another test to affirm that it was this GPO that is causing this issue.

Server has GPO Block App Data applied.

PS C:\Users\tsadmin> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage

PS C:\Users\tsadmin> $computername = $env:computername

$reg=[microsoft.win32.registrykey]::OpenRemoteBaseKey('LocalMachine',$computername)  
Cannot invoke method. Method invocation is supported only on core types in this language mode.
At line:3 char:1
+ $reg=[microsoft.win32.registrykey]::OpenRemoteBaseKey('LocalMachine', ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage
 

After denying Block-App-Data read rights for this server and pushing GPO updates.

PS C:\Users\tsadmin> $ExecutionContext.SessionState.LanguageMode
FullLanguage

PS C:\Users\tsadmin> $computername = $env:computername
$reg=[microsoft.win32.registrykey]::OpenRemoteBaseKey('LocalMachine',$computername)  

PS C:\Users\tsadmin> 

May 22, 2017 at 6:38 pm

K that's a lot of data ;).

You're conflating a few unrelated things, and you're also being affected by some interaction between features – specifically, AppLocker and Software Restriction Policies. See https://social.technet.microsoft.com/Forums/ie/en-US/44445864-ee91-4073-9f21-50ab36ec781b/powershell-5-limited-to-constrainedlanguage-language-mode?forum=winserverpowershell.

You may find some additional context in https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/.

It isn't so much an SRP setting, which is what you listed in detail above. It's the fact that SRP is enabled.

May 28, 2017 at 10:02 pm

Done A LOT of reading this Memorial weekend. There are scripts that I would like to run remotely, which gather information from each terminal server where I will need to go into the registry (example, listing installed programs on every server for comparison).

This link to this forum had this to say:

"Powershell makes a test if it works under Application White List (AWL) or not. Powershell creates a couple of files with extension ps1 and psm1 in %temp% folder and then tries to start it. If this attempt fails Powershell decides that it works under AWL and switches on constrained language mode. Name of the files created by powershell are always random but the content of these files is always the same (each file consists of the only one symbol – '1'). So you can create the only one hash rule to allow these files to start."

My supervisor does not want me to make an allowance rule in the SRP group policy we have which will allow *.ps1 files to run in the administrator AppData folder. I tried modifying the administrator's "User" temp variable to something else outside of the Appdata directory and that doesn't work.

The last sentence suggested hashing the script would allow for 'full language' capability and that doesn't work either (script still errors out with 'language-mode' disallow error, despite running PS session as domain administrator).

My goal is to be able to run commands/scripts both locally and remote in full language mode as an administrator while still utilizing our SRP to apply to any other accounts.

I have not found anyone who has indicated they have accomplished this with PS 5 while using an SRP Group Policy. I know I can Deny rights to this policy for the domain admin, but was wondering if there is any other way around it.
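
The thread attributes the ConstrainedLanguage result to SRP (or AppLocker) being enabled at all, not to any single rule. The read-only report below is an added example, not code from the thread: it shows the current language mode next to the policy state on the host. The function name is hypothetical, and the registry path and the `__PSLockdownPolicy` variable are standard Windows/PowerShell locations that the page itself does not name.

```powershell
# Added example (not from the thread): read-only report of the policy state
# behind a session's language mode. It uses cmdlets and core types only, so it
# also runs inside a ConstrainedLanguage session.
function Get-LanguageModeContext {
    [CmdletBinding()]
    param()

    # Where Group Policy stores machine-wide Software Restriction Policies.
    $srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $srp    = Get-ItemProperty -Path $srpKey -ErrorAction SilentlyContinue

    # Path rules sit under <level>\Paths\<GUID>: 0 = Disallowed, 262144 = Unrestricted.
    $levelNames = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }
    $pathRules = foreach ($level in $levelNames.Keys) {
        Get-ChildItem -Path "$srpKey\$level\Paths" -ErrorAction SilentlyContinue |
            Get-ItemProperty |
            Select-Object @{ n = 'Level'; e = { $levelNames[$level] } }, ItemData, Description
    }

    # AppLocker: one entry per rule collection (Exe, Msi, Script, ...).
    $appLocker = $null
    try {
        $xml = [xml](Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop)
        $appLocker = $xml.AppLockerPolicy.RuleCollection |
            Select-Object Type, EnforcementMode, @{ n = 'Rules'; e = { $_.ChildNodes.Count } }
    } catch {
        Write-Verbose "AppLocker policy not readable: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        LanguageMode     = $ExecutionContext.SessionState.LanguageMode
        LockdownEnvVar   = $env:__PSLockdownPolicy   # a value of 4 forces ConstrainedLanguage
        SrpPolicyPresent = [bool]$srp
        SrpDefaultLevel  = $srp.DefaultLevel          # 262144 = Unrestricted, 0 = Disallowed
        # Heuristic: rules whose path mentions the folders PowerShell probes from.
        SrpTempRules     = @($pathRules | Where-Object { $_.ItemData -match 'temp|appdata' })
        SrpPathRuleCount = @($pathRules).Count
        AppLocker        = $appLocker
    }
}

# Compare a server inside the GPO scope with one that has been excluded from it.
Get-LanguageModeContext -Verbose | Format-List
```

Running it on the server with the GPO applied and again after the GPO is denied gives a side-by-side view of what changed when the language mode flipped from ConstrainedLanguage to FullLanguage.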