credog

Powershell Get-ProcessMitigation -name Fails

We are trying to implement the Win 10 1809 STIG. Several of the checks in the STIG use Get-ProcessMitigation -Name PROGRAM.  Several checks are failing due to the PS command error below:
Get-ProcessMitigation -Name Acrobat.exe
Get-ProcessMitigation : Requested registry access is not allowed.
At line:1 char:1
+ Get-ProcessMitigation -Name Acrobat.exe
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ProcessMitigation], SecurityException
    + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.Samples.PowerShell.Commands.GetProcessMitigationCommand


However, the following runs fine:
Get-ItemProperty -path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acrobat.exe'

DisableExceptionChainValidation : 0
MitigationOptions               : {1, 1, 33, 0...}
MitigationAuditOptions          : {0, 0, 0, 0...}
PSPath                          : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acrobat.exe
PSParentPath                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
PSChildName                     : Acrobat.exe
PSDrive                         : HKLM
PSProvider                      : Microsoft.PowerShell.Core\Registry


Get-ProcessMitigation -system also runs fine. Get-ProcessMitigation without the -name is supposed to return all the program values; however, that has the same registry error. We are having a hard time trying to figure out how to fix this so we can get accurate results.
ITguy565

This sounds like it could be a UAC issue. Are you running this from an admin PowerShell or cmd prompt?
Look at the code and see which registry key it is attempting to access or modify. Then look at the permissions on that registry key.

Verify that the user that you are attempting to run this script with has the permissions necessary to access that registry key.
credog

ASKER

Running from PS shell as admin. I am running the command as an admin; the permissions state that Administrators have full control. The owner is SYSTEM.

In the first post I listed the key HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*
Get-ItemProperty -path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acrobat.exe'  works fine.
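
One way to carry out the permission check suggested above across every key under Image File Execution Options, as an added example that is not part of the original thread. It assumes the SecurityException comes from an ACL on one or more of those keys; the function name Test-IfeoKeyAccess is hypothetical.

```powershell
# Added diagnostic example (not from the thread). Run from the same elevated
# session that produces the Get-ProcessMitigation error.
# Assumption: the failure is caused by the ACL on one or more IFEO subkeys.
$ifeoPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Test-IfeoKeyAccess {
    param(
        [string]$Name   # optional image name such as Acrobat.exe; empty = all subkeys
    )
    # Open the IFEO root read-only; subkeys are probed individually below.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ifeoPath)
    if ($null -eq $root) { throw "Cannot open HKLM:\$ifeoPath" }
    try {
        $names = if ($Name) { @($Name) } else { $root.GetSubKeyNames() }
        foreach ($n in $names) {
            $result = [ordered]@{ Key = $n; Read = 'OK'; Write = 'OK'; Owner = $null }
            foreach ($mode in 'Read', 'Write') {
                try {
                    # Second argument $true requests write access to the subkey.
                    $k = $root.OpenSubKey($n, ($mode -eq 'Write'))
                    if ($null -eq $k) { $result[$mode] = 'Missing' } else { $k.Close() }
                }
                catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
                    $result[$mode] = 'Denied'
                }
            }
            # Record the owner so keys with unusual ownership stand out.
            try {
                $result['Owner'] = (Get-Acl -LiteralPath "HKLM:\$ifeoPath\$n" -ErrorAction Stop).Owner
            }
            catch {
                $result['Owner'] = 'Unreadable'
            }
            [pscustomobject]$result
        }
    }
    finally {
        $root.Close()
    }
}

# List only the keys the current token cannot open for read or for write.
Test-IfeoKeyAccess |
    Where-Object { $_.Read -ne 'OK' -or $_.Write -ne 'OK' } |
    Format-Table -AutoSize
```

An empty result means every subkey opened for both read and write, which points away from a per-key ACL as the cause.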