credog
asked on
Powershell Get-ProcessMitigation -name Fails
We are trying to implement the Win 10 1809 STIG. Several of the checks in the STIG use Get-ProcessMitigation -Name PROGRAM. Several checks are failing due to the PS command error below:
Get-ProcessMitigation -Name Acrobat.exe
Get-ProcessMitigation : Requested registry access is not allowed.
At line:1 char:1
+ Get-ProcessMitigation -Name Acrobat.exe
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-ProcessMitigation], SecurityException
+ FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.Samples.PowerShell.Commands.GetProcessMitigationCommand
However, the following runs fine:
Get-ItemProperty -path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acrobat.exe'
DisableExceptionChainValidation : 0
MitigationOptions : {1, 1, 33, 0...}
MitigationAuditOptions : {0, 0, 0, 0...}
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acrobat.exe
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
PSChildName : Acrobat.exe
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
Get-ProcessMitigation -system also runs fine. Get-ProcessMitigation without the -name is supposed to return all the program values; however, that has the same registry error. We are having a hard time trying to figure out how to fix this so we can get accurate results.
This sounds like it could be a UAC issue. Are you running this from an admin PowerShell or cmd prompt?
Look at the code and see which registry key it is attempting to access or modify. Then look at the permissions on that registry key.
Verify that the user that you are attempting to run this script with has the permissions necessary to access that registry key.
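One way to carry out the permission check suggested in the reply above, as an added example that is not part of the original thread. It assumes the SecurityException comes from a key under Image File Execution Options that the current token cannot read; the function name Test-IfeoReadAccess is hypothetical.

```powershell
# Added diagnostic example (not from the thread). Assumption: the failing read is
# on some key under Image File Execution Options (IFEO), the path quoted in the question.
$IfeoPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Test-IfeoReadAccess {
    param([string]$BasePath = $IfeoPath)

    # Open the 64-bit view explicitly so a 32-bit host is not redirected to Wow6432Node.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    $root = $hklm.OpenSubKey($BasePath)          # read-only open
    if ($null -eq $root) { throw "Cannot open HKLM\$BasePath" }

    try {
        foreach ($name in $root.GetSubKeyNames()) {
            $row = [ordered]@{ Key = $name; Readable = $true; Owner = $null; Error = $null }
            try {
                $sub = $root.OpenSubKey($name)   # throws if read access is denied
                if ($null -ne $sub) {
                    $null = $sub.GetValueNames() # value enumeration
                    foreach ($child in $sub.GetSubKeyNames()) {
                        # nested keys can carry their own ACLs
                        $c = $sub.OpenSubKey($child)
                        if ($null -ne $c) { $c.Close() }
                    }
                    $sub.Close()
                }
            } catch {
                $row.Readable = $false
                $row.Error = $_.Exception.GetBaseException().GetType().FullName
            }
            try {
                # The owner helps explain an ACL that differs from its siblings.
                $acl = Get-Acl -LiteralPath "Registry::HKEY_LOCAL_MACHINE\$BasePath\$name" -ErrorAction Stop
                $row.Owner = $acl.Owner
            } catch {
                $row.Owner = '<unreadable>'
            }
            [pscustomobject]$row
        }
    } finally {
        $root.Close(); $hklm.Close()
    }
}

# Run from the same elevated session that produced the error; list only the failures.
Test-IfeoReadAccess | Where-Object { -not $_.Readable } | Format-Table -AutoSize
```

Any key listed here has an ACL that denies read access to the current session even when it is elevated, which is the condition the reply asks the poster to rule out.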
ASKER
Running from PS shell as admin. I am running the command as an admin; the permissions state that Administrators have full control. The owner is SYSTEM.
In the first post I listed the key HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*
Get-ItemProperty -path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acrobat.exe' works fine.