Compiled result fails on some commands when run as LOCAL SYSTEM
Generated a script that, among lots of other things, searches for hidden files with specific extensions.
Here's the code:
if ( !(dir -Path "c:\users" -name '.mp3' -Recurse -Force) -and !(dir 'c:$Recycle.bin' -name '.mp3' -recurse -force) ) {echo "There are NO hidden mp3 files"}
Then, used win-ps2exe to generate a compiled executable and configured a service to use srvany.exe to execute that script as SYSTEM.
When run, the compiled version doesn't find those files when they are there. But, when I change from SYSTEM to an administrative user's credentials, those files are found.
This would indicate that the LOCAL SYSTEM account can't 'see' hidden files - which shouldn't be $true.
I'm making the jump that it may have something to do with how the script was compiled. I tried all the different ways available on this GUI to configure the compiled executable but still get the same issue.
Hello darthiest,
please first check the parameters of your command. The parameter -Name of Get-ChildItem does not mean what you think it does. And most of the time there is no directory C:$recycle.bin, there is only C:\$recycle.bin (or is it a copy-paste failure?).
I think your command should be something like
if ( !(dir -Path "c:\users" -include '*.mp3' -Recurse -Force) -and !(dir 'c:\$Recycle.bin' -include '*.mp3' -recurse -force) ) {echo "There are NO hidden mp3 files"}
Greetings
Markus
Thanks,
I changed it from -name to -include, but SYSTEM is still not finding those hidden files when local admin can.
Recall that I mentioned that code works as intended when run by an administrator account. As soon as I switch my service credentials to the SYSTEM account, it fails to find hidden files buried in the c:\users directory. Yes, the missing \ was a copy-paste issue; it's already in my code.
Hello darthiest,
please try it with PowerShell without compiling. I guess it has something to do with the starting directory. Maybe you can output the list of found MP3 files to a file to check if there is a logical error.
Greetings
Markus
Well, it doesn't seem to be an issue with ps2exe, but with the LocalSystem Account in general.
As you recommended, I brought up PowerShell running as system and ran the command looking for the hidden mp3 files in the users directory.
The result returned the same error on all the subdirectories below c:\users:
CategoryInfo : PermissionDenied: (C:\users\username\My Documents:String) [Get-ChildItem], UnauthorizedAccessException
FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
According to Microsoft, "[the SYSTEM account] has extensive privileges on the local computer...its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrator SIDs; these accounts have access to most system objects"
https://docs.microsoft.com/en-us/windows/win32/services/localsystem-account
Hello darthiest,
OK. I think it has something to do with the hidden junctions in the user's directories. Maybe you can filter them out.
Greetings
Markus
Closed since no response for 3 weeks
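
One way to apply the suggestion in the last reply, as an added example that is not code from either participant or from ps2exe: walk the tree manually, skip reparse points (junctions and symlinks), and record unreadable directories so that an access error is not mistaken for "no files". The function name and output file names are hypothetical, and it assumes the PermissionDenied errors come from junctions such as `My Documents`.

```powershell
# Added example: recursive search that never descends into reparse points
# and reports directories it could not read instead of dropping them.
function Find-FilesSkippingJunctions {
    param(
        [Parameter(Mandatory = $true)] [string[]] $Root,
        [string] $Filter = '*.mp3'
    )
    $found  = New-Object System.Collections.Generic.List[string]
    $denied = New-Object System.Collections.Generic.List[string]
    $queue  = New-Object System.Collections.Generic.Queue[string]
    foreach ($r in $Root) { $queue.Enqueue($r) }

    while ($queue.Count -gt 0) {
        $dir = $queue.Dequeue()
        $err = $null
        # -Force includes hidden and system items; errors are collected, not printed.
        $items = Get-ChildItem -LiteralPath $dir -Force `
                     -ErrorAction SilentlyContinue -ErrorVariable err
        foreach ($e in $err) { $denied.Add("$dir : $($e.Exception.Message)") }

        foreach ($item in $items) {
            if ($item.PSIsContainer) {
                # Junctions and symlinks carry the ReparsePoint attribute; skip them.
                if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) { continue }
                $queue.Enqueue($item.FullName)
            }
            elseif ($item.Name -like $Filter) {
                $found.Add($item.FullName)
            }
        }
    }
    New-Object PSObject -Property @{ Found = $found; Denied = $denied }
}

# Single quotes keep the $ in $Recycle.Bin literal.
$result = Find-FilesSkippingJunctions -Root 'C:\Users', 'C:\$Recycle.Bin'

# Hypothetical log locations; for a service running as SYSTEM, $env:TEMP is the SYSTEM temp directory.
$result.Found  | Set-Content -Path "$env:TEMP\mp3-found.txt"
$result.Denied | Set-Content -Path "$env:TEMP\mp3-denied.txt"

if ($result.Found.Count -eq 0 -and $result.Denied.Count -eq 0) {
    'There are NO hidden mp3 files'
}
elseif ($result.Found.Count -eq 0) {
    "No mp3 files found, but $($result.Denied.Count) directories could not be read"
}
```

Comparing the two output files between a run as SYSTEM and a run as an administrator shows whether the difference is in what was found or in what could not be read.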