The Wayback Machine - https://web.archive.org/web/20230329061736/https://github.com/PowerShell/PowerShell/issues/19410
Wait-Process -InputObject $P where $P = Start-Process with credentials, PassThru and no -Wait results in Access Denied #19410

Open
5 tasks done
jjsmeets opened this issue Mar 27, 2023 · 5 comments
Labels
Needs-Triage The issue is new and needs to be triaged by a work group. Resolution-Duplicate The issue is a duplicate.

Comments

@jjsmeets

Prerequisites

Steps to reproduce

# I cannot use Wait-Process to wait for a process started with Start-Process -PassThru -Credential $credential (other user)

$Script_Str ='D:_DATA_PUBLIC_DATA_f_shared_batch_scripts\Slideshow_runAndWait_sub2.ps1'
$Process1 =Start-Process pwsh.exe -PassThru -credential $Credentials -ArgumentList "-file $Script_Str"
wait-Process -InputObject $Process1

Expected behavior

The applet Wait-Process should continue as soon as the started process has ended

Actual behavior

I get Access Denied and also a timeout message.

Error details

Wait-Process: 
Line |
   3 |  wait-Process -InputObject $Process1
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | This command stopped operation of "pwsh (3844)" because of the following error: Toegang geweigerd..
Wait-Process: 
Line |
   3 |  wait-Process -InputObject $Process1
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | This command stopped operation because process "pwsh (3844)" is not stopped in the specified time-out.

Get-Error reports only the last error:

Exception             : 
    Type    : System.TimeoutException
    Message : This command stopped operation because process "pwsh (3844)" is not stopped in the specified time-out.
    HResult : -2146233083
TargetObject          : System.Diagnostics.Process
CategoryInfo          : CloseError: (System.Diagnostics.Process:Process) [Wait-Process], TimeoutException
FullyQualifiedErrorId : ProcessNotTerminated,Microsoft.PowerShell.Commands.WaitProcessCommand
InvocationInfo        : 
    MyCommand        : Wait-Process
    ScriptLineNumber : 3
    OffsetInLine     : 1
    HistoryId        : 37
    Line             : wait-Process -InputObject $Process1
    Statement        : wait-Process -InputObject $Process1
    PositionMessage  : At line:3 char:1
                       + wait-Process -InputObject $Process1
                       + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    InvocationName   : wait-Process
    CommandOrigin    : Internal
ScriptStackTrace      : at <ScriptBlock>, <No file>: line 3
PipelineIterationInfo :

Environment data

Name                           Value
----                           -----
PSVersion                      7.4.0-preview.2
PSEdition                      Core
GitCommitId                    7.4.0-preview.2
OS                             Microsoft Windows 10.0.22621
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Visuals

Remarks: in PowerShell 7.4 preview 2 the same kind of problem was solved, which involved
$p = Start-Process -PassThru -Credential and -Wait.
That works now, but Wait-Process -InputObject $p still does not work.
($p.WaitForExit however was already working in PowerShell 5 and 7)

@jjsmeets jjsmeets added the Needs-Triage The issue is new and needs to be triaged by a work group. label Mar 27, 2023
@jborean93
Collaborator

This is essentially a duplicate of #19411 (comment)

@jjsmeets
Author

I do not agree that it is a duplicate. Perhaps the background reason is the same .NET issue, but they are completely different PowerShell issues.
The same .NET problem was mentioned as the background reason for the -Wait problem on Start-Process, but that was solved, so why can these issues not be solved using the same (internal) technique?

@jborean93
Collaborator

jborean93 commented Mar 27, 2023

It is, the process object you get back from Start-Process is very limited in what you can do as your user does not have permissions to work with that token.

> The same .NET problem was mentioned as the background reason for the -Wait problem on Start-Process, but that was solved, so why can these issues not be solved using the same (internal) technique?

Using Start-Process -Credential ... -Wait was solved because internally it still had access to the process token given to the user when it created the process. This token had full access to do whatever it wanted, like wait until it was done ("synchronization rights"). Unfortunately that full process token is discarded as dotnet has no way to say hey give me a System.Diagnostics.Process object from that process handle. It is forced to use [System.Diagnostics.Process]::GetProcessById($newProcId) to get a new process object but now it's subject to the same access checks that user normally would have when inspecting other processes.

The ultimate fix is to stop doing the work manually in Start-Process to spawn the new process and just use the dotnet API directly, as now that Process object has the process token with full access on it. This was not possible before as dotnet didn't expose all the options that pwsh has, but with the merging of dotnet/runtime#82662 it should now be possible to do so.

@SteveL-MSFT SteveL-MSFT added the Resolution-Duplicate The issue is a duplicate. label Mar 27, 2023
@jjsmeets
Author

Ok, I understand that during Start-Process the solution could be different (because of the internally available token). But why is $p.WaitForExit different from Wait-Process, when they both only wait for the process itself (while Start-Process -Wait should/will wait for the full process tree, also started child processes!)?

@jborean93
Collaborator

The process object you get back from Start-Process -PassThru doesn't have enough rights on the process itself to do things like waiting for it to exit or checking the exit code. This is because your user account doesn't have permissions over the new process that is running as another user. It's like doing:

Start-Process pwsh.exe -Credential $cred
$proc = Get-Process -Name pwsh
$proc.WaitForExit()

Windows does give the creator of the new process a handle to that process with full access to do whatever they want but the way PowerShell starts it and how dotnet works it is unable to embed that token in the Process object returned by Start-Process. The only way around this is to have dotnet create the process as another user as in that scenario the process object contains that full access handle.
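
Added example, not part of the thread and not PowerShell project code: the last comment's workaround of letting dotnet create the process as the other user, so the returned Process object holds the handle obtained at creation and can be waited on. The function name `Start-ProcessAsUser`, the `exit 7` test command, the 60-second timeout and the choice of working directory are assumptions made for illustration.

```powershell
# Added example (Windows only). Start-ProcessAsUser is a hypothetical helper name.
function Start-ProcessAsUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [string[]] $ArgumentList = @(),
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    # Split DOMAIN\user (or a bare user name) into its parts.
    $net = $Credential.GetNetworkCredential()

    $psi = [System.Diagnostics.ProcessStartInfo]::new($FilePath)
    foreach ($arg in $ArgumentList) { $psi.ArgumentList.Add($arg) }
    $psi.UseShellExecute = $false                # required when UserName is set
    $psi.UserName        = $net.UserName
    $psi.Domain          = $net.Domain
    $psi.Password        = $Credential.Password  # stays a SecureString
    $psi.LoadUserProfile = $true
    # Assumption: the target account can access this directory. Process
    # creation fails if the working directory is not accessible to it.
    $psi.WorkingDirectory = $env:SystemRoot

    # Process.Start returns an object built around the handle from process
    # creation, not one reopened by PID under the caller's access checks.
    [System.Diagnostics.Process]::Start($psi)
}

$cred = Get-Credential
$proc = Start-ProcessAsUser -FilePath 'pwsh.exe' `
    -ArgumentList '-NoProfile', '-Command', 'exit 7' -Credential $cred

try {
    # Bounded wait: report a timeout instead of blocking forever.
    if ($proc.WaitForExit(60000)) {
        "Process $($proc.Id) exited with code $($proc.ExitCode)"
    }
    else {
        Write-Warning "Process $($proc.Id) still running after 60 s"
    }
}
finally {
    $proc.Dispose()   # releases the process handle held by the object
}
```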
