
12: How to Block running PowerShell 2.0 using Least Privilege Manager

ISSUE:

Blocking PowerShell version 2 with a traditional command line rule in PolicyPak Least Privilege Manager (PPLPM) generates multiple block events every second in the PolicyPak event log.

CAUSE:

When you run PowerShell -v 2 (or an equivalent such as -version 2.0) from a PowerShell prompt, the following happens:

First, the parent (the PowerShell process you typed the command into) creates a child with the following command line:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -version 2

When that fails (because the PPLPM Client Side Extension (CSE) blocks it), the parent creates a temporary child process with a different command line, in which the executable path appears twice:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -version 2

That child process then creates another child with the original command line, which PPLPM blocks again.

This repeats in an endless loop. Every blocked attempt writes a block event, which is why the PolicyPak event log fills at a rate of several events per second.

WORKAROUND:

Because the internal PowerShell logic that retries the child process after the failure cannot be changed, use the two scripts below to work around the issue. The two policies below are also attached as XML for your convenience.

Lastly, test with the command directly below to confirm that PowerShell version 2.0 is now blocked and that multiple block events are no longer being created in the PolicyPak event log.

PowerShell -version 2.0
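The command above checks a single launch by hand. The PowerShell function below, added here as an example and not part of this article or of the attached PolicyPak scripts, automates that check: it launches the test command with a bounded wait, counts how many new events land in the PolicyPak log while the test runs, and lists any leftover powershell.exe children whose command line still carries -version 2 (the relaunch loop described under CAUSE). The log name 'PolicyPak' and the threshold of 10 events per run are assumptions; adjust them to what Event Viewer shows on your endpoint.

```powershell
# Added verification script (not from the PolicyPak KB article or PolicyPak's own scripts).
# Runs the article's test command, waits a bounded time, counts new PolicyPak events,
# and looks for the orphaned "-version 2" relaunch children described under CAUSE.
function Test-PowerShellV2Block {
    [CmdletBinding()]
    param(
        # ASSUMPTION: the PolicyPak event log name as shown in Event Viewer on this endpoint.
        [string]$LogName = 'PolicyPak',
        [int]$TimeoutSeconds = 15,
        # ASSUMPTION: more than this many new events during one run means the loop is back.
        [int]$LoopThreshold = 10,
        [switch]$StopLoopingProcesses
    )

    $psExe   = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
    $outFile = Join-Path $env:TEMP ('psv2-test-{0}.txt' -f [guid]::NewGuid())
    $since   = Get-Date

    # 1. Run the test command. If PPLPM blocks process creation, Start-Process throws;
    #    if the v2 engine is missing, powershell.exe exits non-zero; if v2 actually runs,
    #    it prints its major engine version (2).
    $started = $false; $exitCode = $null; $output = ''; $launchError = $null
    try {
        $p = Start-Process -FilePath $psExe -PassThru -WindowStyle Hidden `
            -RedirectStandardOutput $outFile `
            -ArgumentList '-version', '2.0', '-NoProfile', '-NonInteractive',
                          '-Command', '$PSVersionTable.PSVersion.Major'
        $started = $true
        Wait-Process -Id $p.Id -Timeout $TimeoutSeconds -ErrorAction SilentlyContinue
        if ($p.HasExited) { $exitCode = $p.ExitCode } else { Stop-Process -Id $p.Id -Force }
        if (Test-Path $outFile) { $output = (Get-Content $outFile -Raw).Trim() }
    } catch {
        $launchError = $_.Exception.Message
    } finally {
        Remove-Item $outFile -ErrorAction SilentlyContinue
    }

    # 2. Count events written to the PolicyPak log while the test ran. A healthy block
    #    writes one or a handful; the loop from the CAUSE section writes several per second.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } `
                  -ErrorAction SilentlyContinue)

    # 3. Look for relaunch children: powershell.exe instances (other than this session)
    #    whose command line still carries "-version 2".
    $loopers = @(Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" |
        Where-Object { $_.ProcessId -ne $PID -and $_.CommandLine -match '-version\s+2' })
    if ($StopLoopingProcesses -and $loopers.Count -gt 0) {
        $loopers | ForEach-Object {
            Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue
        }
    }

    [pscustomobject]@{
        V2Started       = ($started -and $exitCode -eq 0 -and $output -eq '2')
        BlockedAtLaunch = (-not $started)
        ExitCode        = $exitCode
        LaunchError     = $launchError
        NewBlockEvents  = $events.Count
        LoopDetected    = ($events.Count -gt $LoopThreshold -or $loopers.Count -gt 0)
        LoopingPids     = @($loopers | Select-Object -ExpandProperty ProcessId)
    }
}

# Run the check; -StopLoopingProcesses also kills any relaunch children it finds.
Test-PowerShellV2Block -StopLoopingProcesses
```

A correct result is V2Started = False, LoopDetected = False and NewBlockEvents in the low single digits. V2Started = True means the rule is not applying at all; LoopDetected = True with a climbing NewBlockEvents count is the symptom this article describes.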

  • 1319
  • 08-Mar-2024