Powershell Add-AppxPackage not working for standard user (only admin) #7765

Open
jeremy-qik opened this Issue Oct 23, 2018 · 14 comments

jeremy-qik commented Oct 23, 2018

Hopefully this is the right place (sorry if it's not). I am currently trying to side load an appx (UWP) in test kitchen. However it does not work for a standard user. When I set it to an admin account, it works (but that only installs the app for that admin user - I need it installed for a deescalated user). I suspect this is a bug in remote PowerShell?

Output:

STDERR: C:\Users\....\AppData\Local\Temp\chef-script20181023-3108-f0qjq7.ps1 : Win32 internal error "Access is denied" 0x5 
       
       occurred while reading the console output buffer. Contact Microsoft Customer Support Services.

Code:

powershell_script 'Install Appx' do
     code 'Add-AppxPackage Example_1.0.0.0.appx'
     cwd 'C:\...'
     user "standardUserHere"
     password "password"
     sensitive false
end

Edit: The command also works on the box itself when I log in as the standard user and copy it into PowerShell.

Member

stuartpreston commented Oct 24, 2018

@jeremy-qik Can you provide the relevant parts of your kitchen.yml file? Are you running this with elevated: true in your winrm transport? Have you tried running your code directly on the target machine rather than remotely over a winrm connection, also have you tried shelling out to runas /user standarduser then running powershell -command Add-AppxPackage etc. to see if that makes any difference?

jeremy-qik commented Oct 24, 2018

Hi @stuartpreston

Thanks for your response.
I have tried logging in as the standard user and running the commands in PowerShell manually and it works.

If I change the user running in PowerShell to the admin (non-elevated) in the powershell_script, it works.

e.g.

powershell_script 'Install Appx' do
     code 'Add-AppxPackage Example_1.0.0.0.appx'
     cwd 'C:\...'
     user "adminUser"
     password "adminPassword"
     sensitive false
end

Runas

PS C:\Users\adminUser> runas /user:'standardUser' "powershell"
runas /user:'standardUser' powershell
Enter the password for standardUser:
Attempting to start powershell as user "DESKTOP-...\standardUser" ...

(in the new Window that popped up)

PS C:\Windows\system32> whoami
desktop-...\standardUser
...(cd to dir)…
PS C:\Dir> Add-AppxPackage Example_1.0.0.0_x64.appx

And it works (Get-AppxPackage -Name *Example* reports app successfully installed)


.kitchen.yml

---
driver:
  name: vagrant
  communicator: winrm

provisioner:
  name: chef_zero
  always_update_cookbooks: true
  #log_level: info

verifier:
  name: inspec

transport:
  name: winrm
  guest: windows
  elevated: true

platforms:
  - name: windows
    os_type: windows
    driver:
      box: image_name_here
    driver_config:
      username: adminUser
      password: adminPass

suites:
  - name: default
    data_bags_path: "test/integration/data_bags"
    run_list:
    - recipe[...]
    verifier:
      inspec_tests:
        - test/integration/default

I have tried various other config permutations this morning to try and fix the issue, with no luck (such as removing the elevated).


Versions

$ chef --version
Chef Development Kit Version: 3.2.30
chef-client version: 14.4.56
delivery version: master (6862f27aba89109a9630f0b6c6798efec56b4efe)
berks version: 7.0.6
kitchen version: 1.23.2
inspec version: 2.2.70
$ vagrant --version
Vagrant 2.0.4
Virtualbox: 5.2.18

jeremy-qik changed the title from Powershell Add-AppxPackage not working for standard user (only elevated admin) to Powershell Add-AppxPackage not working for standard user (only admin) Oct 24, 2018

Member

stuartpreston commented Oct 24, 2018

That is strange, as when you run with elevated: true Test Kitchen will create a scheduled task on the remote computer. So this should mimic exactly Chef Client running as the specified user on the target machine. Though usually Chef Client is running as System if installed as a Scheduled Task or even the Windows Service so perhaps you could try with adding:

elevated_username: System
elevated_password: null

Underneath the existing elevated: true setting in your transport.

jeremy-qik commented Oct 24, 2018

I tried adding (below) but same issue. I also tried placing the elevated_username/elevated_password under driver_config as well.

---
driver:
  name: vagrant
  communicator: winrm

provisioner:
  name: chef_zero
  always_update_cookbooks: true
  #log_level: info

verifier:
  name: inspec

transport:
  name: winrm
  guest: windows
  elevated: true
  elevated_username: System
  elevated_password: null

platforms:
  - name: windows
    os_type: windows
    driver:
      box: image_name_here
    driver_config:
      username: adminUser
      password: adminPass

suites:
  - name: default
    data_bags_path: "test/integration/data_bags"
    run_list:
    - recipe[...]
    verifier:
      inspec_tests:
        - test/integration/default

STDOUT: 
       STDERR: C:\Windows\Temp\chef-script20181024-5088-ld3fe7.ps1 : Win32 internal error "Access is denied" 0x5 occurred while 
       
       reading the console output buffer. Contact Microsoft Customer Support Services.
       
       
       ---- End output of "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -File "C:/Windows/Temp/chef-script20181024-5088-ld3fe7.ps1" ----

Member

stuartpreston commented Oct 24, 2018

If you have a look into your tempdir on the remote machine there should be a kitchen folder containing all your cookbooks. Does the powershell_script execute correctly if you use chef-apply? Trying to figure out if it's really a Chef Client problem or just a PowerShell one because it's over winrm.

jeremy-qik commented Oct 24, 2018

I am having a look at the scripts now.

I did notice that Chef calls PowerShell 1 (C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe). I thought it might be related, but does not appear to be the case.

I made a test and got some output (not sure if it's helpful). Has a little more info.

batch 'App Install' do
    code <<-EOH
        powershell -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -Command "Add-AppxPackage -Path \"c:/test/Example_1.0.0.0_x64.appx\""
    EOH
    cwd "c:/test"
    user "standardUser"
    password "standardUserPassword"
    sensitive false
end

[2018-10-24T15:52:20+01:00] FATAL: Mixlib::ShellOut::ShellCommandFailed: batch[App Install] (app::install line 47) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
       ---- Begin output of "C:\Windows\system32\cmd.exe" /c "C:/Windows/Temp/chef-script20181024-3296-195dfql.bat" ----
       STDOUT: C:\Test\Example_1.0.0.0_x64>powershell -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -Command "Add-AppxPackage -Path “C:/test/Example_1.0.0.0_x64.appx""
       STDERR: Add-AppxPackage : Win32 internal error "Access is denied" 0x5 occurred while reading the console output buffer. 
       
       Contact Microsoft Customer Support Services.
       
       At line:1 char:1
       
       + Add-AppxPackage -Path C:\Test\Example_1.0.0.0_x64...
       
       + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
           + CategoryInfo          : ReadError: (:) [Add-AppxPackage], HostException
       
           + FullyQualifiedErrorId : ReadConsoleOutput,Microsoft.Windows.Appx.PackageManager.Commands.AddAppxPackageCommand
       ---- End output of "C:\Windows\system32\cmd.exe" /c "C:/Windows/Temp/chef-script20181024-3296-195dfql.bat" ----
       Ran "C:\Windows\system32\cmd.exe" /c "C:/Windows/Temp/chef-script20181024-3296-195dfql.bat" returned 1

jeremy-qik commented Oct 24, 2018

Testing Running the Powershell script manually.

Chef
Note: I added the sleep to keep the ps1 in the C:\Windows\Temp directory. Chef seems to delete them after the run completes.

powershell_script 'App Install' do
    code <<-EOH
        sleep 20
        Add-AppxPackage -Path "#{app_installer_full_path}/Example_1.0.0.0_x64.appx"
    EOH
    user "standardUser"
    password "standardPass"
    sensitive false
end

Run output

       Running handlers:
       [2018-10-24T17:10:46+01:00] ERROR: Running exception handlers
       Running handlers complete
       [2018-10-24T17:10:46+01:00] ERROR: Exception handlers complete
       Chef Client failed. 0 resources updated in 44 seconds
       [2018-10-24T17:10:46+01:00] FATAL: Stacktrace dumped to C:/Users/…/AppData/Local/Temp/kitchen/cache/chef-stacktrace.out
       [2018-10-24T17:10:46+01:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
       [2018-10-24T17:10:46+01:00] FATAL: Mixlib::ShellOut::ShellCommandFailed: powershell_script[App Install] (recipe::app-install line 31) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
       ---- Begin output of "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -File "C:/Windows/Temp/chef-script20181024-6304-1aoo602.ps1" ----
       STDOUT: 
       STDERR: C:\Windows\Temp\chef-script20181024-6304-1aoo602.ps1 : Win32 internal error "Access is denied" 0x5 occurred while 
       
       reading the console output buffer. Contact Microsoft Customer Support Services.
       
       
       ---- End output of "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -File "C:/Windows/Temp/chef-script20181024-6304-1aoo602.ps1" ----
       Ran "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -File "C:/Windows/Temp/chef-script20181024-6304-1aoo602.ps1" returned 1
$$$$$$         + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
$$$$$$         + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,chef-script20181024-6304-1aoo602.ps1
$$$$$$     + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
$$$$$$     + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,chef-script20181024-6304-1aoo602.ps1

Running the script on the machine
Note: From the admin account
Note: I copied the Powershell files from C:\Windows\Temp to C:\Test

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\AdminUser> runas /user:'standardUser' powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> cd c:/Test
PS C:\Test> ls


    Directory: C:\Test


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       24/10/2018     17:10           2460 chef-script20181024-6304-1aoo602.ps1
-a----       24/10/2018     17:10            137 chef_powershell_script-user-code20181024-6304-1tdp3ts.ps1
-a----       24/10/2018     17:09            448 winrm-elevated-shell-75ba627d-55b9-4902-a780-4623623a0ee2.ps1


PS C:\Test> whoami
desktop-rnv1bpf\standardUser

PS C:\Test> & "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -File "C:/Test/chef-script20181024-6304-1aoo602.ps1"

Testing shows it has installed (using)

PS C:\Users\Admin> Get-AppxPackage -AllUsers -Name *example*

jeremy-qik commented Oct 24, 2018

Testing the recipe manually

PS C:\Users\Admin> chef-apply C:\Users\Admin\AppData\Local\Temp\kitchen\cookbooks\app\recipes\app-install.rb
Recipe: (chef-apply cookbook)::(chef-apply recipe)
  * powershell_script[App Install] action run
    - execute "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -File "C:/Users/Admin/AppData/Local/Temp/chef-script20181024-8004-12dpfwp.ps1"
get-appxpackage -allusers -name *example*

Shows it has installed.

So I guess this is not a Chef issue and is a WinRM issue? If so where do I go to report this? :)
I might have to see if I can test this on a real machine (not using Kitchen - I guess this means it will not use WinRM and possibly work). Only other thing I can think of, is it

Member

stuartpreston commented Oct 24, 2018

Mm, well in theory that's good and shows that beyond Test Kitchen your recipe is likely to work. It possibly points to a Local Security Policy that Admin has that System does not. Have you tried setting the elevated user to Admin and seeing if that works? Otherwise, yes it does sound as if there's some WinRM oddity here.

jeremy-qik commented Oct 25, 2018

I exported the Group Policy as XML and HTML for both users. It's not something I am very familiar with but I could not see any differences that could explain this (except for the admin policy part).

PS C:\Users\Admin> gpresult /USER "admin" /H "C:\\admin.html"
PS C:\Users\Admin> gpresult /USER "standardUser" /H "C:\\standardUser.html"
PS C:\Users\Admin> gpresult /USER "admin" /X "C:\\admin.xml"
PS C:\Users\Admin> gpresult /USER "standardUser" /X "C:\\standardUser.xml"

I also have tried.

$ vagrant winrm --command "whoami"
desktop-...\admin

$ vagrant winrm --command "chef-apply C:\\Users\\Admin\\AppData\\Local\\Temp\\kitchen\\cookbooks\\app\\recipes\\app-install.rb"

And it fails with the same error message

 STDOUT: 
    STDERR: C:\Users\Admin\AppData\Local\Temp\chef-script20181025-1196-thz0dc.ps1 : Win32 internal error "Access is denied" 0x5 

    occurred while reading the console output buffer. Contact Microsoft Customer Support Services.

        + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException

        + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,chef-script20181025-1196-thz0dc.ps1
    ---- End output of "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -File "C:/Users/Admin/AppData/Local/Temp/chef-script20181025-1196-thz0dc.ps1" ----
    Ran "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -File "C:/Users/Admin/AppData/Local/Temp/chef-script20181025-1196-thz0dc.ps1" returned 1
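
One way to compare the contexts tested in this thread (interactive runas window, WinRM, powershell_script), as an added example that is not from the thread or from Chef: it records the logon type, integrity level and session details of the current process so a working run and a failing run can be diffed. The function names and the output file name are assumptions.

```powershell
# Added diagnostic (not from the thread): snapshot the security context of the
# current process so a working run and a failing run can be compared.
function Get-SessionContext {
    # /nh drops the localized header row, so column names are supplied here.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    $sids = @($groups | ForEach-Object { $_.Sid })

    # Well-known SIDs Windows adds to a token for the logon type.
    $logonTypes = @{
        'S-1-5-2' = 'Network';     'S-1-5-3' = 'Batch'
        'S-1-5-4' = 'Interactive'; 'S-1-5-6' = 'Service'
    }
    # Mandatory integrity label SIDs.
    $integrity = @{
        'S-1-16-4096'  = 'Low';  'S-1-16-8192'  = 'Medium'
        'S-1-16-12288' = 'High'; 'S-1-16-16384' = 'System'
    }
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    [pscustomobject]@{
        User              = $identity.Name
        LogonType         = @($sids | Where-Object { $logonTypes.ContainsKey($_) } |
                                ForEach-Object { $logonTypes[$_] }) -join ','
        IntegrityLevel    = @($sids | Where-Object { $integrity.ContainsKey($_) } |
                                ForEach-Object { $integrity[$_] }) -join ','
        SessionId         = [System.Diagnostics.Process]::GetCurrentProcess().SessionId
        UserInteractive   = [Environment]::UserInteractive
        HostName          = $Host.Name
        OutputRedirected  = [Console]::IsOutputRedirected
        # True when the user's registry hive (profile) is loaded under HKEY_USERS.
        ProfileHiveLoaded = Test-Path "Registry::HKEY_USERS\$($identity.User.Value)"
    }
}

# Lists only the properties that differ between two saved snapshots.
function Compare-SessionContext([string]$WorkingPath, [string]$FailingPath) {
    $working = Get-Content -Path $WorkingPath -Raw | ConvertFrom-Json
    $failing = Get-Content -Path $FailingPath -Raw | ConvertFrom-Json
    foreach ($name in $working.PSObject.Properties.Name) {
        if ("$($working.$name)" -ne "$($failing.$name)") {
            [pscustomobject]@{
                Property = $name
                Working  = $working.$name
                Failing  = $failing.$name
            }
        }
    }
}

# Save one snapshot per run; the file name is an assumption of this example.
$snapshot = Join-Path $env:TEMP ("session-context-{0}.json" -f $PID)
Get-SessionContext | ConvertTo-Json | Set-Content -Path $snapshot
Write-Output "Saved $snapshot"
```

Run it once in each context, then pass the JSON file from a working run and the one from a failing run to Compare-SessionContext.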

Member

stuartpreston commented Oct 26, 2018

How about whether the standardUser has a profile created already at the point this is executed? Beyond that I'm out of ideas I'm afraid. It does seem to be a WinRM-related issue at this point and not something we can address in Chef.

jeremy-qik commented Oct 26, 2018

Thanks for your help @stuartpreston. Yeah it is an interesting issue! I have logged in as the standard user, to make sure the profile is created etc.
I finally found a workaround. It's far from ideal, but it might help in pinpointing the issue.

file "c:/app-install.ps1" do
    content <<-EOH
        cd -path "C:/Test"

        Add-AppxPackage Example_1.0.0.0_x64.appx -DependencyPath "Dependencies\\x64\\A.appx","Dependencies\\x64\\B.appx","Dependencies\\x64\\C.appx"
    EOH
end
powershell_script 'App Install' do
    code <<-EOH
        $username = 'standardUser'
        $password = 'passwordHere'

        $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
        $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword

        Start-Process -NoNewWindow -Wait -FilePath "C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe" -ArgumentList "-ExecutionPolicy Bypass -File c:/app-install.ps1" -Credential $credential
    EOH
    user "standardUser"
    password "passwordHere"
end

Interestingly if I remove the -Credential $credential part it does not work!
Note: I am open to any other (better) ideas.

jeremy-qik commented Oct 30, 2018

In case someone else finds this. I thought it might be related to the -NoProfile when powershell_script runs, but I tried (below) with no luck.

file "c:/app-install.ps1" do
    content <<-EOH
        cd -path "C:/Test"

        Add-AppxPackage Example_1.0.0.0_x64.appx -DependencyPath "Dependencies\\x64\\A.appx","Dependencies\\x64\\B.appx","Dependencies\\x64\\C.appx"
    EOH
end
execute 'App Install' do
    command "powershell.exe -NoLogo -NonInteractive -ExecutionPolicy Bypass -InputFormat None -File c:/app-install.ps1"
    user "standardUser"
    password "standardPass"
    cwd "c:/Test"
    #elevated true
    sensitive false
end