[secretsdump] Fix -use-vss for use in all languages #1470
Closed
Hi!

Currently, the `secretsdump` `-use-vss` option only works for systems installed in English, as it parses the (localized) text outputs of `vssadmin` commands. If we try using this option on non-English systems, `secretsdump` will fail and won't find any existing shadow copy, and will create a new one and not find that one either.

This PR aims to fix this: instead of parsing `vssadmin` commands, `secretsdump` will obtain shadow copies through WMI (not localized), and as such should work in situations where it does not right now.

A `DCOMConnection` has been added to `RemoteOperations`, instantiated if `-use-vss` is used. Additionally, all previous individual uses of `DCOMConnection` (for use with the execution methods `wmiexec` and `mmcexec`) have been merged into that one. I'm not aware of any issue that could be introduced doing this, but I might be wrong, please test.

The only remaining use of remote command execution is for the command `copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\... %SYSTEMROOT%\Temp\xxx.tmp`. I wish there was a way to replace it with a nice RPC call so that we could do away with the exec methods completely, but I'm not aware of any way with Root Local Device paths.

I welcome tests in different environments, for now this has just been tested in labs.

Cheers!
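The flow the PR describes (look for an existing shadow copy, create one if there is none, copy the hives out through the `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN` device path, clean up), reproduced locally on a Windows host with CIM/WMI so the language-independence can be checked without impacket. This is an added example written for this page, not impacket code and not part of the PR; `$Volume`, `$Destination` and `$Hives` are assumptions chosen for the illustration, and it must be run from an elevated PowerShell on a machine whose VSS service is available.

```powershell
# Added example (not impacket or PR code): find-or-create a shadow copy and
# copy registry hives out of it using Win32_ShadowCopy instead of parsing
# localized vssadmin output. Requires an elevated PowerShell session.
# $Volume, $Destination and $Hives are assumptions for this illustration.

$Volume      = 'C:\'
$Destination = Join-Path $env:SYSTEMROOT 'Temp'
$Hives       = @('SAM', 'SYSTEM', 'SECURITY')   # under Windows\System32\config

# Win32_ShadowCopy.VolumeName holds the volume GUID path (\\?\Volume{...}\),
# so resolve the drive letter to that form first. Filtering on DriveLetter
# avoids having to escape backslashes inside the WQL string.
$volume = Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='$($Volume.TrimEnd('\'))'"
if (-not $volume) { throw "Volume $Volume not found" }
$volumeId = $volume.DeviceID

# 1. Reuse an existing shadow copy of the volume if there is one. These are
#    typed properties, not display strings, so the lookup behaves the same on
#    an English and a non-English install (the old vssadmin parser matched
#    English labels, which is what failed elsewhere).
$shadow  = Get-CimInstance -ClassName Win32_ShadowCopy |
           Where-Object { $_.VolumeName -eq $volumeId } |
           Sort-Object InstallDate -Descending |
           Select-Object -First 1
$created = $false

# 2. Otherwise create one. Create() is a static WMI method; ReturnValue 0 is
#    success and ShadowID is the GUID of the new copy.
if (-not $shadow) {
    $result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
                -Arguments @{ Volume = $Volume; Context = 'ClientAccessible' }
    if ($result.ReturnValue -ne 0) {
        throw "Win32_ShadowCopy.Create failed, return value $($result.ReturnValue)"
    }
    $shadow  = Get-CimInstance -ClassName Win32_ShadowCopy -Filter "ID='$($result.ShadowID)'"
    $created = $true
}

# 3. DeviceObject is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN. That is
#    a local object-manager path with no SMB equivalent, which is why the PR
#    still needs one remote command for this step; cmd's copy handles it.
$copied = @()
foreach ($hive in $Hives) {
    $src = '{0}\Windows\System32\config\{1}' -f $shadow.DeviceObject, $hive
    $dst = Join-Path $Destination ('{0}.tmp' -f $hive)
    cmd.exe /c copy /y "$src" "$dst" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "copy of $hive from $($shadow.DeviceObject) failed" }
    $copied += $dst
}

# 4. Delete the shadow copy only if this script created it (Remove-CimInstance
#    on a Win32_ShadowCopy instance removes the snapshot). The hive copies are
#    left in $Destination for the caller, who should delete them after use.
if ($created) { $shadow | Remove-CimInstance }

$copied
```

To see the difference the PR is addressing, compare the property names returned by `Get-CimInstance -ClassName Win32_ShadowCopy` with the output of `vssadmin list shadows` on a machine whose display language is not English: the CIM properties (`ID`, `VolumeName`, `DeviceObject`) are identical everywhere, while the `vssadmin` labels are translated. The copied `.tmp` hives contain credential material and should be removed once they have been parsed.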