Invoke Powershell 7 commands in Hyper-V VM without Admin

Question

I'm trying to use Powershell to remotely perform actions within a Windows 10 Hyper-V VM from the Windows 11 host. These actions must:

• Be run in the guest OS using Powershell 7
• Be run in the guest OS without administrator priviledges (runas /trustlevel:0x20000 <cmd> doesn't work for these actions)
• Be run in the guest OS synchronously with it's output captured (i.e. usual de-elevation techniques such as scheduled tasks / explorer.exe <cmd> aren't applicable)

While I am able to run non-elevated commands in Powershell 5.1, I am not able to do so using Powershell 7 as, no matter what I try (see below), a user without administrative priviledges isn't able to use the Powershell 7 session configurations.

My hunch is that the Powershell 7 session configurations (which need to be created while running as Administrator) have file permissions which are not accessible to non-administrative users but I've not been able to find the associated files and verify this.

Stuff I have tried is below. Any suggestions much appreciated.

Powershell 5.1

I can execute regular Powershell 5.1 commands using Invoke-Command, New-Session, Enter-Session, etc using:

Invoke-Command -VMName $vmName -Credential $creds -ScriptBlock { $PSVersionTable }

Which shows this command has been executed using PSVersion 5.1:

Name                           Value
----                           -----
WSManStackVersion              3.0
BuildVersion                   10.0.19041.1682
PSVersion                      5.1.19041.1682
SerializationVersion           1.1.0.1
CLRVersion                     4.0.30319.42000
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
PSEdition                      Desktop

And works regardless of whether or not the user for specified credentials has administrator priviledges in the guest OS. This can be checked using:

Invoke-Command -VMName $vmName -Credential $creds -ScriptBlock { whoami /groups }

Which results in the following when the user is in the Administrator group:

Group Name

=============================================================
Everyone
NT AUTHORITY\Local account and member of Administrators group
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
NT AUTHORITY\Local account
NT AUTHORITY\NTLM Authentication

And the following when the user is not in the Administrator group:

Group Name

======================================
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
NT AUTHORITY\Local account
NT AUTHORITY\NTLM Authentication

Powershell 7

Running Enable-PSRemoting in an elevated Powershell 7 session within the guest OS creates additional session configurations which can be seen using Get-PSSessionConfigration as shown below:

Name          : PowerShell.7
PSVersion     : 7.3
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
                Management Users AccessAllowed

Name          : PowerShell.7.3.0
PSVersion     : 7.3
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
                Management Users AccessAllowed

If the user for the specified credentials is in the Administrators group, these configurations can then be used to execute commands in Powershell 7, for example:

Invoke-Command -VMName $vmName -Credential $creds -ConfigurationName PowerShell.7 -ScriptBlock { $PSVersionTable }

Which shows this command has been executed using PSVersion 7.3:

Name                           Value
----                           -----
WSManStackVersion              3.0
OS                             Microsoft Windows 10.0.19044
PSVersion                      7.3.0
SerializationVersion           1.1.0.1
PSRemotingProtocolVersion
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
GitCommitId                    7.3.0
Platform                       Win32NT
PSEdition                      Core

However, if the user for specified credentials is not in the Administrators group then an error is encountered when executing the same command:

OpenError: Cannot create or open the configuration session PowerShell.7.

Adding User to "Remote Management Users"

Given then PSSession Configurations shown above seem to suggest a user in the Remote Management Users group should have AccessAllowed I have tried adding this group to the user for the specified credentials. This is shown by executing the following command in Powershell 5.1:

> Invoke-Command -VMName $vmName -Credential $creds -ScriptBlock { whoami /groups }

Group Name
======================================
Everyone
BUILTIN\Users
BUILTIN\Remote Management Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
NT AUTHORITY\Local account
NT AUTHORITY\NTLM Authentication
Mandatory Label\Medium Mandatory Level

But results in the same error when executing the command in Powershell 7:

> Invoke-Command -VMName $vmName -Credential $creds -ConfigurationName PowerShell.7 -ScriptBlock { whoami /groups }

OpenError: Cannot create or open the configuration session PowerShell.7.

Adding User/Users group to Powershell.7 Session Configuration

I have tried add the specific user and/or the Users group to the Powershell.7 Session Configuration using:

Set-PSSessionConfiguration -Name PowerShell.7 -ShowSecurityDescriptorUI

But the user for the specified credentials is still unable able to access the configuration:

> Invoke-Command -VMName $vmName -Credential $creds -ConfigurationName PowerShell.7 -ScriptBlock { whoami /groups }

OpenError: Cannot create or open the configuration session PowerShell.7.

Changing Default Session Configuration

I have also tried setting the default (Microsoft.PowerShell) session configuration to PowerShell 7 by using the script shown here which executes correctly and can be verified using the command:

> Get-PSSessionConfiguration -Name Microsoft.PowerShell

Name          : Microsoft.PowerShell
PSVersion     : 7.3
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
                Management Users AccessAllowed

But commands still seem to be invoked using Powershell 5.1 as shown:

> Invoke-Command -VMName $vmName -Credential $creds -ScriptBlock { $PSVersionTable }

Name                           Value
----                           -----
WSManStackVersion              3.0
BuildVersion                   10.0.19041.1682
PSVersion                      5.1.19041.1682
SerializationVersion           1.1.0.1
CLRVersion                     4.0.30319.42000
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
PSEdition                      Desktop

Aaaaaaand, now I'm out of ideas. I could possibly move to using Powershell remoting over SSH but this has it's own set of challenges (generating and adding keys, VM being accessible/resolvable on the external network, etc) so I'm really hoping there's a simply solution to the above.

Help me Stackoverflow Kinobi, you're my only hope.

Answer 1

But the user for the specified credentials is still unable able to access the configuration:

Invoke-Command -VMName $vmName -Credential $creds -ConfigurationName PowerShell.7 -ScriptBlock { whoami /groups }

OpenError: Cannot create or open the configuration session PowerShell.7.

I think there is catch, even if you set standard user to be allowed remote access you still need to use an elevated PS console to execute commands.

when I run the command in the console that was open as standard user the command fails with same error you posted, but opening it as Admin worked by specifying standard user credentials, ex.

In VM run:

Enable-PSRemoting

$SessionName = "StandardSession"
Register-PSSessionConfiguration -Name $SessionName -AccessMode Remote

# When the security dialog shows up, add "Users" to list and set "full controll"
Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name $SessionName -AccessMode Remote

On host system open PS as Admin and run:

# Add VM name to trusted hosts, update this to VM host name
$Domain = "VM_NETBIOS_NAME"
Set-Item -Path WSMan:\localhost\client\TrustedHosts -Value $Domain -Concatenate

# Restart WinRM service for changes to take effect
Restart-Service -Name WinRM

# Enter credentials of standard user account in VM
$creds = Get-Credential

Invoke-Command -ComputerName $Domain -Credential $creds -ScriptBlock { $PSVersionTable } -ConfigurationName "StandardSession"

Although I didn't test these commands exactly but as part of my other setup which works, by using these commands I got pwrshplugin.dll error but you might get different result, which if you get the same can run the following to confirm all plugins are enabled:

Get-Item WSMan:\localhost\Plugin\* | ForEach-Object {
  $Enabled = Get-Item "WSMan:\localhost\Plugin\$($_.Name)\Enabled" |
  Select-Object -ExpandProperty Value

  [PSCustomObject] @{
    Name = $_.Name
    Enabled = $Enabled
    PSPath = $_.PSPath
  }
} | Sort-Object -Property Enabled -Descending | Format-Table -AutoSize

Likely an elevated PS on host isn't a solution you seek but keep in mind that there is registry setting in:

HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy

Which allows remote access to members of the Administrators group.
This setting is implicitly set by Enable-PSRemoting

This option is needed to avoid UAC.
I think problem is that for Administrators you can disable UAC but you can't disable UAC for standard users in Windows, but remoting requires this option to be set.

Also this registry option exists only for HKEY_LOCAL_MACHINE, there is no equivalent per-user setting in HKEY_USERS to allow remote access to User.

Hopefully this might shade some light or help to troubleshoot issues, sadly I'm unable to make a reproducible example out of my setup.

EDIT:

On host system in an elevated PS I've run:

# note that $creds are standard user creds of a user in VM
Invoke-Command -ComputerName $Domain -Credential $creds -ScriptBlock { $PSVersionTable } -ConfigurationName "CustomSession"

And got an error:

OpenError: [VM-PRO] Connecting to remote server VM-PRO failed with the following error message : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2689860592" Machine="VM-PRO"><f:Message><f:ProviderFault provider="CustomSession" path="C:\Windows\system32\PowerShell\7.3.1\pwrshplugin.dll"></f:ProviderFault></f:Message></f:WSManFault> For more information, see the about_Remote_Troubleshooting Help topic.

Copy this path, in my example it's C:\Windows\system32\PowerShell\7.3.1\pwrshplugin.dll

In guest system visit path C:\Windows\system32\PowerShell\7.3.1 and grant write permission to Users group on this directory.

See this: issue for more information.

Then again I run the command and it succeeded:

Invoke-Command -ComputerName $Domain -Credential $creds -ScriptBlock { $PSVersionTable } -ConfigurationName "CustomSession"

Name                           Value
----                           -----
PSVersion                      7.3.1
WSManStackVersion              3.0
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSEdition                      Core
OS                             Microsoft Windows 10.0.19045
PSRemotingProtocolVersion
Platform                       Win32NT
SerializationVersion           1.1.0.1
GitCommitId                    7.3.1

Of course this works only if you run PS as Admin on host system to run commands as standard user in guest system.