I am trying to run the calc app using the RunOnce registry key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce). When the machine is restarted and I log in remotely using Enter-PSSession with appropriate credentials, and I check the currently running processes using Get-Process, I see that the "calc" app has not started yet. Only when I log in using RDP does the application run.

As per the RunOnce registry key, the command runs when the user logs in and then gets deleted. So when the user logs in using Enter-PSSession, technically it must work, right?

Here is the code to generate the RunOnce registry key item for the current user:

```powershell
function Set-RunOnce
{
    [CmdletBinding()]
    param
    (
        # The name of the registry value under the RunOnce key.
        [string]
        $KeyName = 'Run',

        # Command to run
        [string]
        $Command = '%systemroot%\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -command calc'
    )

    $runOncePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

    # Get-ItemProperty returns nothing when the value does not exist yet
    # (property access on the Get-Item result does not read registry values).
    if (-not (Get-ItemProperty -Path $runOncePath -Name $KeyName -ErrorAction SilentlyContinue))
    {
        New-ItemProperty -Path $runOncePath -Name $KeyName -Value $Command -PropertyType ExpandString
    }
    else
    {
        # Set-ItemProperty takes -Type (registry provider parameter), not -PropertyType
        Set-ItemProperty -Path $runOncePath -Name $KeyName -Value $Command -Type ExpandString
    }
}
```

Inspired by: https://www.powershellgallery.com/packages/WindowsImageConverter/1.0/Content/Set-RunOnce.ps1

I tried invoking Get-Process to check for calc app several seconds after entering the PSSession, but to no avail.

Yamadev
  • `When the user logs in using Enter-PSSession, technically it must work right` No, not right. – Scepticalist Mar 23 '23 at 13:34
  • @Scepticalist I set the RunOnce key to open the calc app for the current user, and I log in using PSSession with the same user. Why shouldn't that work? Is there a difference in session when we log in by PowerShell remotely vs. manual login? – Yamadev Mar 27 '23 at 05:06
  • Yes. PSSession does not load your profile, therefore does not load a registry profile. – Scepticalist Mar 27 '23 at 06:48

1 Answer

Scepticalist is correct. PowerShell remoting (by default) does not load any profile in the remote session.

PowerShell profiles aren't run automatically in remote sessions, so the commands that the profiles add aren't present in the remote session. In addition, the $PROFILE automatic variable isn't populated in remote sessions.

To run a profile in a session, use the Invoke-Command cmdlet.

For example, the following command runs the "Current user, Current Host" profile from the local computer in the session in $s.

```powershell
Invoke-Command -Session $s -FilePath $PROFILE
```

The following command runs the "Current user, Current Host" profile from the remote computer in the session in $s. Because the $PROFILE variable isn't populated, the command uses the explicit path to the profile. We use dot sourcing operator so that the profile executes in the current scope on the remote computer and not in its own scope.

```powershell
Invoke-Command -Session $s -ScriptBlock { . "$HOME\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1" }
```

Source: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.3
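
A way to check, from the remote side, what the question observed (an added example, not part of the original question or answer): it reports which process hosts the remote session, whether any desktop shell is running, and which RunOnce values are still waiting to run. It assumes `$s` is an existing PSSession as in the commands above, and that the `HKCU:` drive is reachable in that session; if it is not, `RunOnceKeyFound` comes back `$false`.

```powershell
# Added example. $s is assumed to be an open PSSession (e.g. from New-PSSession).
$report = Invoke-Command -Session $s -ScriptBlock {
    $runOncePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $self        = Get-Process -Id $PID      # the process hosting this remote session

    # List values that have not been consumed yet. Read them unexpanded so an
    # ExpandString such as %systemroot%\... is shown exactly as it was stored.
    $keyFound = Test-Path -Path $runOncePath
    $pending  = @()
    if ($keyFound) {
        $key  = Get-Item -Path $runOncePath
        $opts = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
        $pending = @(foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Name    = $name
                Kind    = $key.GetValueKind($name)
                Command = $key.GetValue($name, $null, $opts)
            }
        })
    }

    # Windows sessions that currently have a desktop shell (explorer.exe).
    $shellSessions = @(Get-Process -Name explorer -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SessionId -Unique)

    [pscustomobject]@{
        User             = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        HostProcess      = $self.ProcessName
        HostSessionId    = $self.SessionId
        ShellSessionIds  = $shellSessions
        HostHasShell     = $shellSessions -contains $self.SessionId
        RunOnceKeyFound  = $keyFound
        PendingRunOnce   = $pending
    }
}

$report | Format-List User, HostProcess, HostSessionId, ShellSessionIds, HostHasShell, RunOnceKeyFound
$report.PendingRunOnce | Format-Table Name, Kind, Command -AutoSize
```

A value that still appears under `PendingRunOnce` after connecting has not been run, which matches the behaviour described in the question; after an RDP logon the same check should show it gone.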