From 8083c1e1bb20ae4ceed16298bd2eeddf9cb5a70a Mon Sep 17 00:00:00 2001
From: Harmj0y
Date: Thu, 2 Jun 2016 02:14:38 -0400
Subject: Updated Privesc README.md and .psd1 to reflect the new PowerUp function names.
---
Privesc/README.md | 52 +++++++++++++++++++++++++++++-----------------------
1 file changed, 29 insertions(+), 23 deletions(-)
(limited to 'Privesc/README.md')
diff --git a/Privesc/README.md b/Privesc/README.md
index bb68a43..66a7730 100644
--- a/Privesc/README.md
+++ b/Privesc/README.md
@@ -28,32 +28,38 @@ Optional Dependencies: None ### Service Enumeration: - Get-ServiceUnquoted - returns services with unquoted paths that also have a space in the name - Get-ServiceFilePermission - returns services where the current user can write to the service binary path or its config - Get-ServicePermission - returns services the current user can modify - Get-ServiceDetail - returns detailed information about a specified service + Get-ServiceUnquoted - returns services with unquoted paths that also have a space in the name + Get-ModifiableServiceFile - returns services where the current user can write to the service binary path or its config + Get-ModifiableService - returns services the current user can modify + Get-ServiceDetail - returns detailed information about a specified service ### Service Abuse: - Invoke-ServiceAbuse - modifies a vulnerable service to create a local admin or execute a custom command - Write-ServiceBinary - writes out a patched C# service binary that adds a local admin or executes a custom command - Install-ServiceBinary - replaces a service binary with one that adds a local admin or executes a custom command - Restore-ServiceBinary - restores a replaced service binary with the original executable + Invoke-ServiceAbuse - modifies a vulnerable service to create a local admin or execute a custom command + Write-ServiceBinary - writes out a patched C# service binary that adds a local admin or executes a custom command + Install-ServiceBinary - replaces a service binary with one that adds a local admin or executes a custom command + Restore-ServiceBinary - restores a replaced service binary with the original executable ### DLL Hijacking: - Find-DLLHijack - finds .dll hijacking opportunities for currently running processes - Find-PathHijack - finds service %PATH% .dll hijacking opportunities - Write-HijackDll - writes out a hijackable .dll + Find-ProcessDLLHijack - finds potential DLL hijacking opportunities for currently running processes 
+ Find-PathHijack - finds service %PATH% .dll hijacking opportunities + Write-HijackDll - writes out a hijackable .dll ### Registry Checks: - Get-RegAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set - Get-RegAutoLogon - checks for Autologon credentials in the registry - Get-VulnAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns - -### Misc.: - Get-VulnSchTask - find schtasks with modifiable target files - Get-UnattendedInstallFile - finds remaining unattended installation files - Get-Webconfig - checks for any encrypted web.config strings - Get-ApplicationHost - checks for encrypted application pool and virtual directory passwords - Write-UserAddMSI - write out a MSI installer that prompts for a user to be added - Invoke-AllChecks - runs all current escalation checks and returns a report - + Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set + Get-RegistryAutoLogon - checks for Autologon credentials in the registry + Get-RegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns + +### Miscellaneous Checks: + Get-ModifiableScheduledTaskFile - find schtasks with modifiable target files + Get-UnattendedInstallFile - finds remaining unattended installation files + Get-Webconfig - checks for any encrypted web.config strings + Get-ApplicationHost - checks for encrypted application pool and virtual directory passwords + Get-SiteListPassword - retrieves the plaintext passwords for any found McAfee's SiteList.xml files + +### Other Helpers/Meta-Functions: + Get-ModifiablePath - tokenizes an input string and returns the files in it the current user can modify + Add-ServiceDacl - adds a Dacl field to a service object returned by Get-Service + Set-ServiceBinPath - sets the binary path for a service to a specified value through Win32 API methods + Test-ServiceDaclPermission - tests one or more passed services or service names 
against a given permission set + Write-UserAddMSI - write out a MSI installer that prompts for a user to be added + Invoke-AllChecks - runs all current escalation checks and returns a report -- cgit v1.2.3 From 09d253f0700e637b410dbab26de037f1317d0401 Mon Sep 17 00:00:00 2001 From: Harmj0y Date: Fri, 3 Jun 2016 22:43:12 -0400 Subject: Added Get-CurrentUserTokenGroupSid to enumerate all group SIDs the current user is a part of, regardless of being disabled. Replaced 'whoami /groups' local admin + medium integrity check with comparison against Get-CurrentUserTokenGroupSid --- Privesc/PowerUp.ps1 | 96 +++++++++++++++++++++++++++++++++++++++++++++++++--- Privesc/Privesc.psd1 | 1 + Privesc/README.md | 1 + 3 files changed, 94 insertions(+), 4 deletions(-) (limited to 'Privesc/README.md') diff --git a/Privesc/PowerUp.ps1 b/Privesc/PowerUp.ps1 index f463599..16d247a 100644 --- a/Privesc/PowerUp.ps1 +++ b/Privesc/PowerUp.ps1 
@@ -880,6 +880,78 @@ function Get-ModifiablePath { } +function Get-CurrentUserTokenGroupSid { +<# + .SYNOPSIS + + Returns all SIDs that the current user is a part of, whether they are disabled or not. + + Author: @harmj0y + License: BSD 3-Clause + + .DESCRIPTION + + First gets the current process handle using the GetCurrentProcess() Win32 API call and feeds + this to OpenProcessToken() to open up a handle to the current process token. The API call + GetTokenInformation() is then used to enumerate the TOKEN_GROUPS for the current process + token. Each group is iterated through and the SID structure is converted to a readable + string using ConvertSidToStringSid(), and the unique list of SIDs the user is a part of + (disabled or not) is returned as a string array. + + .LINK + + https://msdn.microsoft.com/en-us/library/windows/desktop/aa379624(v=vs.85).aspx + https://msdn.microsoft.com/en-us/library/windows/desktop/aa379624(v=vs.85).aspx + https://msdn.microsoft.com/en-us/library/windows/desktop/aa379554(v=vs.85).aspx +#> + + $CurrentProcess = $Kernel32::GetCurrentProcess() + + # TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY) + $TOKEN_READ = 0x00020008 + + [IntPtr]$hProcToken = [IntPtr]::Zero + $Success = $Advapi32::OpenProcessToken($CurrentProcess, $TOKEN_READ, [ref]$hProcToken);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() + + if($Success) { + + $TokenGroupsPtrSize = $TOKEN_GROUPS::GetSize() + + [IntPtr]$TokenGroupsPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenGroupsPtrSize) + + [UInt32]$RealSize = 0 + + # query the TokenGroups information (2) structure for the current thred token + $Success2 = $Advapi32::GetTokenInformation($hProcToken, 2, $TokenGroupsPtr, $TokenGroupsPtrSize, [ref]$TokenGroupsPtrSize);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() + + if($Success2) { + + $TokenGroups = $TokenGroupsPtr -as $TOKEN_GROUPS + + $TokenGroups.Groups | Where-Object {$_.SID} | Foreach-Object { + # convert 
each SID structure to a SID string we can decode + $SidString = '' + $Result = $Advapi32::ConvertSidToStringSid($_.SID, [ref]$SidString);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() + if($Result -eq 0) { + Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)" + } + else { + $SidString + } + } | Where-Object {$_ -and ($_ -ne '')} | Sort-Object -Unique + } + else { + Write-Warning ([ComponentModel.Win32Exception] $LastError) + } + + [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenGroupsPtr) + } + else { + Write-Warning ([ComponentModel.Win32Exception] $LastError) + } +} + + function Add-ServiceDacl { <# .SYNOPSIS @@ -3447,13 +3519,14 @@ function Invoke-AllChecks { else{ "`n`n[*] Checking if user is in a local group with administrative privileges..." - if( ($(whoami /groups) -like "*S-1-5-32-544*").length -eq 1 ){ + $CurrentUserSids = Get-CurrentUserTokenGroupSid + if($CurrentUserSids -contains 'S-1-5-32-544') { "[+] User is in a local group that grants administrative privileges!" "[+] Run a BypassUAC attack to elevate privileges to admin." if($HTMLReport) { ConvertTo-HTML -Head $Header -Body "
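Review bot: The token handle that `OpenProcessToken` writes into `$hProcToken` is never closed in Get-CurrentUserTokenGroupSid; only `$TokenGroupsPtr` is released, and the function-definition hunk later in this file declares no `CloseHandle`, so I would add `(func kernel32 CloseHandle ([Bool]) @([IntPtr]) -SetLastError)` there and `$Null = $Kernel32::CloseHandle($hProcToken)` before the function returns. The buffer is sized from `$TOKEN_GROUPS::GetSize()`, which the struct hunk at the end of the file fixes at 32 entries, and the pipeline walks all 32 slots; slots past `GroupCount` are not array elements written by the call, so `Where-Object {$_.SID}` may hand `ConvertSidToStringSid` values that are not SID pointers. Bounding the walk, `$TokenGroups.Groups | Select-Object -First $TokenGroups.GroupCount | Where-Object {$_.SID}`, avoids that; a token with more than 32 groups will presumably still fail the single fixed-size `GetTokenInformation` call and yield no SIDs at all. Smaller points: `$RealSize` is assigned but never used, the comment says "current thred token" for what is the process token, and the first two `.LINK` URLs are identical.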

User In Local Group With Adminisrtative Privileges

" | Out-File -Append $HtmlReportFile - } + } } } @@ -3573,8 +3646,12 @@ function Invoke-AllChecks { $Module = New-InMemoryModule -ModuleName PowerUpModule $FunctionDefinitions = @( - (func advapi32 QueryServiceObjectSecurity ([Bool]) @([IntPtr], [Security.AccessControl.SecurityInfos], [Byte[]], [UInt32], [UInt32].MakeByRefType()) -SetLastError) - (func advapi32 ChangeServiceConfig ([Bool]) @([IntPtr], [UInt32], [UInt32], [UInt32], [String], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [IntPtr]) -SetLastError -Charset Unicode) + (func kernel32 GetCurrentProcess ([IntPtr]) @()) + (func advapi32 OpenProcessToken ([Bool]) @( [IntPtr], [UInt32], [IntPtr].MakeByRefType()) -SetLastError) + (func advapi32 GetTokenInformation ([Bool]) @([IntPtr], [UInt32], [IntPtr], [UInt32], [UInt32].MakeByRefType()) -SetLastError), + (func advapi32 ConvertSidToStringSid ([Int]) @([IntPtr], [String].MakeByRefType()) -SetLastError), + (func advapi32 QueryServiceObjectSecurity ([Bool]) @([IntPtr], [Security.AccessControl.SecurityInfos], [Byte[]], [UInt32], [UInt32].MakeByRefType()) -SetLastError), + (func advapi32 ChangeServiceConfig ([Bool]) @([IntPtr], [UInt32], [UInt32], [UInt32], [String], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [IntPtr]) -SetLastError -Charset Unicode), (func advapi32 CloseServiceHandle ([Bool]) @([IntPtr]) -SetLastError) ) @@ -3602,5 +3679,16 @@ $ServiceAccessRights = psenum $Module PowerUp.ServiceAccessRights UInt32 @{ AllAccess = 0x000F01FF } -Bitfield +$SID_AND_ATTRIBUTES = struct $Module PowerUp.SidAndAttributes @{ + Sid = field 0 IntPtr + Attributes = field 1 UInt32 +} + +$TOKEN_GROUPS = struct $Module PowerUp.TokenGroups @{ + GroupCount = field 0 UInt32 + Groups = field 1 $SID_AND_ATTRIBUTES.MakeArrayType() -MarshalAs @('ByValArray', 32) +} + $Types = $FunctionDefinitions | Add-Win32Type -Module $Module -Namespace 'PowerUp.NativeMethods' $Advapi32 = $Types['advapi32'] +$Kernel32 = $Types['kernel32'] 
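Review bot: The new membership test in Invoke-AllChecks cannot tell "not in the group" from "enumeration failed": when Get-CurrentUserTokenGroupSid only emits a warning and returns nothing, `$CurrentUserSids -contains 'S-1-5-32-544'` is false and the report silently omits the finding. A guard such as `if(-not $CurrentUserSids) { Write-Warning 'Could not enumerate token group SIDs; local administrator group check skipped' }` before the comparison would make that case visible to whoever reads the audit output. A short comment naming the SID, `# S-1-5-32-544 = BUILTIN\Administrators`, would also help. Invoke-AllChecks begins and ends outside this hunk.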
diff --git a/Privesc/Privesc.psd1 b/Privesc/Privesc.psd1 index fe964a3..e4222bf 100644 --- a/Privesc/Privesc.psd1 +++ b/Privesc/Privesc.psd1 @@ -27,6 +27,7 @@ FunctionsToExport = @( 'Find-PathHijack', 'Find-ProcessDLLHijack', 'Get-ApplicationHost', + 'Get-CurrentUserTokenGroupSid', 'Get-ModifiablePath', 'Get-ModifiableScheduledTaskFile', 'Get-ModifiableService', diff --git a/Privesc/README.md b/Privesc/README.md index 66a7730..8e4b75d 100644 --- a/Privesc/README.md +++ b/Privesc/README.md @@ -58,6 +58,7 @@ Optional Dependencies: None ### Other Helpers/Meta-Functions: Get-ModifiablePath - tokenizes an input string and returns the files in it the current user can modify + Get-CurrentUserTokenGroupSid - returns all SIDs that the current user is a part of, whether they are disabled or not Add-ServiceDacl - adds a Dacl field to a service object returned by Get-Service Set-ServiceBinPath - sets the binary path for a service to a specified value through Win32 API methods Test-ServiceDaclPermission - tests one or more passed services or service names against a given permission set -- cgit v1.2.3 From 491594529205b66937c718b38cb4e7909935e6ec Mon Sep 17 00:00:00 2001 From: Harmj0y Date: Sat, 4 Jun 2016 19:07:28 -0400 Subject: Renamed Get-RegistryAutoRun to Get-ModifiableRegistryAutoRun Renamed Find-PathHijack to Find-PathDLLHijack Fixed exposed functions in PowerSploit.psd1 --- PowerSploit.psd1 | 23 +++++++++++++++-------- Privesc/PowerUp.ps1 | 15 +++++++-------- Privesc/Privesc.psd1 | 4 ++-- Privesc/README.md | 6 +++--- Tests/Privesc.tests.ps1 | 32 ++++++++++++++++---------------- 5 files changed, 43 insertions(+), 37 deletions(-) (limited to 'Privesc/README.md') diff --git a/PowerSploit.psd1 b/PowerSploit.psd1 index 492b846..065ea68 100644 --- a/PowerSploit.psd1 +++ b/PowerSploit.psd1 
@@ -25,27 +25,29 @@ FunctionsToExport = @( 'Add-NetUser', 'Add-ObjectAcl', 'Add-Persistence', + 'Add-ServiceDacl', 'Convert-NameToSid', 'Convert-NT4toCanonical', 'Convert-SidToName', 'Copy-ClonedFile', 'Find-AVSignature', 'Find-ComputerField', - 'Find-DLLHijack', 'Find-ForeignGroup', 'Find-ForeignUser', 'Find-GPOComputerAdmin', 'Find-GPOLocation', 'Find-InterestingFile', 'Find-LocalAdminAccess', + 'Find-PathDLLHijack', + 'Find-ProcessDLLHijack', 'Find-ManagedSecurityGroups', - 'Find-PathHijack', 'Find-UserField', 'Get-ADObject', 'Get-ApplicationHost', 'Get-CachedRDPConnection', 'Get-ComputerDetails', 'Get-ComputerProperty', + 'Get-CurrentUserTokenGroupSid', 'Get-DFSshare', 'Get-DomainPolicy', 'Get-ExploitableSystem', @@ -53,6 +55,11 @@ FunctionsToExport = @( 'Get-HttpStatus', 'Get-Keystrokes', 'Get-LastLoggedOn', + 'Get-ModifiablePath', + 'Get-ModifiableRegistryAutoRun', + 'Get-ModifiableScheduledTaskFile', + 'Get-ModifiableService', + 'Get-ModifiableServiceFile', 'Get-NetComputer', 'Get-NetDomain', 'Get-NetDomainController', @@ -79,21 +86,19 @@ FunctionsToExport = @( 'Get-ObjectAcl', 'Get-PathAcl', 'Get-Proxy', - 'Get-RegAlwaysInstallElevated', - 'Get-RegAutoLogon', + 'Get-RegistryAlwaysInstallElevated', + 'Get-RegistryAutoLogon', 'Get-SecurityPackages', 'Get-ServiceDetail', - 'Get-ServiceFilePermission', - 'Get-ServicePermission', 'Get-ServiceUnquoted', + 'Get-SiteListPassword', + 'Get-System', 'Get-TimedScreenshot', 'Get-UnattendedInstallFile', 'Get-UserEvent', 'Get-UserProperty', 'Get-VaultCredential', 'Get-VolumeShadowCopy', - 'Get-VulnAutoRun', - 'Get-VulnSchTask', 'Get-Webconfig', 'Install-ServiceBinary', 'Install-SSP', @@ -133,6 +138,8 @@ FunctionsToExport = @( 'Set-CriticalProcess', 'Set-MacAttribute', 'Set-MasterBootRecord', + 'Set-ServiceBinPath', + 'Test-ServiceDaclPermission', 'Write-HijackDll', 'Write-ServiceBinary', 'Write-UserAddMSI' diff --git a/Privesc/PowerUp.ps1 b/Privesc/PowerUp.ps1 index 6e473d6..4071f6a 100644 --- a/Privesc/PowerUp.ps1 
+++ b/Privesc/PowerUp.ps1 @@ -2361,7 +2361,7 @@ function Find-ProcessDLLHijack { } -function Find-PathHijack { +function Find-PathDLLHijack { <# .SYNOPSIS @@ -2379,7 +2379,7 @@ function Find-PathHijack { .EXAMPLE - PS C:\> Find-PathHijack + PS C:\> Find-PathDLLHijack Finds all %PATH% .DLL hijacking opportunities. @@ -2720,8 +2720,7 @@ function Get-RegistryAutoLogon { } } - -function Get-RegistryAutoRun { +function Get-ModifiableRegistryAutoRun { <# .SYNOPSIS @@ -2736,7 +2735,7 @@ function Get-RegistryAutoRun { .EXAMPLE - PS C:\> Get-RegistryAutoRun + PS C:\> Get-ModifiableRegistryAutoRun Return vulneable autorun binaries (or associated configs). #> @@ -3571,7 +3570,7 @@ function Invoke-AllChecks { # DLL hijacking "`n`n[*] Checking %PATH% for potentially hijackable DLL locations..." - $Results = Find-PathHijack + $Results = Find-PathDLLHijack $Results | Foreach-Object { $AbuseString = "Write-HijackDll -DllPath '$($_.Path)\wlbsctrl.dll'" $_ | Add-Member Noteproperty 'AbuseFunction' $AbuseString @@ -3604,8 +3603,8 @@ function Invoke-AllChecks { } - "`n`n[*] Checking for registry autoruns and configs..." - $Results = Get-RegistryAutoRun + "`n`n[*] Checking for modifidable registry autoruns and configs..." + $Results = Get-ModifiableRegistryAutoRun $Results | Format-List if($HTMLReport) { $Results | ConvertTo-HTML -Head $Header -Body "

Registry Autoruns

" | Out-File -Append $HtmlReportFile diff --git a/Privesc/Privesc.psd1 b/Privesc/Privesc.psd1 index e4222bf..97b7652 100644 --- a/Privesc/Privesc.psd1 +++ b/Privesc/Privesc.psd1 @@ -24,17 +24,17 @@ PowerShellVersion = '2.0' # Functions to export from this module FunctionsToExport = @( 'Add-ServiceDacl', - 'Find-PathHijack', + 'Find-PathDLLHijack', 'Find-ProcessDLLHijack', 'Get-ApplicationHost', 'Get-CurrentUserTokenGroupSid', 'Get-ModifiablePath', + 'Get-ModifiableRegistryAutoRun', 'Get-ModifiableScheduledTaskFile', 'Get-ModifiableService', 'Get-ModifiableServiceFile', 'Get-RegistryAlwaysInstallElevated', 'Get-RegistryAutoLogon', - 'Get-RegistryAutoRun', 'Get-ServiceDetail', 'Get-ServiceUnquoted', 'Get-SiteListPassword', diff --git a/Privesc/README.md b/Privesc/README.md index 8e4b75d..7f57768 100644 --- a/Privesc/README.md +++ b/Privesc/README.md @@ -41,13 +41,13 @@ Optional Dependencies: None ### DLL Hijacking: Find-ProcessDLLHijack - finds potential DLL hijacking opportunities for currently running processes - Find-PathHijack - finds service %PATH% .dll hijacking opportunities - Write-HijackDll - writes out a hijackable .dll + Find-PathDLLHijack - finds service %PATH% DLL hijacking opportunities + Write-HijackDll - writes out a hijackable DLL ### Registry Checks: Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set Get-RegistryAutoLogon - checks for Autologon credentials in the registry - Get-RegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns + Get-ModifiableRegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns ### Miscellaneous Checks: Get-ModifiableScheduledTaskFile - find schtasks with modifiable target files diff --git a/Tests/Privesc.tests.ps1 b/Tests/Privesc.tests.ps1 index 3641ece..62aad67 100644 --- a/Tests/Privesc.tests.ps1 +++ b/Tests/Privesc.tests.ps1 
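Review bot: The status line added in Invoke-AllChecks misspells the word it introduces: `modifidable` should be `modifiable` in the "Checking for ... registry autoruns and configs..." message. Separately, the visible hunks remove `Find-PathHijack` and `Get-RegistryAutoRun` from the code and both manifests without leaving an alias, so scripts or saved audit procedures that call the old names will presumably break; if compatibility matters, something like `Set-Alias Find-PathHijack Find-PathDLLHijack` would cover it. The body of Invoke-AllChecks continues outside this hunk.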
@@ -873,10 +873,10 @@ Describe 'Find-ProcessDLLHijack' { } -Describe 'Find-PathHijack' { +Describe 'Find-PathDLLHijack' { if(-not $(Test-IsAdmin)) { - Throw "'Find-PathHijack' Pester test needs local administrator privileges." + Throw "'Find-PathDLLHijack' Pester test needs local administrator privileges." } It 'Should find a hijackable %PATH% folder.' { @@ -887,22 +887,22 @@ Describe 'Find-PathHijack' { $OldPath = $Env:PATH $Env:PATH += ';C:\PowerUpTest\' - $Output = Find-PathHijack | Where-Object {$_.Path -like "*PowerUpTest*"} | Select-Object -First 1 + $Output = Find-PathDLLHijack | Where-Object {$_.Path -like "*PowerUpTest*"} | Select-Object -First 1 $Env:PATH = $OldPath $Output.Path | Should Be 'C:\PowerUpTest\' if ($Output.PSObject.Properties.Name -notcontains 'Path') { - Throw "Find-PathHijack result doesn't contain 'Path' field." + Throw "Find-PathDLLHijack result doesn't contain 'Path' field." } if ($Output.PSObject.Properties.Name -notcontains 'Permissions') { - Throw "Find-PathHijack result doesn't contain 'Permissions' field." + Throw "Find-PathDLLHijack result doesn't contain 'Permissions' field." } if ($Output.PSObject.Properties.Name -notcontains 'IdentityReference') { - Throw "Find-PathHijack result doesn't contain 'IdentityReference' field." + Throw "Find-PathDLLHijack result doesn't contain 'IdentityReference' field." } } catch { @@ -952,14 +952,14 @@ Describe 'Get-RegistryAutoLogon' { } -Describe 'Get-RegistryAutoRun' { +Describe 'Get-ModifiableRegistryAutoRun' { if(-not $(Test-IsAdmin)) { - Throw "'Get-RegistryAutoRun' Pester test needs local administrator privileges." + Throw "'Get-ModifiableRegistryAutoRun' Pester test needs local administrator privileges." } It 'Should not throw.' { - {Get-RegistryAutoRun} | Should Not Throw + {Get-ModifiableRegistryAutoRun} | Should Not Throw } It 'Should find a vulnerable autorun.' { 
@@ -968,28 +968,28 @@ Describe 'Get-RegistryAutoRun' { $Null | Out-File -FilePath $FilePath -Force $Null = Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name PowerUp -Value "vuln.exe -i '$FilePath'" - $Output = Get-RegistryAutoRun | Where-Object {$_.Path -like "*$FilePath*"} | Select-Object -First 1 + $Output = Get-ModifiableRegistryAutoRun | Where-Object {$_.Path -like "*$FilePath*"} | Select-Object -First 1 $Output.ModifiableFile.Path | Should Be $FilePath if ($Output.PSObject.Properties.Name -notcontains 'Key') { - Throw "Get-RegistryAutoRun result doesn't contain 'Key' field." + Throw "Get-ModifiableRegistryAutoRun result doesn't contain 'Key' field." } if ($Output.PSObject.Properties.Name -notcontains 'Path') { - Throw "Get-RegistryAutoRun result doesn't contain 'Path' field." + Throw "Get-ModifiableRegistryAutoRun result doesn't contain 'Path' field." } if ($Output.PSObject.Properties.Name -notcontains 'ModifiableFile') { - Throw "Get-RegistryAutoRun result doesn't contain 'ModifiableFile' field." + Throw "Get-ModifiableRegistryAutoRun result doesn't contain 'ModifiableFile' field." } if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'Path') { - Throw "Get-RegistryAutoRun ModifiableFile result doesn't contain 'Path' field." + Throw "Get-ModifiableRegistryAutoRun ModifiableFile result doesn't contain 'Path' field." } if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'Permissions') { - Throw "Get-RegistryAutoRun ModifiableFile result doesn't contain 'Permissions' field." + Throw "Get-ModifiableRegistryAutoRun ModifiableFile result doesn't contain 'Permissions' field." } if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'IdentityReference') { - Throw "Get-RegistryAutoRun ModifiableFile result doesn't contain 'IdentityReference' field." + Throw "Get-ModifiableRegistryAutoRun ModifiableFile result doesn't contain 'IdentityReference' field." 
} $Null = Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name PowerUp -- cgit v1.2.3