Specified cast is not valid about privesccheck HOT 9 CLOSED

My work day is over now, but I might get a chance to access the system on Monday again. I'll try to collect the information.

from privesccheck.

Services without an explicit type are now ignored.

from privesccheck.

Does the error occur only once (or just a couple of times) during each check, or do you get a long list of errors?
In the first case, there is probably an issue with a specific service that has an unrecognized (or null) type.
In the second case, well, this would be a bit more problematic... :/

from privesccheck.

Thanks for the fast reply. The error occurs exactly once per check listed above (when running Invoke-Privesccheck with -ErrorAction Continue).

from privesccheck.

Ok, so I think my guess was correct.
Do you think you would have time for a simple debug? It's totally ok if not, of course.

Here is the procedure, just in case.

1. In the file 02_Helpers.ps1, edit the code of Get-ServiceList as follows.
2. From the project's folder, run the script Build.ps1, to generate an updated version of PrivescCheck.ps1.
3. Run the cmdlet Get-ServiceList in verbose mode: Get-ServiceList -Verbose (no need to run the script entirely).

try {
            $TypeMask = $ServiceTypeEnum::Win32OwnProcess -bor $ServiceTypeEnum::Win32ShareProcess -bor $ServiceTypeEnum::InteractiveProcess
            if (($ServiceItem.Type -band $TypeMask) -gt 0) {

                # FilterLevel = 2 - Add the service to the list if it's not a driver
                if ($FilterLevel -le 2) { $ServiceItem; continue }

                if (-not (Test-IsKnownService -Service $ServiceItem)) {

                    # FilterLevel = 3 - Add the service if it's not a built-in Windows service
                    if ($FilterLevel -le 3) { $ServiceItem; continue }
                }
            }
} catch {
    Write-Verbose $ServiceItem.Name
}

from privesccheck.

I needed to supply 3 as the filter level value, and now it hit something:

VERBOSE: WindowsAzureTelemetryService

from privesccheck.

Nice, thank you.
Yes, I forgot about the filter level, sorry.

Is it possible to get the service's detail from the registry?
The path should be HKLM\SYSTEM\CurrentControlSet\Services\WindowsAzureTelemetryService.

from privesccheck.

It seems there aren't many registry entries within that service. This is all:

from privesccheck.

Ok, I see....
All the usual service settings are missing, so the Type is null, hence the cast error. This was my initial guess.
It's really weird, first time I see this. 🤔
Anyway, thank you very much for taking the time to check. :)
The fix will be pretty simple.

from privesccheck.