Description
On some of our client's servers, PowerShell sometimes throws an UnauthorizedAccessException when starting.
The issue is practically the same as the one mentioned in #8627; however, we're not getting an IOException but an UnauthorizedAccessException.
Root cause analysis showed a particular antivirus package (Sophos) was changing the attributes on the _PSScriptPolicyTest*.psm1 file (and only on that file), presumably to prevent access while the file is being scanned. PowerShell seems to crash if this attribute change happens between the moment that the OS returns a handle for the DELETE operation, and an attempt is made to delete the file.
As a workaround, we added an exception for __PSScriptPolicyTest* files in the antivirus, after which the issue was resolved. However, this is not a good idea from a security point of view, because an attacker might use this file naming scheme to install a malicious workload.
So this exception (or maybe any exception) should be caught here too:
catch (IOException)
Steps to reproduce
- Open CMD on the affected (Windows) system
- Start pwsh
Expected behavior
PowerShell should start
Actual behavior
About 3 out of 10 times, pwsh.exe crashes with the exception
Process terminated. The type initializer for 'System.Management.Automation.Runspaces.InitialSessionState' threw an exception.
at System.Environment.FailFast(System.String, System.Exception)
at Microsoft.PowerShell.UnmanagedPSEntry.Start(System.String[], Int32)
at Microsoft.PowerShell.ManagedPSEntry.Main(System.String[])
System.TypeInitializationException: The type initializer for 'System.Management.Automation.Runspaces.InitialSessionState' threw an exception.
---> System.UnauthorizedAccessException: Access to the path '<TempFolderName>\__PSScriptPolicyTest_<RandomString>.psm1' is denied.
at System.IO.FileSystem.DeleteFile(String fullPath)
at System.IO.File.Delete(String path)
at System.Management.Automation.PathUtils.TryDeleteFile(String filepath)
at System.Management.Automation.Security.SystemPolicy.GetAppLockerPolicy(String path, SafeHandle handle)
at System.Management.Automation.Security.SystemPolicy.GetLockdownPolicy(String path, SafeHandle handle)
at System.Management.Automation.Security.SystemPolicy.GetSystemLockdownPolicy()
at System.Management.Automation.Runspaces.InitialSessionState..cctor()
--- End of inner exception stack trace ---
at System.Management.Automation.Runspaces.InitialSessionState.CreateDefault2()
at Microsoft.PowerShell.UnmanagedPSEntry.Start(String[] args, Int32 argc)
At the time of crashing, a _PSScriptPolicyTest*.psm1 file is left in the $ENV:TMP folder.
Environment data
Name                           Value
----                           -----
PSVersion                      7.1.3
PSEdition                      Core
GitCommitId                    7.1.3
OS                             Microsoft Windows 10.0.14393
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
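The change requested in the description, sketched as an added example (not PowerShell's own code and not part of the original report): a best-effort delete that treats UnauthorizedAccessException like IOException instead of letting it escape into a type initializer. The class name, the bounded retry, and the use of the read-only attribute as a stand-in for the scanner's attribute change are assumptions of this example.

```csharp
using System;
using System.IO;
using System.Threading;

static class BestEffortDelete
{
    // Hypothetical helper: returns false instead of throwing when the
    // temporary probe file cannot be removed.
    public static bool TryDeleteFile(string path, int attempts = 3, int delayMs = 50)
    {
        for (int i = 0; i < attempts; i++)
        {
            try
            {
                if (!File.Exists(path)) return true;
                File.Delete(path);
                return true;
            }
            catch (IOException) { }                 // file in use
            catch (UnauthorizedAccessException) { } // attributes or ACL changed under us
            Thread.Sleep(delayMs);                  // assumption: give the scanner time to let go
        }
        return false; // caller continues; the leftover file is cleaned up later
    }

    static void Main()
    {
        // Constructed stand-in for the scanner: mark a temp file read-only.
        // On Windows, File.Delete on a read-only file throws UnauthorizedAccessException.
        string path = Path.Combine(Path.GetTempPath(),
            "example_probe_" + Path.GetRandomFileName() + ".psm1");
        File.WriteAllText(path, "# constructed probe file");
        File.SetAttributes(path, FileAttributes.ReadOnly);

        // Clear the attribute shortly afterwards, as a scanner would when it finishes.
        var release = new Thread(() =>
        {
            Thread.Sleep(60);
            try { File.SetAttributes(path, FileAttributes.Normal); }
            catch (IOException) { /* file already deleted (non-Windows platforms) */ }
        });
        release.Start();

        bool deleted = TryDeleteFile(path);
        release.Join();
        Console.WriteLine($"deleted={deleted}, stillExists={File.Exists(path)}");
    }
}
```

With handling like this, a scanner touching the file can at worst leave a stale probe file behind, so startup no longer depends on excluding the file name pattern from scanning.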