Why is SeDebugPrivilege enabled in PowerShell?

We sometimes get the question: Why is the SeDebugPrivilege enabled by default in PowerShell?

It is enabled by .NET itself whenever PowerShell uses the System.Diagnostics.Process class, which it does for many reasons. One example is the Get-Process cmdlet. Another is the method it invokes to get the current process ID for the $pid variable. Any .NET application that uses the System.Diagnostics.Process class enables this privilege in the same way.


You can see the .NET code that enables this here:

    NativeMethods.LUID luid = default(NativeMethods.LUID);
    // Resolve the locally unique identifier (LUID) of SeDebugPrivilege on this machine
    if (!NativeMethods.LookupPrivilegeValue(null, "SeDebugPrivilege", out luid))
    {
        return;
    }
    IntPtr zero = IntPtr.Zero;
    try
    {
        // 32 == TOKEN_ADJUST_PRIVILEGES: open the current process's own token for adjustment
        if (NativeMethods.OpenProcessToken(new HandleRef(null, NativeMethods.GetCurrentProcess()), 32, out zero))
        {
            NativeMethods.TokenPrivileges tokenPrivileges = new NativeMethods.TokenPrivileges();
            tokenPrivileges.PrivilegeCount = 1;
            tokenPrivileges.Luid = luid;
            tokenPrivileges.Attributes = 2; // 2 == SE_PRIVILEGE_ENABLED
            // The result is not checked: if the token does not hold the privilege at all
            // (e.g. a non-elevated process), the call succeeds with ERROR_NOT_ALL_ASSIGNED and nothing changes.
            NativeMethods.AdjustTokenPrivileges(new HandleRef(null, zero), false, tokenPrivileges, 0, IntPtr.Zero, IntPtr.Zero);
        }
    }
    finally
    {
        // Handle cleanup (not part of the excerpt above): the token handle is released once the adjustment is done
        if (zero != IntPtr.Zero)
        {
            NativeMethods.CloseHandle(zero);
        }
    }

https://github.com/dotnet/corefx/blob/master/src/System.Diagnostics.Process/src/System/Diagnostics/ProcessManager.Windows.cs#L129
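To see the same sequence from the PowerShell side, here is an added example (not from this post and not .NET's own code) that declares the four Win32 calls the snippet above relies on, reads the current state of a privilege from whoami /priv, and lets you switch SeDebugPrivilege off again in the current session when you want a least-privilege shell. The TokenPriv class, the two function names and the English-language parsing of whoami /priv are assumptions of this example.

```powershell
# Added example (not from the post or from .NET): the Win32 calls behind the .NET snippet, callable from PowerShell.
$tokenPrivSource = @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    public const uint TOKEN_ADJUST_PRIVILEGES = 0x20;  // the literal 32 in the .NET source above
    public const uint SE_PRIVILEGE_ENABLED    = 0x02;  // the literal 2 in the .NET source above
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string host, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint length, IntPtr previous, IntPtr returnLength);
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr handle);
}
'@
Add-Type -TypeDefinition $tokenPrivSource

function Get-PrivilegeState([string]$Name) {
    # whoami /priv prints one row per privilege: name, description, then Enabled/Disabled (English output assumed).
    # Returns $null when the privilege is not in the token at all, e.g. SeDebugPrivilege in a non-elevated shell.
    $row = whoami /priv | Where-Object { $_ -match "^$Name\s" }
    if ($row) { ($row -split '\s+')[-1] }
}

function Set-CurrentProcessPrivilege([string]$Name, [bool]$Enable) {
    $luid = New-Object TokenPriv+LUID
    if (-not [TokenPriv]::LookupPrivilegeValue($null, $Name, [ref]$luid)) { throw "Unknown privilege: $Name" }
    $token = [IntPtr]::Zero
    if (-not [TokenPriv]::OpenProcessToken([TokenPriv]::GetCurrentProcess(),
            [TokenPriv]::TOKEN_ADJUST_PRIVILEGES, [ref]$token)) { throw "OpenProcessToken failed" }
    try {
        $tp = New-Object TokenPriv+TOKEN_PRIVILEGES
        $tp.PrivilegeCount = 1; $tp.Luid = $luid
        $tp.Attributes = if ($Enable) { [TokenPriv]::SE_PRIVILEGE_ENABLED } else { 0 }
        [void][TokenPriv]::AdjustTokenPrivileges($token, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
        # AdjustTokenPrivileges returns TRUE even when the privilege is not held (ERROR_NOT_ALL_ASSIGNED, 1300);
        # the .NET code above skips this check, which is why a non-elevated shell simply ends up without it.
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($err -ne 0) { throw "AdjustTokenPrivileges failed with Win32 error $err" }
    } finally { [void][TokenPriv]::CloseHandle($token) }
}
Get-PrivilegeState SeDebugPrivilege            # Enabled in an elevated PowerShell, as the post explains
Set-CurrentProcessPrivilege SeDebugPrivilege $false
Get-PrivilegeState SeDebugPrivilege            # Disabled: the child whoami process inherits the adjusted token
```

Disabling the privilege this way affects only the current process token; a new PowerShell session will enable it again as soon as it touches System.Diagnostics.Process.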


One Response to “Why is SeDebugPrivilege enabled in PowerShell?”

  1. Dew Drop - March 21, 2017 (#2444) - Morning Dew writes:

    […] Why is SeDebugPrivilege enabled in PowerShell? (Lee Holmes) […]
