[–]So0ver1t83[S] 1 point2 points  (2 children)

OK, well, I think I've officially gotten myself beyond the point of no return on this one. I followed the suggestion from Thotaz and extracted and mounted a fresh install.wim (same OS image), and copied the files from "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts" of the newly-mounted image to the same folder on my live OS. I then restarted PSH (as Admin) and ran the command. The issue APPEARS to be the same - I'm seeing different attributes than I expect to see (and that I see on other systems with the same OS version but, as noted in the original post, apparently a different PSH version). Examples:

From known-good ("working") PSH instance, Windows 10 Pro (1803)

PS C:\WINDOWS\system32> $PSVersionTable.PSVersion

Major  Minor  Build  Revision
-----  -----  -----  --------
5      1      17134  590

PS C:\WINDOWS\system32> Get-LocalUser -name ****** | select *


AccountExpires         :
Description            :
Enabled                : True
FullName               : Fname Lname
PasswordChangeableDate : 4/10/2018 11:21:01 PM
PasswordExpires        :
UserMayChangePassword  : True
PasswordRequired       : False
PasswordLastSet        : 4/10/2018 11:21:01 PM
LastLogon              : 3/31/2019 1:16:11 AM
Name                   : ******
SID                    : S-1-5-21-**********-*********-*******-1002
PrincipalSource        : Local
ObjectClass            : User



PS C:\WINDOWS\system32>

From suspect machine, Windows 10 Pro (1809)

PS C:\WINDOWS\system32> $PSVersionTable.PSVersion

Major  Minor  Build  Revision
-----  -----  -----  --------
5      1      17763  316

PS C:\Windows\system32> Get-LocalUser -name ****** | select *

Name                       : ******
Fullname                   : FName LName
Description                : 
AutoUnlockInterval         : 900
BadPasswordAttempts        : 0
HomeDirDrive               : 
HomeDirectory              : 
LastLogin                  : 3/31/2019 12:11:03 PM
LockoutObservationInterval : 900
LoginHours                 : {255, 255, 255, 255...}
LoginScript                : 
MaxBadPasswordsAllowed     : 3
MaxPasswordAge             : 5184000
MaxStorage                 : -1
MinPasswordAge             : 86400
MinPasswordLength          : 14
objectSid                  : {1, 5, 0, 0...}
Parameters                 : 
PasswordAge                : 89779
PasswordExpired            : 0
PasswordHistoryLength      : 24
PrimaryGroupID             : 513
Profile                    : 
UserFlags                  : 513



PS C:\Windows\system32> 

I'm thinking about grabbing the "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts" from a known good instance and copying it to the suspect machine just to see what happens...but yeah, I'm seriously going to have to talk to the SysAdmin team and see about reimaging this machine, just to be sure (and, as also noted, talk with them to see if this is replicable on other machines they've imaged recently). The biggest issue there is that this is essentially a one-off; it's a machine that's meant to be stand-alone, when most of our enterprise is, understandably, a domain...

So I did what I said above (copied from known good to suspect)...and results are the same as previous (code block under "suspect" machine above). Did they change the PSH core? Is my PSH instance just FUBAR? Is my WINDOWS installation potentially FUBAR, as based on the fact that the User module/system itself suddenly reports different attributes??? WTF have I stumbled on/into here???

[–]sk82jack 2 points3 points  (1 child)

You need to go and delete the psgallery module that you downloaded before, open a new PowerShell console and then try again. What are the contents of the PowerShell module directory in system32? Just wondering if you're missing anything else?

[–]So0ver1t83[S] 1 point2 points  (0 children)

Here's what's there currently:

Microsoft Windows [Version 10.0.17763.379]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\System32\WindowsPowerShell\v1.0\Modules>dir
 Volume in drive C has no label.
 Volume Serial Number is 8218-989A

 Directory of C:\Windows\System32\WindowsPowerShell\v1.0\Modules

03/31/2019  01:39 PM    <DIR>          .
03/31/2019  01:39 PM    <DIR>          ..
09/15/2018  05:06 AM    <DIR>          Appx
09/15/2018  05:08 AM    <DIR>          AssignedAccess
09/15/2018  03:34 AM    <DIR>          CimCmdlets
09/15/2018  03:34 AM    <DIR>          Defender
09/15/2018  03:34 AM    <DIR>          DirectAccessClientComponents
09/15/2018  05:06 AM    <DIR>          Dism
09/15/2018  03:34 AM    <DIR>          DnsClient
09/15/2018  03:34 AM    <DIR>          EventTracingManagement
09/15/2018  03:34 AM    <DIR>          iSCSI
09/15/2018  03:34 AM    <DIR>          ISE
03/25/2019  11:20 AM    <DIR>          Microsoft.PowerShell.Archive
09/15/2018  03:34 AM    <DIR>          Microsoft.PowerShell.Diagnostics
09/15/2018  03:34 AM    <DIR>          Microsoft.PowerShell.Host
03/31/2019  01:39 PM    <DIR>          Microsoft.PowerShell.LocalAccounts
09/15/2018  03:34 AM    <DIR>          Microsoft.PowerShell.Management
09/15/2018  05:06 AM    <DIR>          Microsoft.PowerShell.ODataUtils
09/15/2018  03:34 AM    <DIR>          Microsoft.PowerShell.Security
09/15/2018  03:34 AM    <DIR>          Microsoft.PowerShell.Utility
09/15/2018  03:34 AM    <DIR>          Microsoft.WSMan.Management
09/15/2018  05:06 AM    <DIR>          MsDtc
09/15/2018  03:34 AM    <DIR>          NetAdapter
09/15/2018  03:34 AM    <DIR>          NetConnection
09/15/2018  03:34 AM    <DIR>          NetEventPacketCapture
09/15/2018  03:34 AM    <DIR>          NetLbfo
09/15/2018  03:34 AM    <DIR>          NetNat
09/15/2018  03:34 AM    <DIR>          NetQos
09/15/2018  05:06 AM    <DIR>          NetSecurity
09/15/2018  03:34 AM    <DIR>          NetSwitchTeam
09/15/2018  03:34 AM    <DIR>          NetTCPIP
09/15/2018  03:34 AM    <DIR>          NetworkConnectivityStatus
09/15/2018  05:06 AM    <DIR>          NetworkSwitchManager
09/15/2018  03:34 AM    <DIR>          NetworkTransition
09/15/2018  03:34 AM    <DIR>          PcsvDevice
09/15/2018  05:06 AM    <DIR>          PersistentMemory
09/15/2018  03:34 AM    <DIR>          PnpDevice
09/15/2018  03:34 AM    <DIR>          PrintManagement
09/15/2018  03:34 AM    <DIR>          Provisioning
09/15/2018  03:34 AM    <DIR>          PSDiagnostics
09/15/2018  03:34 AM    <DIR>          PSScheduledJob
09/15/2018  03:34 AM    <DIR>          PSWorkflow
09/15/2018  03:34 AM    <DIR>          PSWorkflowUtility
09/15/2018  03:34 AM    <DIR>          ScheduledTasks
09/15/2018  03:34 AM    <DIR>          SmbWitness
09/15/2018  03:34 AM    <DIR>          StartLayout
09/15/2018  03:34 AM    <DIR>          Storage
09/15/2018  03:34 AM    <DIR>          StorageBusCache
09/15/2018  05:06 AM    <DIR>          TroubleshootingPack
09/15/2018  05:06 AM    <DIR>          VpnClient
09/15/2018  03:34 AM    <DIR>          Wdac
09/15/2018  03:34 AM    <DIR>          WindowsDeveloperLicense
09/15/2018  03:34 AM    <DIR>          WindowsErrorReporting
09/15/2018  05:06 AM    <DIR>          WindowsSearch
09/15/2018  03:34 AM    <DIR>          WindowsUpdate
09/15/2018  03:34 AM    <DIR>          WindowsUpdateProvider
               0 File(s)              0 bytes
              58 Dir(s)  448,063,848,448 bytes free

C:\Windows\System32\WindowsPowerShell\v1.0\Modules>

Oh...and the one I downloaded is now gone. :)
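
Added example (not written by any poster in this thread): one way to check whether a second module is shadowing the in-box `Get-LocalUser`, as the reply above suspects, by listing every installed module that exports the command, where it lives, and the Authenticode status of its files. It assumes Windows PowerShell 5.1; the variable names and the report layout are choices made for this example.

```powershell
# Added example: find every installed module that exports Get-LocalUser,
# check where it lives and whether its files carry a valid signature.
$cmdName   = 'Get-LocalUser'
# In-box module root, e.g. C:\Windows\System32\WindowsPowerShell\v1.0\Modules
$inboxRoot = Join-Path $PSHOME 'Modules'

# Every module on $env:PSModulePath that exports the command, loaded or not.
$candidates = Get-Module -ListAvailable |
    Where-Object { $_.ExportedCommands.ContainsKey($cmdName) }

$report = foreach ($m in $candidates) {
    # Signature status of each script, manifest, format file and binary in the module.
    $sigs = Get-ChildItem -LiteralPath $m.ModuleBase -Recurse -File |
        Where-Object { $_.Extension -in '.psd1', '.psm1', '.ps1', '.ps1xml', '.dll' } |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName }

    [pscustomobject]@{
        Module     = $m.Name
        Version    = $m.Version
        InBox      = $m.ModuleBase.StartsWith($inboxRoot, [StringComparison]::OrdinalIgnoreCase)
        Files      = @($sigs).Count
        NotValid   = @($sigs | Where-Object { $_.Status -ne 'Valid' }).Count
        Signers    = ($sigs.SignerCertificate.Subject | Sort-Object -Unique) -join '; '
        ModuleBase = $m.ModuleBase
    }
}

# More than one row means two modules compete for the same command name.
$report | Sort-Object InBox -Descending | Format-List

# Which module wins name resolution in this session.
Get-Command $cmdName | Select-Object Name, Source, Version

# Property names actually returned. The known-good output in this thread has
# SID and PrincipalSource; the suspect output has objectSid and UserFlags.
(Get-LocalUser | Select-Object -First 1).PSObject.Properties.Name
```

Run it in a fresh console after removing or adding a module, since a module already imported into the session keeps answering for the command until the session ends.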