Why is SeDebugPrivilege enabled in PowerShell?
Mon, Mar 20, 2017
We sometimes get the question: why is SeDebugPrivilege enabled by default in PowerShell? It is enabled by .NET whenever PowerShell uses the System.Diagnostics.Process class, which it does for many reasons. One example is the Get-Process cmdlet. Another is the method PowerShell invokes to obtain the current process ID for the $pid variable. Any .NET application that uses the System.Diagnostics.Process class enables this privilege in the same way. The (decompiled) .NET code that enables it is shown here:
// Resolve the locally unique identifier (LUID) for SeDebugPrivilege.
NativeMethods.LUID luid = default(NativeMethods.LUID);
if (!NativeMethods.LookupPrivilegeValue(null, "SeDebugPrivilege", out luid))
{
    return;
}
IntPtr zero = IntPtr.Zero;
try
{
    // 32 == TOKEN_ADJUST_PRIVILEGES: open the current process token with just enough access to change privilege state.
    if (NativeMethods.OpenProcessToken(new HandleRef(null, NativeMethods.GetCurrentProcess()), 32, out zero))
    {
        NativeMethods.TokenPrivileges tokenPrivileges = new NativeMethods.TokenPrivileges();
        tokenPrivileges.PrivilegeCount = 1;
        tokenPrivileges.Luid = luid;
        // 2 == SE_PRIVILEGE_ENABLED. AdjustTokenPrivileges can only enable a privilege the token already holds;
        // for a token without SeDebugPrivilege the call fails quietly and nothing changes.
        tokenPrivileges.Attributes = 2;
        NativeMethods.AdjustTokenPrivileges(new HandleRef(null, zero), false, tokenPrivileges, 0, IntPtr.Zero, IntPtr.Zero);
    }
}
finally
{
    // Always release the token handle, whether or not the adjustment succeeded.
    if (zero != IntPtr.Zero)
    {
        SafeNativeMethods.CloseHandle(zero);
    }
}
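The code above only enables the privilege; it never adds one. So the practical effect is limited to tokens that already hold SeDebugPrivilege (an elevated administrator session), and in a standard-user session the AdjustTokenPrivileges call simply fails and nothing changes. The following PowerShell snippet is an added example, not part of the original post, for checking what state the current token is in; it assumes whoami.exe is available (it ships with Windows Vista and later) and that the function name Get-SeDebugPrivilegeState is a name chosen here.

```powershell
# Added example (not from the original post): report whether the current
# process token holds SeDebugPrivilege and whether it is currently enabled.
# Assumes whoami.exe is available; Get-SeDebugPrivilegeState is a name chosen here.
function Get-SeDebugPrivilegeState {
    # whoami /priv lists only privileges present in the token, so a missing row
    # means the token does not hold the privilege at all (typical for a
    # non-elevated session), and .NET cannot enable it.
    $rows = whoami /priv /fo csv | ConvertFrom-Csv
    $row  = $rows | Where-Object { $_.'Privilege Name' -eq 'SeDebugPrivilege' }

    if (-not $row) {
        return [pscustomobject]@{ Present = $false; Enabled = $false }
    }

    [pscustomobject]@{
        Present = $true
        Enabled = ($row.State -eq 'Enabled')
    }
}

# State inside this PowerShell process (System.Diagnostics.Process has been used).
Get-SeDebugPrivilegeState

# For comparison, the same query from a child cmd.exe started from this console:
# the child inherits the token but has not run the .NET code above, so in an
# elevated session the privilege is expected to be present but disabled.
cmd.exe /c "whoami /priv | findstr SeDebugPrivilege"
```

Run it once from a normal console and once from an elevated one to see the difference: the privilege is absent in the first case and present in the second, and only the PowerShell process shows it enabled.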