Windows Blog

Windows Containers - Docker Introduction

2026-04-25T00:00:00+02:00

Note that absolutely none of this is authoritative or directly based on relevant documentation. It is mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything, not even spelling or the weather. Read and follow at your own peril! Bring an umbrella. Don’t let anyone see you with the umbrella in front of a computer screen!

They are called zones (Solaris), workload partitions or WPARs (AIX), “secure resource partitions” or SRPs (HP-UX), jails (FreeBSD), or containers (Linux).

Windows chose the Linux rather than the FreeBSD jargon for this technology.

Let’s go for a walk to the harbour.

Containers

In theory, and explained in a way that the writer of this blog can understand, the purpose of a container (or a jail etc.) is to contain (or imprison) all components of an application. This is a very unixy thing.

In DEC-style operating systems (like OpenVMS and, indeed, Windows) the usual idea was that all parts of an application go into one directory:

DKA0:[APPLICATIONWHATEVER]

This directory then contains files like

DKA0:[APPLICATIONWHATEVER]WHATEVER.EXE
DKA0:[APPLICATIONWHATEVER]WHATEVER.DAT

ACLs on individual files settle the issue what should be writable and by whom (configuration files), what should never be writable (program images), and what is user-writable (settings files of various types).

In Windows this has changed a bit and there are now places for program images and places for data and settings files:

C:\Program Files\Application Whatever
C:\ProgramData\Application Whatever

In Unix-like systems instead, files are not grouped by application, but by file type:

/bin (program images, some of them)
/usr/bin (program images, some others)
/etc (global configuration files)
/lib (libraries, some of them)
/usr/lib (libraries, others)
/opt (room for more bin and lib directories)

The result is that a single application is likely distributed through five or six directories or more.

A container solves this problem (and others) by isolating all those files in a single place and then making the application believe the files are in their proper locations indeed.

Smart people would say things like “containers virtualise namespace” and that means that an application running “in” a container does not (necessarily) see the same /whatever or C:\whatever as an application running “outside” that container. This is called “operating system-level virtualisation” and looks to me similar to session virtualistion, which pretends that a SSH deamon is a VT100 terminal that can safely be talked to.

Windows Containers

To enable Windows containers you have to enable Windows containers:

PS C:\> Add-WindowsFeature Containers

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    Yes            SuccessRest... {Containers}
WARNING: You must restart this server to finish the installation process.

PS C:\>

Docker

One program that created, configured, and starts (and stops) containers is Docker. It is available for Linux and Windows. (It is also available for Mac OS X but on Mac OS X it only controls Linux containers in a Linux VM not Mac OS X containers.)

You can find it here: Download Docker

Pick a reasonable recent version. I seem to have ended up with 29.3.1.

In the archive you should find two files, docker.exe and dockerd.exe. The first is the Docker client, the second is the Docker server (deamon). The Docker client connects to the Docker server (on the same machine) and tells it to create, modify, start, and stop Windows containers. It also creates and configured container images. Copy both files into the C:\Windows\System32 directory. (You can copy them elsewhere, but let’s do it the Unix way for now.)

While you can simply run dockerd.exe, you should probably configure dockerd as a Windows service:

PS C:\WINDOWS\system32> .\dockerd.exe --register-service
PS C:\WINDOWS\system32> Get-Service docker*

Status   Name               DisplayName
------   ----               -----------
Stopped  docker             Docker Engine

PS C:\WINDOWS\system32>

This service runs as LocalSystem because it actually is a system service.

All relevant data files appear to be stored in C:\ProgramData\docker.

You can create a group Docker-Users, tell Docker about it, and add accounts to it that will then have full permissions to create and modify containers. Note that this is essentially giving those accounts full administrator privileges because they can build images or run containers that allow escaping to the host system.

Creating such a group and adding user benoit to it:

PS C:\ProgramData\docker> New-LocalGroup Docker-Users

Name         Description
----         -----------
Docker-Users

PS C:\ProgramData\docker> Add-LocalGroupMember Docker-Users benoit
PS C:\ProgramData\docker> md config

    Directory: C:\ProgramData\docker

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         4/25/2026   8:19 PM                config

PS C:\ProgramData\docker> '{ "group": "docker-users" }'|Out-File .\config\daemon.json
PS C:\ProgramData\docker> Restart-Service Docker
PS C:\ProgramData\docker>

I recommend using this group anyway to avoid embarassing mistakes when confusing being inside a container and being outside a container. (This falls into the “type hostname before you type shutdown” category of computer safety.) It also potentially limits the effect of malware that travels with strange container images.

Container Images

A “container image” is to a container what a “program image” is to a program: it’s a file (or rather a bunch of files) that represents the running application unstarted on disk.

Container images are created or downloaded or modified based on a downloaded or created base image. Base images typically represent plain operating systems or operating systems with some software pre-installed.

You can find base images on Docker Hub, specifically on Docker Hub Microsoft for Windows.

The interesting base images are Windows Server Core image and Windows Nano Server image. Each page is good enough to give us the command needed to “pull” (download) the image. You need to pull the image matching your operating system version exactly!

PS C:\> docker pull mcr.microsoft.com/windows/servercore:ltsc2025
ltsc2025: Pulling from windows/servercore
97e96e9cbeb1: Downloading [>                                                  ]   10.8MB/1.482GB
f82b995f31e7: Downloading [===>                                               ]  39.99MB/593MB

It takes a while to pull a base image.

PS C:\> docker pull mcr.microsoft.com/windows/servercore:ltsc2025
ltsc2025: Pulling from windows/servercore
97e96e9cbeb1: Pull complete
f82b995f31e7: Pull complete
Digest: sha256:83374b6927f7945bb0933d03f158f84b03182017e2694fa23aedd24ea51434e4
Status: Downloaded newer image for mcr.microsoft.com/windows/servercore:ltsc2025
mcr.microsoft.com/windows/servercore:ltsc2025
PS C:\> docker pull mcr.microsoft.com/windows/nanoserver:ltsc2025
ltsc2025: Pulling from windows/nanoserver
d7986950dcd8: Downloading [============================>                      ]  109.2MB/193.9MB

You can see that the Nano Server image is much smaller than the Server Core image.

PS C:\> docker pull mcr.microsoft.com/windows/servercore:ltsc2025
ltsc2025: Pulling from windows/servercore
97e96e9cbeb1: Pull complete
f82b995f31e7: Pull complete
Digest: sha256:83374b6927f7945bb0933d03f158f84b03182017e2694fa23aedd24ea51434e4
Status: Downloaded newer image for mcr.microsoft.com/windows/servercore:ltsc2025
mcr.microsoft.com/windows/servercore:ltsc2025
PS C:\>
PS C:\> docker pull mcr.microsoft.com/windows/nanoserver:ltsc2025
ltsc2025: Pulling from windows/nanoserver
d7986950dcd8: Pull complete
Digest: sha256:af9cf5183e68ff0beee87a795e5761ef9143fc6ee7e3d785b5920eda6f5e03fb
Status: Downloaded newer image for mcr.microsoft.com/windows/nanoserver:ltsc2025
mcr.microsoft.com/windows/nanoserver:ltsc2025
PS C:\>

And we have two base images.

Docker Commands

docker pull downloads an image
docker images shows installed images

PS C:\> docker images
IMAGE                                           ID             DISK USAGE   CONTENT SIZE   EXTRA
mcr.microsoft.com/windows/nanoserver:ltsc2025   299c3c7db826        487MB             0B
mcr.microsoft.com/windows/servercore:ltsc2025   a5c9d9f8dc6e       4.94GB             0B
PS C:\>

docker tag gives an image a nicer name

PS C:\> docker tag mcr.microsoft.com/windows/nanoserver:ltsc2025 nanoserver
PS C:\> docker tag mcr.microsoft.com/windows/servercore:ltsc2025 servercore
PS C:\> docker images
                                                                                                                                                                                                        i Info →   U  In Use
IMAGE                                           ID             DISK USAGE   CONTENT SIZE   EXTRA
mcr.microsoft.com/windows/nanoserver:ltsc2025   299c3c7db826        487MB             0B
mcr.microsoft.com/windows/servercore:ltsc2025   a5c9d9f8dc6e       4.94GB             0B
nanoserver:latest                               299c3c7db826        487MB             0B
servercore:latest                               a5c9d9f8dc6e       4.94GB             0B
PS C:\>

docker run starts a container based on an image
docker run -d starts a container as a detached process
docker run -i starts a container with ability to be used interactively
docker run -t starts a container with a terminal attached to it
docker run -dit starts a container as a detached process with a terminal attached to it and the ability to be used interactively
docker ps shows running containers
docker exec -it executes a command inside a container interactively via a terminal
docker stop stops a running container
docker ps -a shows all containers, running and not

PS C:\Users\benoit> docker run -dit servercore cmd
b8ac6cb6c16924405f90b371b430b675aeaf5ef4284e9d1505b185cf88e31a59
PS C:\Users\benoit> docker ps
CONTAINER ID   IMAGE        COMMAND   CREATED          STATUS         PORTS     NAMES
b8ac6cb6c169   servercore   "cmd"     11 seconds ago   Up 8 seconds             elegant_leavitt
PS C:\Users\benoit> docker exec -it elegant_leavitt hostname
b8ac6cb6c169
PS C:\Users\benoit> hostname
Champignac
PS C:\Users\benoit> docker stop elegant_leavitt
elegant_leavitt
PS C:\Users\benoit> docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
PS C:\Users\benoit> docker ps -a
CONTAINER ID   IMAGE        COMMAND   CREATED              STATUS                               PORTS     NAMES
b8ac6cb6c169   servercore   "cmd"     About a minute ago   Exited (3221226219) 11 seconds ago             elegant_leavitt
PS C:\Users\benoit>

You can see that the running container has a different hostname that the host.

The docker run command above starts a container for running cmd using the servercore image.

docker start starts an existing container (visible with ps -a)

Note what happens when starting a container.

Processes running inside the container (here cmd) are also visible outside the container.
Processes running inside the container run in a different session than processes running outside the container (here session 3 while the calling user is in session 2).
Processes running outside the container (here winver) are not visible inside the container.
The account inside the countainer is user manager\containeradministrator.
That account is a member of the (container’s) Administrators group.

PS C:\Users\benoit> docker start elegant_leavitt
elegant_leavitt
PS C:\Users\benoit> Get-Process cmd

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
     76       7     5136       5096              4020   3 cmd


PS C:\Users\benoit> query session
 SESSIONNAME               USERNAME                 ID  STATE   TYPE        DEVICE
 services                                            0  Disc
>console                   benoit                    2  Active
 rdp-tcp                                         65536  Listen
PS C:\Users\benoit> docker exec -it elegant_leavitt powershell Get-Process cmd

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
     76       6     4108       5084       0.02   4020   3 cmd


PS C:\Users\benoit> winver
PS C:\Users\benoit> Get-Process winver

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    184      14     2336      16500       0.08   3928   2 winver


PS C:\Users\benoit> docker exec -it elegant_leavitt powershell Get-Process winver
Get-Process : Cannot find a process with the name "winver". Verify the process name and call the cmdlet again.
At line:1 char:1
+ Get-Process winver
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (winver:String) [Get-Process], ProcessCommandException
    + FullyQualifiedErrorId : NoProcessFoundForGivenName,Microsoft.PowerShell.Commands.GetProcessCommand

PS C:\Users\benoit> docker exec -it elegant_leavitt whoami
user manager\containeradministrator
PS C:\Users\benoit> docker exec -it elegant_leavitt whoami /groups

GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ===============================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators               Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
                                     Unknown SID type S-1-5-93-0   Mandatory group, Enabled by default, Enabled group
PS C:\Users\benoit>

And what’s even worse, processes running inside the container do not have associated account names:

PS C:\> Get-Process cmd -IncludeUserName

Handles      WS(K)   CPU(s)     Id UserName               ProcessName
-------      -----   ------     -- --------               -----------
     76       5172     0.02   4020                        cmd
     76       5084     0.02   4200                        cmd

PS C:\

docker run -p runs a container with a port mapping, host to container
docker run -v runs a container a directory mapping, host to container

Imagine -v like this:

PS C:\> md foo

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         4/25/2026  11:49 PM                foo

PS C:\> ni .\foo\bar

    Directory: C:\foo

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         4/25/2026  11:49 PM              0 bar

PS C:\> docker run -dit -v "C:\foo:C:\foofromhost" servercore cmd
9eac0388e2ca4cb6aaa4560a14d47c1696b41e35d9069210860daaf6751f3530
PS C:\> docker ps
CONTAINER ID   IMAGE        COMMAND   CREATED         STATUS         PORTS     NAMES
9eac0388e2ca   servercore   "cmd"     9 seconds ago   Up 6 seconds             adoring_allen
PS C:\> docker exec -it adoring_allen cmd /c dir c:\
 Volume in drive C has no label.
 Volume Serial Number is 1001-F4AE

 Directory of c:\

04/25/2026  11:49 PM              foofromhost
01/11/2026  11:44 AM              inetpub
01/11/2026  11:35 AM             5,647 License.txt
04/13/2026  09:05 AM              Program Files
04/13/2026  08:59 AM              Program Files (x86)
04/13/2026  09:05 AM              Users
04/25/2026  11:50 PM              Windows
               1 File(s)          5,647 bytes
               6 Dir(s)  136,177,917,952 bytes free
PS C:\> docker exec -it adoring_allen cmd /c dir c:\foofromhost
 Volume in drive C has no label.
 Volume Serial Number is 1001-F4AE

 Directory of c:\foofromhost

04/25/2026  11:49 PM              .
04/25/2026  11:49 PM                 0 bar
               1 File(s)              0 bytes
               1 Dir(s)  28,357,349,376 bytes free
PS C:\>

I will go into details on port forwarding in a future article on running Internet Information Server in a container.

docker commit “commits” a container into a new image

PS C:\> docker commit adoring_allen newimage
Error response from daemon: windows does not support commit of a running container
PS C:\> docker stop adoring_allen
adoring_allen
PS C:\> docker commit adoring_allen newimage
sha256:15e6323e548c0044e70dddf1094594c1f72f2ba4a33855f8aa6f15d4bd5ec9cb
PS C:\> docker images
IMAGE                                           ID             DISK USAGE   CONTENT SIZE   EXTRA
mcr.microsoft.com/windows/nanoserver:ltsc2025   299c3c7db826        487MB             0B
mcr.microsoft.com/windows/servercore:ltsc2025   a5c9d9f8dc6e       4.94GB             0B    U
nanoserver:latest                               299c3c7db826        487MB             0B
newimage:latest                                 15e6323e548c       5.01GB             0B
servercore:latest                               a5c9d9f8dc6e       4.94GB             0B    U
PS C:\>

The idea is that you take a base image, run a container based on it, do whatever you want with it, and then create a new image from the resulting state.

docker rm removes a (non-running) container
docker rmi removes an image

PS C:\Users\benoit> docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
PS C:\Users\benoit> docker ps -a
CONTAINER ID   IMAGE        COMMAND   CREATED         STATUS                              PORTS     NAMES
9eac0388e2ca   servercore   "cmd"     7 minutes ago   Exited (3221226219) 4 minutes ago             adoring_allen
PS C:\Users\benoit> docker rm adoring_allen
adoring_allen
PS C:\Users\benoit> docker ps -a
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
PS C:\Users\benoit> docker images
IMAGE                                           ID             DISK USAGE   CONTENT SIZE   EXTRA
mcr.microsoft.com/windows/nanoserver:ltsc2025   299c3c7db826        487MB             0B
mcr.microsoft.com/windows/servercore:ltsc2025   a5c9d9f8dc6e       4.94GB             0B
nanoserver:latest                               299c3c7db826        487MB             0B
newimage:latest                                 15e6323e548c       5.01GB             0B
servercore:latest                               a5c9d9f8dc6e       4.94GB             0B
PS C:\Users\benoit> docker rmi newimage
Untagged: newimage:latest
Deleted: sha256:15e6323e548c0044e70dddf1094594c1f72f2ba4a33855f8aa6f15d4bd5ec9cb
Deleted: sha256:4d419e6b12c4947b1a0ed5465f19d031fc0acec3913ea8cf8314aa2a905511c8
PS C:\Users\benoit> docker images
IMAGE                                           ID             DISK USAGE   CONTENT SIZE   EXTRA
mcr.microsoft.com/windows/nanoserver:ltsc2025   299c3c7db826        487MB             0B
mcr.microsoft.com/windows/servercore:ltsc2025   a5c9d9f8dc6e       4.94GB             0B
nanoserver:latest                               299c3c7db826        487MB             0B
servercore:latest                               a5c9d9f8dc6e       4.94GB             0B
PS C:\Users\benoit>

Differences between Server Core and Nano Server Images

Running a quick dir in both variants shows a huge difference quickly:

S C:\Users\benoit> docker run -dit servercore cmd
64e832fe43e5946c3efcf06ccd5ff81821b2336df517803b6d975fd99a6542a3
PS C:\Users\benoit> docker ps
CONTAINER ID   IMAGE        COMMAND   CREATED         STATUS         PORTS     NAMES
64e832fe43e5   servercore   "cmd"     6 seconds ago   Up 4 seconds             eager_gagarin
PS C:\Users\benoit> docker exec -it eager_gagarin cmd /c dir c:\
 Volume in drive C has no label.
 Volume Serial Number is 1001-F4AE

 Directory of c:\

01/11/2026  11:44 AM              inetpub
01/11/2026  11:35 AM             5,647 License.txt
04/13/2026  09:05 AM              Program Files
04/13/2026  08:59 AM              Program Files (x86)
04/13/2026  09:05 AM              Users
04/25/2026  11:59 PM              Windows
               1 File(s)          5,647 bytes
               5 Dir(s)  136,177,942,528 bytes free
PS C:\Users\benoit> docker run -dit nanoserver cmd
98399bd440816470a335d9b9dc6e6d7e6ff252c0d7a9d616b4a0297ac352bd0b
PS C:\Users\benoit> docker ps
CONTAINER ID   IMAGE        COMMAND   CREATED          STATUS          PORTS     NAMES
98399bd44081   nanoserver   "cmd"     5 seconds ago    Up 2 seconds              brave_fermat
64e832fe43e5   servercore   "cmd"     43 seconds ago   Up 41 seconds             eager_gagarin
PS C:\Users\benoit> docker exec -it brave_fermat cmd /c dir c:\
 Volume in drive C has no label.
 Volume Serial Number is 76D0-1E23

 Directory of c:\

04/13/2026  08:36 AM             5,647 License.txt
04/13/2026  08:39 AM              Users
04/25/2026  11:59 PM              Windows
               1 File(s)          5,647 bytes
               2 Dir(s)  136,183,414,784 bytes free
PS C:\Users\benoit>

Server Core	Nano Server
PowerShell	-
WoW (32 bit emulation)	-
.NET and .NET Framework	.NET only
Can run stand-alone	Container only
Meant for complete Windows Server applications	Suitable only for applications developed for the Nano Server container
5 GB image size	500 MB image size
No GUI applications, no RDP	No GUI applications, no RDP

Exporting and Importing Containers

docker save saves an image into a tarball (commit the container to an image to save)
docker load loads an image from a tarball

PS C:\Users\benoit> docker commit brave_fermat brave_fermat
sha256:18972e6d20078a7fa3bfb701e451153c833f4fef588bec8f639a7cb64c85f672
PS C:\Users\benoit> docker images
                                                                                                                                                                              i Info →   U  In Use
IMAGE                                           ID             DISK USAGE   CONTENT SIZE   EXTRA
brave_fermat:latest                             18972e6d2007        489MB             0B
mcr.microsoft.com/windows/nanoserver:ltsc2025   299c3c7db826        487MB             0B    U
mcr.microsoft.com/windows/servercore:ltsc2025   a5c9d9f8dc6e       4.94GB             0B    U
nanoserver:latest                               299c3c7db826        487MB             0B    U
servercore:latest                               a5c9d9f8dc6e       4.94GB             0B    U
PS C:\Users\benoit> docker save brave_fermat -o brave_fermat.tar
PS C:\Users\benoit> docker rmi brave_fermat
Untagged: brave_fermat:latest
Deleted: sha256:18972e6d20078a7fa3bfb701e451153c833f4fef588bec8f639a7cb64c85f672
Deleted: sha256:653f586307eb57d859a8f172075d849734123db34291f5ada26506ef7b0377d8
PS C:\Users\benoit> docker load -i brave_fermat.tar
cb6a8faeb776: Loading layer [==================================================>]  2.018MB/2.018MB
Loaded image: brave_fermat:latest
PS C:\Users\benoit>

Next: TBD

Windows - OpenSSH Server

2026-04-12T00:00:00+02:00

First, if you don’t know what ssh is, go and read this book: SSH Mastery. It’s the seminal book on ssh as far as I can tell.

Second, if you do what ssh is, go and the read the book anyway, if you haven’t yet.

Return here for Windows-specific uses of ssh.

You are back? Good. Let’s begin.

You will likely find the sshd service already installed on modern versions of Windows Server. To enable it and start it and start it automatically at boot, do this:

PS C:\> Get-Service sshd

Status   Name               DisplayName
------   ----               -----------
Stopped  sshd               OpenSSH SSH Server

PS C:\> Set-Service sshd -StartupType Automatic
PS C:\> sc.exe qc sshd
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: sshd
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\OpenSSH\sshd.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OpenSSH SSH Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
PS C:\> Start-Service sshd
PS C:\> Get-Service sshd

Status   Name               DisplayName
------   ----               -----------
Running  sshd               OpenSSH SSH Server

PS C:\>

The sshd service runs as LocalSystem and, as an actual system service, is supposed to run as LocalSystem.

The sshd service is configured in C:\ProgramData\ssh (where Windows emulates the Unix-style /etc directory):

PS C:\> cd .\ProgramData\ssh\
PS C:\ProgramData\ssh> dir


    Directory: C:\ProgramData\ssh


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         4/12/2026   3:52 PM                logs
-a----         4/12/2026   3:52 PM              6 sshd.pid
-a----         3/31/2024   6:08 PM           2343 sshd_config
-a----         4/12/2026   3:52 PM            513 ssh_host_ecdsa_key
-a----         4/12/2026   3:52 PM            180 ssh_host_ecdsa_key.pub
-a----         4/12/2026   3:52 PM            411 ssh_host_ed25519_key
-a----         4/12/2026   3:52 PM            100 ssh_host_ed25519_key.pub
-a----         4/12/2026   3:52 PM           2602 ssh_host_rsa_key
-a----         4/12/2026   3:52 PM            572 ssh_host_rsa_key.pub


PS C:\ProgramData\ssh>

In the file sshd_config you will find everything you need, with two Windows-specific elements.

AllowGroups administrators "openssh users"

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

There is a group OpenSSH Users to which you must add all users that should be allowed to access the computer via ssh. The Administrators group is also allowed.

There is also one common authorised keys file for all members of the Administrators group here in C:\ProgramData\ssh\administrators_authorized_keys which is used for any ssh logon with a user that is in the Administrators group. Personally, I like commenting this out. It is perhaps best practice though better to keep track of administrators who can log in without a password.

Now, let’s have a look at an ssh session.

Microsoft Windows [Version 10.0.26100.32522]
(c) Microsoft Corporation. All rights reserved.

benoit@CHAMPIGNAC C:\Users\benoit>whoami/groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\OpenSSH Users                  Alias            S-1-5-32-585 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                   Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192

benoit@CHAMPIGNAC C:\Users\benoit>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\benoit> Get-Process -Id $PID

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    640      31    55936      73720       0.33   3628   0 powershell


PS C:\Users\benoit>

Note the following odditites:

The standard shell for an ssh session is cmd. I recommend not even trying to change it to PowerShell.
The logon type (as seen in the membership of the associated well-known group NT AUTHORITY\NETWORK is network and not interactive)
The process runs in session 0, the services session

Compared to PowerShell remoting ssh is more powerful. It allows for the actual use of the computer and running interactive programs, albeit obviously not GUI programs (there being no obvious GUI to use).

In fact, since I like tables, here is a table:

“Session type”	Well-known group membership	Required privilege	Possible programs
Console	INTERACTIVE	SeInteractiveLogonRight (likely granted by Users group)	Any (filters, interactive and GUI)
Remote Desktop	INTERACTIVE and REMOTE INTERACTIVE LOGON	SeRemoteInteractiveLogonRight (from Remote Desktop Users group)	Essentially any
Secondary Logon (via runas.exe)	INTERACTIVE	SeInteractiveLogonRight (for some reason)	Same as Console or Remote Desktop
PowerShell remoting	NETWORK	Remote Managements Users membership (for microsoft.powershell configuration)	filters only
ssh	NETWORK	OpenSSH Users (per configuration file)	filters and interactive programs

“Filters” are programs that take input from their command line and standard input and provide output to standard output. They cannot otherwise stop and ask the user for input. Examples are cmd.exe with the “/c” parameter, all PowerShell cmdlets, and programs like compilers.

“Interactive” programs are programs that interact with the user (ask him questions, react to key presses etc.). Examples are edit.exe, diskpart.exe, vim.exe, amd cmd.exe with no parameter or the “/k” parameter. Some of those programs can receive mouse input (edit.exe).

GUI programs are programs that use their own custom windows (i.e. do not just display everything in a terminal window). Examples are notepad.exe and explorer.exe. These do not work in ssh (or rather they start and disappear into nothingness somewhere in session 0.)

So you might say that the session types form a hiearchy.

From a console logon you can do everything you can do in RDP, ssh, and PowerShell remoting; and you can also ssh and PowerShell remote into the local machine (although with PowerShell and local users this can be difficult).
From an RDP logon you can do everything you can do in ssh and PowerShell remoting as well.
In an ssh session you can do everything you can do in a PowerShell remoting session too.
In a PowerShell remoting session you are limited to filters, i.e. PowerShell cmdlets and very simple non-interactive external programs.

Next: Docker

Windows Privileges - Trusted Computing Base

2026-04-11T00:00:00+02:00

“Act as part of the operating system”

That is the legal name of a privilege with the technical name SeTcbPrivilege or SE_TCB_NAME. The official description is

This privilege identifies its holder as part of the trusted computer base. Some trusted protected subsystems are granted this privilege.

I cannot see how one can be clearer than that!

I am myself not very familiar with SeTcbPrivilege. It is not something one runs into daily and or something that many applications would need for normal operation. In fact is it not even held by the Administrators group (and therefor also not by members of that group, usually) and Microsoft themselves apparently recommend not assinging it to any account and run services that need this privilege under the LocalSystem account which has this privilege.

As far as I know it allows a process to assume any identity and is meant to be used by the Local Security Authority to log on accounts (users and services likewise).

Thus it is required by many Lsa* APIs but also by some uses of the SetTokenInformation API which manipulates access tokens.

For example, to create a process in an arbitrary session (not the session of the process-creating process), SeTcbPrivilege is needed, among other things.

What else is needed:

the process-creating process has to run in the services session (session 0) and
the process-creating process has to run in a service or batch logon context (i.e. not interactive or network) and
the process-creating process has to hold SeAssignPrimaryTokenPrivilege as well (to create the process with the manipulated token)

Alternatively, the procress-creating service has to run under LocalSystem, in which case it will have all the necessary privileges and does not matter how it logged on or in which session it runs.

The easiest way to accomplish this feat is to equip an account with SeTcbPrivilege and SeAssignPrimaryTokenPrivilege and create a scheduled task to create a process.

Remember that privileges have to be enabled before they can be used.

// we need a handle to a token, let's use the current process' primary token
HANDLE hToken;
ok = OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken);

// we need a copy of the token to modify it and use it elsewhere
HANDLE hModifiedToken;
ok = DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &hModifiedToken);

// this next step requires SeTcbPrivilege, it changes the session id of the token to iSessionId (maybe 2)
ok = SetTokenInformation(hModifiedToken, TokenSessionId, &iSessionId, sizeof(DWORD));

The call to SetTokenInformation() will fail with an error 1314 (“privilege not held”) if the process does not hold SeTcbPrivilege:

PS B:\> .\TcbDemo.exe C:\windows\system32\winver.exe 2
Image [C:\windows\system32\winver.exe] in session with id [2].
OpenProcessToken        OK: [1] STATUS: [0], Error: [0]
DuplicateTokenEx        OK: [1] STATUS: [0], Error: [0]
SetTokenInformation     OK: [0] STATUS: [0], Error: [1314]
PS B:\> certutil /error 1314
0x522 (WIN32: 1314 ERROR_PRIVILEGE_NOT_HELD) -- 1314 (1314)
Error message text: A required privilege is not held by the client.
CertUtil: -error command completed successfully.
PS B:\>

Now that we have a modified second token, we can start a process with it. And if everything else is perfect (session 0, service or batch logon, SeAssignPrimaryTokenPrivilege held, moon in conjunction with venus etc.) this will start an unusable program in the requested session. (It is unusable because it does not belong into the session it runs in and is missing permissions. A window will appear though. See Scheduled Task to Start Privileged Application which describes a program that implements exactly this mechanism.)

// creating the process, this step requires SeAssignPrimaryTokenPrivilege to, well, assign the primary token
ok = CreateProcessAsUserW(hModifiedToken, pathImage, NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);

Running this without holding SeAssignPrimaryTokenPrivilege leads to disaster again:

PS B:\> .\TcbDemo.exe c:\windows\system32\cmd.exe 2
Image [c:\windows\system32\cmd.exe] in session with id [2].
OpenProcessToken        OK: [1] STATUS: [0], Error: [0]
DuplicateTokenEx        OK: [1] STATUS: [0], Error: [0]
SetTokenInformation     OK: [1] STATUS: [0], Error: [0]
CreateProcessAsUserW    OK: [0] STATUS: [0], Error: [1314]
PS B:\>

And with SeAssignPrimaryTokenPrivilege:

PS B:\> .\TcbDemo.exe c:\windows\system32\cmd.exe 2
Image [c:\windows\system32\cmd.exe] in session with id [2].
OpenProcessToken        OK: [1] STATUS: [0], Error: [0]
DuplicateTokenEx        OK: [1] STATUS: [0], Error: [0]
SetTokenInformation     OK: [1] STATUS: [0], Error: [0]
CreateProcessAsUserW    OK: [0] STATUS: [0], Error: [5]
PS B:\>

The privilege works but creating a process in another session fails due to missing permissions. That’s where running in session 0 comes in.

A scheduled task defined as cmd.exe with arguments /c C:\TcbDemo\TcbDemo.exe C:\Windows\System32\cmd.exe 2 2> C:\Temp\TcbDemo.log produces an error log file

PS C:\> Get-Content .\Temp\TcbDemo.log
OpenProcessToken        OK: [1] STATUS: [0], Error: [0]
DuplicateTokenEx        OK: [1] STATUS: [0], Error: [0]
SetTokenInformation     OK: [1] STATUS: [0], Error: [0]
CreateProcessAsUserW    OK: [1] STATUS: [0], Error: [0]
PS C:\>

and a window running cmd.exe in session 2. In fact, the process still remembers where it comes from and runs inside a batch logon:

PS C:\> whoami /groups|Select-String "NT Authority"

NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH                                            Well-known group S-1-5-3                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group

PS C:\>

Note the NT AUTHORITY\BATCH pseudo group. The PowerShell process is a daughter of the cmd.exe process is a daughter of the scheduled task which logged in as a batch job.

Examples of how this mechanism can be used (but shouldn’t be):

In real life it is generally completely unnecessary to start processes in arbitrary sessions unless you are writing malware.

And if you are writing malware you should really find a vulnerability and exploit it and not rely on idiots granting your process system privileges.

Although you likely can.

Next: OpenSSH on Windows

Windows History - Application Specification for Microsoft Windows 2000

2026-04-10T00:00:00+02:00

Some time ago I found an interesting document from 1999. The [Application Specification for Microsoft Windows 2000] is a document published by Microsoft that documents proper application design for Windows Server. I never found a newer version or replacement document. But even this old document gives an interesting insight into how enterprise applications should be developed. It is more least-privilege than today’s standard by far.

Its purpose was clear:

The Application Specification for Windows 2000 defines the technical requirements for applications to earn the “Certified for Microsoft Windows” logo. Applications may carry the “Certified for Microsoft Windows” logo, once they have passed compliance testing and have executed a logo license agreement with Microsoft. This logo lets your customers know that your application offers a high quality computing experience available on Windows.

Since the document is from 1999 it features a few oddities when seen from today’s point of view. Some are outdated, some can be translated into the current situation.

Among those are

Obviously references to exlusively Windows 2000 Server (and not newer versions)
Instructions for how to deal with 16-bit dependencies of 32-bit programs (today I suppose this is less relevant for 64-bit programs and 32-bit dependencies)
References to the Alpha CPU (as apparently Windows 2000 was developed for Alpha until Compaq withdrew support)
References to best practices that use APIs now deprecated (SHGetFolderPath())
A complete lack of anything about .NET or PowerShell (which did not exist yet)

But there are also points that were new then and are very current still today:

Active Directory
Win64 (then for Alpha, now very much alive on x64 and ARM64)
SSO (Single Sign-On was already something people tried to achieve, it’s still the new thing)
“Browser-Hosted Applications”
Terminal Services compatibility considerations

This specification is intended for vendors and corporate developers building multi- user applications that run on any of the Windows 2000 Server family of operating systems.

Chapter 5 covers security requirements.

In order for Client/Sever applications to provide secure access to resources and security for their interactions, the application must configure and run the client and server portions in the correct security contexts. This provides access to the resources needed in a secure manner and provides a secure communication channel between the client and the server

It mentions specifically what has apparently been forgotten in modern times:

If a service or service account password is compromised, then the scope of damage that can occur is limited to the capabilities of the account under which the service is running.

It defines the security requirements for certification:

Document services that require more than User level privileges to run
Win32 clients running in the context of a trusted domain account must support Single Sign-On

Wow. We are still far from that.

For each service account that requires more than User-level privileges, the following must be documented:
1) The specific system resources that normal Users do not have sufficient access to by default.
2) The specific User Rights that normal Users do not have by default in order for the service to run properly.
3) The minimum permissions to the resources identified in #1 that the service account must have in order to run properly.

Of course, today the answer many vendors give for 1, 2, and 3 is “our application has been designed to run with administrator rights”, comically extending the absurd into a farce.

(My April 1st post describes how to conform to such a design and how to run a server in [Enterprise Mode].)

Finally, the chapter ends with the clarification that certification does not require applications to run completely unprivileged or even with defined security requirements. But it does explain that the customer must be told about the situation he will face, giving him the three options of running the application with well-configured permissions, running the application with administrator rights and accept the risk, or buy an alternative product that does not have those problems.

I fear that a lot of today’s enterprise software for Windows would not be able to become certified for Windows Server 2000.

Next: Trusted Computing Base Privilege

Windows - Run As Administrator

2026-04-01T01:00:00+02:00

Note that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything. Read and act on it at your own peril! Especially now.

This is a more enterprisey post than most. It deals with a very common issue with enterprise software and what many vendors consider best practice.

How to make every user an administrator:

PS C:\WINDOWS\system32> Get-LocalUser
Name               Enabled Description
----               ------- -----------
Administrator      True    Built-in account for administering the computer/domain
benoit             True
DefaultAccount     False   A user account managed by the system.
Guest              False   Built-in account for guest access to the computer/domain
legrand            True
WDAGUtilityAccount False   A user account managed and used by the system for Windows Defender Application Guard scenarios.


PS C:\WINDOWS\system32> Get-LocalUser|ForEach-Object{Add-LocalGroupMember Administrators $_}
Add-LocalGroupMember : Administrator is already a member of group Administrators.
At line:1 char:30
+ Get-LocalUser|ForEach-Object{Add-LocalGroupMember Administrators $_}
+                              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceExists: (Administrators:LocalGroup) [Add-LocalGroupMember], MemberExistsException
    + FullyQualifiedErrorId : MemberExists,Microsoft.PowerShell.Commands.AddLocalGroupMemberCommand

PS C:\WINDOWS\system32> Get-LocalGroupMember Administrators

ObjectClass Name                          PrincipalSource
----------- ----                          ---------------
User        CHAMPIGNAC\Administrator      Local
User        CHAMPIGNAC\benoit             Local
User        CHAMPIGNAC\DefaultAccount     Local
User        CHAMPIGNAC\Guest              Local
User        CHAMPIGNAC\legrand            Local
User        CHAMPIGNAC\WDAGUtilityAccount Local

PS C:\WINDOWS\system32>

For domain users:

PS C:\WINDOWS\system32> Add-LocalGroupMember Administrators "Domain Users@${env:ADDomain}"
PS C:\WINDOWS\system32>

Now the server is ready to run enterprise software as per the requirements of many enterprise software vendors.

But to be on the safe side, you can also make all services run as administrator. This will allow services that were designed to run as administrator run as administrator even if the account they run under has insufficient rights:

PS C:\WINDOWS\system32> Get-Service|ForEach-Object{$name=$_.Name;sc.exe sidtype $name unrestricted;Add-LocalGroupMember Administrators "NT Service\$name"}
[SC] ChangeServiceConfig2 SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
[...]
PS C:\WINDOWS\system32>

And don’t forget to disable the firewall:

PS C:\WINDOWS\system32> netsh advfirewall set allprofiles state off
Ok.

PS C:\WINDOWS\system32>

Now your server is absolutely enterprise-ready.

Next: Application Specification for Microsoft Windows 2000

WSL - Ubuntu Issue

2026-03-28T00:00:00+01:00

If this happens to your Ubuntu installation in WSL:

Failed to take /etc/passwd lock: Invalid argument
dpkg: error processing package systemd (--configure):
 installed systemd package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of systemd-timesyncd:
 systemd-timesyncd depends on systemd; however:
  Package systemd is not configured yet.

dpkg: error processing package systemd-timesyncd (--configure):
 dependency problems - leaving unconfigured
dpkg: dependency problems prevent configuration of udev:
 udev depends on systemd | systemd-standalone-sysusers | systemd-sysusers; however:
  Package systemd is not configured yet.
  Package systemd-standalone-sysusers is not installed.
  Package systemd-sysusers is not installed.
  Package systemd which provides systemd-sysusers is not configured yet.

The solution (or workaround) might be these commands:

sudo sed -i -e '/systemd-sysusers/s/\.conf$/.conf || true/' /var/lib/dpkg/info/*.postinst
sudo dpkg --configure -a

at least this is what Chatgippity told me.

If it turns out that it doesn’t work, I’ll correct or update this post as necessary.

Next: Run As Administrator

Windows History - Comparing Shells

2026-03-07T00:00:00+01:00

Showing all files in all subdirectories in order of last write time, newest last. Probably.

Bash (Linux)

find "$(pwd)" -type f -printf '%TY-%Tm-%Td %TH:%TM:%TS %p\n' | sort

DCL (OpenVMS)

DIRECTORY [...]*.*;* /FULL /DATE=MODIFIED /SORT=DATE

PowerShell (Windows)

Get-ChildItem -Recurse -File | Sort-Object LastWriteTime | Select-Object LastWriteTime, FullName

This is what people mean when they are talking about why their favourite command line shell is superior to other shells.

And if you find PowerShell or DCL too wordy (or too readable), you can do this:

PowerShell (using aliases and abbreviations)

gci -r -fi | sort LastWriteTime | select LastWriteTime,FullName

DCL (using abbreviations and despacing)

DIR[...]*.*;*/F/D=M/S=D

Next: WSL Ubuntu Issue

Windows - Sudo

2026-01-17T00:00:00+01:00

This article is on Windows sudo.

See the post Privileged Scheduled Task for a scheduled task-based JEA mechanism to emulate Unix-style sudo on Windows.

In a previous post Unprivileged Accounts I attempted to describe the concept of non-privileged accounts in Windows, a concept very foreign to modern enterprise computing on servers.

Go and read it as a primer, especially the part about User Account Control, I will wait here.

Are you back? Good.

With Windows 11 (or rather some time after Windows 11 first appeared) Microsoft introduced a sudo command for Windows that is entirely unsimilar to the famous Unix sudo command.

Let me first explain, very quickly and horribly non-precise, how Unix sudo works.

In Unix there is one user called the superuser who normally has the user name root.
In Unix one of the permissions bit on a file is the so-called setuid bit. If this bit is set, the file, if executed, will run with the identity of its owner rather than of the user who executes it.
One of those programs marked with the setuid bit is a program called sudo. It is owned by the superuser. If started, it will run with the identity of root.
The program sudo is configured in a file /etc/sudoers.
In that file it is outlined which user or group may start which program as what user.

This is it, essentially.

Imagine a Unix-compatible system, here the Windows Subsystem for Linux, with a sudo configuration allowing the start of the program whoami as root. There is no particular purpose in running this program. But it will show the effect of using sudo best and without doing any damage.

benoit@paris:~$ ls -l `which sudo`
-rwsr-xr-x 1 root root 277936 Jun 25  2025 /usr/bin/sudo
benoit@paris:~$ which whoami
/usr/bin/whoami
benoit@paris:~$ ls -l `which whoami`
-rwxr-xr-x 1 root root 35336 Jun 22  2025 /usr/bin/whoami
benoit@paris:~$

The first command checks that the sudo program is indeed marked setuid root. The s in the permissions indicates it. (It would be x for execute otherwise.)

The second command shows the whoami program file.

And the third command checks for its permissions, to demonstrate that it is not marked setuid at all. (There actually is an x in the permissions for the file owner.)

There is a program visudo that starts an editor (not vi but nano on Ubuntu, for some reason) that allows editing the /etc/sudoers file. (The file can only be edited by root, we should assume.)

benoit  ALL=(root) NOPASSWD:/usr/bin/whoami

After adding user benoit, user benoit should be able to run whoami both as benoit (directly) and as root (via sudo):

benoit@paris:~$ whoami
benoit
benoit@paris:~$ sudo whoami
root
benoit@paris:~$

And this is it. Permissions management is overriden in the hope that the allowed program does not do anything it is not expected to do. This is as irresponsible as JEA but more flexible in its simplicity (it can start GUI programs, for example).

Windows sudo is not like that at all. Windows does not have a setuid mechanism.

Do note that “sudo” actually stands for “superuser do” and Windows sudo is very loyal to the concept of the name. While on Unix there is indeed a specific superuser (and it is one account that can be configured to be used by sudo), on Windows there is no such account. There is a group.

Very unfortunately in Windows there is an Administrators group and anyone added to it becomes a superuser. This is in effect one of the biggest problems for Windows security: it is easier to give an account all rights and privileges than it is to give an account just the rights and privileges it needs, a daily attack on the principle of least-privilege.

A lot of “enterprise” software sees security from the perspective of someone who can ignore permissions because the account can just be added to the Administrators group.

Many home and office users also find themselves with superuser rights because of the ease of adding a user to the Administrators group and the assumption by software that, of course, the user has superuser status.

This led to issues when users did stupid things. With superuser rights. To themselves. A lot.

So Microsoft invented “User Account Control” to alert users every time they are doing something potentially stupid. This was very inconvenient, and it was supposed to be.

To make the inconvenience less inconvenient Microsoft finally introduced a tool for users to allow them to do stupid user things better: sudo.

You can enable sudo as a superuser:

C:\>whoami
paris\administrator

C:\>sudo help config
Get current configuration information of sudo

Usage: sudo config [OPTIONS]

Options:
      --enable <enable>  [possible values: disable, enable, forceNewWindow, disableInput, normal, default]

C:\>sudo config --enable default
Sudo is currently in Inline mode on this machine

C:\>

“Inline mode” means that sudo will run in the same terminal/console as the calling program (usually cmd or PowerShell). It is “normal” and “default”, I guess.

“forceNewWindow” does the same as the traditional Start-Process -Verb RunAs someprogram.exe did and opens a new console window for the program.

And “disableInput” runs sudo-started programs in the same terminal window as the calling program but does not allow for any interactivity.

Windows sudo does not run programs as another user. It does not run them as the superuser, like in Unix. It runs programs as the calling user, but with superuser rights. Let me demonstrate in the most intelligent way I can:

PS C:\> whoami
paris\benoit
PS C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
PS C:\> sudo whoami
paris\benoit
PS C:\> sudo whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Disabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled
PS C:\>

If you try this out you will notice, assuming User Account Control is configured properly, that every time sudo is used, Windows will ask the user to confirm that he wants do something superuser-like. This remains the idea of User Account Configuration.

If you need superuser rights for several commands, you can just start a shell using sudo, like so:

PS C:\> sudo powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\> whoami
paris\benoit
PS C:\> exit
PS C:\>

And exit it when you are done being superuser-like.

Do note that it is still not advisable to use a computer with an account with superuser rights all the time. The reason it is done on Windows is, of course, for compatibility reasons:

First, which is quite reasonable, for running programs that predate any such permissions or multiuser environments.
Second, which is less reasonable, for running programs made by software vendors, typically advertising themselves as “enterprise software” vendors, that assume that all users are superusers and that security issues created by such software are the customer’s problem.

Until Microsoft somehow fully virtualises the experience of the superuser, we will have to live with sudo.

Next: Comparing Shells

Windows Unprivileged - Scheduled Tasks JEA

2026-01-07T00:00:00+01:00

As partly explained in the post on Scheduled Tasks, setting permissions on scheduled tasks is not trivial.

So what is more obvious than avoiding those permissions using Just Enough Admin again?

The immediate problem is that allowing non-privileged users to create and modify scheduled tasks using a virtual administrator account will allow those users to create scheduled tasks running as LocalSystem that will then do whatever those users want, perhaps just add them to the Administrators group.

Any JEA configuration for scheduled tasks would have to disallow creation or modification of scheduled tasks that use privileged accounts. Perhaps it is sufficient to stop creation of scheduled tasks that run as a system account (LocalSystem, LocalService, or NetworkService). Scheduled tasks to be modified can then simply be recreated, then being subject to the same restriction.

This requires two cmdlets to be available:

Get-ScheduledTask to get any scheduled task as a PowerShell object (so that it can then be modified in PowerShell)
Register-RestrictedScheduledTask as a wrapper for Register-ScheduledTask that makes the -Password parameter a required parameter (to disallow creation of scheduled tasks that use accounts without passwords)

As a bonus, another cmdlet can annex and permission a scheduled task for the calling user, to allow manipulation in the Task Scheduler GUI (taskschd.msc) as a non-privileged user.

Claim-ScheduledTask changes the owner of a scheduled task to the calling user and adds the user to the scheduled task’s ACL with Full Access before any other entry (to preempt deny entries as well, also, it’s easier).
Get-ScheduledTaskPermissions shows the permissions of a scheduled task. Set-ScheduledTaskPermissions sets the permissions.

And as a further bonus, the ability simply to enable or disable any scheduled task is included.

Enable-ScheduledTask and Disable-ScheduledTask

Get ScheduledTasks.pssc and ScheduledTasts.psrc from GitHub, register ScheduledTasks.pssc, and create the associated JEA group:

PS C:\Program Files\WindowsPowerShell\Modules\JEA> New-LocalGroup JEA_ScheduledTasks

Name               Description
----               -----------
JEA_ScheduledTasks


PS C:\Program Files\WindowsPowerShell\Modules\JEA> Add-LocalGroupMember JEA_ScheduledTasks benoit
PS C:\Program Files\WindowsPowerShell\Modules\JEA> Register-PSSessionConfiguration ScheduledTasks -Path .\ScheduledTasks.pssc
WARNING: Register-PSSessionConfiguration may need to restart the WinRM service if a configuration using this name has recently been unregistered, certain system data structures may still be cached. In that case, a restart of WinRM may be required.
All WinRM sessions connected to Windows PowerShell session configurations, such as Microsoft.PowerShell and session configurations that are created with the Register-PSSessionConfiguration cmdlet, are disconnected.


   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Plugin

Type            Keys                                Name
----            ----                                ----
Container       {Name=ScheduledTasks}               ScheduledTasks
WARNING: Set-PSSessionConfiguration may need to restart the WinRM service if a configuration using this name has recently been unregistered, certain system data structures may still be cached. In that case, a restart of WinRM may be required.
All WinRM sessions connected to Windows PowerShell session configurations, such as Microsoft.PowerShell and session configurations that are created with the Register-PSSessionConfiguration cmdlet, are disconnected.
WARNING: Register-PSSessionConfiguration may need to restart the WinRM service if a configuration using this name has recently been unregistered, certain system data structures may still be cached. In that case, a restart of WinRM may be required.
All WinRM sessions connected to Windows PowerShell session configurations, such as Microsoft.PowerShell and session configurations that are created with the Register-PSSessionConfiguration cmdlet, are disconnected.


PS C:\Program Files\WindowsPowerShell\Modules\JEA>

Note that this configuration gives access to two cmdlets Get-ScheduledTask and Get-Help. The latter is included to allow showing help for the two exposed functions.

It also gives access to three functions Register-RestrictedScheduledTask, Get-ScheduledTaskPermissions, and Claim-ScheduledTask. (The latter cmdlet might need a cooler name.)

Register-RestrictedScheduledTask is simple: it just calls Register-ScheduledTask but will insist that the -Password parameter exists and that something is given as argument for it. (See Parameters and Arguments. It’s never quite clear to me.) Since system accounts don’t take a password, the user cannot register a scheduled task that runs as a system account. (The user can still register a scheduled task that runs as another privileged account, like a member of the Administrators group, but if the user knows such an account, then why does he bother using this JEA configuration?)

Get-ScheduledTaskPermissions uses a COM (Component Object Model) API to read scheduled task permissions and gets an SDDL (Security Descriptor Definition Language) representation of the scheduled task’s security descriptor which it will then produly display. Set-ScheduledTaskPermissions uses the same API to set scheduled task permissions.

Claim-ScheduledTask is a bit pseudo-clever. It also uses the COM API to modify scheduled task permissions . It gets an SDDL representation of the scheduled task’s security descriptor and modifies it by a) replacing the owner and b) inserting an entry at the beginning of the access control list giving the new owner full access. Then it writes the SDDL back into the scheduled task COM object.

Note that you understood correctly: This does allow the user to annex any scheduled task he wants. (Modify the cmdlet code if you want to prevent this.) But he cannot change what it does and and keep it running under an account of which he does not know the password. So, yes, the user can cause damage with this cmdlet. Deploy with care!

Make sure your user is in both the Remote Management Users and JEA_ScheduledTasks groups and:

PS C:\> whoami
achaemenes\benoit
PS C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
PS C:\> $scheduledtasks=New-PSSession -ConfigurationName ScheduledTasks
PS C:\> $action=New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c cls"
PS C:\> $task=New-ScheduledTask -Action $action -Settings (New-ScheduledTaskSettingsSet)
PS C:\> Invoke-Command $scheduledtasks {param($task); Register-RestrictedScheduledTask -TaskName BenoitTask -User benoit -InputObject $task} -ArgumentList $task

cmdlet Register-RestrictedScheduledTask at command pipeline position 1
Supply values for the following parameters:
Password: BenoitsSecretPassword

TaskPath                                       TaskName                          State      PSComputerName
--------                                       --------                          -----      --------------
\                                              BenoitTask                        Ready      localhost

PS C:\> Invoke-Command $scheduledtasks {Get-ScheduledTask -TaskName BenoitTask}

TaskPath                                       TaskName                          State      PSComputerName
--------                                       --------                          -----      --------------
\                                              BenoitTask                        Ready      localhost

PS C:\> Invoke-Command $scheduledtasks {Get-ScheduledTaskPermissions -TaskName BenoitTask}
O:S-1-5-94-3G:S-1-5-94-3D:(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FA;;;S-1-5-94-3)(A;;FR;;;S-1-5-21-2059049455-1877585131-3415813230-1007)
PS C:\> Invoke-Command $scheduledtasks {Claim-ScheduledTask -TaskName BenoitTask}
Writing security descriptor [O:S-1-5-21-2059049455-1877585131-3415813230-1007G:S-1-5-94-3D:(A;;FA;;;S-1-5-21-2059049455-1877585131-3415813230-1007)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FA;;;S-1-5-94-3)(A;;FR;;;S-1-5-21-2059049455-1877585131-3415813230-1007)] into scheduled task [BenoitTask]. Press ctrl+c to cancel.:

PS C:\> Invoke-Command $scheduledtasks {Get-ScheduledTaskPermissions -TaskName BenoitTask}
O:S-1-5-21-2059049455-1877585131-3415813230-1007G:S-1-5-94-3D:AI(A;;FA;;;S-1-5-21-2059049455-1877585131-3415813230-1007)(A;;FR;;;S-1-5-21-2059049455-1877585131-3415813230-1007)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FA;;;S-1-5-94-3)
PS C:\>

Observe how user benoit can register a scheduled task. With the the -Force parameter set, it will also overwrite an existing scheduled task.

To modify a task, benoit can Get-ScheduledTask it, modify the task object and then Register-RestrictedScheduledTask -Force it:

PS C:\> $task1=Invoke-Command $scheduledtasks {Get-ScheduledTask -TaskName BenoitTask}
PS C:\> $task1

TaskPath                                       TaskName                          State      PSComputerName
--------                                       --------                          -----      --------------
\                                              BenoitTask                        Ready      localhost

PS C:\> $task1.Actions

Id               :
Arguments        : /c cls
Execute          : cmd.exe
WorkingDirectory :
PSComputerName   :

PS C:\> $action=New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c echo foo"
PS C:\> $task1.Actions=$action

TaskPath                                       TaskName                          State      PSComputerName
--------                                       --------                          -----      --------------
\                                              BenoitTask                        Ready      localhost

PS C:\> $task1.Actions

Id               :
Arguments        : /c echo foo
Execute          : cmd.exe
WorkingDirectory :
PSComputerName   :

PS C:\> Invoke-Command $scheduledtasks {param($task); Register-RestrictedScheduledTask -TaskName BenoitTask -User benoit -Password BenoitsSecretPassword -InputObject $task -Force} -ArgumentList $task

TaskPath                                       TaskName                          State      PSComputerName
--------                                       --------                          -----      --------------
\                                              BenoitTask                        Ready      localhost


PS C:\>

The task now does a “cmd.exe /c echo foo” instead of the original “cmd.exe /c cls”. (But it is running as the account given to it when registering it after modification.)

And if user benoit needs to have access to this (or any other) scheduled task in the Task Scheduler GUI (or with PowerShell but without JEA) Claim-ScheduledTask annexes the scheduled task to him and grants him access.

Note again that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it is wrong or dangerous or will lead to disaster or confusion. I am not taking responsibility here for anything.

Happy new year, everyone!

P.S.: In case you ever wondered. The “Run with highest privileges” checkbox in Task Scheduler does nothing to non-interactive scheduled tasks (batch jobs). What it does do is affect interactive scheduled tasks. It only becomes relevant when “Run only when user is logged on” is selected (instead of “Run whether user is logged on or not”). It acts as a preemptive OK to a UAC prompt that might otherwise prevent the interactive process from running elevated. I don’t know where this is properly documented.

Next: Windows Sudo

Windows - Help

2025-12-28T00:00:00+01:00

Windows Help is not always up-to-date.

You have probably seen something like this:

PS C:\> Get-Help Get-VM

NAME
    Get-VM

SYNTAX
    Get-VM [[-Name] <string[]>] [-CimSession <CimSession[]>] [-ComputerName <string[]>] [-Credential <pscredential[]>]  [<CommonParameters>]

    Get-VM [[-Id] <guid>] [-CimSession <CimSession[]>] [-ComputerName <string[]>] [-Credential <pscredential[]>]  [<CommonParameters>]

    Get-VM [-ClusterObject] <ClusterObject>  [<CommonParameters>]


ALIASES
    gvm


REMARKS
    Get-Help cannot find the Help files for this cmdlet on this computer. It is displaying only partial help.
        -- To download and install Help files for the module that includes this cmdlet, use Update-Help.

Apparently the idea is that Windows does not ship with the help files for PowerShell cmdlets because they might be outdated. That is, the help files would be of the same (by then outdated) version as the cmdlets they describe.

By forcing you to Update-Help, MSFT make sure that you have the current version of help files, i.e. help files for newer versions of the cmdlets which you likely don’t have, unless you have also updated the cmdlets.

But this is not the only oddity concerning PowerShell help files. Look at this:

PS C:\> Get-Help New-ScheduledTask

NAME
    New-ScheduledTask

SYNOPSIS
    Creates a scheduled task instance.


SYNTAX
    New-ScheduledTask [[-Action] <CimInstance[]>] [-AsJob <SwitchParameter>] [-CimSession <CimSession[]>] [[-Description] <String>] [[-Principal] <CimInstance>] [[-Settings] <CimInstance>] [-ThrottleLimit
    <Int32>] [[-Trigger] <CimInstance[]>] [<CommonParameters>]


DESCRIPTION
    The **New-ScheduledTask** cmdlet creates an object that contains the definition of a scheduled task. **New-ScheduledTask** does not automatically register the object with the Task Scheduler service.

    You can register a task to run any of the following application or file types: Win32 applications, Win16 applications, OS/2 applications, MS-DOS applications, batch files (*.bat), command files (*.cmd),
    or any properly registered file type.

Really? You can register a scheduled task of the application type “OS/2 applications”? Even Win16 applications are not working on 64 bit Windows. But OS/2 applications have not been supported by Windows NT since Windows 2000. I am not sure if there even was a version of Windows that supported both the OS/2 subsystem and PowerShell.

Windows-on-Windows-64

For some reason Server Manager thinks that removing WoW64 (the system component that runs 32 bit programs) would remove the entire GUI.

But it does not.

Of course, some people would love to be able to convert a desktop server into a core server.

Next: Scheduled Tasks JEA