PowerShell access denied to cert:\CurrentUser\My

Solution 1

Sounds like you have permissions issues.

Is this an admin account on this PC, are you subject to domain controls, and are there group policies enabled?

I'm guessing this PC is locked down more than PowerShell would like. Some admins won't allow it to run at all since it's possible to do some damage.

When you run Set-ExecutionPolicy RemoteSigned do you get any errors?

Solution 2

PowerShell runs through the .NET Framework. I've not used XP for a while, but if I remember correctly, there is some weird .NET user in the user list. I never got around to figuring out what that was for, but maybe you need to give that user NTFS rights to the directory in question.

Solution 3

I discovered why this was happening. If I just run PowerShell from the menu I have problems accessing certificates and other resources. For example, if I just run it and navigate to my home directory and run "dir", I get this:

PS C:\Documents and Settings\username> dir
Get-ChildItem : Access to the path 'C:\Documents and Settings\username' is denied.
At line:1 char:3
+ dir <<<<
PS C:\Documents and Settings\username>

Yet I can use Windows Explorer or a DOS window to successfully list the contents.

What works is when I right click on PowerShell and select "Run As," leave it on the current user, and uncheck the "Protect my computer and data from unauthorized program activity." After this I can list my home directory and I can access the certificate I need to sign my code.

My DEP settings are grayed out, which means they are pushed by a group policy, or I need to elevate to Administrator to change it. I logged in as an Administrator and found that DEP is on for essential Windows programs and services only. I guess PowerShell falls into this category. Now that I can access the certificate I have discovered that the private key can't be found. I think this can be fixed by having the certificate reissued.
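
The checks described in this answer and in the question's EDIT 2 can be repeated in one pass and compared between a normally launched session and a "Run As" session. The following is an added example, not part of the original post: the function name `Test-ReadAccess` is hypothetical, the paths are the Windows XP paths quoted on this page, and the syntax is kept to what PowerShell 1.0 accepts (no try/catch).

```powershell
# Added diagnostic sketch, not from the original thread.
# Paste into the PowerShell console; it only reads, it changes nothing.

function Test-ReadAccess {
    param([string]$Path)
    $err = @()
    # Hide the error on screen but capture it so the reason can be reported.
    $null = Get-ChildItem -Path $Path -ErrorAction SilentlyContinue -ErrorVariable err
    if ($err.Count -gt 0) {
        "FAILED  {0}`n        {1}" -f $Path, $err[0].Exception.Message
    } else {
        "OK      {0}" -f $Path
    }
}

# Identity the session reports for its own process token.
"Running as: " + [Security.Principal.WindowsIdentity]::GetCurrent().Name

# Locations this page reports as denied (XP profile layout).
$profileDir = $env:USERPROFILE
$targets = @(
    $profileDir,
    (Join-Path $profileDir 'Local Settings\Temp'),
    (Join-Path $profileDir 'Application Data\Microsoft\SystemCertificates\My\Certificates'),
    'cert:\CurrentUser\My'
)
foreach ($t in $targets) { Test-ReadAccess $t }

# Code-signing certificates visible to this session, and whether each one
# has an associated private key (required by Set-AuthenticodeSignature).
$certs = @(Get-ChildItem cert:\CurrentUser\My -CodeSigningCert -ErrorAction SilentlyContinue)
if ($certs.Count -eq 0) {
    "No code-signing certificate is readable from this session."
}
$now = Get-Date
foreach ($c in $certs) {
    $inPeriod = ($now -ge $c.NotBefore) -and ($now -le $c.NotAfter)
    "{0}  HasPrivateKey={1}  InValidityPeriod={2}" -f $c.Subject, $c.HasPrivateKey, $inPeriod
}
```

A certificate that lists with `HasPrivateKey=False` matches the "private key can't be found" symptom above and cannot be used for signing until it is reissued or re-imported together with its key.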

Author: Bratch

Updated on September 17, 2022

Comments

  • Bratch
    Bratch almost 2 years
    PS cert:\currentuser\my> dir  
    Get-ChildItem : Access is denied.
    At line:1 char:3
    + dir <<<<
    

    I cannot access any of my code signing certificates to sign a PowerShell script. I can open MMC, Certificates, and see that my code signing certificates are installed and valid on my machine (Windows XP SP 3).

    The other weird thing is that I cannot access any of my mapped network drives from PowerShell, but I can see them fine in Windows Explorer and a DOS window.

    I've uninstalled PowerShell, rebooted, and re-installed PowerShell 1, but still have the same problem.

    EDIT: My day-to-day account on this machine is NOT an administrator, but I do have an administrator account I can use for tasks that require it. The code signing certificate is assigned to my day-to-day account, and I should not have to be an administrator to sign code. I'm not sure how to give this account rights to the certificate store.

    EDIT 2: I ran FileMon and RegMon to see what I am being denied access to. cert:CurrentUser\My is the folder C:\Documents and Settings\USERNAME\Application Data\Microsoft\SystemCertificates\My\Certificates. It also denied me access to C:\Documents and Settings\USERNAME\Local Settings\Temp. I can open Explorer and get to the files in these folders with no problem. I temporarily gave Everyone full rights to these folders and still received the access denied message from PowerShell.

    Google hasn't revealed much. What should I do?

    Message from Windows PowerShell event log:

    Provider Health: Attempting to perform the GetChildItems operation on  
    the 'Certificate' provider failed for path '\currentuser\my'. Access is denied.
    
    Details: 
    ProviderName=Certificate
    ExceptionClass=ProviderInvocationException
    ErrorCategory=InvalidOperation
    ErrorId=GetChildrenProviderException
    ErrorMessage=Attempting to perform the GetChildItems operation on  
           the 'Certificate' provider failed for path '\currentuser\my'.  
           Access is denied.
    
    Severity=Warning
    SequenceNumber=146
    
    HostName=ConsoleHost
    HostVersion=1.0.0.0
         .....  
    
    • boot13
      boot13 almost 14 years
      Maybe a dumb question, but is the folder actually named 'my'? It looks like a longer folder name that has been truncated at a space between 'my' and something else.
    • Bratch
      Bratch almost 14 years
      That is the folder name, you can open powershell and get to it, and it works as another user. PS D:\Projects> cd cert: PS cert:\> cd CurrentUser PS cert:\CurrentUser> cd My PS cert:\CurrentUser\My> dir Get-ChildItem : Access is denied.
  • Bratch
    Bratch almost 14 years
    Good points, I made an edit to the question about being an administrator. There are domain controls and group policies in effect, so I will need to check with I.S. about them. As a programmer I write scripts, and my admin account works fine, just not this user account. Setting the execution policy denied me access to the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell." I'm checking with I.S. now ...
  • Bratch
    Bratch almost 14 years
    I was able to edit that registry key by hand, but cannot set it from PowerShell. PowerShell is running as me, so I don't get why there is a difference.
  • Bratch
    Bratch almost 14 years
    This might be the case, but I'm not sure where to assign the user permissions for the certificate store. My XP box is getting replaced with a Windows 7 box soon, so I will have new issues to face, but until then I still need to sign scripts.
  • Bratch
    Bratch almost 14 years
    So PowerShell isn't really running as me? It shows my user name in the task manager.
  • Bratch
    Bratch almost 14 years
    No domain controls or group policies are in place that would prevent me from running powershell and getting access to the certificate store. It comes down to not having permissions to access the certificate store, and I'm not sure how to have those rights granted so that powershell can access the certs.
  • Naidim
    Naidim almost 14 years
    I was just trying to think of possibilities to why there seems to be a permissions issue.
  • Bratch
    Bratch over 12 years
    Accepted because of mention of group policies.