It’s going to be fun for me with automation being a key driver. Let’s hope they solve the inboxing problem for 7.8 so we can just all go back to relying on that.
Posts by Jordan Borean
My understanding of msix packaging (I could be wrong) is that it fundamentally doesn’t have a system wide installation option. You can provision it machine wide but that only works for new profiles created afterwards. Not sure how it could ever be used for some of the mentioned scenarios.
Definitely unfortunate, especially since there are known problems with MSIX that haven’t had any fixes in the years they’ve been open. Time will tell if this is the impetus to actually fix them but great even more reasons for 7.7 to be delayed due to “build” changes yet again.
Might add a comment on the thread, worst case I get shamed into deleting my GH account :P
Thank god, this has been a major annoyance with .NET. Would have loved to have seen an option to specify the parent process but can understand how complicated that would make HANDLE inheritance and stdio pipe redirection if they did that.
Against my better judgement I decided to post the code for the directory service last night.
github.com/SteveSyfuhs/...
All good, just curious if you had a specific reason. It’s a common problem where people try and use aliases like bash aliases then come unstuck. In most cases people just need the function defined with that name.
Any reason why you use an alias here rather than just the functions with those names? Are you relying on the alias beating any other command found?
Did all your desired changes go in? IIRC there was a slightly more controversial change that needed some WG review or something? Still I love the extra detail here, very useful.
I'm torn, I've started to use it a bit more during the prototyping phase. The latest thing was gist.github.com/jborean93/d9... where I used LLMs to do some of the boring work like defining the ASN.1 structs and packing/unpacking logic. Has allowed me to focus on analysing the problem itself.
At least MIT krb5 just doesn’t seem to support it at all. gss_accept_sec_context expects the first input buffer on Kerberos to be an InitialContextToken with the Kerberos mech. From there it also expects the underlying message to be an AP-REQ and nothing else.
in the negotiate exchange (SPNEGO NegTokenInit/InitialContextToken with Kerb MECH not U2U mech). Lastly I needed to set up a keytab with the TGT so the acceptor can decrypt the ticket. All of it is in my POC at gist.github.com/jborean93/d9....
I ended up getting something working but unfortunately it doesn't seem to be possible in pure GSSAPI. The underlying kerb bits don't support the TGT-REQ so I needed to extract the ticket data and return that. The subsequent AP-REQ needs to be rewrapped so it looks like the first AP-REQ...
New release of the #PowerShell module `TextMate` (0.2.1)
added a builtin pager and partial ALC.
supports search highlighting and sixel images.
Accessible via the `-Page` parameter or `Out-Page` cmdlet.
github.com/trackd/TextM...
The issue is really how does it all interop with GSSAPI. So far I’ve parsed the TGT-REQ from the initiator, used the krb5 API to request the ticket ala kinit, send back the ticket data. But now the hiccup is dealing with the AP-REQ that is encrypted with the TGT session key and GSSAPI cred objects.
I definitely need to create a debug build of MIT krb5 and step through it to see why it’s failing. It’s most likely just my keytab or credential handling as it looks like I need an actual TGT rather than a keytab for a SPN. I do see the req with the U2U mech oid and service names from the initiator.
Thanks, I hadn’t thought of the remote assistance but makes sense if the acceptor in that scenario is the user principal and not a service principal with an SPN. I’ll continue playing around but ultimately I’m trying to do the acceptor side for U2U on GSSAPI but seems like it may not be supported
Hmm I traced InitializeSecurityContextW and it looks like maybe it's ISC_REQ_USE_SESSION_KEY and CredSSP just always sets that? Can you think of a reason why CredSSP would want to use U2U here, what are the advantages of doing so?
@syfuhs.net is there some configuration or API flag to set somewhere to tell SSPI to use Kerberos User to User from the initiator side? I'm trying to set up a test CredSSP acceptor for a WinRM server and Windows uses U2U but I'm curious how it does that and whether CredSSP itself just forces it.
Nice, I’ve been meaning to create a source generator that builds the scaffolding to make a cmdlet run the blocks as an async task. A lot of the newer IO based APIs are async only and are a massive pain to use in pwsh sometimes.
> This week is mostly AI stuff with a new autopilot agent mode
I feel like you could say that for the past couple of months :)
multi-pwsh 0.7.0 is out with initial #PowerShell virtual environment (venv) support, through runtime hooking of PowerShell, PowerShellGet and PSResourceGet! Try it out now, let me know what you think 👇
github.com/Devolutions/...
Just the FYI while they do use it for parameters to avoid accidentally logging or to mask input for mandatory params that are "sensitive" the PSRemoting special case was removed in 7.6 github.com/PowerShell/P.... It's still special cased on Windows when serialized as CLIXML though.
Published a new module called AvaloniaUIShell, (the world's first?) cross-platform desktop GUI framework for PowerShell.
github.com/mdgrs-mei/Av...
It's using the same mechanism as WinUIShell and takes care of all threading and non-blocking UI operations.
#PowerShell
I would highly recommend using uv. Can manage Python installs as well as venvs and package installations. I’ve not used it on Windows yet but it’s streets ahead on nix and has replaced pyenv, pip, venv (at least the cli) for me in one nice and fast tool.
I think pwsh is trying to move away from marker vars like this. It’s slightly longer but there is now [Environment]::IsPrivilegedProcess you should be able to use now learn.microsoft.com/en-us/dotnet...
Yea Windows unfortunately has this problem, sorry based on your description I thought it was for *nix
You can always create a symlink in usr bin or local bin for your pwsh versioned suffixes. Ultimately the only builtin thing is pwsh and pwsh-preview and even then the rc releases seem to blur the lines between the 2.
I cleaned up, modernized and improved an old pet project of mine: a .NET native host in Rust that can load and call PowerShell *in-process* from its install path, without a copy of the PowerShell SDK: github.com/Devolutions/...
This is relatively new (7.3 or so) and is part of PowerShell predictors framework. PSReadLine is the one that actually implements it and does use your history. It's not part of the terminal/vscode here learn.microsoft.com/en-us/powers...