Exchange PowerShell SnapIn issue


Hello there,

 

We are using 3rd party SIEM software which keeps an eye on certain events in Exchange processes like msexchange rpc, w3wp, calls in exrpc32.dll, and everything works fine with the GUI or the Exchange Management Shell. But when we use PowerShell via "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;" and try something like "Search-Mailbox -Identity "username or alias" -SearchQuery 'Subject:" Your query "' -DeleteContent -Force" (Administrator added to "Discovery Management" and "Mailbox Import Export" role added to the "Organization Management" - this must be done to use the -DeleteContent switch), we can't register any events - which in our case is a security issue.

According to the "Process Monitor" it seems that exrpc32.dll is being called by PowerShell, but much later than the actual event happened. So, how do those commands work under the hood, and what can we do to resolve this issue or maybe find some workaround? Any thoughts where to look?

 

 

Call stack in debugger looks like this:
at System.DirectoryServices.Interop.UnsafeNativeMethods.IDirectorySearch.GetFirstRow(IntPtr hSearchResult)
at System.DirectoryServices.SearchResultCollection.ResultsEnumerator.MoveNext()
at System.DirectoryServices.DirectorySearcher.FindOne()
at Microsoft.Exchange.Sqm.SqmSession.GetOptInStatus()
at Microsoft.Exchange.Sqm.SqmSession.UpdateData(Boolean flushToDisk, Boolean closing)
at Microsoft.Exchange.Sqm.SqmSession.OnCreate()
at Microsoft.Exchange.Sqm.SqmSession.Open()
at Microsoft.Exchange.Configuration.SQM.CmdletSqmSession..ctor()
at Microsoft.Exchange.Configuration.SQM.CmdletSqmSession.get_Instance()
at Microsoft.Exchange.Configuration.Tasks.TaskModuleFactory.RegisterModules()
at Microsoft.Exchange.Configuration.Tasks.ADObjectTaskModuleFactory..ctor()
at Microsoft.Exchange.Configuration.Tasks.RecipientObjectActionTask`2.CreateTaskModuleFactory()
at Microsoft.Exchange.Configuration.Tasks.Task.InitTaskModule()
at Microsoft.Exchange.Configuration.Tasks.Task.<BeginProcessing>b__83_0()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeNonRetryableFunc(Action func, Boolean terminatePipelineIfFailed)
at Microsoft.Exchange.Configuration.Tasks.Task.ProcessTaskStage(TaskStage taskStage, Action initFunc, Action mainFunc, Action completeFunc)
at Microsoft.Exchange.Configuration.Tasks.Task.BeginProcessing()
at System.Management.Automation.Cmdlet.DoBeginProcessing()
at System.Management.Automation.CommandProcessorBase.DoBegin()
at System.Management.Automation.CommandProcessor.DoBegin()
at System.Management.Automation.Internal.PipelineProcessor.Start(Boolean incomingStream)
at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object input)
at System.Management.Automation.PipelineOps.InvokePipeline(Object input, Boolean ignoreInput, CommandParameterInternal[][] pipeElements, CommandBaseAst[] pipeElementAsts, CommandRedirection[][] commandRedirections, FunctionContext funcContext)
at System.Management.Automation.Interpreter.ActionCallInstruction`6.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.Interpreter.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.LightLambda.RunVoid1[T0](T0 arg0)
at System.Management.Automation.DlrScriptCommandProcessor.RunClause(Action`1 clause, Object dollarUnderbar, Object inputToProcess)
at System.Management.Automation.DlrScriptCommandProcessor.Complete()
at System.Management.Automation.CommandProcessorBase.DoComplete()
at System.Management.Automation.Internal.PipelineProcessor.DoCompleteCore(CommandProcessorBase commandRequestingUpstreamCommandsToStop)
at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object input)
at System.Management.Automation.Runspaces.LocalPipeline.InvokeHelper()
at System.Management.Automation.Runspaces.LocalPipeline.InvokeThreadProc()
at System.Management.Automation.Runspaces.PipelineThread.WorkerProc()
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()

0 Replies