Copy-Item fails in Powershell WF

Hello, i have a really simple powershell WF

Workflow Gather-SecurityLogs {
    parallel {
        sequence {
            InlineScript {
                cmd /k 'wevtutil epl security /q:"*[System[TimeCreated[timediff(@SystemTime) <= 7862400000]]]" c:\%computername%.evtx /ow:true'
            }
Copy-Item c:\output.evtx \\dc\share\$pscomputername.evtx
        }
    }
}

which errors out with permission denied. I tried with domain admin acc, powershell started from admin, tried granting everyone all access to share (including security permissions)… no good. Any ideas?
Copy-Item works outside powershell wf, what am i missing?

Workflows aren’t scripts in the usual sense. Workflows get translated to XAML, and then passed off to Windows Workflow Foundation to execute. So regardless of how you opened PowerShell, the code is actually being executed, usually, by SYSTEM, which doesn’t have the ability to access network resources. “Everyone” on the share permissions (and you’d also need to look at the underlying NTFS file permissions) doesn’t include non-authenticated (Anonymous) users, which is probably what’s happening.

Try adding the -PSCredential common parameter when you run Gather-SecurityLogs. That should let you specify a credential for the workflow to run under.

Oh, and Gather isn’t a good verb. See https://technet.microsoft.com/en-us/library/ms714428(v=vs.85).aspx for the list of approved verbs. I suspect you want to use Get. Maybe Join. :slight_smile:

In case or -credential, i suppose i need to construct variable before hand, right? let me see

Workflow Gather-SecurityLogs {
    $user = 'xxxxx'
    $PlainPassword = 'xxxxx'
    $SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential -ArgumentList $User, $SecurePassword
    
    parallel {
        sequence {
            InlineScript {
                cmd /k 'wevtutil epl security /q:"*[System[TimeCreated[timediff(@SystemTime) <= 7862400000]]]" c:\%computername%.evtx /ow:true'
                New-PSDrive -Name X -PSProvider FileSystem -Root "\\msk-dc-02\C$" -Credential $using:cred
                Copy-Item c:\$pscomputername.evtx X:\$pscomputername.evtx
                Remove-PSDrive -Name X
            }
        }
    }
}

works like this
ps. that for the verb info, didn’t think about it when doing this :wink:
pps. is there any easy way to secure password string?
ppps. how to mark an answer?