cherdeg Posted June 26, 2008 (edited)

Hi all together,

I would like to contribute some lines of my code to the community (as I have noticed that several people had problems using setacl.exe from within AutoIt). Probably there are more includes than necessary...feel free to clean up here as well as in other areas...

To use it you will have to copy the x86 and x64 versions of setacl.exe to a tools-directory with the following names: "SetACL-x64.exe" and "SetACL-x32.exe".

```autoit
#include <Constants.au3>
#include <GUIConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <StaticConstants.au3>
#include <String.au3>
#include <file.au3>
#include <Array.au3>

; Define global variables
; ==================================================================================================
Global $s_ini_file = "setacls.ini"
Global $s_ini_sections = IniReadSectionNames($s_ini_file)

; Run da shi-i-iiit!
; ==================================================================================================
_setACLs()

; Function _setACLs to harden ACLs on security relevant files and directories specified in the INI-File
; ==============================================================================================
Func _setACLs()

    ; Create an array for the objects to change the ACLs on
    ; Check how many of the 20 possible Objects are defined in the INI-File ($counter)
    Local $counter = 0
    For $j = 0 To 19
        $actualACLobject = "ACLobject_" & $j
        If IniRead($s_ini_file, "Settings", $actualACLobject, "") <> '' Then
            $counter = $counter + 1
        EndIf
    Next
    If $counter = 0 Then Return ; nothing defined in the INI-File

    ; Create the array $arrACLobjects (dynamically in size depending on $counter's value)
    ; Scan all 20 slots and fill by $n, so the index never runs past the array's end
    Local $arrACLobjects[$counter]
    Local $n = 0
    For $j = 0 To 19
        $actualACLobject = "ACLobject_" & $j
        If IniRead($s_ini_file, "Settings", $actualACLobject, "") <> '' Then
            $arrACLobjects[$n] = IniRead($s_ini_file, "Settings", $actualACLobject, "")
            $n += 1
        EndIf
    Next

    ; Set a variable containing the right filename for SetACL.exe depending on the local machine's bit count (x32 or x64)
    ; ("Not _OSBits() = 32" is parsed as "(Not _OSBits()) = 32" and never selects x64)
    $s_ToolsShare = IniRead($s_ini_file, "Settings", "ToolsShare", "")
    If _OSBits() = 64 Then
        $s_ACLtool = "SetACL-x64.exe"
    Else
        $s_ACLtool = "SetACL-x32.exe"
    EndIf

    ; Set the ACLs for all objects specified in the INI-File
    For $i = 0 To UBound($arrACLobjects) - 1
        $InfoValue = "Setting File and Directory ACLs..."
        _InfoGui($InfoValue)
        ; revoke AllAccess for "Everyone", "Users" and "Power Users"
        ; set FullAccess for "Administrators" and "System"
        ; remove inherited permissions
        ; inherit the new ones recursively
        $cmd = $s_ToolsShare & "\" & $s_ACLtool & " -on """ & $arrACLobjects[$i] & """ -ot file -actn ace -ace ""n:everyone;m:revoke"" -ace ""n:users;m:revoke"" -ace ""n:power users;m:revoke"" -ace ""n:S-1-5-32-544;p:full;s:y"" -ace ""n:S-1-5-18;p:full;s:y"" -actn setprot -op ""dacl:p_nc;sacl:p_nc"" -rec cont_obj"
        RunWait(@ComSpec & " /c " & $cmd, "", @SW_SHOW)
        GUIDelete()
    Next

EndFunc ;==>_setACLs

; Function _OSBits to check if the host's OS is 32 or 64bits, returns "64" or "32"
; ==============================================================================================
Func _OSBits()
    Local $tOS = DllStructCreate("char[256]")
    Local $aGSWD = DllCall("Kernel32.dll", "int", "GetSystemWow64Directory", "ptr", DllStructGetPtr($tOS), "int", 256)
    If IsArray($aGSWD) And DllStructGetData($tOS, 1) Then Return 64
    Return 32
EndFunc ;==>_OSBits

; Function _InfoGUI to display an info about the task currently processed.
; ==============================================================================================
Func _InfoGUI($InfoValue)
    GUICreate("", 300, 100, -1, -1, $WS_Popup, $WS_EX_TOOLWINDOW, "")
    GUICtrlCreateLabel($InfoValue, 0, 45, 300, -1, $SS_Center)
    GUISetState(@SW_SHOW)
    Sleep(500)
EndFunc ;==>_InfoGUI
```

Also you would need an INI-file looking like this:

```ini
;####################################ACL Settings####################################
; Here up to 20 objects may be defined to set ACLs on. The ACLs of the objects defined
; here are set to the following ITSC104 compliant values:
;
; "COMPUTERNAME\System" = FullAccess
; "COMPUTERNAME\Administrators" = FullAccess
; "COMPUTERNAME\Users" = NoAccess
; "COMPUTERNAME\PowerUsers" = NoAccess
; "COMPUTERNAME\Everyone" = NoAccess
;
[settings]
ACLobject_0=c:\AUTOEXEC.BAT
ACLobject_1=c:\boot.ini
ACLobject_2=c:\CONFIG.SYS
ACLobject_3=c:\IO.SYS
ACLobject_4=c:\MSDOS.SYS
ACLobject_5=c:\NTDETECT.COM
ACLobject_6=c:\ntldr
ACLobject_7=c:\WINDOWS\repair
ACLobject_8=c:\WINDOWS\security
ACLobject_9=c:\WINDOWS\system32\config
ACLobject_10=c:\WINDOWS\system32\dllcache
ACLobject_11=c:\WINDOWS\system32\GroupPolicy
ACLobject_12=
ACLobject_13=
ACLobject_14=
ACLobject_15=
ACLobject_16=
ACLobject_17=
ACLobject_18=
ACLobject_19=
;
; The "ToolsShare" item shouldn't end with a \ or you would have to change the $cmd = [...] line accordingly!
;
ToolsShare=\\server\share\directory
```

Best Regards,
Chris

Edited June 26, 2008 by cherdeg

engine Posted July 12, 2008

Hi. Last time I used SetACL I suddenly lost permissions for everything under Windows XP. Even under the default Administrator account. I didn't even have permissions to restart my computer! I entered into safe mode. Deleted the folder I have set permissions on with SetACL. And finally my computer was usable again.
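
A pre-flight check for the hardening script from the first post, added here as an example and not code from any poster in this thread: it reads the same `ACLobject_N` entries, refuses targets broad enough to cause the kind of lockout described above, and saves the current security descriptors before anything is changed. `_IsRiskyTarget`, `_BackupAcl` and the backup file names are hypothetical; the `-actn list ... -bckp` options are SetACL's list/backup action and should be checked against the SetACL version in use.

```autoit
; Added example: validate INI targets and back up their ACLs before hardening.
; _IsRiskyTarget, _BackupAcl and the backup file names are hypothetical.
Global $s_ini_file = "setacls.ini"
; Assumption: the 32-bit SetACL binary under ToolsShare, named as in the first post
Global $s_tool = IniRead($s_ini_file, "Settings", "ToolsShare", "") & "\SetACL-x32.exe"

For $j = 0 To 19
    Local $s_obj = IniRead($s_ini_file, "Settings", "ACLobject_" & $j, "")
    If $s_obj = "" Then ContinueLoop ; unused slot
    If Not FileExists($s_obj) Then
        ConsoleWrite("SKIP (not found): " & $s_obj & @CRLF)
    ElseIf _IsRiskyTarget($s_obj) Then
        ConsoleWrite("REFUSED (too broad): " & $s_obj & @CRLF)
    ElseIf _BackupAcl($s_obj, @ScriptDir & "\acl-backup-" & $j & ".txt") <> 0 Then
        ConsoleWrite("SKIP (ACL backup failed): " & $s_obj & @CRLF)
    Else
        ConsoleWrite("OK to harden: " & $s_obj & @CRLF)
    EndIf
Next

; True for a whole drive or a top-level system directory: revoking Users/Everyone
; there, recursively and with inheritance blocked, can lock out every account.
Func _IsRiskyTarget($s_path)
    Local $s = FileGetLongName($s_path) ; expand 8.3 short names before comparing
    $s = StringRegExpReplace($s, "\\+$", "") ; drop trailing backslashes
    If StringRegExp($s, "^[A-Za-z]:$") Then Return True ; drive root
    Local $a_broad[3] = [@WindowsDir, @SystemDir, @ProgramFilesDir]
    For $s_dir In $a_broad
        If $s = $s_dir Then Return True ; "=" compares strings case-insensitively
    Next
    Return False
EndFunc ;==>_IsRiskyTarget

; Write DACL, SACL, owner and group of $s_path (recursively) to $s_backup as SDDL.
; Returns SetACL's exit code (0 = success) or -1 if SetACL could not be started.
Func _BackupAcl($s_path, $s_backup)
    Local $cmd = '"' & $s_tool & '" -on "' & $s_path & '" -ot file -actn list' & _
            ' -lst "f:sddl;w:d,s,o,g" -rec cont_obj -bckp "' & $s_backup & '"'
    Local $i_exit = RunWait($cmd, "", @SW_HIDE)
    If @error Then Return -1 ; RunWait returns 0 and sets @error when the launch fails
    Return $i_exit
EndFunc ;==>_BackupAcl
```

A saved descriptor file can be applied again with SetACL's `-actn restore -bckp <file>` action if the new ACLs turn out to be too strict.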

maydayy Posted October 30, 2009

Hello. I am trying to give privileges for all users on a folder. I can't make it work. Can you please help me? This is the code:

```autoit
#include <Constants.au3>
#include <GUIConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <StaticConstants.au3>
#include <String.au3>
#include <file.au3>
#include <Array.au3>

$set = @DesktopDir & "/setacl/SetACL.exe"
$dir = @ProgramFilesDir & "/oracle"
msgbox(0, "", @error)
$cmd = $set "-on """ & $dir & """-ot file -actn ace -ace ""n:users;p:full""
RunWait(@ComSpec & " /c " & $cmd, "", @SW_SHOW)
msgbox(0, "", @error)
```

The error I get is:

"C:\Documents and Settings\User\Desktop\setacl\setacl_pilot.au3 (24) : ==> Unterminated string.: $cmd = $set "-on """ & $dir & """-ot file -actn ace -ace ""n:users;p:full"" "

wakillon Posted March 25, 2010 (edited)

> give privileges for all users on a folder.

Try this

```autoit
$set = @DesktopDir & "\setacl\SetACL.exe"
$dir = @ProgramFilesDir & "\oracle"
$user = 'everyone' ; 'tout le monde'
$cmd = FileGetShortName ( $set ) & ' -on ' & '"' & $dir & '"' & ' -ot file -actn ace -ace "n:' & $user & ';p:full"'
_SetACL ( $cmd, @Homedrive & '\SetACL.log' )
Exit

; Run the SetACL command line and capture its output in a log file
Func _SetACL ( $cmd, $_OutputLogPath )
    FileDelete ( $_OutputLogPath )
    ConsoleWrite ( "+---- $cmd : " & $cmd & @Crlf )
    RunWait ( @ComSpec & " /c " & $cmd & ' >' & $_OutputLogPath, '', @SW_HIDE )
    ConsoleWrite ( "+---- ReadOutPutLog : " & @Crlf & _ReadOutPutLog ( $_OutputLogPath ) & @Crlf )
EndFunc ;==> _SetACL ( )

; Return the contents of the log file, or '' if it cannot be opened
Func _ReadOutPutLog ( $_AclOutputFile )
    $_FileOpen = FileOpen ( $_AclOutputFile, 0 )
    If $_FileOpen = -1 Then Return '' ; FileOpen signals failure with -1, not with @error
    $_Return = FileRead ( $_FileOpen )
    FileClose ( $_FileOpen ) ; always release the handle
    Return $_Return
EndFunc ;==> _ReadOutPutLog ( )
```

Edited March 25, 2010 by wakillon