FredAI, posted November 4, 2011 (edited)

Hi.

I've been working on this for a while. I think now it's good enough to post it here.

Functions to do most everything with the DACL and ownership on all types of objects: files or folders, registry keys, services, kernel and WMI objects, etc.

Here's a good example to test:

```autoit
#include 'Permissions.au3'

_InitiatePermissionResources()

FileWrite(@ScriptDir&'\test.txt','Test')

; Deny all access and take ownership
Local $TI = TimerInit()
Local $ret = _DenyAllAccess(@ScriptDir&'\test.txt',$SE_FILE_OBJECT,@UserName)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Deny all access to test.txt and take ownership:'&@CRLF&@CRLF& _
    '_DenyAllAccess return value: '&$ret&' Time: '&Round($TD,2)&' milliseconds.'&@CRLF& _
    'Check the file permissions before closing the message box.')

; Read access for everyone, full access for admins and system
$TI = TimerInit()
$ret = _GrantReadAccess(@ScriptDir&'\test.txt',$SE_FILE_OBJECT,'Administrators')
$TD = TimerDiff($TI)
MsgBox(0,'','Grant everyone read access, all access to admins and system, and set the owner: Admins group'&@CRLF&@CRLF& _
    '_GrantReadAccess return value: '&$ret&' Time: '&Round($TD,2)&' milliseconds.'&@CRLF& _
    'Check the file permissions before closing the message box.')

; Full access for everyone
$TI = TimerInit()
$ret = _GrantAllAccess(@ScriptDir&'\test.txt')
$TD = TimerDiff($TI)
MsgBox(0,'','Grant everyone access'&@CRLF&@CRLF& _
    '_GrantAllAccess return value: '&$ret&' Time: '&Round($TD,2)&' milliseconds.'&@CRLF& _
    'Check the file permissions before closing the message box.')

; Copy the DACL from the parent folder
$TI = TimerInit()
$ret = _CopyFullDacl(@ScriptDir&'\test.txt',$SE_FILE_OBJECT,@ScriptDir)
$TD = TimerDiff($TI)
MsgBox(0,'','Restore all inherited permissions'&@CRLF&@CRLF& _
    '_CopyFullDacl return value: '&$ret&' Time: '&Round($TD,2)&' milliseconds.'&@CRLF& _
    'Check the file permissions before closing the message box.')

; Each row: trustee, 1 = grant / 0 = deny, access mask
$TI = TimerInit()
Local $aPerm[2][3] = [['Restricted',1,$GENERIC_ALL],['Users',1,$GENERIC_ALL]]
$ret = _EditObjectPermissions(@ScriptDir&'\test.txt',$aPerm)
$TD = TimerDiff($TI)
MsgBox(0,'','Add two granted access aces: Restricted and Users'&@CRLF&@CRLF& _
    '_EditObjectPermissions return value: '&$ret&' Time: '&Round($TD,2)&' milliseconds.'&@CRLF& _
    'Check the file permissions before closing the message box.')

$TI = TimerInit()
Dim $aPerm[2][3] = [['Restricted',1,$GENERIC_READ],['Users',1,$GENERIC_READ]]
$ret = _EditObjectPermissions(@ScriptDir&'\test.txt',$aPerm)
$TD = TimerDiff($TI)
MsgBox(0,'','Give only read access to the Restricted and Users groups'&@CRLF&@CRLF& _
    '_EditObjectPermissions return value: '&$ret&' Time: '&Round($TD,2)&' milliseconds.'&@CRLF& _
    'Check the file permissions before closing the message box.')

$TI = TimerInit()
Dim $aPerm[2][3] = [['Restricted',0,$GENERIC_ALL],['Users',0,$GENERIC_ALL]]
$ret = _EditObjectPermissions(@ScriptDir&'\test.txt',$aPerm)
$TD = TimerDiff($TI)
MsgBox(0,'','Deny access to the Restricted and Users groups'&@CRLF&@CRLF& _
    '_EditObjectPermissions return value: '&$ret&' Time: '&Round($TD,2)&' milliseconds.'&@CRLF& _
    'Check the file permissions before closing the message box.')

; Kernel object: the DACL of the current process
$TI = TimerInit()
Local $Hndl = _Permissions_OpenProcess(@AutoItPID)
Local $SDBefore = _GetObjectStringSecurityDescriptor($Hndl,$SE_KERNEL_OBJECT)
Local $CODRet = _ClearObjectDacl($Hndl,$SE_KERNEL_OBJECT)
Local $DARet = _DenyAllAccess($Hndl,$SE_KERNEL_OBJECT)
Local $SDAfter = _GetObjectStringSecurityDescriptor($Hndl,$SE_KERNEL_OBJECT)
$TD = Round(TimerDiff($TI),2)
MsgBox(0,'', 'Deny everyone access to the current process:'&@CRLF&@CRLF& _
    '@AutoItPID original security descriptor: '&@CRLF&$SDBefore&@CRLF&@CRLF& _
    '_ClearObjectDacl return value: '&$CODRet&@CRLF&@CRLF& _
    '_DenyAllAccess return value: '&$DARet&@CRLF&@CRLF& _
    'New @AutoItPID security descriptor: '&@CRLF& _
    $SDAfter&@CRLF&@CRLF& 'Time taken: '&$TD&' milliseconds.')
_Permissions_CloseHandle($Hndl)

FileDelete(@ScriptDir&'\test.txt')
_ClosePermissionResources()
```

I'm planning to add functions to deal with the Sacl in the future, even though I don't think it's very important.

Edit: Let me know if you need an example for the registry.

Updated: Fixed a bug in the _ClearObjectDacl function. I thought that adding a null DACL would work fine, but it causes problems later when adding a new DACL. Those who have downloaded, please update.

Shoot! Now it wasn't clearing the DACL at all. Updated again. I think it's fixed now.

Updated 9/11/2011 - Added the security descriptor functions and removed unnecessary constants.

Updated 10/11/2011 - There were some functions missing in the index, and some parameters in the comments. Also removed the "MustDeclareVars" option. (About 50 total downloads before)

Update 12/12/2011

- Added more functions: _SetDefaultFileAccess, _EditObjectPermissions, _MergeDaclToArray, _CreateDaclFromArray
- Added more error handling and fixed a few bugs
- Added the option to recurse only subfolders, only files or both.
- Added more strings for universal SIDs: 'Authenticated Users', 'Users', 'Guests', 'Local Authority', 'Creator Owner', 'NT Authority', 'Restricted' and 'TrustedInstaller'

The new _EditObjectPermissions function allows you to set the desired permissions from an array just like _SetObjectPermissions, but it will keep non inherited aces.

Inherited aces are not deleted by any of the two functions, unless you set $ClearDacl to 1.

The new _EditObjectPermissions function does not delete non inherited aces even if you set $ClearDacl to 1.

If you want to clear the full Dacl you should use _SetObjectPermissions or call _ClearObjectDacl before calling _EditObjectPermissions.

New Update 12/12/2011 - Missing declaration keywords in 3 constants. Sorry.

Update 16/12/2011 - Added support for all object types, including window and process handles. Added more functions, modified most of them, and removed one.

Here's the new function list:

- _InitiatePermissionResources
- _ClosePermissionResources
- _CopyFullDacl
- _InheritParentPermissions
- _SetDefaultFileAccess
- _DenyAllAccess
- _GrantAllAccess
- _GrantReadAccess
- _GrantReadDenyWrite
- _SetObjectPermissions
- _EditObjectPermissions
- _MergeDaclToArray
- _CreateDaclFromArray
- _SetObjectSecurity
- _SetObjectSecurityDescriptor
- _TreeResetPermissions
- _Permissions_OpenProcess
- _Permissions_KillProcess
- _Permissions_CloseHandle
- _SetFileObjectSecurity
- _SetRegObjectSecurity
- _ClearObjectDacl
- _GetObjectDacl
- _GetObjectOwner
- _SetObjectOwner
- _GetSecurityDescriptorOwner
- _GetSecurityDescriptorGroup
- _GetSecurityDescriptorDacl
- _GetSecurityDescriptorSacl
- _GetObjectSecurityDescriptor
- _GetObjectStringSecurityDescriptor
- _SetObjectStringSecurityDescriptor
- _ConvertSecurityDescriptorToStringSecurityDescriptor
- _ConvertStringSecurityDescriptorToSecurityDescriptor
- _GetSidStruct
- _Security_RegKeyName

Updated 22/2/2012. This time I'm including SecurityConstants.au3 and FileConstants.au3 to prevent constants conflicts. Added a few more functions and fixed a few bugs.

Also added the ability to include the inherited aces in the _EditObjectPermissions function.

Now the permissions array can have four elements (optional). It will still work with three-element arrays though. The fourth element is intended to have the inheritance flag for the corresponding ace.

Here's the new list of functions:

- _InitiatePermissionResources
- _ClosePermissionResources
- _CopyFullDacl
- _InheritParentPermissions
- _SetDefaultFileAccess
- _DenyAllAccess
- _GrantAllAccess
- _GrantReadAccess
- _GrantReadDenyWrite
- _SetObjectPermissions
- _EditObjectPermissions
- _MergeDaclToArray
- _GetDaclSizeInformation
- _GetAce
- _CreateDaclFromArray
- _SetObjectSecurity
- _IsValidAcl
- _SetObjectSecurityDescriptor
- _TreeResetPermissions
- _Permissions_OpenProcess
- _Permissions_KillProcess
- _Permissions_CloseHandle
- _SetFileObjectSecurity
- _SetRegObjectSecurity
- _ClearObjectDacl
- _GetObjectDacl
- _GetObjectOwner
- _SetObjectOwner
- _GetSecurityDescriptorOwner
- _GetSecurityDescriptorGroup
- _GetSecurityDescriptorDacl
- _GetSecurityDescriptorSacl
- _GetObjectSecurityDescriptor
- _GetObjectStringSecurityDescriptor
- _SetObjectStringSecurityDescriptor
- _ConvertSecurityDescriptorToStringSecurityDescriptor
- _ConvertStringSecurityDescriptorToSecurityDescriptor
- _GetSidStruct
- _Security_RegKeyName

400 previous downloads

Attachment: Permissions.au3

Edited February 23, 2012 by FredAI

DXRW4E, posted November 4, 2011

Thank You, very useful. Thanks Again. Ciao.

KaFu, posted November 4, 2011

Definitely looks good, thanks a lot!

FredAI (author), posted November 4, 2011

You're welcome guys! It was my contribution to the community, after taking so much. Works much faster than SetAcl, and you can set the owner, clear the DACL and define all the desired permissions with one function call.

BrewManNH, posted November 4, 2011

I really like the look of this UDF, I was looking for something exactly like this earlier today for an automation script I was creating. This will finish it off exactly as I need to. Thank you for this.

FredAI (author), posted November 4, 2011

You're welcome, BrewManNH. If any of you find any bugs, please tell.

DXRW4E, posted November 5, 2011

Hi FredAI, sorry for my English. Is it possible to add these functions: http://msdn.microsoft.com/en-us/library/aa379570%28v=VS.85%29.aspx ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor? Ciao.

IRON, posted November 5, 2011

Not yet tested, but it looks good. Thanks a lot.

FredAI (author), posted November 5, 2011

I fixed a bug and updated the file. Check the first post.

> Is it possible to add these functions ...

Well, here they are:

```autoit
#include 'Permissions.au3'

_InitiatePermissionResources()
FileWrite(@ScriptDir&'\test.txt','test')
Local $TI = TimerInit()
;************************************************************************************************
Local $ret = _GetObjectStringSecurityDescriptor(@ScriptDir&'\test.txt'); Put here the function to test
Local $ret2 = _ConvertStringSecurityDescriptorToSecurityDescriptor($ret)
;************************************************************************************************
Local $TD = TimerDiff($TI)
MsgBox(0,'','String security descriptor: '&$ret&@CRLF&'Security descriptor pointer: '&$ret2&@CRLF&' Time: '&Round($TD,2)&' milliseconds.')
FileDelete(@ScriptDir&'\test.txt')
_ClosePermissionResources()

; Returns the object's owner and DACL as an SDDL string
Func _GetObjectStringSecurityDescriptor($oName, $_SE_OBJECT_TYPE = $SE_FILE_OBJECT)
    Local $SECURITY_INFORMATION = BitOR($DACL_SECURITY_INFORMATION,$OWNER_SECURITY_INFORMATION)
    Local $pSecDescriptor = _GetObjectSecurityDescriptor($oName, $_SE_OBJECT_TYPE)
    Local $strSecDescriptor = _ConvertSecurityDescriptorToStringSecurityDescriptor($pSecDescriptor)
    ; The descriptor returned by GetNamedSecurityInfo must be released with LocalFree
    DllCall($h__Kernel32Dll,'handle','LocalFree','handle',$pSecDescriptor)
    Return $strSecDescriptor
EndFunc ;==>_GetObjectStringSecurityDescriptor

Func _ConvertSecurityDescriptorToStringSecurityDescriptor(ByRef $pSecDescriptor)
    Local $SECURITY_INFORMATION = BitOR($DACL_SECURITY_INFORMATION,$OWNER_SECURITY_INFORMATION)
    Local $aRet = DllCall($h__Advapi32Dll,'bool','ConvertSecurityDescriptorToStringSecurityDescriptor', _
            'ptr',$pSecDescriptor,'DWORD',1,'DWORD',$SECURITY_INFORMATION,'str*',0,'ptr',0)
    If @error Then Return SetError(1,0,'')
    Return $aRet[4]
EndFunc ;==>_ConvertSecurityDescriptorToStringSecurityDescriptor

Func _ConvertStringSecurityDescriptorToSecurityDescriptor(ByRef $strSecDescriptor)
    Local $aRet = DllCall($h__Advapi32Dll,'bool','ConvertStringSecurityDescriptorToSecurityDescriptor', _
            'str',$strSecDescriptor,'DWORD',1,'ptr*',0,'ptr',0)
    If @error Then Return SetError(1,0,0)
    Return $aRet[3]
EndFunc ;==>_ConvertStringSecurityDescriptorToSecurityDescriptor

; Returns a pointer to the object's security descriptor (owner and DACL)
Func _GetObjectSecurityDescriptor($oName, $_SE_OBJECT_TYPE = $SE_FILE_OBJECT)
    Local $SECURITY_INFORMATION = BitOR($DACL_SECURITY_INFORMATION,$OWNER_SECURITY_INFORMATION)
    If $ResourcesState = 0 Then _InitiatePermissionResources()
    If $_SE_OBJECT_TYPE = $SE_REGISTRY_KEY Then $oName = _Security_RegKeyName($oName)
    Local $aRet = DllCall($h__Advapi32Dll,'DWORD','GetNamedSecurityInfo','str',$oName,'int',$_SE_OBJECT_TYPE, _
            'DWORD',$SECURITY_INFORMATION,'ptr',0,'ptr',0,'ptr',0,'ptr',0,'ptr*',0)
    If @error Then Return SetError(@error,0,0)
    Return SetError($aRet[0],0,$aRet[8])
EndFunc ;==>_GetObjectSecurityDescriptor
```

I don't know why you need these functions, but if you're planning on using them to set the DACL permissions, let me tell you you don't need them. You can easily edit the DACL by calling the _SetObjectPermissions function.

Imagine you want to give yourself all granted access to a file, but give everyone else only read and execute access. This can be very useful if you have kids, and you want them to be able to read and execute your files, but you don't want them to edit or delete them. Take a look at this code:

```autoit
#include 'Permissions.au3'

_InitiatePermissionResources()
Local $File = @ScriptDir&'\test.txt'
FileWrite($File,'test')
Local $TI = TimerInit()
; One row per ace: trustee, 1 = grant / 0 = deny, access mask
Local $aPerm[2][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'Everyone'
$aPerm[1][1] = 1
$aPerm[1][2] = $GENERIC_READ+$GENERIC_EXECUTE
Local $ret = _SetObjectPermissions($File,$aPerm,$SE_FILE_OBJECT,@UserName,1,1)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Function return value: '&$ret&@CRLF&' Time: '&Round($TD,2)&' milliseconds.')
_ClosePermissionResources()
```

You just have to create an array with the permissions you want to set:

- $array[0][0] - First ace user name or Sid string
- $array[0][1] - 1 or 0, whether to grant or deny the permissions defined in the access mask ($array[0][2])
- $array[0][2] - One or more access mask values, e.g. $GENERIC_READ+$GENERIC_EXECUTE
- $array[1][0] - Second ace user name or Sid string
- $array[1][1] - 1 or 0, whether to grant or deny the permissions defined in the access mask ($array[1][2])
- $array[1][2] - One or more access mask values, e.g. $GENERIC_READ+$GENERIC_EXECUTE

And so on. You can add as many aces as you want. The access denied aces have priority over the allowed ones.

Then you can set the owner, clear the DACL and recurse containers and objects (for folders and registry keys). When recursing, the child objects will automatically inherit the permissions from the parent one.

Don't know what else you can do by modifying the security descriptor.
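
An added example, not part of the thread or of Permissions.au3: a small Python model of how Windows walks a DACL in order, using rows shaped like the permissions array above (trustee, 1 = grant / 0 = deny, mask). It shows that a deny row only wins when it is evaluated before the allow row that covers the same right, which is why deny ACEs are placed first. The trustee names, `access_check` and `canonical_order` are hypothetical, and specific file rights stand in for the generic ones.

```python
# Specific file access-mask bits (winnt.h values).
FILE_READ_DATA = 0x1
FILE_WRITE_DATA = 0x2

# Constructed sample rows in the thread's array layout:
# [trustee, 1 = grant / 0 = deny, access mask]
ROWS = [
    ["Users", 1, FILE_READ_DATA | FILE_WRITE_DATA],
    ["kids", 0, FILE_WRITE_DATA],
]
# Constructed token: the caller is a member of both groups.
TOKEN = {"Users", "kids"}


def canonical_order(rows):
    """Deny rows first, then grant rows, keeping relative order inside each group."""
    return sorted(rows, key=lambda row: row[1])  # stable: 0 (deny) before 1 (grant)


def access_check(rows, token_names, desired):
    """Evaluate rows top to bottom, the way an ordered DACL is evaluated.

    Returns True once every desired bit has been granted, False as soon as a
    matching deny row covers a bit that is still outstanding, and False if the
    list ends with bits left over (no ACE granted them).
    """
    remaining = desired
    for trustee, grant, mask in rows:
        if trustee not in token_names:
            continue  # ACE does not apply to this caller
        if grant == 0 and mask & remaining:
            return False
        if grant == 1:
            remaining &= ~mask
            if remaining == 0:
                return True
    return False


if __name__ == "__main__":
    print("as written :", access_check(ROWS, TOKEN, FILE_WRITE_DATA))
    print("deny first :", access_check(canonical_order(ROWS), TOKEN, FILE_WRITE_DATA))
```
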

DXRW4E, posted November 5, 2011 (edited)

Thank you very much, I needed those functions because I want to have a backup of the security of the registry\file\service (save all the inf file), to give users the possibility to restore the original settings, using Secedit.exe (the way that Microsoft sets everything in Windows, etc.)

Sorry again for my English.

Ciao

Edited November 5, 2011 by DXRW4E

DXRW4E, posted November 5, 2011 (edited)

I wanted to ask one more thing. Using the _ConvertSecurityDescriptorToStringSecurityDescriptor, or this line

$a = "O:BUD:PAI(A;;FA;;;BU)(A;;0x1200a9;;;WD)"

after using the _ConvertStringSecurityDescriptorToSecurityDescriptor($a), how can I use that to set the _WriteDaclToObject? I'm doing wrong or something?

This is interesting because I shall be able to keep all the original settings, and add admin only right, for example

"O:BUD:PAI(A;;FA;;;BU)(A;;0x1200a9;;;WD)(A;;FA;;;BA)"

(This explains all about it: http://msdn.microsoft.com/en-us/magazine/cc982153.aspx)

I know from experience that this is not the safest way, because if "TrustedInstaller" is present, even if you have full admin right, sometimes "TrustedInstaller" still does not let you do everything there (for example if you want to work with files in "C:\Windows\WinSxS" it is better to remove remaining TrustedInstaller), so the best way is _SetObjectPermissions. However I am interested also in this other way using the _ConvertStringSecurityDescriptorToSecurityDescriptor.

Sorry for the trouble.

Thanks again, Ciao.

Edited November 5, 2011 by DXRW4E
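
An added example, not part of the thread or of Permissions.au3: a Python decoder for the SDDL strings quoted above, useful for reviewing a backed-up descriptor before it is written back to an object. It resolves the owner, the DACL flags and each ACE, and lists allow ACEs that hand write-class rights to broad groups. The function names `parse_sddl` and `broad_write_aces` are hypothetical, and the alias tables are a subset covering file objects only.

```python
import re

# Constructed sample: the SDDL string quoted in the thread, including the
# BUILTIN\Administrators ACE the poster wanted to append.
SAMPLE = "O:BUD:PAI(A;;FA;;;BU)(A;;0x1200a9;;;WD)(A;;FA;;;BA)"

# Subsets of the SDDL alias tables, enough for the strings in this thread.
SID_ALIASES = {"BU": "BUILTIN\\Users", "BA": "BUILTIN\\Administrators",
               "WD": "Everyone", "SY": "NT AUTHORITY\\SYSTEM",
               "AU": "Authenticated Users", "CO": "CREATOR OWNER"}
ACE_TYPES = {"A": "allow", "D": "deny"}
ACE_FLAGS = {"OI": "object inherit", "CI": "container inherit",
             "NP": "no propagate", "IO": "inherit only", "ID": "inherited"}
DACL_FLAGS = {"P": "protected", "AR": "auto-inherit requested",
              "AI": "auto-inherited"}
# File rights aliases and their access masks (winnt.h values).
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000,
          "GX": 0x20000000}
# Bits that allow changing content, deleting, or rewriting the DACL/owner.
WRITE_BITS = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
BROAD_TRUSTEES = {"Everyone", "BUILTIN\\Users", "Authenticated Users"}


def parse_mask(text):
    """Rights field: a hex number or concatenated two-letter aliases."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError("bad rights field: %r" % text)
    mask = 0
    for alias in re.findall("..", text):
        mask |= RIGHTS[alias]  # KeyError on an alias outside the subset
    return mask


def split_codes(text, table):
    """Split a run of flag codes (longest codes tried first) into names."""
    pattern = "|".join(sorted(table, key=len, reverse=True))
    return [table[code] for code in re.findall(pattern, text)]


def parse_sddl(sddl):
    """Return owner, DACL flags and ACEs of an SDDL string as plain dicts."""
    parts = dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl))
    dacl = parts.get("D", "")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("ACE needs 6 fields: %r" % body)
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = fields
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type),
                     "flags": split_codes(flags, ACE_FLAGS),
                     "mask": parse_mask(rights),
                     "trustee": SID_ALIASES.get(sid, sid)})
    owner = parts.get("O")
    return {"owner": SID_ALIASES.get(owner, owner),
            "dacl_flags": split_codes(dacl.partition("(")[0], DACL_FLAGS),
            "aces": aces}


def broad_write_aces(parsed):
    """Allow ACEs that give a broad group any write-class right."""
    return [ace for ace in parsed["aces"]
            if ace["type"] == "allow" and ace["trustee"] in BROAD_TRUSTEES
            and ace["mask"] & WRITE_BITS]


if __name__ == "__main__":
    info = parse_sddl(SAMPLE)
    print(info["owner"], info["dacl_flags"])
    for ace in info["aces"]:
        print(ace["type"], ace["trustee"], hex(ace["mask"]), ace["flags"])
    print("review:", [a["trustee"] for a in broad_write_aces(info)])
```

The mask `0x1200a9` in the thread's string is `FILE_GENERIC_READ | FILE_GENERIC_EXECUTE`, the file-specific form of the `$GENERIC_READ+$GENERIC_EXECUTE` mask used earlier for 'Everyone'.
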

FredAI (author), posted November 6, 2011

> after using the _ConvertStringSecurityDescriptorToSecurityDescriptor($a), how can I use that to set the _WriteDaclToObject,

You have to get the DACL from the security descriptor. I'll take a look at the function and post back in a while.

FredAI (author), posted November 6, 2011

Ok. Here it is:

```autoit
#include 'Permissions.au3'

_InitiatePermissionResources()
FileWrite(@ScriptDir&'\test.txt','test')
Local $TI = TimerInit()
;************************************************************************************************
Local $ret1 = _GetObjectSecurityDescriptor(@ScriptDir&'\test.txt')
Local $ret2 = _ConvertSecurityDescriptorToStringSecurityDescriptor($ret1)
Local $ret3 = _ConvertStringSecurityDescriptorToSecurityDescriptor($ret2)
Local $ret4 = _GetSecurityDescriptorOwner($ret3)
Local $ret5 = _GetSecurityDescriptorDacl($ret3)
;************************************************************************************************
Local $TD = TimerDiff($TI)
MsgBox(0,'','Security descriptor pointer: '&$ret1&@CRLF& _
        'Converted to string: '&$ret2&@CRLF& _
        'Re-converted to pointer to security descriptor: '&$ret3&@CRLF& _
        'Owner SID: '&$ret4&@CRLF& _
        'Pointer to the DACL: '&$ret5&@CRLF& _
        ' Time: '&Round($TD,2)&' milliseconds.')
FileDelete(@ScriptDir&'\test.txt')
_ClosePermissionResources()

; Returns the owner SID of a security descriptor as a string
Func _GetSecurityDescriptorOwner(ByRef $pSecDescriptor)
    If Not IsPtr($pSecDescriptor) Then Return SetError(1,0,0)
    Local $aRet = DllCall($h__Advapi32Dll,'bool','GetSecurityDescriptorOwner', _
            'ptr',$pSecDescriptor,'ptr*',0,'bool*',0)
    If @error Then Return SetError(@error,0,0)
    Return _SidToStringSid($aRet[2])
EndFunc ;==>_GetSecurityDescriptorOwner

; Returns a pointer to the DACL inside a security descriptor
Func _GetSecurityDescriptorDacl(ByRef $pSecDescriptor)
    If Not IsPtr($pSecDescriptor) Then Return SetError(1,0,0)
    Local $aRet = DllCall($h__Advapi32Dll,'bool','GetSecurityDescriptorDacl', _
            'ptr',$pSecDescriptor,'bool*',0,'ptr*',0,'bool*',0)
    If @error Then Return SetError(@error,0,0)
    ; $aRet[2] is the "DACL present" flag
    If Not $aRet[2] Then Return SetError(1,0,0)
    Return $aRet[3]
EndFunc ;==>_GetSecurityDescriptorDacl

Func _GetObjectStringSecurityDescriptor($oName, $_SE_OBJECT_TYPE = $SE_FILE_OBJECT)
    Local $SECURITY_INFORMATION = BitOR($DACL_SECURITY_INFORMATION,$OWNER_SECURITY_INFORMATION)
    Local $pSecDescriptor = _GetObjectSecurityDescriptor($oName, $_SE_OBJECT_TYPE)
    Local $strSecDescriptor = _ConvertSecurityDescriptorToStringSecurityDescriptor($pSecDescriptor)
    DllCall($h__Kernel32Dll,'handle','LocalFree','handle',$pSecDescriptor)
    Return $strSecDescriptor
EndFunc ;==>_GetObjectStringSecurityDescriptor

Func _ConvertSecurityDescriptorToStringSecurityDescriptor(ByRef $pSecDescriptor)
    If Not IsPtr($pSecDescriptor) Then Return SetError(1,0,0)
    Local $SECURITY_INFORMATION = BitOR($DACL_SECURITY_INFORMATION,$OWNER_SECURITY_INFORMATION)
    Local $aRet = DllCall($h__Advapi32Dll,'bool','ConvertSecurityDescriptorToStringSecurityDescriptor', _
            'ptr',$pSecDescriptor,'DWORD',1,'DWORD',$SECURITY_INFORMATION,'str*',0,'ptr',0)
    If @error Then Return SetError(1,0,'')
    Return $aRet[4]
EndFunc ;==>_ConvertSecurityDescriptorToStringSecurityDescriptor

Func _ConvertStringSecurityDescriptorToSecurityDescriptor(ByRef $strSecDescriptor)
    If Not IsString($strSecDescriptor) Then Return SetError(1,0,0)
    Local $aRet = DllCall($h__Advapi32Dll,'bool','ConvertStringSecurityDescriptorToSecurityDescriptor', _
            'str',$strSecDescriptor,'DWORD',1,'ptr*',0,'ptr',0)
    If @error Then Return SetError(1,0,0)
    Return $aRet[3]
EndFunc ;==>_ConvertStringSecurityDescriptorToSecurityDescriptor

Func _GetObjectSecurityDescriptor($oName, $_SE_OBJECT_TYPE = $SE_FILE_OBJECT)
    Local $SECURITY_INFORMATION = BitOR($DACL_SECURITY_INFORMATION,$OWNER_SECURITY_INFORMATION)
    If $ResourcesState = 0 Then _InitiatePermissionResources()
    If $_SE_OBJECT_TYPE = $SE_REGISTRY_KEY Then $oName = _Security_RegKeyName($oName)
    Local $aRet = DllCall($h__Advapi32Dll,'DWORD','GetNamedSecurityInfo','str',$oName,'int',$_SE_OBJECT_TYPE, _
            'DWORD',$SECURITY_INFORMATION,'ptr',0,'ptr',0,'ptr',0,'ptr',0,'ptr*',0)
    If @error Then Return SetError(@error,0,0)
    Return SetError($aRet[0],0,$aRet[8])
EndFunc ;==>_GetObjectSecurityDescriptor
```

Now that I know why you need the functions, I'm finding this very interesting, because it allows you to make a full backup of the security descriptor, and restore it later. No need for secedit.

When I have more time, I'll document the functions and add them to the UDF.

DXRW4E, posted November 6, 2011 (edited)

Thanks so much for all the support.

When you add the functions to the UDF, it would be better if you add a direct function like _GetObjectStringSecurityDescriptor(@ScriptDir & '\test.txt'), for example add _SetObjectStringSecurityDescriptor(@ScriptDir & '\test.txt', "O:BUD:PAI(A;;FA;;;BU)(A;;0x1200a9;;;WD)(A;;FA;;;BA)"). I do not know, see for yourself how is best.

Ciao.

Edited November 6, 2011 by DXRW4E

JScript, posted November 6, 2011

Very complex, perfect! Thanks for sharing...

João Carlos.

Spiff59, posted November 7, 2011

I've always found calling icacls.exe very simple for changing permissions. Is the main difference between the UDF and icacls that icacls is restricted to modifying only files and folders?

FredAI (author), posted November 7, 2011

No, this is also much faster, and makes your script independent from external exes, which can be disabled or infected. Also AFAIK you can't set ownership using icacls.

FredAI (author), posted November 9, 2011

I added the security descriptor functions to the UDF and updated. See the first post.

DXRW4E, posted November 9, 2011

Thank You

FredAI (author), posted November 10, 2011

I updated again. This time I didn't change the code, just some faults in the comments.

The _SetObjectPermissions function now supports setting the inheritance too, but remember you cannot create an ace with the flag $INHERIT_ONLY_ACE. This type of ace is automatically added from the parent upon the object's creation. Better use the flags $OBJECT_INHERIT_ACE (1), $CONTAINER_INHERIT_ACE (2), $SUB_CONTAINERS_AND_OBJECTS_INHERIT (3) and $NO_PROPAGATE_INHERIT_ACE (4).