topten Posted May 10, 2014

PS: At the same time, on my PC I have a fake McAfee firewall Core Service which is constantly sending popups asking to "activate their services", and which was installed even without my acknowledgement. So every time I try to kill this process via tskmngr, I get this "Unsufficient rights popup" or "access denied". I just wonder how do they do that?

step887 Posted May 12, 2014

> Sorry if I was inattentive while reading posts, could you please explain how I can solve this.
> Say I have a running program "test.exe". How can I prevent the user from killing this process in tskmngr?
> I was trying this example:
>
>     #RequireAdmin
>     #include 'Permissions.au3'
>     _InitiatePermissionResources()
>     $TI = TimerInit()
>     Local $Hndl = _Permissions_OpenProcess(@AutoItPID)
>     Local $SDBefore = _GetObjectStringSecurityDescriptor($Hndl,$SE_KERNEL_OBJECT)
>     Local $CODRet = _ClearObjectDacl($Hndl,$SE_KERNEL_OBJECT)
>     Local $DARet = _DenyAllAccess($Hndl,$SE_KERNEL_OBJECT)
>     Local $SDAfter = _GetObjectStringSecurityDescriptor($Hndl,$SE_KERNEL_OBJECT)
>     $TD = Round(TimerDiff($TI),2)
>     MsgBox(0,'', 'Deny everyone access to the current process:'&@CRLF&@CRLF& _
>         '@AutoItPID original security descriptor: '&@CRLF&$SDBefore&@CRLF&@CRLF& _
>         '_ClearObjectDacl return value: '&$CODRet&@CRLF&@CRLF& _
>         '_DenyAllAccess_ return value: '&$DARet&@CRLF&@CRLF& _
>         'New @AutoItPID security descriptor: '&@CRLF& _
>         $SDAfter&@CRLF&@CRLF& 'Time taken: '&$TD&' miliseconds.')
>     _Permissions_CloseHandle($Hndl)
>
> But anyway, if I write this code into my test.exe and then run it, and then try killing it in tskmngr, it is killed very easily.
> Thanx in advance!!!

You will need to compile it for it to work. It works for me.

> PS: At the same time, on my PC I have a fake McAfee firewall Core Service which is constantly sending popups asking to "activate their services", and which was installed even without my acknowledgement. So every time I try to kill this process via tskmngr, I get this "Unsufficient rights popup" or "access denied". I just wonder how do they do that?

They create a driver that monitors API calls, and then they stop them before they get to the OS.

FKFK Posted May 21, 2014 (edited)

Thank you very much for this UDF! I have a question about using this UDF. I want to add some permissions on a folder:

    Local $Array[1][3] = [['Test-Group', 1, $GENERIC_ALL]]
    _SetObjectPermissions($sPath, $Array, $SE_FILE_OBJECT, '', 0, 1)

But my problem is that all other permission entries are deleted. Only the permissions which the parent folder passes on are not deleted. What do I have to do so that _SetObjectPermissions only adds some permissions without changing the existing ones?

//edit: I have detected the failure: _GetDaclSizeInformation is only working if I am the administrator, and so _MergeDaclToArray works only if I am the administrator, too. Why does it do so?

//edit2: Another question: I want inherited permissions to still be inherited, other existing permissions to still be there, too, and to be able to add a new permission. I have detected only two possibilities:
1. keep inherited permissions, delete existing permissions and add some new.
2. copy inherited permissions into normal permissions, keep existing permissions and add some new.

Edited May 22, 2014 by FKFK

Biatu Posted June 14, 2014

For some reason this always returns 0

    #Include <Permissions.au3>
    #Include <File.au3>
    $Timer=TimerInit()
    $StartDir=@ScriptDir&"\Source\InstallWim"
    $aList=_FileListToArrayRec($StartDir,"*",1+4+8,1,2,1)
    ConsoleWrite(TimerDiff($Timer)&@CRLF)
    ;_ArrayDisplay($aList)
    $CounterFmt=StringLen($aList[0])
    For $Index=1 To $aList[0]
        ConsoleWrite(StringFormat("%0"&$CounterFmt&"d",$Index)&"|"&$StartDir&"\"&$aList[$Index]&"|")
        $Ret=_GrantAllAccess(@ScriptDir&"\"&$aList[$Index])
        ConsoleWrite($Ret&@CRLF)
    Next

What is what? What is what.

Virgus Posted October 9, 2014 (edited)

Hello everybody,

I wanted to learn something by testing how to modify the ACLs of my drives, and I made a little mess in my computer. I ran this script:

    #include <Permissions.au3>
    _InitiatePermissionResources()
    $drives = DriveGetDrive( "FIXED" )
    If NOT @error Then
        MsgBox(4096,"", "Found " & $drives[0] & " drives",1)
        $TI = TimerInit()
        For $i = 1 to $drives[0]
            MsgBox(4096,"Drive " & $i, $drives[$i],1)
            $ret = _GrantAllAccess($drives[$i])
            MsgBox(0,'','Grant everyone access'&@CRLF&@CRLF& _
                '_GrantAllAccesss return value: '&$ret&' Time: '&Round($TD,2)&' miliseconds.'&@CRLF,1)
        Next
        $TD = TimerDiff($TI)
    EndIf
    _ClosePermissionResources()
    Exit

and I got most of my folders inaccessible. I tried to fix things drive by drive / folder by folder with this script (drag & drop onto the compiled script), but results are random (sometimes I recover the folder ownership, sometimes not; the inherit recursion is not always working):

    #include <Permissions.au3>
    _InitiatePermissionResources()
    If @Compiled AND ($CmdLine[0] > 0) Then
        $TI = TimerInit()
        For $i = 2 to UBound($CmdLine) - 1
            $ret = _SetDefaultFileAccess($CmdLine[$i],1)
            ; $ret = _InheritParentPermissions($CmdLine[$i], $SE_FILE_OBJECT, 1)
        Next
        $TD = TimerDiff($TI)
        MsgBox(0,'','Execution Time: '&Round($TD,2)&' miliseconds.'&@CRLF,1)
    EndIf
    _ClosePermissionResources()
    Exit

Could anybody suggest / point me to the correct solution to get my files' ownership back?

Regards, V.

EDIT: Solution found with a batch file:

    SET ACLPATH=%~1
    subinacl /subdirectories "%ACLPATH%" /setowner=%USERNAME%
    subinacl /subdirectories "%ACLPATH%" /grant=administrators=f
    icacls "%ACLPATH%*" /reset /T /C

Edited October 9, 2014 by Virgus

ViciousXUSMC Posted March 3, 2015

This is most likely going to come in handy for me. Tagging.

Is this built on the COM of SetACL?

topten Posted March 16, 2015

Thank you very much for this great UDF. It is doing magic! A small question:

    $ret = _CopyFullDacl("c:\pathtofile\somefile",$SE_FILE_OBJECT,@ScriptDir)

This works excellently when I put the script into the same directory as the file to grant permission to. I wanted to make it work remotely, and tried replacing @ScriptDir with the path to the file:

    $ret = _CopyFullDacl("c:\pathtofile\somefile",$SE_FILE_OBJECT, "c:\pathtofile\somefile")

That won't work. Then I just programmatically copy the exe script with this code into the same directory:

    $ret = _CopyFullDacl("c:\pathtofile\somefile",$SE_FILE_OBJECT,@ScriptDir)

And from another script I run that script: run ("c:\pathtofile\myscript.exe"). The script would make the exe work (I see it by a message box for a test), but it won't change the permissions. What can be the reason for that? (Both files have #requireadmin.)

Great thanx in advance!

zalomalo Posted March 18, 2015 (edited)

Be sure the object to change is local and that you have permissions to change permissions (domain accounts?). To execute it locally from another computer, the easiest way is using PsExec from SysInternals. So you do Run: PseXec.exe -copyexetoremote -yourexe localobinremotetochangeACL youractualPC->ACLSource. Older versions like 1.63 work even better than the actual 2.11.

Edited March 18, 2015 by zalomalo

My english shucks, i know it.

nigthlord Posted September 4, 2015

Hi guys, =)

I have a question and maybe someone may help me out. I need to list the NTFS permissions of different file shares OR certain files and folders where either AD users and/or AD groups can be in. Since this UDF can copy ACLs, I am sure it can read them as well (it somehow has to). Unfortunately it seems I am too stupid to figure out how to do so... So I would need a simple example of how to list permissions of a certain file or folder...

Thanks in advance for any help or hints!

cheers

AdamUL Posted September 4, 2015

I was going to go the route you are trying to take. This UDF will pull the ACE strings, but then you need to convert them to readable user names and groups. This is a language unto itself. Here are some links, if you are interested.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa374928(v=vs.85).aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/aa379570(v=vs.85).aspx
http://blogs.technet.com/b/askds/archive/2008/04/18/the-security-descriptor-definition-language-of-love-part-1.aspx
http://blogs.technet.com/b/askds/archive/2008/04/18/the-security-descriptor-definition-language-of-love-part-2.aspx

In the UDF you would use the _GetSecurityDescriptor* functions along with the _ConvertSecurityDescriptorToStringSecurityDescriptor function, and then work on converting the string using Security Descriptor Definition Language (SDDL) and _Security__GetAccountSid from the Security UDF in AutoIt.

I got lazy, and needed a way to get them without writing an SDDL UDF, which I currently don't have time to do. I would like to eventually write a UDF. I have pieces of one, but it is not complete or working correctly. I found a nice free utility, NTFS Permissions Reporter. You can work with local drives, as well as remote server shares. You can also limit the depth of the directories and exclude directories. This only works on directories, and not files. The free version allows you to export a report as HTML, which I then use AutoIt and the HTMLTable2Array UDF to work with.

Hope that helps.

Adam

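The SDDL conversion described in the post above, as an added example that is not part of the thread or of the Permissions UDF. It is written in Python rather than AutoIt, covers only a subset of the SDDL token tables, does not handle conditional ACEs, and runs on a constructed sample string; `parse_dacl` and `world_writable` are hypothetical helper names.

```python
import re

# Subset of the documented SDDL token tables; unknown tokens pass through as-is.
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
ACE_FLAGS = {"OI": "object-inherit", "CI": "container-inherit",
             "NP": "no-propagate", "IO": "inherit-only", "ID": "inherited"}
RIGHTS = {"GA": "generic-all", "GR": "generic-read", "GW": "generic-write",
          "GX": "generic-execute", "FA": "file-all", "FR": "file-read",
          "SD": "delete", "RC": "read-control", "WD": "write-dac", "WO": "write-owner"}
SIDS = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM", "WD": "Everyone",
        "AU": "Authenticated Users", "BU": "BUILTIN\\Users", "CO": "CREATOR OWNER"}
FILE_ALL_ACCESS = 0x1F01FF  # the full-control mask quoted later in the thread

def _pairs(field, table):
    """Split a run of two-letter SDDL tokens ("OICI") into readable names."""
    return [table.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)]

def _rights(field):
    if field.lower().startswith("0x"):  # numeric access mask instead of tokens
        mask = int(field, 16)
        return ["file-all"] if mask == FILE_ALL_ACCESS else [hex(mask)]
    return _pairs(field, RIGHTS)

def parse_dacl(sddl):
    """Return (dacl_flags, [ace dicts]) for the D: component of an SDDL string."""
    m = re.search(r"D:([A-Z_]*?)((?:\([^)]*\))*)(?=S:|$)", sddl)
    if not m:
        raise ValueError("no parsable DACL component in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        f = body.split(";")  # type;flags;rights;object_guid;inherit_guid;trustee
        if len(f) < 6:
            raise ValueError("malformed ACE: " + body)
        aces.append({"type": ACE_TYPES.get(f[0], f[0]), "flags": _pairs(f[1], ACE_FLAGS),
                     "rights": _rights(f[2]), "trustee": SIDS.get(f[5], f[5])})
    return m.group(1), aces

def world_writable(aces):
    """Allow ACEs that give Everyone full or write-level control."""
    risky = {"generic-all", "file-all", "generic-write", "write-dac", "write-owner"}
    return [a for a in aces if a["type"] == "allow" and a["trustee"] == "Everyone"
            and risky & set(a["rights"])]

# Constructed sample descriptor, not taken from the thread.
SAMPLE = ("O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICIID;0x1200a9;;;BU)"
          "(A;;GA;;;WD)(D;;WD;;;S-1-5-21-1-2-3-1006)")

if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE)[1]:
        print(ace)
```

Note that the token `WD` means Everyone in the trustee field but WRITE_DAC in the rights field, which is why each field is decoded with its own table.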
nigthlord Posted September 7, 2015

Hi,

many thanks for your informative reply and sorry for my late one... I was not aware about the complexity of this topic. Silly me. However I'll give it a shot, maybe I can compile something useful.

Thanks again,
so long,

Proph Posted October 6, 2015

> I have been using this UDF and it is awesome. I ran into an issue on Win 7 64 bit: a 32 bit compiled app does not modify reg permissions on HKLM64.
>
>     $out = _GrantAllAccess('HKEY_LOCAL_MACHINE64\SOFTWARE\test',4)
>
> returns 0
>
>     $out = _GrantAllAccess('HKEY_LOCAL_MACHINE\SOFTWARE\test',4)
>
> returns 1 but modifies HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\test
> any ideas

I can confirm that there seems to be an issue with _GrantAllAccess on HKLM64 when the exe is compiled as x86.

Anteaus Posted November 25, 2015 (edited)

I'm trying to use this UDF to add Full permissions for a specific user to a given folder. The folder may have existing local permissions, which must be retained. It also inherits Administrator and System (full) permissions from the root. Which is pretty much a standard situation.

Firstly, I presume that the _SetObjectPermissions() function is unsuitable, since this would seem to always remove any existing local permissions, replacing them with the new one. Can anyone confirm that?

If I use the _EditObjectPermissions() function, I hit a peculiar combination of effects in that:

If $InHerit is zero, the new permission and all existing Full local permissions are trashed. Specifically, they become rewritten as 'This folder only' permissions.

If the $InHerit flag is non-zero, all of the inherited permissions are duplicated as local permissions. So you then have two Administrator permissions, two of SYSTEM, etc. Within this scope:

If $InHerit is 1, local permissions are made 'This folder-only' as for zero.
If $InHerit is 2, local permissions are made 'This folder and subfolder' permissions.
If the $InHerit flag is 3, the new permission is added correctly and existing local permissions are unaffected. (Which would be fine if it were not for the side-effect.)

$Recurse has no identifiable effect on the outcome, for the toplevel folder anyway.

$ClearDACL=1 with $InHerit=3 has the effect that inherited permissions are then made local, and the inheritance flag set to false.

Sample code:

    Local $pArray[1][3]
    $pArray[0][0]='TestUser'; (Or 'S-1-5-21-789336058-764733703-1177238915-1006')
    $pArray[0][1]=1 ; Grant
    $pArray[0][2]=$GENERIC_ALL ; (Or 0x1F01FF for full generic and specific rights, makes no odds.)
    $SetOwner="TestUser"
    $ClearDACL=0 ;
    $Recurse=1 ;
    $InHerit = [As detailed above]
    $rtn=_EditObjectPermissions($oName, $pArray, $SE_FILE_OBJECT, $SetOwner, $ClearDacl, $Recurse, $InHerit)

$rtn returns 1.

Seems there is definitely something amiss here. Since _EditObjectPermissions() loads the existing DACL into an array containing the new permissions, then submits the result to _Set[Reg/File]ObjectSecurity (the same handlers used by _SetObjectPermissions(), which does work correctly), I'd hazard a guess that the permissions are somehow being corrupted in the array merge. Just a guess, though.

Most testing done on XP SP3 VM, some on Win7/10. AI version 3.14.2

If anyone has thoughts on this, they would be welcome.

Update: _SetObjectPermissions() has two parameters reversed in the syntax. (Line 519) I did notice that at the time, and thought it unlikely they would differ. Seems like if you have illegal values due to the reversal, it can cause the computer to do strange things thereafter. Which I think was why the _EditObjectPermissions() call was acting up the way it did. That, and there's a fourth array element which determines the scope of the permission. With that in, you get proper Full permissions. Once those two are fixed, seems to work fine.

Unfortunately, no. Full permissions are now set correctly, but there are still issues with inherited permissions being duplicated locally. Seems to happen at random even with no change of test parameters. I'm wondering if there's a memory overflow/over-read involved.

Edited November 26, 2015 by Anteaus
Update

legend Posted March 15, 2016 (edited)

How to set it for denying access to the process for only the logged in user? I'm making a script that restores some files from a network share, and while doing so, I want it to remove its permissions from itself. I tried this, but it will only work if I use it with #requireadmin. I tried from a non-admin user with Process Explorer, which was able to deny permissions on the process for the current logged in user, without admin rights.

    #include 'Permissions.au3'
    Local $Hndl = _Permissions_OpenProcess(@AutoItPID)
    _DenyAllAccess($Hndl, $SE_KERNEL_OBJECT,@UserName)
    MsgBox(0,'', _GetObjectStringSecurityDescriptor($Hndl, $SE_KERNEL_OBJECT))

This is how it should look: http://prntscr.com/afrdbj

Edited March 15, 2016 by legend

Valnurat Posted April 11, 2016

I have tried to use your example, but I get an error:

    "C:\Users\DKSOKVK\Documents\AutoIT\MyIncludeUDF\Permissions.au3"(100,51) : error: $ACCESS_SYSTEM_SECURITY previously declared as a 'Const'.
    Global Const $ACCESS_SYSTEM_SECURITY = 0x01000000
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~^
    C:\PermissionTest.au3 - 1 error(s), 0 warning(s)
    !>13:36:44 AU3Check ended. Press F4 to jump to next error.rc:2
    +>13:36:44 AutoIt3Wrapper Finished.
    >Exit code: 2 Time: 0.9929

Do I have an old UDF?

Yours sincerely
Kenneth.

AmolT Posted April 11, 2016

Hi all,

Could anyone guide me in the right direction for a problem: I need to remove the Everyone group from folder permissions. How could I achieve this using this UDF? I successfully used _EditObjectPermissions to add a user to folder permissions, but I am unable to find a way to remove the 'Everyone' group.

Thanks,
Amol

Jos (Developers) Posted April 11, 2016

3 hours ago, Valnurat said:
> Do I have an old UDF?

Just remove the duplicate Global definition from your UDF version.

Jos

Jos (Developers) Posted April 11, 2016

10 minutes ago, AmolT said:
> I need to remove Everyone group

What have you tried that isn't working?

Jos

Valnurat Posted April 12, 2016 (edited)

19 hours ago, Jos said:
> Just remove the duplicate Global definition from your UDF version. Jos

Done, and I can compile it. But the example from post #1 has problems. 1, 5, 6, 7 are ok. 2, 3, 4 are not ok. Nothing happens. No. 8 I don't know what to do with.

How do you add "modify" to a folder for a group?

Edited April 12, 2016 by Valnurat

Yours sincerely
Kenneth.

AmolT Posted April 13, 2016

On 4/11/2016 at 8:28 PM, Jos said:
> What have you tried that isn't working?

Jos,

The thing is I am not able to think of a way to try to make it work. Definitely, if I set the $ClearDacl flag in _EditObjectPermissions it will clear everything. One thing I can think of is to get the array of permissions on the folder object, remove the 'Everyone' group from the array, and set all the remaining permissions back on the object. But I still can't figure out how I should be able to do it.

Amol