Posted

Here is another example.  This example shows how to remove a group (or user) from a DACL, and how to change a user's permission in the same DACL using an array created by _MergeDaclToArray to read the DACL from an object.  The array is then searched to find the specific group and user.  

#RequireAdmin
#include <Array.au3>
#include <Security.au3>
#include 'Permissions.au3'

_InitiatePermissionResources()

Global $sFile = @ScriptDir & '\test.txt'
FileWrite($sFile, 'test')
MsgBox(0, "File", "Created")

MsgBox(0, "StringSecurityDescriptor", _GetObjectStringSecurityDescriptor($sFile))

Global $aPerm[4][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL ;Full Control.
$aPerm[1][0] = 'Everyone'
$aPerm[1][1] = 1
$aPerm[1][2] = $FILE_AUTH_USERS_DEFAULT ;Modify.
$aPerm[2][0] = 'AD_Staff' ;AD Security Group.  Group must exist in AD.  
$aPerm[2][1] = 1
$aPerm[2][2] = $FILE_AUTH_USERS_DEFAULT ;Modify.
$aPerm[3][0] = "User01"
$aPerm[3][1] = 1
$aPerm[3][2] = BitOR($GENERIC_READ, $GENERIC_WRITE, $GENERIC_EXECUTE) ;Read, write & execute.

;~ _ArrayDisplay($aPerm,$sFile)
Global $iRet
Global $pDACL

;Add explicit permissions to newly created file.  
$iRet = _EditObjectPermissions($sFile, $aPerm)
MsgBox(0, '', '_EditObjectPermissions return value: ' & $iRet & @CRLF & _
        'Check the file permissons before closing the message box.')

MsgBox(0, "StringSecurityDescriptor", _GetObjectStringSecurityDescriptor($sFile))

;Get the file's DACL.
$pDACL = _GetObjectDacl($sFile)
If @error Then MsgBox(16, "ERROR", "Error _GetObjectDacl")

;Redeclare as an empty array to fill with the DACL read from the object.
Global $aPerm[0][3]
$iRet = _MergeDaclToArray($pDACL, $aPerm, 0)
;If there are no explicit permissions, and only inherited, the return value will be 0.
MsgBox(0, '', '_MergeDaclToArray return value: ' & $iRet)

;SIDs are DLL structs so they show up as blank strings in the array.  Permissions show up as signed integers.
_ArrayDisplay($aPerm, $sFile)

;Search the DACL array.
Global $aAcct
Global $sAcct
For $i = UBound($aPerm, 1) - 1  To 0 Step -1
    ;Convert SIDs to be searchable.  
    $aAcct = _Security__LookupAccountSid(DllStructGetPtr($aPerm[$i][0]))
    $sAcct = ($aAcct[1] <> "" ? $aAcct[1] & "\" : "" ) & $aAcct[0]  
    
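    If StringInStr($sAcct, 'AD_Staff') Then
        _ArrayDelete($aPerm, $i) ;Remove the group's permissions from the DACL.
        ContinueLoop ;Row $i no longer exists, so do not index it again in this iteration.
    EndIf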
    If StringInStr($sAcct, 'User01') Then $aPerm[$i][2] = $FILE_AUTH_USERS_DEFAULT ;Change user's permissions in the DACL to Modify.
    
    ConsoleWrite($sAcct & "  _Security__IsValidSid: " & _Security__IsValidSid(DllStructGetPtr($aPerm[$i][0])) & @CRLF)
Next

;Group removed and permission changed for other user.
_ArrayDisplay($aPerm, $sFile)

;Since a SID was removed from the DACL array. The DACL must be cleared.
_ClearObjectDacl($sFile)

;Since the DACL was cleared.  Inherited permissions must be added back.  
_InheritParentPermissions($sFile)

;Add the new DACL array back to the object.  
$iRet = _EditObjectPermissions($sFile, $aPerm)
MsgBox(0, '', '_EditObjectPermissions return value: ' & $iRet & @CRLF & _
        'Check the file permissons before closing the message box.')

MsgBox(0, "StringSecurityDescriptor", _GetObjectStringSecurityDescriptor($sFile))

FileDelete($sFile)
MsgBox(0, "File", "Deleted")

_ClosePermissionResources()

 

Adam

Posted (edited)
On Wednesday, 14 September 2016 at 9:28 PM, AdamUL said:

@Terenz Now with the change to the UDF mentioned above.  Here is an example that I think will do what you need.

Hi Adam, I'm sorry for the delay. I still need this to work, but it seems that even with FredAI's changes to _MergeDaclToArray I don't have any success:

#RequireAdmin
#include 'Permissions.au3'

_InitiatePermissionResources()

Global $sFile = @WindowsDir & "\System32\aaclient.dll" ; random dll
;~ FileWrite($sFile, 'test')
;~ MsgBox(0, "File", "Created")
MsgBox(0, "File", $sFile & ":" & FileExists($sFile))

Global $aPerm[1][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL

Global $pDACL = _GetObjectDacl($sFile)

Global $iRet = _EditObjectPermissions($sFile, $aPerm)
MsgBox(0, '', '_EditObjectPermissions return value: ' & $iRet & @CRLF & _
        'Check the file permissons before closing the message box.')

$iRet = _SetObjectSecurity($sFile, $SE_FILE_OBJECT, $DACL_SECURITY_INFORMATION, 0, 0, $pDACL, 0)
MsgBox(0, '', 'Restore all permissions' & @CRLF & @CRLF & _
        '_SetObjectSecurity return value: ' & $iRet & @CRLF & _
        'Check the file permissons before closing the message box.')

;~ FileDelete($sFile)
;~ MsgBox(0, "File", "Deleted")

_ClosePermissionResources()

I have taken a random DLL from the system for a simple reason:

"Administrators", "SYSTEM" and "Users" have only "Read" and "Read and execute"

TrustedInstaller has full access and is the owner

In theory the script needs to change/add my @UserName (it is part of the Administrators group) and give it full access to the file? And then restore everything to the default situation? Well, that is my final goal.

I have also tried to change the owner to my user "manually" via the Windows interface and then run the script; nothing changes.

If I use for example something like:

ICACLS "C:\Windows\System32\aaclient.dll" /grant "MY_USERNAME":F

It works fine, but I don't want to be dependent on a Windows tool, on XP I don't have it, and there is always the problem of restoring the initial situation.

I really appreciate your help with this, I can't resolve it by myself :(

EDIT: Wait, it works! But only if I compile as x64 on the x64 system; it does not work if the executable is x86 on an x64 system! I'll try to investigate.

x86 _GetObjectDacl returns 0x009FF464

x64 _GetObjectDacl returns 0x0000000000691280

x86 _EditObjectPermissions = 0 @error = 0 and _SetObjectSecurity = 0 @error = 5

x64 _EditObjectPermissions = 1 and _SetObjectSecurity = 1

Does it fail because of _GetObjectDacl?

Edited by Terenz

Nothing is so strong as gentleness. Nothing is so gentle as real strength

 

Posted

@Terenz I just noticed an issue with the script I posted for you.  I didn't have the return value for _EditObjectPermissions in the MsgBox.  I edited my post to add this.  

I think I was able to get it to work, give this a try.  You have to change the owner of the file, to set the permissions on a file, that you are not an owner of or in a group that is an owner.

#RequireAdmin
#include <Array.au3>
#include 'Permissions.au3'
#include <Security.au3>

_InitiatePermissionResources()

Global $sFile = "C:\Windows\System32\aaclient.dll"

Global $aPerm[1][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL ;Full Control.
;~ $aPerm[0][2] = $FILE_USERS_DEFAULT ;Read & execute.
;~ $aPerm[0][2] = $FILE_AUTH_USERS_DEFAULT ;Modify.

;~ _ArrayDisplay($aPerm,$sFile)

Global $pDACL = _GetObjectDacl($sFile)
Global $sOwner = _GetObjectOwner($sFile)
MsgBox(0, "Owner", "SID: " & $sOwner & @CRLF & @CRLF & "Name: " & _Security__LookupAccountSid($sOwner)[0])

Global $iRet = _SetObjectOwner($sFile, $SE_FILE_OBJECT, @UserName)
MsgBox(0, '', '_SetObjectOwner return value: ' & $iRet & @CRLF & _
        'Check the file permissons before closing the message box.')

$iRet = _EditObjectPermissions($sFile, $aPerm)
MsgBox(0, '', '_EditObjectPermissions return value: ' & $iRet & @CRLF & _
        'Check the file permissons before closing the message box.')

$iRet = _SetObjectSecurity($sFile, $SE_FILE_OBJECT, $DACL_SECURITY_INFORMATION, 0, 0, $pDACL, 0)
Global $iRet1 = _SetObjectOwner($sFile, $SE_FILE_OBJECT, $sOwner)
MsgBox(0, '', 'Restore all permissions' & @CRLF & @CRLF & _
        '_SetObjectSecurity return value: ' & $iRet & @CRLF & _
        '_SetObjectOwner return value: ' & $iRet1 & @CRLF & _
        'Check the file permissons before closing the message box.')

_ClosePermissionResources()

Adam

 

Posted

Hey @AdamUL, I noticed an issue I had with FredAl's updated _MergeDaclToArray function as shown in post #50. I renamed the old function and added the new function to do a side-by-side comparison test.

Here's my test:

#RequireAdmin
#include <Array.au3>
#include 'Permissions.au3'
#include <Security.au3>

Global $aNewArray[1][4]
Global $aOldArray[1][4]

_InitiatePermissionResources()

Global $sFile = "C:\log\folder1"

$pDACL = _GetObjectDacl($sFile)

_MergeDaclToArray_Old($pDacl, $aOldArray)
_MergeDaclToArray_New($pDacl, $aNewArray)

$iRows = UBound($aOldArray, $UBOUND_ROWS) - 1

For $i = 0 To $iRows
    $sUser = _Security__LookupAccountSid(_SidToStringSid(DllStructGetPtr($aOldArray[$i][0])))
    $aOldArray[$i][0] = $sUser[1] & "\" & $sUser[0] ; Domain\Username
    $aNewArray[$i][0] = $sUser[1] & "\" & $sUser[0] ; Domain\Username
Next

_ArrayDisplay($aOldArray, "_MergeDaclToArray_Old")
_ArrayDisplay($aNewArray, "_MergeDaclToArray_New")


_ClosePermissionResources()

I found 2 issues (see pics below):

  1. It changed the size of the array
  2. It left out the Inheritance flags

[Images: _MergeDaclToArray_Old.JPG, _MergeDaclToArray_New.JPG]

This was an issue since we have permissions that use "List Folder Contents" which needs the flag to be 2 not 3 otherwise it looks like "Read-Only". So I compared the differences between both functions and modified it to get the results I needed.

New Modified Function: (I commented on the changes I made)

Func _MergeDaclToArray(ByRef $Dacl, ByRef $aPerm, $Filter = 1)
    If Not IsArray($aPerm) Or UBound($aPerm,2) < 3 Then Return SetError(1,0,0)
    Local $_EXPLICIT_ACCESS, $t_EXPLICIT_ACCESS = 'DWORD;DWORD;DWORD;ptr;DWORD;DWORD;DWORD;ptr'
    Local $aCall = DllCall($h__Advapi32Dll,'DWORD','GetExplicitEntriesFromAcl','ptr',$Dacl,'ulong*',0,'ptr*',0)
    If @error Or $aCall[0] Then Return SetError(2,0,0)
    Local $uB = UBound($aPerm), $l = 0, $TrusteeExists, $E = $aCall[2], $eaSID, $aPermSid, $pEa = $aCall[3]
    Local $aAce, $uB2 = UBound($aPerm,2) ; Add This Line
    For $i = 2 To $E
        $t_EXPLICIT_ACCESS &= ';DWORD;DWORD;DWORD;ptr;DWORD;DWORD;DWORD;ptr'
    Next
    $_EXPLICIT_ACCESS = DllStructCreate($t_EXPLICIT_ACCESS, $pEa)
    For $i = 0 To $uB -1
        If Not IsDllStruct($aPerm[$i][0]) Then $aPerm[$i][0] = _GetSidStruct($aPerm[$i][0])
    Next
    For $i = 0 To $E ; Changed from '1' to '0'
        $eaSID = DllStructGetData($_EXPLICIT_ACCESS, $l+8)
        $aAce = _GetAce($Dacl, $i) ; Added This Line
        If $eaSID = 0 Then ContinueLoop
        $TrusteeExists = 0
        If $Filter Then
            For $c = 0 To $uB -1
                $aCall = DllCall($h__Advapi32Dll,'BOOL','EqualSid','ptr',$eaSID,'ptr',DllStructGetPtr($aPerm[$c][0]))
                If Not @error Then $TrusteeExists = $aCall[0]
                If $TrusteeExists Then ExitLoop
            Next
        EndIf
        If Not $TrusteeExists And _IsValidSid($eaSID) Then
            ReDim $aPerm[$uB+1][$uB2] ; Changed from '3' to '$uB2'
            $aPerm[$uB][0] = DllStructCreate('byte SID['&_GetLengthSid($eaSID)&']',$eaSID)
            $aPerm[$uB][1] = Number(DllStructGetData($_EXPLICIT_ACCESS,$l+2) = 1)
            $aPerm[$uB][2] = DllStructGetData($_EXPLICIT_ACCESS,$l+1)
            If $uB2 > 3 Then $aPerm[$uB][3] = $aAce[3] ; Added This Line
            $uB += 1
        EndIf
        $l += 8
    Next
    Return $pEa
EndFunc ;==> _MergeDaclToArray

 

Posted

@Surf243 Very good find.  I'm updating my copy of the UDF with your updated function.  I'm still working on testing this UDF, and plan to add some more example posts.  

 

Thanks again.

 

Adam

 

Posted

@Terenz  I'm currently running on 32-bit, so I'm unable to test.  It could be an issue with the DLL call and the OS bitness.  There is one thing I would like you to try, if you don't mind.  Could you add this to the top of your 32-bit script, and see if it runs correctly on 64-bit?  I'm not sure it will work, but I am curious to see.

#include <WinAPIFiles.au3>

If @OSArch = "X64" And Not @AutoItX64 Then _WinAPI_Wow64EnableWow64FsRedirection(False)

 

Adam

 

Posted (edited)
12 hours ago, AdamUL said:

@Terenz  I'm currently running on 32-bit, so I'm unable to test.  It could be an issue with the DLL call and the OS bitness.  There is one thing I would like you to try, if you don't mind.  Could you add this to the top of your 32-bit script, and see if it runs correctly on 64-bit?

Adam, about the redirection, you are correct: the script always takes another DLL instead of the one I have put in the path.

Your second script at post #143 works "partially" fine.

_GetObjectOwner gives me the correct owner and the SID is also valid; I have checked with CMD "sc showsid TrustedInstaller".

[Image: 2w3xnkg.jpg]

If I put:

FileMove("C:\Windows\System32\aaclient.dll", @ScriptDir)

after _EditObjectPermissions, the file is moved into @ScriptDir (just as a test, to see if the permissions are all correct), and up to that point everything goes in the right direction. The problem is here:

$iRet = _SetObjectSecurity(@ScriptDir & "\aaclient.dll", $SE_FILE_OBJECT, $DACL_SECURITY_INFORMATION, 0, 0, $pDACL, 0)
Global $iRet1 = _SetObjectOwner(@ScriptDir & "\aaclient.dll", $SE_FILE_OBJECT, $sOwner)
MsgBox(0, '', 'Restore all permissions' & @CRLF & @CRLF & _
        '_SetObjectSecurity return value: ' & $iRet & @CRLF & _
        '_SetObjectOwner return value: ' & $iRet1 & @error & @CRLF & @CRLF & _
        'Check the file permissons before closing the message box.')

It restores the original permissions with _SetObjectSecurity, but _SetObjectOwner FAILS! It gives me 0 and the error is 87.

Searching for this 87, I have seen that it is SetNamedSecurityInfo and the error is "Invalid Parameter". What? What parameter is invalid?

P.S. If I change "TrustedInstaller" to the "Administrators" group as owner, _SetObjectOwner can correctly restore the original owner after the FileMove, so there is a problem with "TrustedInstaller" inside the script, maybe in _GetSidStruct?

With the "Administrators" SID, the return values inside _SetObjectOwner are:

$SID = ""

$pSID = 0x034B7588

With the "TrustedInstaller" SID taken from _GetObjectOwner:

$SID = 0

$pSID = 0

That's why error 87: $pSID is 0, SetNamedSecurityInfo fails, and I really don't know why.

This works fine:

_SetObjectOwner(@ScriptDir & "\aaclient.dll", $SE_FILE_OBJECT, "TrustedInstaller")

This does NOT:

_SetObjectOwner(@ScriptDir & "\aaclient.dll", $SE_FILE_OBJECT, "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464")

So the problem is the SID processed by _SetObjectOwner; I prefer not to use the owner name in any case. Thanks for your help, I appreciate it.

 

PROBLEM FOUND!

It was the damn, stupid StringRegExp; hours lost on this. The original _GetSidStruct identifies the SID as a NAME! :(

Here you can see the difference between old and my version:

_GetSidStruct_Original("S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464")
_GetSidStruct_New("S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464")

Func _GetSidStruct_Original($AccountName)
    If $AccountName = 'TrustedInstaller' Then $AccountName = 'NT SERVICE\TrustedInstaller'
    If $AccountName = 'Everyone' Then
;~      Return _StringSidToSid('S-1-1-0')
    ElseIf $AccountName = 'Authenticated Users' Then
;~      Return _StringSidToSid('S-1-5-11')
    ElseIf $AccountName = 'System' Then
;~      Return _StringSidToSid('S-1-5-18')
    ElseIf $AccountName = 'Administrators' Then
;~      Return _StringSidToSid('S-1-5-32-544')
    ElseIf $AccountName = 'Users' Then
;~      Return _StringSidToSid('S-1-5-32-545')
    ElseIf $AccountName = 'Guests' Then
;~      Return _StringSidToSid('S-1-5-32-546')
    ElseIf $AccountName = 'Power Users' Then
;~      Return _StringSidToSid('S-1-5-32-547')
    ElseIf $AccountName = 'Local Authority' Then
;~      Return _StringSidToSid('S-1-2')
    ElseIf $AccountName = 'Creator Owner' Then
;~      Return _StringSidToSid('S-1-3-0')
    ElseIf $AccountName = 'NT Authority' Then
;~      Return _StringSidToSid('S-1-5-1')
    ElseIf $AccountName = 'Restricted' Then
;~      Return _StringSidToSid('S-1-5-12')
    ElseIf StringRegExp($AccountName, '\A(S-1-\d+(-\d+){0,5})\z') Then
        MsgBox(0,0,"SID")
    Else
        MsgBox(0,0,"NAME")
    EndIf
EndFunc   ;==>_GetSidStruct_Original

Func _GetSidStruct_New($AccountName)
    If $AccountName = 'TrustedInstaller' Then $AccountName = 'NT SERVICE\TrustedInstaller'
    Select
        Case $AccountName = 'Everyone'
;~          Return _StringSidToSid('S-1-1-0')
        Case $AccountName = 'Authenticated Users'
;~          Return _StringSidToSid('S-1-5-11')
        Case $AccountName = 'System'
;~          Return _StringSidToSid('S-1-5-18')
        Case $AccountName = 'Administrators'
;~          Return _StringSidToSid('S-1-5-32-544')
        Case $AccountName = 'Users'
;~          Return _StringSidToSid('S-1-5-32-545')
        Case $AccountName = 'Guests'
;~          Return _StringSidToSid('S-1-5-32-546')
        Case $AccountName = 'Power Users'
;~          Return _StringSidToSid('S-1-5-32-547')
        Case $AccountName = 'Local Authority'
;~          Return _StringSidToSid('S-1-2')
        Case $AccountName = 'Creator Owner'
;~          Return _StringSidToSid('S-1-3-0')
        Case $AccountName = 'NT Authority'
;~          Return _StringSidToSid('S-1-5-1')
        Case $AccountName = 'Restricted'
;~          Return _StringSidToSid('S-1-5-12')
        Case StringRegExp($AccountName, '\A(S-\d(-\d+){2,14})\z') ; is a SID
;~          Return _StringSidToSid($AccountName)
            MsgBox(0, 0, "SID")
        Case Else ; is an account name
;~          Local $SID = _LookupAccountName($AccountName)
;~          Return _StringSidToSid($SID)
            MsgBox(0, 0, "NAME")
    EndSelect
EndFunc   ;==>_GetSidStruct_New

The working function is in the next post.

Edited by Terenz


 

Posted (edited)

New version of _GetSidStruct

Func _GetSidStruct($AccountName)
    If $AccountName = 'TrustedInstaller' Then $AccountName = 'NT SERVICE\TrustedInstaller'
    Select
        Case $AccountName = 'Everyone'
            Return _StringSidToSid('S-1-1-0')
        Case $AccountName = 'Authenticated Users'
            Return _StringSidToSid('S-1-5-11')
        Case $AccountName = 'System'
            Return _StringSidToSid('S-1-5-18')
        Case $AccountName = 'Administrators'
            Return _StringSidToSid('S-1-5-32-544')
        Case $AccountName = 'Users'
            Return _StringSidToSid('S-1-5-32-545')
        Case $AccountName = 'Guests'
            Return _StringSidToSid('S-1-5-32-546')
        Case $AccountName = 'Power Users'
            Return _StringSidToSid('S-1-5-32-547')
        Case $AccountName = 'Local Authority'
            Return _StringSidToSid('S-1-2')
        Case $AccountName = 'Creator Owner'
            Return _StringSidToSid('S-1-3-0')
        Case $AccountName = 'NT Authority'
            Return _StringSidToSid('S-1-5-1')
        Case $AccountName = 'Restricted'
            Return _StringSidToSid('S-1-5-12')
        Case StringRegExp($AccountName, '\A(S-\d(-\d+){2,14})\z') ; is a SID
            Return _StringSidToSid($AccountName)
        Case Else ; is an account name
            Local $SID = _LookupAccountName($AccountName)
            Return _StringSidToSid($SID)
    EndSelect
EndFunc   ;==>_GetSidStruct

 

Edited by Terenz

Nothing is so strong as gentleness. Nothing is so gentle as real strength
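The misclassification found above comes down to counting: the original pattern allows at most five "-digits" groups after the identifier authority, and the TrustedInstaller SID has six sub-authorities. The script below is an added example, not part of the original posts or of Permissions.au3; _CountSubAuthorities, _IsSidStringByApi and _CompareSidDetection are hypothetical helper names, and the S-1-5-21-... and "S-1-5-80-" inputs are constructed samples. It runs both patterns from the thread beside a check that asks Windows through _Security__StringSidToSid from the standard Security.au3.

```autoit
#include <Security.au3>

; Patterns copied verbatim from the two _GetSidStruct versions quoted in the thread.
Global Const $SID_PATTERN_ORIGINAL = '\A(S-1-\d+(-\d+){0,5})\z'
Global Const $SID_PATTERN_REVISED = '\A(S-\d(-\d+){2,14})\z'

; Inputs 0-2 are SID strings that appear in the thread (Administrators,
; TrustedInstaller, Everyone). Inputs 3-5 are constructed for this example:
; a domain-style SID, a plain account name and a malformed SID string.
Global $aInputs[6] = [ _
        'S-1-5-32-544', _
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464', _
        'S-1-1-0', _
        'S-1-5-21-1111111111-2222222222-3333333333-1001', _
        'Administrators', _
        'S-1-5-80-']

; Hypothetical helper: counts the numeric sub-authorities that follow the
; S-<revision>-<identifier authority> prefix. Returns -1 if the prefix is missing.
Func _CountSubAuthorities($sInput)
    Local $aParts = StringSplit($sInput, '-')
    If $aParts[0] < 3 Or $aParts[1] <> 'S' Then Return -1
    Local $iCount = 0
    For $i = 4 To $aParts[0]
        If StringIsDigit($aParts[$i]) Then $iCount += 1
    Next
    Return $iCount
EndFunc   ;==>_CountSubAuthorities

; Hypothetical helper: lets Windows parse the string instead of guessing its
; shape with a pattern. _Security__StringSidToSid wraps ConvertStringSidToSid,
; which also accepts SDDL aliases such as "BA", so the "S-" prefix is required
; first to keep short account names from being treated as SIDs.
Func _IsSidStringByApi($sInput)
    If StringLeft($sInput, 2) <> 'S-' Then Return False
    Local $tSID = _Security__StringSidToSid($sInput)
    If @error Or Not IsDllStruct($tSID) Then Return False
    Return _Security__IsValidSid(DllStructGetPtr($tSID))
EndFunc   ;==>_IsSidStringByApi

; Builds one report entry per input so the three classifiers can be compared.
; A string SID reported as NAME is the failure from the thread: it would be
; sent to the account-name lookup instead of being converted as a SID.
Func _CompareSidDetection()
    Local $sReport = ''
    For $i = 0 To UBound($aInputs) - 1
        Local $sIn = $aInputs[$i]
        $sReport &= $sIn & @CRLF
        $sReport &= '  sub-authorities : ' & _CountSubAuthorities($sIn) & @CRLF
        $sReport &= '  original pattern: ' & (StringRegExp($sIn, $SID_PATTERN_ORIGINAL) ? 'SID' : 'NAME') & @CRLF
        $sReport &= '  revised pattern : ' & (StringRegExp($sIn, $SID_PATTERN_REVISED) ? 'SID' : 'NAME') & @CRLF
        $sReport &= '  Windows API     : ' & (_IsSidStringByApi($sIn) ? 'SID' : 'NAME') & @CRLF
    Next
    Return $sReport
EndFunc   ;==>_CompareSidDetection

ConsoleWrite(_CompareSidDetection())
```

Run it from SciTE or with a console attached to read the report; any input where the pattern columns and the API column disagree is one a regex-only _GetSidStruct would route to the wrong branch.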

 

Posted (edited)

Is this supposed to work in Windows 10 (64) as well?

Or did I miss something?

/L

 

trying this code for fun.

#RequireAdmin
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Compile_Both=y
#AutoIt3Wrapper_UseX64=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****


Global $key7, $key8
If @OSArch = "X64" Then
    $key7 = "HKLM64"
    $key8 = "HKCU64"

Else
    $key7 = "HKLM"
    $key8 = "HKCU"
EndIf
#include <Array.au3>
#include 'Permissions.au3'
_InitiatePermissionResources()

RegWrite($key7 & '\SOFTWARE\Example') ; write a registry key
Local $TI = TimerInit()
Local $ret = _DenyAllAccess($key7 & '\SOFTWARE\Example', $SE_REGISTRY_KEY, @UserName)
Local $TD = TimerDiff($TI)
MsgBox(0, '', 'Deny all access to HKLM\SOFTWARE\Example and take ownership:' & @CRLF & @CRLF & _
        '_DenyAllAccesss return value: ' & $ret & ' Time: ' & Round($TD, 2) & ' miliseconds.' & @CRLF & _
        'Check the registry key permissons before closing the message box.')

$TI = TimerInit()
$ret = _GrantReadAccess($key7 & '\SOFTWARE\Example', $SE_REGISTRY_KEY, 'Administrators')
$TD = TimerDiff($TI)
MsgBox(0, '', 'Grant everyone read access, all access to admins and system, and set the owner: Admins group' & @CRLF & @CRLF & _
        '_GrantReadAccesss return value: ' & $ret & ' Time: ' & Round($TD, 2) & ' miliseconds.' & @CRLF & _
        'Check the registry key permissons before closing the message box.')

$TI = TimerInit()
$ret = _GrantAllAccess($key7 & '\SOFTWARE\Example')
$TD = TimerDiff($TI)
MsgBox(0, '', 'Grant everyone access' & @CRLF & @CRLF & _
        '_GrantAllAccesss return value: ' & $ret & ' Time: ' & Round($TD, 2) & ' miliseconds.' & @CRLF & _
        'Check the registry key permissons before closing the message box.')

$TI = TimerInit()
$ret = _CopyFullDacl($key7 & '\SOFTWARE\Example', $SE_REGISTRY_KEY, @ScriptDir)
$TD = TimerDiff($TI)
MsgBox(0, '', 'Restore all inherited permissions' & @CRLF & @CRLF & _
        '_CopyFullDacl return value: ' & $ret & ' Time: ' & Round($TD, 2) & ' miliseconds.' & @CRLF & _
        'Check the registry key permissons before closing the message box.')

$TI = TimerInit()
Local $aPerm[2][3] = [['Restricted', 1, $GENERIC_ALL], ['Users', 1, $GENERIC_ALL]]
$ret = _EditObjectPermissions($key7 & '\SOFTWARE\Example', $aPerm)
$TD = TimerDiff($TI)
MsgBox(0, '', 'Add two granted access aces: Restricted and Users' & @CRLF & @CRLF & _
        '_EditObjectPermissions return value: ' & $ret & ' Time: ' & Round($TD, 2) & ' miliseconds.' & @CRLF & _
        'Check the registry key permissons before closing the message box.')

$TI = TimerInit()
Dim $aPerm[2][3] = [['Restricted', 1, $GENERIC_READ], ['Users', 1, $GENERIC_READ]]
$ret = _EditObjectPermissions($key7 & '\SOFTWARE\Example', $aPerm)
$TD = TimerDiff($TI)
MsgBox(0, '', 'Give only read access to the Restricted and Users groups' & @CRLF & @CRLF & _
        '_EditObjectPermissions return value: ' & $ret & ' Time: ' & Round($TD, 2) & ' miliseconds.' & @CRLF & _
        'Check the registry key permissons before closing the message box.')

$TI = TimerInit()
Dim $aPerm[2][3] = [['Restricted', 0, $GENERIC_ALL], ['Users', 0, $GENERIC_ALL]]
$ret = _EditObjectPermissions($key7 & '\SOFTWARE\Example', $aPerm)
$TD = TimerDiff($TI)
MsgBox(0, '', 'Deny access to the Restricted and Users groups' & @CRLF & @CRLF & _
        '_EditObjectPermissions return value: ' & $ret & ' Time: ' & Round($TD, 2) & ' miliseconds.' & @CRLF & _
        'Check the registry key permissons before closing the message box.')

$TI = TimerInit()
Local $Hndl = _Permissions_OpenProcess(@AutoItPID)
Local $SDBefore = _GetObjectStringSecurityDescriptor($Hndl, $SE_KERNEL_OBJECT)
Local $CODRet = _ClearObjectDacl($Hndl, $SE_KERNEL_OBJECT)
Local $DARet = _DenyAllAccess($Hndl, $SE_KERNEL_OBJECT)
Local $SDAfter = _GetObjectStringSecurityDescriptor($Hndl, $SE_KERNEL_OBJECT)
$TD = Round(TimerDiff($TI), 2)
MsgBox(0, '', 'Deny everyone access to the current process:' & @CRLF & @CRLF & _
        '@AutoItPID original security descriptor: ' & @CRLF & $SDBefore & @CRLF & @CRLF & _
        '_ClearObjectDacl return value: ' & $CODRet & @CRLF & @CRLF & _
        '_DenyAllAccess_ return value: ' & $DARet & @CRLF & @CRLF & _
        'New @AutoItPID security descriptor: ' & @CRLF & _
        $SDAfter & @CRLF & @CRLF & 'Time taken: ' & $TD & ' miliseconds.')
_Permissions_CloseHandle($Hndl)

RegDelete($key7 & '\SOFTWARE\Example')
_ClosePermissionResources()

 

Edited by lgvlgv
Posted (edited)

@lgvlgv With this UDF, "HKLM64" and "HKCU64" are not valid.  Have a look at the _Security_RegKeyName function for valid paths.  

 

Adam

 

Edited by AdamUL
Posted (edited)

@AdamUL LOL no, a replacement issue. I replaced "then" with "" for the Select...EndSelect and Authenticated Users has that word. I have edited the post, thanks for letting me know.

Edited by Terenz


 

  • 1 month later...
Posted (edited)

I love the fact this UDF exists. However, after two days, I cannot get it to do what I want. Please help.

I want to give myself "Full Permission" to a registry key and its subkeys.

For example: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

I don't want to list all the code I've tried because it would just confuse the issue.

Thank you in advance to anyone who can shed some light on this.

taurus905

Edited by taurus905

"Never mistake kindness for weakness."-- Author Unknown --"The highest point to which a weak but experienced mind can rise is detecting the weakness of better men."-- Georg Lichtenberg --Simple Obfuscator (Beta not needed.), Random names for Vars and Funcs

Posted

Here is my code to take ownership of a regkey "Metered connections" and change the values under it.

Maybe it's of some use to you?

Case $ButtonWSUS
                        Local $reg1tmp = RegRead($key7 & "\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "AUOptions")

                        $sWindowsUpdate = GUICtrlRead($WindowsUpdate, $GUI_READ_EXTENDED)
                        $sCheckboxWiFi = GUICtrlRead($CheckboxWiFi)
                        $sCheckboxEthernet = GUICtrlRead($CheckboxEthernet)
                        ConsoleWrite(RegRead($key7 & "\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "AUOptions") & @CRLF)
                        ConsoleWrite($sWindowsUpdate & @CRLF)
                        ConsoleWrite($sCheckboxWiFi & @CRLF)
                        ConsoleWrite($sCheckboxEthernet & @CRLF)
                        ;               Exit
                        Local $TI = TimerInit()
                        Local $ret = _SetObjectOwner('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost', $SE_REGISTRY_KEY, 'Administrators')
                        Local $TD = TimerDiff($TI)
                        ConsoleWrite('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost Administrators take ownership: ' & $ret & ' Time: ' & Round($TD, 2) & ' miliseconds.' & @CRLF)
                        _DebugOut('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost Administrators take ownership: ' & $ret & ' Time: ' & Round($TD, 2) & ' miliseconds.')

                        ConsoleWrite("$WindowsUpdate: " & GUICtrlRead($WindowsUpdate, 0) & @CRLF)

                        If GUICtrlRead($WindowsUpdate, 1) = "Notify for download and notify for install" Then
                            RegWrite($key7 & "\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "AUOptions", "REG_DWORD", "2")

                        ElseIf GUICtrlRead($WindowsUpdate, 1) = "Auto download and notify for install" Then
                            RegWrite($key7 & "\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "AUOptions", "REG_DWORD", "3")

                        ElseIf GUICtrlRead($WindowsUpdate, 1) = "Auto download and schedule install" Then
                            RegWrite($key7 & "\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "AUOptions", "REG_DWORD", "4")

                        Else
                            RegDelete($key7 & "\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "AUOptions")
                        EndIf

                        ConsoleWrite("$CheckboxNoReboot1: " & GUICtrlRead($CheckboxNoReboot1) & @CRLF)
                        If GUICtrlRead($CheckboxNoReboot1) = "1" Then
                            RegWrite($key7 & "\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoRebootWithLoggedOnUsers", "REG_DWORD", "1")
                        Else
                            RegWrite($key7 & "\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoRebootWithLoggedOnUsers", "REG_DWORD", "0")
                        EndIf

                        ConsoleWrite("$CheckboxTelemetry: " & GUICtrlRead($CheckboxTelemetry) & @CRLF)
                        If GUICtrlRead($CheckboxTelemetry) = "1" Then
                            RegWrite($key7 & "\SOFTWARE\Policies\Microsoft\Windows\DataCollection", "AllowTelemetry", "REG_DWORD", "1")
                        Else
                            RegWrite($key7 & "\SOFTWARE\Policies\Microsoft\Windows\DataCollection", "AllowTelemetry", "REG_DWORD", "0")
                        EndIf

                        ConsoleWrite("$CheckboxWiFi: " & GUICtrlRead($CheckboxWiFi) & @CRLF)
                        If GUICtrlRead($CheckboxWiFi) = "1" Then
                            RegWrite($key7 & "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost", "WiFi", "REG_DWORD", "2")
                        Else
                            RegWrite($key7 & "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost", "WiFi", "REG_DWORD", "1")
                        EndIf

                        ConsoleWrite("$CheckboxEthernet: " & GUICtrlRead($CheckboxEthernet) & @CRLF)
                        If GUICtrlRead($CheckboxEthernet) = "1" Then
                            RegWrite($key7 & "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost", "Ethernet", "REG_DWORD", "2")
                        Else
                            RegWrite($key7 & "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost", "Ethernet", "REG_DWORD", "1")
                        EndIf
                        GUIDelete($MuhApp1)
                        ExitLoop
                    Case $GUI_EVENT_CLOSE
                        GUIDelete($MuhApp1)
                        ExitLoop
                EndSwitch
            WEnd

            _Permissions_CloseHandle($Hndl)

 

Posted
On 11/5/2016 at 1:23 AM, lgvlgv said:

Here is my code to take ownership of a regkey "Metered connections" and change the values under it.

Maybe it's of some use to you?

Thank you, lgvlgv.

I'm still having issues performing this task.

My plan is to start a new topic where I can fully outline what I'm trying to accomplish, along with my code and what is not working.

taurus905


  • 4 months later...
Posted

Hi,

Is there a final version of Permissions.au3?

Like others when I update a permission with EditObjectPermissions, it works but all other permissions are deleted.

 

Thanks.

  • 1 month later...
Posted

@Biatu

Does this give you what you are looking for?

$sName = ObjName()

 

"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to build bigger and better idiots. So far, the universe is winning."- Rick Cook
