AdamUL
Posted September 21, 2016

Here is another example. This example shows how to remove a group (or user) from a DACL, and how to change a user's permission in the same DACL using an array created by _MergeDaclToArray to read the DACL from an object. The array is then searched to find the specific group and user.

    #RequireAdmin

    #include <Array.au3>
    #include <Security.au3>
    #include 'Permissions.au3'

    _InitiatePermissionResources()

    Global $sFile = @ScriptDir & '\test.txt'
    FileWrite($sFile, 'test')
    MsgBox(0, "File", "Created")

    MsgBox(0, "StringSecurityDescriptor", _GetObjectStringSecurityDescriptor($sFile))

    Global $aPerm[4][3]
    $aPerm[0][0] = @UserName
    $aPerm[0][1] = 1
    $aPerm[0][2] = $GENERIC_ALL ;Full Control.
    $aPerm[1][0] = 'Everyone'
    $aPerm[1][1] = 1
    $aPerm[1][2] = $FILE_AUTH_USERS_DEFAULT ;Modify.
    $aPerm[2][0] = 'AD_Staff' ;AD Security Group. Group must exist in AD.
    $aPerm[2][1] = 1
    $aPerm[2][2] = $FILE_AUTH_USERS_DEFAULT ;Modify.
    $aPerm[3][0] = "User01"
    $aPerm[3][1] = 1
    $aPerm[3][2] = BitOR($GENERIC_READ, $GENERIC_WRITE, $GENERIC_EXECUTE) ;Read, write & execute.
    ;~ _ArrayDisplay($aPerm,$sFile)

    Global $iRet
    Global $pDACL

    ;Add explicit permissions to newly created file.
    $iRet = _EditObjectPermissions($sFile, $aPerm)
    MsgBox(0, '', '_EditObjectPermissions return value: ' & $iRet & @CRLF & _
            'Check the file permissons before closing the message box.')
    MsgBox(0, "StringSecurityDescriptor", _GetObjectStringSecurityDescriptor($sFile))

    ;Get the file's DACL.
    $pDACL = _GetObjectDacl($sFile)
    If @error Then MsgBox(16, "ERROR", "Error _GetObjectDacl")

    ;Redeclare as an empty array to fill with the DACL read from the object.
    Global $aPerm[0][3]
    $iRet = _MergeDaclToArray($pDACL, $aPerm, 0) ;If there are no explicit permissions, and only inherited, the return value will be 0.
    MsgBox(0, '', '_MergeDaclToArray return value: ' & $iRet)

    ;SIDs are DLL structs so they show up as blank strings in the array. Permissions show up as signed integers.
    _ArrayDisplay($aPerm, $sFile)

    ;Search the DACL array.
    Global $aAcct
    Global $sAcct
    For $i = UBound($aPerm, 1) - 1 To 0 Step -1
        ;Convert SIDs to be searchable.
        $aAcct = _Security__LookupAccountSid(DllStructGetPtr($aPerm[$i][0]))
        $sAcct = ($aAcct[1] <> "" ? $aAcct[1] & "\" : "" ) & $aAcct[0]
        ;Log before editing: after _ArrayDelete, row $i no longer holds this account's SID (or no longer exists).
        ConsoleWrite($sAcct & " _Security__IsValidSid: " & _Security__IsValidSid(DllStructGetPtr($aPerm[$i][0])) & @CRLF)
        If StringInStr($sAcct, 'AD_Staff') Then _ArrayDelete($aPerm, $i) ;Remove user permissions from DACL.
        If StringInStr($sAcct, 'User01') Then $aPerm[$i][2] = $FILE_AUTH_USERS_DEFAULT ;Change user's permissions in the DACL to Modify.
    Next

    ;Group removed and permission changed for other user.
    _ArrayDisplay($aPerm, $sFile)

    ;Since a SID was removed from the DACL array, the DACL must be cleared.
    _ClearObjectDacl($sFile)

    ;Since the DACL was cleared, inherited permissions must be added back.
    _InheritParentPermissions($sFile)

    ;Add the new DACL array back to the object.
    $iRet = _EditObjectPermissions($sFile, $aPerm)
    MsgBox(0, '', '_EditObjectPermissions return value: ' & $iRet & @CRLF & _
            'Check the file permissons before closing the message box.')
    MsgBox(0, "StringSecurityDescriptor", _GetObjectStringSecurityDescriptor($sFile))

    FileDelete($sFile)
    MsgBox(0, "File", "Deleted")

    _ClosePermissionResources()

Adam

Terenz
Posted September 22, 2016 (edited)

On Wednesday, September 14, 2016 at 9:28 PM, AdamUL said:
> @Terenz Now with the change to the UDF mentioned above. Here is an example that I think will do what you need.

Hi Adam, I'm sorry for the delay. I still need this thing to work, but it seems that, even with the changes to _MergeDaclToArray by FredAI, I don't have any success:

    #RequireAdmin

    #include 'Permissions.au3'

    _InitiatePermissionResources()

    Global $sFile = @WindowsDir & "\System32\aaclient.dll" ; random dll
    ;~ FileWrite($sFile, 'test')
    ;~ MsgBox(0, "File", "Created")

    MsgBox(0, "File", $sFile & ":" & FileExists($sFile))

    Global $aPerm[1][3]
    $aPerm[0][0] = @UserName
    $aPerm[0][1] = 1
    $aPerm[0][2] = $GENERIC_ALL

    Global $pDACL = _GetObjectDacl($sFile)

    Global $iRet = _EditObjectPermissions($sFile, $aPerm)
    MsgBox(0, '', '_EditObjectPermissions return value: ' & @CRLF & _
            'Check the file permissons before closing the message box.')

    $iRet = _SetObjectSecurity($sFile, $SE_FILE_OBJECT, $DACL_SECURITY_INFORMATION, 0, 0, $pDACL, 0)
    MsgBox(0, '', 'Restore all permissions' & @CRLF & @CRLF & _
            '_SetObjectSecurity return value: ' & $iRet & @CRLF & _
            'Check the file permissons before closing the message box.')

    ;~ FileDelete($sFile)
    ;~ MsgBox(0, "File", "Deleted")

    _ClosePermissionResources()

I have taken a random DLL from the system for a simple reason:

- "Administrators", "SYSTEM" and "Users" have only "Read" and "Read and execute"
- TrustedInstaller has full access and is the owner

In theory the script needs to change/add my @Username (it is part of the Administrators group) and give it full access to the file? And then restore everything to the default situation? Well, that is my final goal.

I have also tried to change the owner to my user "manually" via the Windows interface and then run the script; nothing changes.

If I use, for example, something like:

    ICACLS "C:\Windows\System32\aaclient.dll" /grant "MY_USERNAME":F

it works fine, but I don't want to be Windows-tool dependent, on XP I don't have it, and there is always the problem of restoring the initial situation. I really appreciate your help with this; I can't resolve it by myself.

EDIT: Wait, it works! But only if I compile x64 on the x64 system; it does not work if the executable is x86 on an x64 system! I'll try to investigate.

    x86 _GetObjectDacl return 0x009FF464
    x64 _GetObjectDacl return 0x0000000000691280
    x86 _EditObjectPermissions = 0 @error = 0 and _SetObjectSecurity = 0 @error = 5
    x64 _EditObjectPermissions = 1 and _SetObjectSecurity = 1

Does it fail because of _GetObjectDacl?

Edited September 22, 2016 by Terenz

Nothing is so strong as gentleness. Nothing is so gentle as real strength

AdamUL
Posted September 22, 2016

@Terenz I just noticed an issue with the script I posted for you. I didn't have the return value for _EditObjectPermissions in the MsgBox. I edited my post to add this. I think I was able to get it to work, give this a try. You have to change the owner of the file, to set the permissions on a file, that you are not an owner of or in a group that is an owner.

    #RequireAdmin

    #include <Array.au3>
    #include 'Permissions.au3'
    #include <Security.au3>

    _InitiatePermissionResources()

    Global $sFile = "C:\Windows\System32\aaclient.dll"

    Global $aPerm[1][3]
    $aPerm[0][0] = @UserName
    $aPerm[0][1] = 1
    $aPerm[0][2] = $GENERIC_ALL ;Full Control.
    ;~ $aPerm[0][2] = $FILE_USERS_DEFAULT ;Read & execute.
    ;~ $aPerm[0][2] = $FILE_AUTH_USERS_DEFAULT ;Modify.
    ;~ _ArrayDisplay($aPerm,$sFile)

    Global $pDACL = _GetObjectDacl($sFile)
    Global $sOwner = _GetObjectOwner($sFile)
    MsgBox(0, "Owner", "SID: " & $sOwner & @CRLF & @CRLF & "Name: " & _Security__LookupAccountSid($sOwner)[0])

    Global $iRet = _SetObjectOwner($sFile, $SE_FILE_OBJECT, @UserName)
    MsgBox(0, '', '_SetObjectOwner return value: ' & $iRet & @CRLF & _
            'Check the file permissons before closing the message box.')

    $iRet = _EditObjectPermissions($sFile, $aPerm)
    MsgBox(0, '', '_EditObjectPermissions return value: ' & $iRet & @CRLF & _
            'Check the file permissons before closing the message box.')

    $iRet = _SetObjectSecurity($sFile, $SE_FILE_OBJECT, $DACL_SECURITY_INFORMATION, 0, 0, $pDACL, 0)
    Global $iRet1 = _SetObjectOwner($sFile, $SE_FILE_OBJECT, $sOwner)
    MsgBox(0, '', 'Restore all permissions' & @CRLF & @CRLF & _
            '_SetObjectSecurity return value: ' & $iRet & @CRLF & _
            '_SetObjectOwner return value: ' & $iRet1 & @CRLF & _
            'Check the file permissons before closing the message box.')

    _ClosePermissionResources()

Adam

Surf243
Posted September 23, 2016

Hey @AdamUL, I noticed an issue I had with FredAl's updated _MergeDaclToArray function as shown in post #50. I renamed the old function and added the new function to do a side-by-side comparison test. Here's my test:

    #RequireAdmin

    #include <Array.au3>
    #include 'Permissions.au3'
    #include <Security.au3>

    Global $aNewArray[1][4]
    Global $aOldArray[1][4]

    _InitiatePermissionResources()

    Global $sFile = "C:\log\folder1"
    $pDACL = _GetObjectDacl($sFile)

    _MergeDaclToArray_Old($pDacl, $aOldArray)
    _MergeDaclToArray_New($pDacl, $aNewArray)

    $iRows = UBound($aOldArray, $UBOUND_ROWS) - 1
    For $i = 0 To $iRows
        $sUser = _Security__LookupAccountSid(_SidToStringSid(DllStructGetPtr($aOldArray[$i][0])))
        $aOldArray[$i][0] = $sUser[1] & "\" & $sUser[0] ; Domain\Username
        $aNewArray[$i][0] = $sUser[1] & "\" & $sUser[0] ; Domain\Username
    Next

    _ArrayDisplay($aOldArray, "_MergeDaclToArray_Old")
    _ArrayDisplay($aNewArray, "_MergeDaclToArray_New")

    _ClosePermissionResources()

I found 2 issues (see pics below):

- It changed the size of the array
- It left out the Inheritance flags

This was an issue since we have permissions that use "List Folder Contents" which needs the flag to be 2 not 3 otherwise it looks like "Read-Only". So I compared the differences between both functions and modified it to get the results I needed.

New Modified Function: (I commented on the changes I made)

    Func _MergeDaclToArray(ByRef $Dacl, ByRef $aPerm, $Filter = 1)
        If Not IsArray($aPerm) Or UBound($aPerm,2) < 3 Then Return SetError(1,0,0)
        Local $_EXPLICIT_ACCESS, $t_EXPLICIT_ACCESS = 'DWORD;DWORD;DWORD;ptr;DWORD;DWORD;DWORD;ptr'
        Local $aCall = DllCall($h__Advapi32Dll,'DWORD','GetExplicitEntriesFromAcl','ptr',$Dacl,'ulong*',0,'ptr*',0)
        If @error Or $aCall[0] Then Return SetError(2,0,0)
        Local $uB = UBound($aPerm), $l = 0, $TrusteeExists, $E = $aCall[2], $eaSID, $aPermSid, $pEa = $aCall[3]
        Local $aAce, $uB2 = UBound($aPerm,2) ; Add This Line
        For $i = 2 To $E
            $t_EXPLICIT_ACCESS &= ';DWORD;DWORD;DWORD;ptr;DWORD;DWORD;DWORD;ptr'
        Next
        $_EXPLICIT_ACCESS = DllStructCreate($t_EXPLICIT_ACCESS, $pEa)
        For $i = 0 To $uB -1
            If Not IsDllStruct($aPerm[$i][0]) Then $aPerm[$i][0] = _GetSidStruct($aPerm[$i][0])
        Next
        For $i = 0 To $E ; Changed from '1' to '0'
            $eaSID = DllStructGetData($_EXPLICIT_ACCESS, $l+8)
            $aAce = _GetAce($Dacl, $i) ; Added This Line
            If $eaSID = 0 Then ContinueLoop
            $TrusteeExists = 0
            If $Filter Then
                For $c = 0 To $uB -1
                    $aCall = DllCall($h__Advapi32Dll,'BOOL','EqualSid','ptr',$eaSID,'ptr',DllStructGetPtr($aPerm[$c][0]))
                    If Not @error Then $TrusteeExists = $aCall[0]
                    If $TrusteeExists Then ExitLoop
                Next
            EndIf
            If Not $TrusteeExists And _IsValidSid($eaSID) Then
                ReDim $aPerm[$uB+1][$uB2] ; Changed from '3' to '$uB2'
                $aPerm[$uB][0] = DllStructCreate('byte SID['&_GetLengthSid($eaSID)&']',$eaSID)
                $aPerm[$uB][1] = Number(DllStructGetData($_EXPLICIT_ACCESS,$l+2) = 1)
                $aPerm[$uB][2] = DllStructGetData($_EXPLICIT_ACCESS,$l+1)
                If $uB2 > 3 Then $aPerm[$uB][3] = $aAce[3] ; Added This Line
                $uB += 1
            EndIf
            $l += 8
        Next
        Return $pEa
    EndFunc ;==> _MergeDaclToArray
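
To make the inheritance flags discussed in the post above visible, here is an added example (not part of the original posts and not code from Permissions.au3) that reads each ACE header of a folder's DACL directly and decodes its flags. The `$EX_` constants, the `_Ex_` function names and the choice of `@WindowsDir` as the folder are assumptions of this example; flag value 2 is CONTAINER_INHERIT_ACE alone, while 3 adds OBJECT_INHERIT_ACE so files inherit the entry too.

```autoit
#include <Security.au3>

; Inheritance bits of ACE_HEADER.AceFlags (values from winnt.h; the $EX_ names are this example's own).
Global Const $EX_OBJECT_INHERIT = 0x01    ; OI: files inherit the ACE
Global Const $EX_CONTAINER_INHERIT = 0x02 ; CI: subfolders inherit the ACE
Global Const $EX_INHERIT_ONLY = 0x08      ; IO: does not apply to the folder itself
Global Const $EX_INHERITED = 0x10         ; ACE was inherited from a parent

; Hypothetical helper: Explorer-style "Applies to" text for a folder ACE.
Func _Ex_AppliesTo($iFlags)
    Local $sKids = ''
    Switch BitAND($iFlags, BitOR($EX_OBJECT_INHERIT, $EX_CONTAINER_INHERIT))
        Case 3
            $sKids = 'subfolders and files'
        Case 2
            $sKids = 'subfolders'
        Case 1
            $sKids = 'files'
    EndSwitch
    If $sKids = '' Then Return 'This folder only'
    If BitAND($iFlags, $EX_INHERIT_ONLY) Then Return StringUpper(StringLeft($sKids, 1)) & StringMid($sKids, 2) & ' only'
    Return 'This folder' & ($iFlags = -1 ? '' : (StringInStr($sKids, ' and ') ? ', ' : ' and ')) & $sKids
EndFunc   ;==>_Ex_AppliesTo

; Hypothetical helper: returns rows of [ACE type, ACE flags, access mask, string SID].
Func _Ex_ReadAces($sPath)
    ; SE_FILE_OBJECT = 1, DACL_SECURITY_INFORMATION = 4
    Local $aCall = DllCall('advapi32.dll', 'dword', 'GetNamedSecurityInfoW', 'wstr', $sPath, 'int', 1, _
            'dword', 4, 'ptr', 0, 'ptr', 0, 'ptr*', 0, 'ptr', 0, 'ptr*', 0)
    If @error Then Return SetError(1, 0, 0)
    If $aCall[0] <> 0 Then Return SetError(2, $aCall[0], 0) ; @extended = Win32 error code
    Local $pDacl = $aCall[6], $pSD = $aCall[8], $iCount = 0
    If $pDacl <> 0 Then
        ; The ACL header stores the number of ACEs.
        Local $tAcl = DllStructCreate('byte Revision;byte Sbz1;word AclSize;word AceCount;word Sbz2', $pDacl)
        $iCount = DllStructGetData($tAcl, 'AceCount')
    EndIf
    Local $aRows[$iCount][4], $tAce, $iType
    For $i = 0 To $iCount - 1
        $aCall = DllCall('advapi32.dll', 'bool', 'GetAce', 'ptr', $pDacl, 'dword', $i, 'ptr*', 0)
        If @error Or Not $aCall[0] Then ContinueLoop
        $tAce = DllStructCreate('byte AceType;byte AceFlags;word AceSize;dword Mask;dword SidStart', $aCall[3])
        $iType = DllStructGetData($tAce, 'AceType')
        $aRows[$i][0] = $iType
        $aRows[$i][1] = DllStructGetData($tAce, 'AceFlags')
        $aRows[$i][2] = DllStructGetData($tAce, 'Mask')
        ; Only ACCESS_ALLOWED_ACE (0) and ACCESS_DENIED_ACE (1) keep the SID right after the mask.
        $aRows[$i][3] = ($iType <= 1) ? _Security__SidToStringSid(DllStructGetPtr($tAce, 'SidStart')) : ''
    Next
    DllCall('kernel32.dll', 'handle', 'LocalFree', 'handle', $pSD) ; the DACL lives inside this descriptor
    Return $aRows
EndFunc   ;==>_Ex_ReadAces

Global $sFolder = @WindowsDir ; assumption: any folder the current user may read
Global $aAces = _Ex_ReadAces($sFolder)
If @error Then
    ConsoleWrite('Could not read the DACL of ' & $sFolder & @CRLF)
    Exit 1
EndIf
Global $sKind, $sScope
For $i = 0 To UBound($aAces) - 1
    $sKind = ($aAces[$i][0] = 0) ? 'Allow' : (($aAces[$i][0] = 1) ? 'Deny' : 'Other')
    $sScope = _Ex_AppliesTo($aAces[$i][1])
    If BitAND($aAces[$i][1], $EX_INHERITED) Then $sScope &= ' (inherited)'
    ConsoleWrite(StringFormat('%-6s flags=0x%02X mask=0x%s  %-48s %s', $sKind, $aAces[$i][1], _
            Hex($aAces[$i][2], 8), $sScope, $aAces[$i][3]) & @CRLF)
Next
```

The script only reads the security descriptor, so it can be run against a folder before and after a change made with the UDF to confirm that the flags column survived the round trip.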

AdamUL
Posted September 23, 2016

@Surf243 Very good find. I'm updating my copy of the UDF with your updated function. I'm still working on testing this UDF, and plan to add some more example posts. Thanks again.

Adam

AdamUL
Posted September 23, 2016

@Terenz I'm currently running on 32-bit, so I'm unable to test. It could be an issue with the DLL call and the OS bitness. There is one thing I would like you to try, if you don't mind. Could you add this to the top of your 32-bit script, and see if it runs correctly on 64-bit? I'm not sure it will work, but I am curious to see.

    #include <WinAPIFiles.au3>

    If @OSArch = "X64" And Not @AutoItX64 Then _WinAPI_Wow64EnableWow64FsRedirection(False)

Adam

Terenz
Posted September 24, 2016 (edited)

12 hours ago, AdamUL said:
> @Terenz I'm currently running on 32-bit, so I'm unable to test. It could be an issue with the DLL call and the OS bitness. There is one thing I would like you to try, if you don't mind. Could you add this to the top of your 32-bit script, and see if it runs correctly on 64-bit?

Adam, about the redirection, you are correct: the script always takes another DLL instead of the one I have put in the path.

Your second script at post #143 works "partially" fine. _GetObjectOwner gives me the correct owner and the SID is also valid; I have checked with CMD "sc showsid TrustedInstaller".

If I put:

    FileMove("C:\Windows\System32\aaclient.dll", @ScriptDir)

after _EditObjectPermissions, the file is moved to @ScriptDir (just as a test, to see if the permissions are all correct), and up to that point everything goes in the right direction. The problem is here:

    $iRet = _SetObjectSecurity(@ScriptDir & "\aaclient.dll", $SE_FILE_OBJECT, $DACL_SECURITY_INFORMATION, 0, 0, $pDACL, 0)
    Global $iRet1 = _SetObjectOwner(@ScriptDir & "\aaclient.dll", $SE_FILE_OBJECT, $sOwner)
    MsgBox(0, '', 'Restore all permissions' & @CRLF & @CRLF & _
            '_SetObjectSecurity return value: ' & $iRet & @CRLF & _
            '_SetObjectOwner return value: ' & $iRet1 & @error & @CRLF & @CRLF & _
            'Check the file permissons before closing the message box.')

It restores the original permissions with _SetObjectSecurity, but _SetObjectOwner FAILS! It gives me 0 and the error is 87. Searching for this 87, I have seen that it comes from SetNamedSecurityInfo and the error is "Invalid Parameter". What? What parameter is invalid?

P.S. If I replace "TrustedInstaller" with the "Administrators" group as owner, _SetObjectOwner can correctly restore the original owner after the FileMove, so there is a problem with "TrustedInstaller" inside the script, maybe in _GetSidStruct?

With the "Administrators" SID, the return values inside _SetObjectOwner are:

    $SID = ""
    $pSID = 0x034B7588

With the "TrustedInstaller" SID taken from _GetObjectOwner:

    $SID = 0
    $pSID = 0

That's why error 87: $pSID is 0, SetNamedSecurityInfo fails, and I really don't know why.

This works fine:

    _SetObjectOwner(@ScriptDir & "\aaclient.dll", $SE_FILE_OBJECT, "TrustedInstaller")

This does NOT:

    _SetObjectOwner(@ScriptDir & "\aaclient.dll", $SE_FILE_OBJECT, "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464")

So the problem is the SID processed by _SetObjectOwner; I prefer not to use the owner name in any case. Thanks for your help, I appreciate it.

PROBLEM FOUND! It was the damn, stupid StringRegExp, hours lost for this. The original _GetSidStruct identifies the SID as a NAME! Here you can see the difference between the old version and mine:

    _GetSidStruct_Original("S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464")
    _GetSidStruct_New("S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464")

    Func _GetSidStruct_Original($AccountName)
        If $AccountName = 'TrustedInstaller' Then $AccountName = 'NT SERVICE\TrustedInstaller'
        If $AccountName = 'Everyone' Then
    ;~      Return _StringSidToSid('S-1-1-0')
        ElseIf $AccountName = 'Authenticated Users' Then
    ;~      Return _StringSidToSid('S-1-5-11')
        ElseIf $AccountName = 'System' Then
    ;~      Return _StringSidToSid('S-1-5-18')
        ElseIf $AccountName = 'Administrators' Then
    ;~      Return _StringSidToSid('S-1-5-32-544')
        ElseIf $AccountName = 'Users' Then
    ;~      Return _StringSidToSid('S-1-5-32-545')
        ElseIf $AccountName = 'Guests' Then
    ;~      Return _StringSidToSid('S-1-5-32-546')
        ElseIf $AccountName = 'Power Users' Then
    ;~      Return _StringSidToSid('S-1-5-32-547')
        ElseIf $AccountName = 'Local Authority' Then
    ;~      Return _StringSidToSid('S-1-2')
        ElseIf $AccountName = 'Creator Owner' Then
    ;~      Return _StringSidToSid('S-1-3-0')
        ElseIf $AccountName = 'NT Authority' Then
    ;~      Return _StringSidToSid('S-1-5-1')
        ElseIf $AccountName = 'Restricted' Then
    ;~      Return _StringSidToSid('S-1-5-12')
        ElseIf StringRegExp($AccountName, '\A(S-1-\d+(-\d+){0,5})\z') Then
            MsgBox(0,0,"SID")
        Else
            MsgBox(0,0,"NAME")
        EndIf
    EndFunc ;==>_GetSidStruct

    Func _GetSidStruct_New($AccountName)
        If $AccountName = 'TrustedInstaller' Then $AccountName = 'NT SERVICE\TrustedInstaller'
        Select
            Case $AccountName = 'Everyone'
    ;~          Return _StringSidToSid('S-1-1-0')
            Case $AccountName = 'Auticated Users'
    ;~          Return _StringSidToSid('S-1-5-11')
            Case $AccountName = 'System'
    ;~          Return _StringSidToSid('S-1-5-18')
            Case $AccountName = 'Administrators'
    ;~          Return _StringSidToSid('S-1-5-32-544')
            Case $AccountName = 'Users'
    ;~          Return _StringSidToSid('S-1-5-32-545')
            Case $AccountName = 'Guests'
    ;~          Return _StringSidToSid('S-1-5-32-546')
            Case $AccountName = 'Power Users'
    ;~          Return _StringSidToSid('S-1-5-32-547')
            Case $AccountName = 'Local Authority'
    ;~          Return _StringSidToSid('S-1-2')
            Case $AccountName = 'Creator Owner'
    ;~          Return _StringSidToSid('S-1-3-0')
            Case $AccountName = 'NT Authority'
    ;~          Return _StringSidToSid('S-1-5-1')
            Case $AccountName = 'Restricted'
    ;~          Return _StringSidToSid('S-1-5-12')
            Case StringRegExp($AccountName, '\A(S-\d(-\d+){2,14})\z') ; is a SID
    ;~          Return _StringSidToSid($AccountName)
                MsgBox(0, 0, "SID")
            Case Else ; is an account name
    ;~          Local $SID = _LookupAccountName($AccountName)
    ;~          Return _StringSidToSid($SID)
                MsgBox(0, 0, "NAME")
        EndSelect
    EndFunc ;==>_GetSidStruct2

The working function is in the next post.

Edited September 24, 2016 by Terenz

Terenz
Posted September 24, 2016 (edited)

New version of _GetSidStruct

    Func _GetSidStruct($AccountName)
        If $AccountName = 'TrustedInstaller' Then $AccountName = 'NT SERVICE\TrustedInstaller'
        Select
            Case $AccountName = 'Everyone'
                Return _StringSidToSid('S-1-1-0')
            Case $AccountName = 'Authenticated Users'
                Return _StringSidToSid('S-1-5-11')
            Case $AccountName = 'System'
                Return _StringSidToSid('S-1-5-18')
            Case $AccountName = 'Administrators'
                Return _StringSidToSid('S-1-5-32-544')
            Case $AccountName = 'Users'
                Return _StringSidToSid('S-1-5-32-545')
            Case $AccountName = 'Guests'
                Return _StringSidToSid('S-1-5-32-546')
            Case $AccountName = 'Power Users'
                Return _StringSidToSid('S-1-5-32-547')
            Case $AccountName = 'Local Authority'
                Return _StringSidToSid('S-1-2')
            Case $AccountName = 'Creator Owner'
                Return _StringSidToSid('S-1-3-0')
            Case $AccountName = 'NT Authority'
                Return _StringSidToSid('S-1-5-1')
            Case $AccountName = 'Restricted'
                Return _StringSidToSid('S-1-5-12')
            Case StringRegExp($AccountName, '\A(S-\d(-\d+){2,14})\z') ; is a SID
                Return _StringSidToSid($AccountName)
            Case Else ; is an account name
                Local $SID = _LookupAccountName($AccountName)
                Return _StringSidToSid($SID)
        EndSelect
    EndFunc ;==>_GetSidStruct

Edited September 26, 2016 by Terenz
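
Why the original pattern classified the TrustedInstaller SID as a name, shown as an added example (not part of the original posts and not code from Permissions.au3): it runs both patterns quoted above over a few string SIDs and cross-checks them against Windows' own parser via `_Security__StringSidToSid` from the standard Security.au3. The `_Ex_` helper names and the `S-1-5-21-...` sample value are constructed for this example.

```autoit
#include <Security.au3>

; The two patterns quoted in the posts above.
Global Const $EX_PATTERN_ORIGINAL = '\A(S-1-\d+(-\d+){0,5})\z'
Global Const $EX_PATTERN_NEW = '\A(S-\d(-\d+){2,14})\z'

; Sample inputs. The S-1-5-80-... value is the TrustedInstaller SID quoted in the thread;
; the S-1-5-21-... value is constructed for illustration.
Global $aSamples[6] = [ _
        'S-1-1-0', _
        'S-1-5-32-544', _
        'S-1-5-21-1111111111-2222222222-3333333333-1001', _
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464', _
        'S-1-2', _
        'NT SERVICE\TrustedInstaller']

; Hypothetical helper: number of sub-authorities in a string shaped like
; S-<revision>-<identifier authority>-<sub-authority>-...  (-1 if not SID-shaped).
Func _Ex_CountSubAuthorities($sText)
    If StringLeft($sText, 2) <> 'S-' Then Return -1
    Local $aParts = StringSplit($sText, '-', 2) ; flag 2: no count element in [0]
    Return UBound($aParts) - 3 ; drop "S", the revision and the identifier authority
EndFunc   ;==>_Ex_CountSubAuthorities

; Hypothetical helper: let Windows decide (ConvertStringSidToSid, wrapped by Security.au3)
; whether the text is a string SID, instead of relying on a hand-written pattern.
Func _Ex_IsStringSid($sText)
    Return IsDllStruct(_Security__StringSidToSid($sText)) <> 0
EndFunc   ;==>_Ex_IsStringSid

; The original pattern matches "S-1-<authority>" followed by at most 5 "-<digits>" groups,
; i.e. at most 5 sub-authorities. A SID can carry up to 15 (SID_MAX_SUB_AUTHORITIES).
; The new pattern counts the identifier authority inside the repeated group, so {2,14}
; means 1 to 13 sub-authorities.
ConsoleWrite(StringFormat('%-66s %-5s %-9s %-4s %s', 'Input', 'Subs', 'Original', 'New', 'Windows') & @CRLF)
For $sText In $aSamples
    ConsoleWrite(StringFormat('%-66s %-5d %-9d %-4d %s', $sText, _
            _Ex_CountSubAuthorities($sText), _
            StringRegExp($sText, $EX_PATTERN_ORIGINAL), _
            StringRegExp($sText, $EX_PATTERN_NEW), _
            _Ex_IsStringSid($sText)) & @CRLF)
Next
```

Comparing the "Subs" column with the two pattern columns shows where each pattern's repeat count stops matching; the "Windows" column is the reference answer on the machine the script runs on.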

lgvlgv
Posted September 24, 2016 (edited)

Is this supposed to work in Windows 10 (64) as well? Or did I miss something? /L

Trying this code for fun.

    #RequireAdmin
    #Region ;**** Directives created by AutoIt3Wrapper_GUI ****
    #AutoIt3Wrapper_Compile_Both=y
    #AutoIt3Wrapper_UseX64=y
    #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****

    Global $key7, $key8
    If @OSArch = "X64" Then
        $key7 = "HKLM64"
        $key8 = "HKCU64"
    Else
        $key7 = "HKLM"
        $key8 = "HKCU"
    EndIf

    #include <Array.au3>
    #include 'Permissions.au3'

    _InitiatePermissionResources()

    RegWrite($key7 & '\SOFTWARE\Example') ; write a registry key

    Local $TI = TimerInit()
    Local $ret = _DenyAllAccess($key7 & '\SOFTWARE\Example', $SE_REGISTRY_KEY, @UserName)
    Local $TD = TimerDiff($TI)
    MsgBox(0, '', 'Deny all access to HKLM\SOFTWARE\Example and take ownership:' & @CRLF & @CRLF & _
            '_DenyAllAccesss return value: ' & $ret & ' Time: ' & Round($TD, 2) & ' miliseconds.' & @CRLF & _
            'Check the registry key permissons before closing the message box.')

    $TI = TimerInit()
    $ret = _GrantReadAccess($key7 & '\SOFTWARE\Example', $SE_REGISTRY_KEY, 'Administrators')
    $TD = TimerDiff($TI)
    MsgBox(0, '', 'Grant everyone read access, all access to admins and system, and set the owner: Admins group' & @CRLF & @CRLF & _
            '_GrantReadAccesss return value: ' & $ret & ' Time: ' & Round($TD, 2) & ' miliseconds.' & @CRLF & _
            'Check the registry key permissons before closing the message box.')

    $TI = TimerInit()
    $ret = _GrantAllAccess($key7 & '\SOFTWARE\Example')
    $TD = TimerDiff($TI)
    MsgBox(0, '', 'Grant everyone access' & @CRLF & @CRLF & _
            '_GrantAllAccesss return value: ' & $ret & ' Time: ' & Round($TD, 2) & ' miliseconds.' & @CRLF & _
            'Check the registry key permissons before closing the message box.')

    $TI = TimerInit()
    $ret = _CopyFullDacl($key7 & '\SOFTWARE\Example', $SE_REGISTRY_KEY, @ScriptDir)
    $TD = TimerDiff($TI)
    MsgBox(0, '', 'Restore all inherited permissions' & @CRLF & @CRLF & _
            '_CopyFullDacl return value: ' & $ret & ' Time: ' & Round($TD, 2) & ' miliseconds.' & @CRLF & _
            'Check the registry key permissons before closing the message box.')

    $TI = TimerInit()
    Local $aPerm[2][3] = [['Restricted', 1, $GENERIC_ALL], ['Users', 1, $GENERIC_ALL]]
    $ret = _EditObjectPermissions($key7 & '\SOFTWARE\Example', $aPerm)
    $TD = TimerDiff($TI)
    MsgBox(0, '', 'Add two granted access aces: Restricted and Users' & @CRLF & @CRLF & _
            '_EditObjectPermissions return value: ' & $ret & ' Time: ' & Round($TD, 2) & ' miliseconds.' & @CRLF & _
            'Check the registry key permissons before closing the message box.')

    $TI = TimerInit()
    Dim $aPerm[2][3] = [['Restricted', 1, $GENERIC_READ], ['Users', 1, $GENERIC_READ]]
    $ret = _EditObjectPermissions($key7 & '\SOFTWARE\Example', $aPerm)
    $TD = TimerDiff($TI)
    MsgBox(0, '', 'Give only read access to the Restricted and Users groups' & @CRLF & @CRLF & _
            '_EditObjectPermissions return value: ' & $ret & ' Time: ' & Round($TD, 2) & ' miliseconds.' & @CRLF & _
            'Check the registry key permissons before closing the message box.')

    $TI = TimerInit()
    Dim $aPerm[2][3] = [['Restricted', 0, $GENERIC_ALL], ['Users', 0, $GENERIC_ALL]]
    $ret = _EditObjectPermissions($key7 & '\SOFTWARE\Example', $aPerm)
    $TD = TimerDiff($TI)
    MsgBox(0, '', 'Deny access to the Restricted and Users groups' & @CRLF & @CRLF & _
            '_EditObjectPermissions return value: ' & $ret & ' Time: ' & Round($TD, 2) & ' miliseconds.' & @CRLF & _
            'Check the registry key permissons before closing the message box.')

    $TI = TimerInit()
    Local $Hndl = _Permissions_OpenProcess(@AutoItPID)
    Local $SDBefore = _GetObjectStringSecurityDescriptor($Hndl, $SE_KERNEL_OBJECT)
    Local $CODRet = _ClearObjectDacl($Hndl, $SE_KERNEL_OBJECT)
    Local $DARet = _DenyAllAccess($Hndl, $SE_KERNEL_OBJECT)
    Local $SDAfter = _GetObjectStringSecurityDescriptor($Hndl, $SE_KERNEL_OBJECT)
    $TD = Round(TimerDiff($TI), 2)
    MsgBox(0, '', 'Deny everyone access to the current process:' & @CRLF & @CRLF & _
            '@AutoItPID original security descriptor: ' & @CRLF & $SDBefore & @CRLF & @CRLF & _
            '_ClearObjectDacl return value: ' & $CODRet & @CRLF & @CRLF & _
            '_DenyAllAccess_ return value: ' & $DARet & @CRLF & @CRLF & _
            'New @AutoItPID security descriptor: ' & @CRLF & _
            $SDAfter & @CRLF & @CRLF & 'Time taken: ' & $TD & ' miliseconds.')

    _Permissions_CloseHandle($Hndl)
    RegDelete($key7 & '\SOFTWARE\Example')
    _ClosePermissionResources()

Edited September 24, 2016 by lgvlgv

AdamUL
Posted September 26, 2016 (edited)

@lgvlgv With this UDF, "HKLM64" and "HKCU64" are not valid. Have a look at the _Security_RegKeyName function for valid paths.

Adam

Edited September 26, 2016 by AdamUL

AdamUL
Posted September 26, 2016

@Terenz Good find. I'm glad you figured it out. One question, did you mean to put "Auticated Users" instead of "Authenticated Users" in your function?

Adam

Terenz
Posted September 26, 2016 (edited)

@AdamUL LOL no, a replacement issue. I have replaced "then" with "" for the Select...EndSelect, and Authenticated Users has that word. I have edited the post, thanks for letting me know.

Edited September 26, 2016 by Terenz

AdamUL
Posted September 26, 2016

You're welcome. I thought it was a typo.

Adam

taurus905
Posted November 4, 2016 (edited)

I love the fact this UDF exists. However, after two days, I cannot get it to do what I want. Please help.

I want to give myself "Full Permission" to a registry key and its subkeys. For example:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

I don't want to list all the code I've tried because it would just confuse the issue. Thank you in advance to anyone who can shed some light on this.

taurus905

Edited November 4, 2016 by taurus905

"Never mistake kindness for weakness." -- Author Unknown
"The highest point to which a weak but experienced mind can rise is detecting the weakness of better men." -- Georg Lichtenberg
Simple Obfuscator (Beta not needed.), Random names for Vars and Funcs

lgvlgv
Posted November 5, 2016

Here is my code to take ownership of a regkey "Metered connections" and change the values under it. Maybe it's of any use to you?

            Case $ButtonWSUS
                Local $reg1tmp = RegRead($key7 & "\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "AUOptions")
                $sWindowsUpdate = GUICtrlRead($WindowsUpdate, $GUI_READ_EXTENDED)
                $sCheckboxWiFi = GUICtrlRead($CheckboxWiFi)
                $sCheckboxEthernet = GUICtrlRead($CheckboxEthernet)
                ConsoleWrite(RegRead($key7 & "\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "AUOptions") & @CRLF)
                ConsoleWrite($sWindowsUpdate & @CRLF)
                ConsoleWrite($sCheckboxWiFi & @CRLF)
                ConsoleWrite($sCheckboxEthernet & @CRLF)
                ; Exit

                Local $TI = TimerInit()
                Local $ret = _SetObjectOwner('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost', $SE_REGISTRY_KEY, 'Administrators')
                Local $TD = TimerDiff($TI)
                ConsoleWrite('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost Administrators take ownership: ' & $ret & ' Time: ' & Round($TD, 2) & ' miliseconds.' & @CRLF)
                _DebugOut('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost Administrators take ownership: ' & $ret & ' Time: ' & Round($TD, 2) & ' miliseconds.')

                ConsoleWrite("$WindowsUpdate: " & GUICtrlRead($WindowsUpdate, 0) & @CRLF)
                If GUICtrlRead($WindowsUpdate, 1) = "Notify for download and notify for install" Then
                    RegWrite($key7 & "\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "AUOptions", "REG_DWORD", "2")
                ElseIf GUICtrlRead($WindowsUpdate, 1) = "Auto download and notify for install" Then
                    RegWrite($key7 & "\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "AUOptions", "REG_DWORD", "3")
                ElseIf GUICtrlRead($WindowsUpdate, 1) = "Auto download and schedule install" Then
                    RegWrite($key7 & "\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "AUOptions", "REG_DWORD", "4")
                Else
                    RegDelete($key7 & "\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "AUOptions")
                EndIf

                ConsoleWrite("$CheckboxNoReboot1: " & GUICtrlRead($CheckboxNoReboot1) & @CRLF)
                If GUICtrlRead($CheckboxNoReboot1) = "1" Then
                    RegWrite($key7 & "\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoRebootWithLoggedOnUsers", "REG_DWORD", "1")
                Else
                    RegWrite($key7 & "\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoRebootWithLoggedOnUsers", "REG_DWORD", "0")
                EndIf

                ConsoleWrite("$CheckboxTelemetry: " & GUICtrlRead($CheckboxTelemetry) & @CRLF)
                If GUICtrlRead($CheckboxTelemetry) = "1" Then
                    RegWrite($key7 & "\SOFTWARE\Policies\Microsoft\Windows\DataCollection", "AllowTelemetry", "REG_DWORD", "1")
                Else
                    RegWrite($key7 & "\SOFTWARE\Policies\Microsoft\Windows\DataCollection", "AllowTelemetry", "REG_DWORD", "0")
                EndIf

                ConsoleWrite("$CheckboxWiFi: " & GUICtrlRead($CheckboxWiFi) & @CRLF)
                If GUICtrlRead($CheckboxWiFi) = "1" Then
                    RegWrite($key7 & "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost", "WiFi", "REG_DWORD", "2")
                Else
                    RegWrite($key7 & "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost", "WiFi", "REG_DWORD", "1")
                EndIf

                ConsoleWrite("$CheckboxEthernet: " & GUICtrlRead($CheckboxEthernet) & @CRLF)
                If GUICtrlRead($CheckboxEthernet) = "1" Then
                    RegWrite($key7 & "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost", "Ethernet", "REG_DWORD", "2")
                Else
                    RegWrite($key7 & "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost", "Ethernet", "REG_DWORD", "1")
                EndIf

                GUIDelete($MuhApp1)
                ExitLoop
            Case $GUI_EVENT_CLOSE
                GUIDelete($MuhApp1)
                ExitLoop
        EndSwitch
    WEnd
    _Permissions_CloseHandle($Hndl)

taurus905
Posted November 8, 2016

On 11/5/2016 at 1:23 AM, lgvlgv said:
> Here is my code to take owner of a regkey "Metered connections" and change the values under it. maybe its any use for u?

Thank you, lgvlgv. I'm still having issues performing this task. My plan is to start a new topic where I can fully outline what I'm trying to accomplish, along with my code and what is not working.

taurus905

Koudou
Posted March 16, 2017

Hi,

Is there a final version of Permissions.au3? Like others, when I update a permission with EditObjectPermissions, it works but all other permissions are deleted.

Thanks.

Biatu
Posted April 22, 2017

Is there a way to get an Object's Type?

What is what? What is what.

Bowmore
Posted April 22, 2017

@Biatu Does this give you what you are looking for?

    $sName = ObjName()

"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to build bigger and better idiots. So far, the universe is winning." - Rick Cook