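#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.3.14.5
 Author:         NoNameCode

 Script Function:
	UDF for SubInAcl.exe /Service functions

#ce ----------------------------------------------------------------------------

#include-once
#include <StringConstants.au3> ; $STR_ENTIRESPLIT, $STR_NOCOUNT, $STR_STRIPLEADING, $STR_STRIPTRAILING
; NOTE(review): this copy of the file lists four #include directives whose file names are missing.
; Only StringConstants.au3 can be inferred from the constants used below; restore the remaining
; includes from the original UDF, in particular the one that defines __SubInAcl_RunWait.

;~ _SubInAcl_TestGui("/service spooler /display=dacl")

#Region Functionslist
#cs
	Main:
		_SubInAcl_Service_Privilege_List($sService, $bDisplayName=False)
			;List all privileged Security Principals and their Deny / Grant Privileges
		_SubInAcl_Service_Privilege_Grant($sService, $sSecurityPrincipal, $sPrivilege)
			;Grant a Privilege to a Security Principal
		_SubInAcl_Service_Privilege_Deny($sService, $sSecurityPrincipal, $sPrivilege)
			;Deny a Privilege to a Security Principal
		_SubInAcl_Service_Privilege_Revoke($sService, $sSecurityPrincipal)
			;Removes a Security Principal from the Privilege List
	Internal:
		__SubInAcl_Service_PrivilegeTranslate($sPrivileges, $bDisplayName=False)
			;Formats all Service Privilege system codes into readable names or usable letter codes
		__SubInAcl_Service_PrivilegeAppend(ByRef $sReturn, $bDisplayName, $sCode, $sName)
			;Appends one Privilege to the result string built by __SubInAcl_Service_PrivilegeTranslate
	Helper:
		_IsStringInStr($sString, $sSubString, $iCaseSense=Default)
#ce
#EndRegion

; #FUNCTION# ====================================================================================================================
; Name ..........: _SubInAcl_Service_Privilege_List
; Description ...: Read all Security Principals that have Privileges on a Service
; Syntax ........: _SubInAcl_Service_Privilege_List($sService[, $bDisplayName = False])
; Parameters ....: $sService            - Service Name e.g. 'spooler'
;                  $bDisplayName        - Privileges Output => False: LetterCode / True: Name (en-US)
; Return values .: Success - Array:
;                          : Array[x][0] - Security Principal e.g. System or Administrators
;                          : Array[x][1] - Is a Grant? True: Grant | False: Deny
;                                          (left empty when the entry names neither ACE type)
;                          : Array[x][2] - Privileges LetterCode or Name (If name then '|' is used as separator)
;                  Failure - @error = 1: __SubInAcl_RunWait failed (@extended = its @error)
;                            @error = 2: SubInAcl error log is not empty (the log text is returned)
; Author ........: NoNameCode
; Modified ......:
; Remarks .......: $sService is appended to the SubInAcl command line without quoting or validation.
;                  Pass only trusted, already validated values: embedded whitespace splits the argument and
;                  whatever follows it is parsed by SubInAcl as additional switches.
; Related .......:
; Link ..........: https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/grant-users-rights-manage-services
; Example .......: No
; ===============================================================================================================================
Func _SubInAcl_Service_Privilege_List($sService, $bDisplayName = False)
	Local $aSubInAcl_Return, $aSubInAcl_Output, $aTemp

	$aSubInAcl_Return = __SubInAcl_RunWait("/service " & $sService & " /display=dacl")
	If @error Then Return SetError(1, @error) ;Error = 1 >> Error by Calling __SubInAcl_RunWait
	; Written as <> because "Not $x = ''" parses as "(Not $x) = ''" in AutoIt.
	If $aSubInAcl_Return[2] <> '' Then Return SetError(2, 0, $aSubInAcl_Return[2]) ;Error = 2 >> Error log is not empty

	; Element 0 is the text in front of the first '/pace =' marker; every later element is one ACE.
	$aSubInAcl_Output = StringSplit($aSubInAcl_Return[1], '/pace =', $STR_ENTIRESPLIT + $STR_NOCOUNT)
	Local $iEntries = UBound($aSubInAcl_Output) - 1
	Local $aReturn[$iEntries][3] ;Return Array [x][3]

	For $i = 1 To $iEntries ;Separate the Security Principal and the Privileges of each ACE
		$aTemp = StringSplit($aSubInAcl_Output[$i], @TAB, $STR_NOCOUNT) ;[0] is the Security Principal
		$aReturn[$i - 1][0] = StringStripWS($aTemp[0], $STR_STRIPLEADING + $STR_STRIPTRAILING)

		If _IsStringInStr($aSubInAcl_Output[$i], 'ACCESS_ALLOWED_ACE_TYPE') Then
			$aReturn[$i - 1][1] = True ;True => Grant
		ElseIf _IsStringInStr($aSubInAcl_Output[$i], 'ACCESS_DENIED_ACE_TYPE') Then
			$aReturn[$i - 1][1] = False ;False => Deny
		EndIf

		$aReturn[$i - 1][2] = __SubInAcl_Service_PrivilegeTranslate($aSubInAcl_Output[$i], $bDisplayName)
	Next

	Return $aReturn
EndFunc   ;==>_SubInAcl_Service_Privilege_List

; #FUNCTION# ====================================================================================================================
; Name ..........: _SubInAcl_Service_Privilege_Grant
; Description ...: Grants Privilege to a SecurityPrincipal
; Syntax ........: _SubInAcl_Service_Privilege_Grant($sService, $sSecurityPrincipal, $sPrivilege)
; Parameters ....: $sService            - Service Name e.g. 'spooler'
;                  $sSecurityPrincipal  - User / System / Group name e.g. 'Users'
;                  $sPrivilege          - Privilege code e.g. 'QSTOP' or 'F'
; Return values .: True  - SubInAcl ran and its error log is empty
;                  False - SubInAcl error log is not empty
;                  @error = 1: __SubInAcl_RunWait failed (@extended = its @error)
; Author ........: NoNameCode
; Modified ......:
; Remarks .......: This call changes the DACL of the service. All three arguments are appended to the SubInAcl
;                  command line without quoting or validation, so pass only trusted, already validated values:
;                  embedded whitespace splits the argument and whatever follows it is parsed by SubInAcl as
;                  additional switches.
; Related .......:
; Link ..........: https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/grant-users-rights-manage-services
; Example .......: No
; ===============================================================================================================================
Func _SubInAcl_Service_Privilege_Grant($sService, $sSecurityPrincipal, $sPrivilege)
	Local $aSubInAcl_Return
	$aSubInAcl_Return = __SubInAcl_RunWait("/service " & $sService & ' /grant=' & $sSecurityPrincipal & '=' & $sPrivilege)
	If @error Then Return SetError(1, @error) ;Error = 1 >> Error by Calling __SubInAcl_RunWait
	; An empty error log is the only success signal checked here.
	Return $aSubInAcl_Return[2] = ''
EndFunc   ;==>_SubInAcl_Service_Privilege_Grant

; #FUNCTION# ====================================================================================================================
; Name ..........: _SubInAcl_Service_Privilege_Deny
; Description ...: Deny Privilege to a SecurityPrincipal
; Syntax ........: _SubInAcl_Service_Privilege_Deny($sService, $sSecurityPrincipal, $sPrivilege)
; Parameters ....: $sService            - Service Name e.g. 'spooler'
;                  $sSecurityPrincipal  - User / System / Group name e.g. 'Users'
;                  $sPrivilege          - Privilege code e.g. 'QSTOP' or 'F'
; Return values .: True  - SubInAcl ran and its error log is empty
;                  False - SubInAcl error log is not empty
;                  @error = 1: __SubInAcl_RunWait failed (@extended = its @error)
; Author ........: NoNameCode
; Modified ......:
; Remarks .......: This call changes the DACL of the service. All three arguments are appended to the SubInAcl
;                  command line without quoting or validation, so pass only trusted, already validated values:
;                  embedded whitespace splits the argument and whatever follows it is parsed by SubInAcl as
;                  additional switches.
; Related .......:
; Link ..........: https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/grant-users-rights-manage-services
; Example .......: No
; ===============================================================================================================================
Func _SubInAcl_Service_Privilege_Deny($sService, $sSecurityPrincipal, $sPrivilege)
	Local $aSubInAcl_Return
	$aSubInAcl_Return = __SubInAcl_RunWait("/service " & $sService & ' /deny=' & $sSecurityPrincipal & '=' & $sPrivilege)
	If @error Then Return SetError(1, @error) ;Error = 1 >> Error by Calling __SubInAcl_RunWait
	; An empty error log is the only success signal checked here.
	Return $aSubInAcl_Return[2] = ''
EndFunc   ;==>_SubInAcl_Service_Privilege_Deny

; #FUNCTION# ====================================================================================================================
; Name ..........: _SubInAcl_Service_Privilege_Revoke
; Description ...: Removes a Security Principal from Privilege list
; Syntax ........: _SubInAcl_Service_Privilege_Revoke($sService, $sSecurityPrincipal)
; Parameters ....: $sService            - Service Name e.g. 'spooler'
;                  $sSecurityPrincipal  - User / System / Group name e.g. 'Users'
; Return values .: True  - SubInAcl ran and its error log is empty
;                  False - SubInAcl error log is not empty
;                  @error = 1: __SubInAcl_RunWait failed (@extended = its @error)
; Author ........: NoNameCode
; Modified ......:
; Remarks .......: This call changes the DACL of the service. Both arguments are appended to the SubInAcl
;                  command line without quoting or validation, so pass only trusted, already validated values:
;                  embedded whitespace splits the argument and whatever follows it is parsed by SubInAcl as
;                  additional switches.
; Related .......:
; Link ..........: https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/grant-users-rights-manage-services
; Example .......: No
; ===============================================================================================================================
Func _SubInAcl_Service_Privilege_Revoke($sService, $sSecurityPrincipal)
	Local $aSubInAcl_Return
	$aSubInAcl_Return = __SubInAcl_RunWait("/service " & $sService & ' /revoke=' & $sSecurityPrincipal)
	If @error Then Return SetError(1, @error) ;Error = 1 >> Error by Calling __SubInAcl_RunWait
	; An empty error log is the only success signal checked here.
	Return $aSubInAcl_Return[2] = ''
EndFunc   ;==>_SubInAcl_Service_Privilege_Revoke

; #INTERNAL_USE_ONLY# ===========================================================================================================
; Name ..........: __SubInAcl_Service_PrivilegeTranslate
; Description ...: Internal Use: Translate Codes like 'SERVICE_STOP' to a readable name or usable letter code
; Syntax ........: __SubInAcl_Service_PrivilegeTranslate($sPrivileges[, $bDisplayName = False])
; Parameters ....: $sPrivileges         - String with Privileges (no formatting needed)
;                  $bDisplayName (False)- Returns the Privilege LetterCode
;                  $bDisplayName (True) - Returns the Privilege Names (en-US)
; Return values .: Privileges Code / Or Fullname String with '|' as delimiter
; Author ........: NoNameCode
; Modified ......: Review: SERVICE_CHANGE_CONFIG + READ_CONTROL now reports 'W' / 'Generic Write' (it repeated the
;                  'R' / 'Generic Read' output); the Generic Read test checks READ_CONTROL instead of an empty string.
; Remarks .......: Composite rights (F, R, W, X) are matched first and their member rights are removed from the
;                  working string, so they are not reported a second time as single rights.
; Related .......:
; Link ..........: https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/grant-users-rights-manage-services
; Example .......: No
; ===============================================================================================================================
Func __SubInAcl_Service_PrivilegeTranslate($sPrivileges, $bDisplayName = False)
	Local $sReturn = '', $bIS_READ_CONTROL = False

	; Full Control
	If _IsStringInStr($sPrivileges, 'SERVICE_ALL_ACCESS') Then
		$sPrivileges = StringReplace($sPrivileges, 'SERVICE_ALL_ACCESS', '')
		__SubInAcl_Service_PrivilegeAppend($sReturn, $bDisplayName, 'F', 'Full Control')
	EndIf

	; Generic Read. The fourth test was a search for an empty string, which cannot identify any right;
	; READ_CONTROL is what the other composite checks require and what $bIS_READ_CONTROL records.
	If _IsStringInStr($sPrivileges, 'SERVICE_QUERY_CONFIG') And _IsStringInStr($sPrivileges, 'SERVICE_QUERY_STATUS') And _
			_IsStringInStr($sPrivileges, 'SERVICE_ENUMERATE_DEPEND') And _IsStringInStr($sPrivileges, 'READ_CONTROL') Then
		$sPrivileges = StringReplace($sPrivileges, 'SERVICE_QUERY_CONFIG', '')
		$sPrivileges = StringReplace($sPrivileges, 'SERVICE_QUERY_STATUS', '')
		$sPrivileges = StringReplace($sPrivileges, 'SERVICE_ENUMERATE_DEPEND', '')
		$bIS_READ_CONTROL = True
		__SubInAcl_Service_PrivilegeAppend($sReturn, $bDisplayName, 'R', 'Generic Read')
	EndIf

	; Generic Write. Reporting this as 'R' would understate an ACE that allows changing the service
	; configuration, so it gets its own letter code.
	If _IsStringInStr($sPrivileges, 'SERVICE_CHANGE_CONFIG') And _IsStringInStr($sPrivileges, 'READ_CONTROL') Then
		$sPrivileges = StringReplace($sPrivileges, 'SERVICE_CHANGE_CONFIG', '')
		$bIS_READ_CONTROL = True
		__SubInAcl_Service_PrivilegeAppend($sReturn, $bDisplayName, 'W', 'Generic Write')
	EndIf

	; Generic eXecute
	If _IsStringInStr($sPrivileges, 'SERVICE_START') And _IsStringInStr($sPrivileges, 'SERVICE_STOP') And _
			_IsStringInStr($sPrivileges, 'SERVICE_PAUSE_CONTINUE') And _IsStringInStr($sPrivileges, 'SERVICE_INTERROGATE') And _
			_IsStringInStr($sPrivileges, 'SERVICE_USER_DEFINED_CONTROL') And _IsStringInStr($sPrivileges, 'READ_CONTROL') Then
		$sPrivileges = StringReplace($sPrivileges, 'SERVICE_START', '')
		$sPrivileges = StringReplace($sPrivileges, 'SERVICE_STOP', '')
		$sPrivileges = StringReplace($sPrivileges, 'SERVICE_PAUSE_CONTINUE', '')
		$sPrivileges = StringReplace($sPrivileges, 'SERVICE_INTERROGATE', '')
		$sPrivileges = StringReplace($sPrivileges, 'SERVICE_USER_DEFINED_CONTROL', '')
		$bIS_READ_CONTROL = True
		__SubInAcl_Service_PrivilegeAppend($sReturn, $bDisplayName, 'X', 'Generic eXecute')
	EndIf

	; READ_CONTROL is reported on its own only when no composite right above already accounted for it.
	If _IsStringInStr($sPrivileges, 'READ_CONTROL') And Not $bIS_READ_CONTROL Then
		__SubInAcl_Service_PrivilegeAppend($sReturn, $bDisplayName, 'L', 'Read controL')
	EndIf

	; Remaining single rights, in output order: [SubInAcl token, letter code, display name]
	Local Const $aRights[9][3] = [ _
			['SERVICE_QUERY_CONFIG', 'Q', 'Query Service Configuration'], _
			['SERVICE_QUERY_STATUS', 'S', 'Query Service Status'], _
			['SERVICE_ENUMERATE_DEPEND', 'E', 'Enumerate Dependent Services'], _
			['SERVICE_CHANGE_CONFIG', 'C', 'Service Change Configuration'], _
			['SERVICE_START', 'T', 'Start Service'], _
			['SERVICE_STOP', 'O', 'Stop Service'], _
			['SERVICE_PAUSE_CONTINUE', 'P', 'Pause/Continue Service'], _
			['SERVICE_INTERROGATE', 'I', 'Interrogate Service'], _
			['SERVICE_USER_DEFINED_CONTROL', 'U', 'Service User-Defined Control Commands']]

	For $i = 0 To UBound($aRights) - 1
		If _IsStringInStr($sPrivileges, $aRights[$i][0]) Then
			__SubInAcl_Service_PrivilegeAppend($sReturn, $bDisplayName, $aRights[$i][1], $aRights[$i][2])
		EndIf
	Next

	Return $sReturn
EndFunc   ;==>__SubInAcl_Service_PrivilegeTranslate

; #INTERNAL_USE_ONLY# ===========================================================================================================
; Name ..........: __SubInAcl_Service_PrivilegeAppend
; Description ...: Internal Use: Appends one Privilege to the result string of __SubInAcl_Service_PrivilegeTranslate
; Syntax ........: __SubInAcl_Service_PrivilegeAppend(ByRef $sReturn, $bDisplayName, $sCode, $sName)
; Parameters ....: $sReturn             - [in/out] result string that is extended
;                  $bDisplayName        - True: append $sName, separated by '|' / False: append $sCode
;                  $sCode               - Privilege LetterCode e.g. 'F'
;                  $sName               - Privilege Name (en-US) e.g. 'Full Control'
; Return values .: None
; ===============================================================================================================================
Func __SubInAcl_Service_PrivilegeAppend(ByRef $sReturn, $bDisplayName, $sCode, $sName)
	If $bDisplayName Then
		If StringLen($sReturn) >= 1 Then $sReturn &= '|' ;names are '|' separated, letter codes are not
		$sReturn &= $sName
	Else
		$sReturn &= $sCode
	EndIf
EndFunc   ;==>__SubInAcl_Service_PrivilegeAppend

; #FUNCTION# ====================================================================================================================
; Name ..........: _IsStringInStr
; Description ...: Check if a String is in a String
; Syntax ........: _IsStringInStr($sString, $sSubString[, $iCaseSense = Default])
; Parameters ....: $sString             - main String
;                  $sSubString          - Searchstring
;                  $iCaseSense          - Case Sensitive (Look at StringInStr for details)
; Return values .: True / False
;                  @error is set to the @error of StringInStr (and False is returned) when StringInStr fails
; Author ........: NoNameCode
; Modified ......: Review: @error of StringInStr is now checked before the result, so a failure is reported
;                  instead of being hidden behind the early "not found" return.
; Remarks .......:
; Related .......:
; Link ..........:
; Example .......: No
; ===============================================================================================================================
Func _IsStringInStr($sString, $sSubString, $iCaseSense = Default)
	Local $iPos = StringInStr($sString, $sSubString, $iCaseSense)
	If @error Then Return SetError(@error, 0, False)
	Return $iPos <> 0
EndFunc   ;==>_IsStringInStr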