Jump to content
FredAI

Set Acl permissions UDF

Recommended Posts

PS

At the same time on my pc I have fake McAfee firewall Core Service- which is constantly sending popups, asking to "activate their services"- which had been installed even without my aknowledgement.

So every time I try to kill this process via tskmngr -  I have this "Unsufficient rights popup" or "access denied"- I just wonder how do they do that?

Share this post


Link to post
Share on other sites

Sorry if I was inattentive while reading posts, could you please explain, how can I solve this

Say, I have running program "test.exe" . How can I prevent user killing this process in the tskmngr?

I was trying this example

#RequireAdmin
#include 'Permissions.au3'
_InitiatePermissionResources()
$TI = TimerInit()
Local $Hndl = _Permissions_OpenProcess(@AutoItPID)
Local $SDBefore = _GetObjectStringSecurityDescriptor($Hndl,$SE_KERNEL_OBJECT)
Local $CODRet = _ClearObjectDacl($Hndl,$SE_KERNEL_OBJECT)
Local $DARet = _DenyAllAccess($Hndl,$SE_KERNEL_OBJECT)
Local $SDAfter = _GetObjectStringSecurityDescriptor($Hndl,$SE_KERNEL_OBJECT)
$TD = Round(TimerDiff($TI),2)
MsgBox(0,'', 'Deny everyone access to the current process:'&@CRLF&@CRLF& _
'@AutoItPID original security descriptor: '&@CRLF&$SDBefore&@CRLF&@CRLF& _
'_ClearObjectDacl return value: '&$CODRet&@CRLF&@CRLF& _
'_DenyAllAccess_ return value: '&$DARet&@CRLF&@CRLF& _
'New @AutoItPID security descriptor: '&@CRLF& _
$SDAfter&@CRLF&@CRLF& 'Time taken: '&$TD&' miliseconds.')
_Permissions_CloseHandle($Hndl)

But anyway, if I write this code into my test.exe and then run it and then if I try killing in tskmngr- it is killed very easily.

Thanx in advance!!!

you will need to compile for it to work. It work for me 

 

PS

At the same time on my pc I have fake McAfee firewall Core Service- which is constantly sending popups, asking to "activate their services"- which had been installed even without my aknowledgement.

So every time I try to kill this process via tskmngr  -  I have this "Unsufficient rights popup" or "access denied"- I just wonder how do they do that?

They create an driver that monitors API calls and then they stop them before it gets to the OS 

Share this post


Link to post
Share on other sites

Thank you very much for this UDF!

I have a question about using this UDF. I want to add some persmissions on a folder:

Local $Array[1][3] = [['Test-Group', 1, $GENERIC_ALL]]
_SetObjectPermissions($sPath, $Array, $SE_FILE_OBJECT, '', 0, 1)

But my problem is that all other permissions entries are deleted. Only permissions are not deleted which the parent folder passes on.

What I have to do to that _SetObjectPermissions only add some permissions without changing the existing

//edit: I have detected the failure: _GetDaclSizeInformation is only working if I am the administrator and so _MergeDaclToArray works only I am the administrator, too. Why does it do so?

//edit2: Another question: I want that inherited permissions still inherited, that other existing permissions still there, too, and that I can add new permission? I have detected only two possiblities:

1. kepp inherited permissions, delete exisiting permissions and add some new.

2. copy inherited permissions into normal permissions, kepp existing permissions and add some new.

Edited by FKFK

Share this post


Link to post
Share on other sites

For some reason this always returns 0

#Include <Permissions.au3>
#Include <File.au3>
$Timer=TimerInit()
$StartDir=@ScriptDir&"\Source\InstallWim"
$aList=_FileListToArrayRec($StartDir,"*",1+4+8,1,2,1)
ConsoleWrite(TimerDiff($Timer)&@CRLF)
;_ArrayDisplay($aList)
$CounterFmt=StringLen($aList[0])
For $Index=1 To $aList[0]
    ConsoleWrite(StringFormat("%0"&$CounterFmt&"d",$Index)&"|"&$StartDir&"\"&$aList[$Index]&"|")
    $Ret=_GrantAllAccess(@ScriptDir&"\"&$aList[$Index])
    ConsoleWrite($Ret&@CRLF)
Next

What is what? What is what.

Share this post


Link to post
Share on other sites

Hello everybody,

I wanted to learn something testing how to modify the ACLs of my drives and I made a little mess in my computer:

I run this script:

#include <Permissions.au3>
_InitiatePermissionResources()

$drives = DriveGetDrive( "FIXED" )
If NOT @error Then
    MsgBox(4096,"", "Found " & $drives[0] & " drives",1)
   $TI = TimerInit()
   For $i = 1 to $drives[0]
      MsgBox(4096,"Drive " & $i, $drives[$i],1)
      $ret = _GrantAllAccess($drives[$i])
      MsgBox(0,'','Grant everyone access'&@CRLF&@CRLF& _
      '_GrantAllAccesss return value: '&$ret&'   Time: '&Round($TD,2)&' miliseconds.'&@CRLF,1)
   Next
   $TD = TimerDiff($TI)
 EndIf

_ClosePermissionResources()
Exit

and I got most of my folders inaccessible.

I tried to fix things drive by drive / folder by folder with this script (drag&drop compiled script) but results are random (sometimes I recover the folder ownership sometimes not, the inherit recursion not always working):

#include <Permissions.au3>
_InitiatePermissionResources()

If @Compiled AND ($CmdLine[0] > 0) Then
   $TI = TimerInit()
   For $i = 2 to UBound($CmdLine) - 1
      $ret = _SetDefaultFileAccess($CmdLine[$i],1)
;     $ret = _InheritParentPermissions($CmdLine[$i], $SE_FILE_OBJECT, 1)
   Next
   $TD = TimerDiff($TI)
   MsgBox(0,'','Execution Time: '&Round($TD,2)&' miliseconds.'&@CRLF,1)
EndIf

_ClosePermissionResources()
Exit

Could anybody suggest / point me to the correct solution to get my files' ownership back?

Regards,

V.

EDIT: Solution found with a batch file:

SET ACLPATH=%~1

subinacl /subdirectories "%ACLPATH%" /setowner=%USERNAME%
subinacl /subdirectories %ACLPATH% /grant=administrators=f

icacls "%ACLPATH%*" /reset /T /C
Edited by Virgus

Share this post


Link to post
Share on other sites

Thank you very much for this great udf. It is doing magic!

A small question

$ret = _CopyFullDacl("c:\pathtofile\somefile",$SE_FILE_OBJECT,@ScriptDir)

This works excellent when I put the script into the same directory with the file to grant permission

I wanted to make it working remotely, and tried replacing @scriptdir with the path to the file

$ret = _CopyFullDacl("c:\pathtofile\somefile",$SE_FILE_OBJECT, "c:\pathtofile\somefile")

That won't work

Then I just programmatically copy the exe script with this code into the same directory

$ret = _CopyFullDacl("c:\pathtofile\somefile",$SE_FILE_OBJECT,@ScriptDir)

And from another script run that script : run ("c:pathtofilemyscript.exe").

The script would make the exe work (I see it by message box for a test) but it wont change the permissions

What can be the reason for that? (both files have #requireadmin)

Great thanx in advance!

Share this post


Link to post
Share on other sites

Be sure the object to change is local and have permissions to change permissions (domain accounts?). Execute it locally from another computer the easier is using PsExec from SysInternals.

So you do Run: PseXec.exe -copyexetoremote -yourexe localobinremotetochangeACL youractualPC->ACLSource.

Older versisons like 1.63 works even better than actual 2.11.

Edited by zalomalo

My english shucks, i know it.

Share this post


Link to post
Share on other sites

Hi guys, =)

I have a question and maybe someone may help me out ..

I need to list the NTFS permissions of different fileshares OR certain file and Folder  where either AD users and/or AD Groups can be in.

Since this UDF can copy ACLs I am sure it can read them as well it somehow has to ;) ).

Unfortuantely it seems I am too stupid to figure out how to do so...

So I would need a simple example how to list persmissions of a certain file or Folder ...

 

Thanks in advance for any help or hints!

 

cheers

Share this post


Link to post
Share on other sites

I was going to go this route your are trying to take.  This UDF will pull the ACE strings, but then you need to convert them to readable user names and groups.  This is a language unto itself.  Here some link, if you are interested.  

https://msdn.microsoft.com/en-us/library/windows/desktop/aa374928(v=vs.85).aspx

https://msdn.microsoft.com/en-us/library/windows/desktop/aa379570(v=vs.85).aspx

http://blogs.technet.com/b/askds/archive/2008/04/18/the-security-descriptor-definition-language-of-love-part-1.aspx

http://blogs.technet.com/b/askds/archive/2008/04/18/the-security-descriptor-definition-language-of-love-part-2.aspx

In the UDF you would use, _GetSecurityDescriptor* functions along with the _ConvertSecurityDescriptorToStringSecurityDescriptor function, and then work on converting the string using Security Descriptor Definition Language (SDDL) and _Security__GetAccountSid from the Security UDF in AutoIt.

I got lazy, and needed a way to get them without writing a SDDL UDF, which I currently don't have time to do.  I would like to eventually write a UDF.  I have pieces of one, but not complete or working correctly.   I found a nice free utility NTFS Permissions Reporter.  You can work with local drives, as well as remote server shares.  You can also limit the depth of the directories and exclude directories.  This only works on directories, and not files.  The free version allows you to export a report as HTML, which I then use AutoIt and the HTMLTable2Array UDF to work with.  

Hope that helps.    

 

Adam

Share this post


Link to post
Share on other sites

Hi,

many thanks for your informative reply and sorry for my late one ...

I was not aware about the complexity of this topic. silly me ;)

However I ll give it a shot maybe I can compile something useful.

Thanks again

so long,

Share this post


Link to post
Share on other sites

I have been using this UDF and it is awesome, 

I ran into an issue

on win 7 64 bit 

32 bit compiled app does not modify reg permissions on HKLM64

$out = _GrantAllAccess('HKEY_LOCAL_MACHINE64SOFTWAREtest',4) 

returns 0 

 

$out = _GrantAllAccess('HKEY_LOCAL_MACHINESOFTWAREtest',4) 

returns 1

but modifies 

HKEY_LOCAL_MACHINESOFTWAREWow6432Nodetest

any ideas

 

I can confirm that there seems to be an issue with _GrantAllAccess on HKLM64 when the exe is compiled as x86.

Share this post


Link to post
Share on other sites

I'm trying to use this UDF to add Full permissions for a specific user to a given folder.

The folder may have existing local permissions, which must be retained. It also inherits Administrator and System (full) permissions from the root.  Which is pretty-much a standard situation.

Firstly, I presume that the _SetObjectPermissions() function is unsuitable, since this would seem to always remove any existing local permissions, replacing them with the new one. Can anyone confirm that?  

If I use the _EditObjectPermissions() function, I hit a peculiar combination of effects in that:

If $InHerit is zero, the new permission and all existing Full local permissions are trashed. Specifically, they become rewritten as 'This folder only' permissions.

If the $InHerit is flag non-zero, all of the inherited permissions are duplicated as local permissions. So you then have two Administrator permissions, two of SYSTEM, etc.

Within this scope:

  • If $Inherit is 1, local permissions are made 'This folder-only' as for zero.
  •  If $InHerit is 2, local permissions are made 'This folder and subfolder' permissions.
  • If the $InHerit flag is 3, the new new permission is added correctly and existing local permissions are unaffected.
    (Which would be fine if it were not for the side-effect)

$Recurse has no identifiable effect on the outcome, for the toplevel folder anyway.

$ClearDACL=1 with $InHerit=3 has the effect that inherited permissions are then made local, and the inheritance flag set to false.  

Sample code:
 

Local $pArray[1][3]
 $pArray[0][0]='TestUser'; (Or 'S-1-5-21-789336058-764733703-1177238915-1006')
 $pArray[0][1]=1 ; Grant
 $pArray[0][2]=$GENERIC_ALL ; (Or  0x1F01FF for full generic and specific rights, makes no odds.)
 
 $SetOwner="TestUser"
 $ClearDACL=0 ;
 $Recurse=1 ;
 $InHerit = [As detailed above]
 $rtn=_EditObjectPermissions($oName, $pArray, $SE_FILE_OBJECT, $SetOwner, $ClearDacl, $Recurse, $InHerit)

 $rtn returns 1.

Seems there is definitely something amiss here. Since _EditObjectPermissions() loads the existing DACL into an array containing the new permissions, then submits the result to _Set[Reg/File]ObjectSecurity - The same handlers used by _SetObjectPermissions() which does work correctly - I'd hazard a guess that the permissions are somehow being corrupted in the array merge. Just a guess, though.

Most testing done on XP SP3 VM, some on Win7/10. AI version 3.14.2

If anyone has thoughts on this, would be welcome.

Update:

_SetObjectPermissions() has two parameters reversed in the syntax. (Line 519)

I did notice that at the time, and thought it unlikely they would differ. Seems like if you have illegal values due to the reversal, it can cause the computer to do strange things thereafter. Which I think was why the _EditObjectPermissions() call was acting up the way it did.

That, and there's a fourth array element which determines the scope of the permission. With that in, you get proper Full permissions.

Once those two are fixed, seems to work fine.  Unfortunately, no. Full permissions are now set correctly, but there are still issues with inherited permissions being duplicated locally. Seems to happen at random even with no change of test parameters. I'm wondering if there's a memory overflow/over-read involved.

Edited by Anteaus
Update

Share this post


Link to post
Share on other sites

How to set it for denying acess to the process for only the logged in user? 

I'm making a script that restores some files from a network share, and while doing so, I want it to remove it's permissions from itself.

I tried this, but it will only work if i use it with #requireadmin,

I tried from a non admin user with process explorer, witch was able to deny permissions on the process for the current logged in user, without admin right

#include 'Permissions.au3'
Local $Hndl = _Permissions_OpenProcess(@AutoItPID)
_DenyAllAccess($Hndl, $SE_KERNEL_OBJECT,@UserName)
MsgBox(0,'', _GetObjectStringSecurityDescriptor($Hndl, $SE_KERNEL_OBJECT))

this is how it should look like: http://prntscr.com/afrdbj

Edited by legend

Share this post


Link to post
Share on other sites

I have tried to use your exampel, but I get an error:

"C:\Users\DKSOKVK\Documents\AutoIT\MyIncludeUDF\Permissions.au3"(100,51) : error: $ACCESS_SYSTEM_SECURITY previously declared as a 'Const'.
Global Const $ACCESS_SYSTEM_SECURITY     = 0x01000000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    ~~~~~~~~~~~~~^
C:\PermissionTest.au3 - 1 error(s), 0 warning(s)
!>13:36:44 AU3Check ended. Press F4 to jump to next error.rc:2
+>13:36:44 AutoIt3Wrapper Finished.
>Exit code: 2    Time: 0.9929

Do I have an old UDF?


Yours sincerely

Kenneth.

Share this post


Link to post
Share on other sites

Hi all,

Could anyone guide me to direction for a problem,

I need to remove Everyone group from folder permissions. How could I achieve this using this UDF ?

I used successfully to add a user to folder permissions using _EditObjectPermissions but unable to find a way to remove 'Everyone' group.

 

Thanks,

Amol

 

Share this post


Link to post
Share on other sites
19 hours ago, Jos said:

Just remove the duplicate Global definition from your UDF version.

Jos

Done and I can compile it.

But the exampel from post#1 have problems.

1,5,6,7 is ok

2,3,4 not ok. Nothing happens.

no. 8 I don't know what do.

 

How do you add "modify" to a folder for a group?

Edited by Valnurat

Yours sincerely

Kenneth.

Share this post


Link to post
Share on other sites
On 4/11/2016 at 8:28 PM, Jos said:

What have you tried that isn't working?

Jos,

The thing is I am not able to think of a way to try to make it work.

Definately if I set $ClearDacl flag in _EditObjectPermissions it will clear everything.

One thing I can think of is to get array of Permissions on folder object and remove 'Everyone' group from the array, and to set all the remaining permissions back on object. But still I can't figure out how should I able to do it.

 

Amol

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...