Jump to content

Check if only elevated users can modify a folder

Recommended Posts

Given a folder path, I want to make sure that only elevated users are able to modify the folder and the files directly in it.

As to why -- my script runs as Admin via #RequireAdmin and it has an option to run at startup as Admin, which it achieves by setting up an autorun task with Task Scheduler. The issue is, if the user enables the Run at Startup when the script executable is in a unprotected folder, e.g. the Desktop, any other process can overwrite the script.exe with a malicious executable, which would automatically run as Admin on the next startup, i.e. it this can be used as a privilege escalation vulnerability. Thus I want the user to be able to enable the Run at Startup only when the executable is in a secured folder.

It sounds like the right approach would be to check folder's ACL, but unless I have missed something, there don't seem to be any functions listed in the help file that can be used to read folder's ACLs?

Link to comment
Share on other sites

Nevermind, reading a bit more into DACL on msdn: explicit and inherited ACEs, the related functions, SIDs, account names, etc. it sounds a bit too involved than I expected it to be and easy to make a mistake. Instead of dealing with ACLs, I will just prompt the user that the program will move itself into Program Files if they want to enable the Run at Startup. Program Files already has a secure DACL set on it, which a created subfolder would inherit, so I can make the script copy itself in there, run the copied script and make the initial script exit and self-delete itself via a batch script.

Edited by BakedCakes
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...