BakedCakes Posted November 12, 2022 Posted November 12, 2022 Given a folder path, I want to make sure that only elevated users are able to modify the folder and the files directly in it. As to why -- my script runs as Admin via #RequireAdmin and it has an option to run at startup as Admin, which it achieves by setting up an autorun task with Task Scheduler. The issue is, if the user enables the Run at Startup when the script executable is in a unprotected folder, e.g. the Desktop, any other process can overwrite the script.exe with a malicious executable, which would automatically run as Admin on the next startup, i.e. it this can be used as a privilege escalation vulnerability. Thus I want the user to be able to enable the Run at Startup only when the executable is in a secured folder. It sounds like the right approach would be to check folder's ACL, but unless I have missed something, there don't seem to be any functions listed in the help file that can be used to read folder's ACLs?
rudi Posted November 12, 2022 Posted November 12, 2022 Maybe this is a start: or use https://helgeklein.com/setacl/ (mentioned in that thread) as an external program Earth is flat, pigs can fly, and Nuclear Power is SAFE!
BakedCakes Posted November 12, 2022 Author Posted November 12, 2022 Setting ACL is not something I want, I want to just read ACL and tell the user to move the exe to somewhere more secure. Was hoping this could be done without including giant UDFs or external binaries.
BakedCakes Posted November 12, 2022 Author Posted November 12, 2022 (edited) Nevermind, reading a bit more into DACL on msdn: explicit and inherited ACEs, the related functions, SIDs, account names, etc. it sounds a bit too involved than I expected it to be and easy to make a mistake. Instead of dealing with ACLs, I will just prompt the user that the program will move itself into Program Files if they want to enable the Run at Startup. Program Files already has a secure DACL set on it, which a created subfolder would inherit, so I can make the script copy itself in there, run the copied script and make the initial script exit and self-delete itself via a batch script. Edited November 12, 2022 by BakedCakes
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now