
I am trying to grant an access right on SystemRoot via WMI with SDDL, but I get an "invalid parameter" error. This is my function:

function GrantSysRoot
{
    Param (
        [string]$strcomputer
    )
    # Security settings object for %SystemRoot% on the remote machine.
    # WQL needs the backslash doubled; PowerShell leaves "\\" alone inside double quotes.
    $sec = Get-WmiObject -Class Win32_LogicalFileSecuritySetting -Filter "Path='C:\\Windows'" -ComputerName $strcomputer
    $converter = New-Object System.Management.ManagementClass Win32_SecurityDescriptorHelper
    # Current binary descriptor -> SDDL text ($sddl.ReturnValue, $sddl.SDDL)
    $sddl = $converter.Win32SDToSDDL($sec.GetSecurityDescriptor().Descriptor)
    # Append the new ACE; $SRSDDL (e.g. "A;;0x1200a9;;;$sid") is set elsewhere in the script
    $newSDDL = $sddl.SDDL + "(" + $SRSDDL + ")"
    # SDDL text -> Win32 descriptor (returns an object with .ReturnValue and .Descriptor)
    $Win32descriptor = $converter.SDDLToWin32SD($newSDDL)
    $result = $sec.SetSecurityDescriptor($Win32descriptor)

    if ($result.ReturnValue -eq 0) {
        LogWrite "Success SystemRoot setting rights"
    }
    else {
        LogWrite "An error occurred with SystemRoot rights settings"
    }
}

The SetSecurityDescriptor method returns an "Invalid parameter" error. Any idea?

altynos

2 Answers


I think you made a small typo. In your code I cannot see anything defined as $SRSDDL, but you are appending it and storing the result in $newSDDL. Could you please re-verify that?

function GrantSysRoot
{
    Param (
        [string]$strcomputer
    )
    $sec = Get-WmiObject -Class Win32_LogicalFileSecuritySetting -Filter "Path='C:\\Windows'" -ComputerName $strcomputer
    $converter = New-Object System.Management.ManagementClass Win32_SecurityDescriptorHelper
    $sddl = $converter.Win32SDToSDDL($sec.GetSecurityDescriptor().Descriptor)
    # $SDDL is the ACE string you intend to append; it must be defined before this line
    $newSDDL = $sddl.SDDL + "(" + $SDDL + ")"
    $Win32descriptor = $converter.SDDLToWin32SD($newSDDL)
    $result = $sec.SetSecurityDescriptor($Win32descriptor)
    if ($result.ReturnValue -eq 0) {
        LogWrite "Success SystemRoot setting rights"
    }
    else {
        LogWrite "An error occurred with SystemRoot rights settings"
    }
}
Ranadip Dutta
  • $SRSDDL defined as "A;;0x1200a9;;;$sid" – altynos Dec 20 '16 at 06:29
  • Alright. So could you share a sample output of $sddl after calling Win32SDToSDDL? – Ranadip Dutta Dec 20 '16 at 06:30
  • ReturnValue : 0 SDDL : O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;BA)(A;OICIIO;GA;;;BA)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;OICIIO;GA;;;CO) – altynos Dec 20 '16 at 07:21
  • @altynos: Happy to help you out. Please accept the answer then :) – Ranadip Dutta Dec 20 '16 at 07:56

Resolved: we have to use the property "Descriptor" of the object returned by SDDLToWin32SD:

$result = $sec.SetSecurityDescriptor($Win32descriptor.Descriptor)
altynos
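The whole procedure from this thread (fetch the descriptor with WMI, convert to SDDL, append an ACE, convert back, write it) with the fix from the accepted answer applied, as an added example that is not code from the question or either answer. It also checks the ReturnValue of every helper call instead of only the last one, skips the write when the ACE is already present, and inserts the ACE into the D: section rather than blindly at the end of the string (if the descriptor carries an S: SACL section after the DACL, a plain append would land the ACE in the SACL). The function name, parameter names and the SID in the usage line are assumptions for illustration.

```powershell
# Added example: append one ACE to a folder's DACL over WMI, with the
# SetSecurityDescriptor($win32sd.Descriptor) fix from the thread.
# Names below (Grant-WmiFolderAce, -Ace, the sample SID) are assumptions.
function Grant-WmiFolderAce {
    [CmdletBinding(SupportsShouldProcess)]
    Param (
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$Path = 'C:\Windows',
        # ACE in SDDL form without the surrounding parentheses, e.g.
        # "A;;0x1200a9;;;S-1-5-21-...". 0x1200a9 = FILE_GENERIC_READ | FILE_GENERIC_EXECUTE,
        # and with empty flags (";;") it applies to the folder itself only.
        [Parameter(Mandatory)][string]$Ace
    )

    # WQL wants backslashes doubled; PowerShell does not treat "\" as an escape.
    $wqlPath = $Path -replace '\\', '\\'
    $sec = Get-WmiObject -Class Win32_LogicalFileSecuritySetting `
        -Filter "Path='$wqlPath'" -ComputerName $ComputerName
    if (-not $sec) { throw "No Win32_LogicalFileSecuritySetting for '$Path' on $ComputerName" }

    $converter = New-Object System.Management.ManagementClass Win32_SecurityDescriptorHelper

    # Step 1: current binary descriptor -> SDDL text. Every helper call returns an
    # object with ReturnValue (0 = success), so check each one, not just the last.
    $current = $sec.GetSecurityDescriptor()
    if ($current.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($current.ReturnValue)" }
    $sddl = $converter.Win32SDToSDDL($current.Descriptor)
    if ($sddl.ReturnValue -ne 0) { throw "Win32SDToSDDL failed: $($sddl.ReturnValue)" }
    $text = $sddl.SDDL

    # Step 2: insert the ACE at the end of the D: (DACL) section, not at the end of
    # the string: if an S: (SACL) section follows the DACL, appending to the string
    # would put the ACE into the SACL.
    $aceText = "($Ace)"
    if ($text.Contains($aceText)) {
        Write-Verbose "ACE $aceText already present on $Path; nothing to do"
        return
    }
    $dIndex = $text.IndexOf('D:')
    if ($dIndex -lt 0) { throw "Descriptor for '$Path' has no DACL section; refusing to append" }
    $sIndex = $text.IndexOf('S:', $dIndex)
    $newSddl = if ($sIndex -lt 0) { $text + $aceText } else { $text.Insert($sIndex, $aceText) }

    # Step 3: SDDL text -> Win32 descriptor. A non-zero ReturnValue here usually
    # means the ACE string itself is malformed, so fail before touching the folder.
    $win32sd = $converter.SDDLToWin32SD($newSddl)
    if ($win32sd.ReturnValue -ne 0) { throw "SDDLToWin32SD failed (bad SDDL?): $($win32sd.ReturnValue)" }

    # Step 4: write it back. Pass the .Descriptor property, not the wrapper object;
    # passing the wrapper is what produced the "Invalid parameter" error in the thread.
    if ($PSCmdlet.ShouldProcess("${ComputerName}:$Path", "Append ACE $aceText")) {
        $result = $sec.SetSecurityDescriptor($win32sd.Descriptor)
        if ($result.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($result.ReturnValue)" }
        Write-Verbose "DACL on $Path updated: $newSddl"
    }
}

# Usage (the computer name and SID are placeholders). Run with -WhatIf first to see
# the target and ACE without writing anything.
# Grant-WmiFolderAce -ComputerName 'SERVER01' `
#     -Ace 'A;;0x1200a9;;;S-1-5-21-1111111111-2222222222-3333333333-1105' -WhatIf -Verbose
```

Two caveats a practitioner should keep in mind. First, the ACE is appended after the existing entries; on a protected DACL like the one shown in the comments (D:PAI, every entry explicit) that is acceptable, but where inherited ACEs are present the result is no longer in canonical order, and the WMI helper writes the DACL exactly as given. Second, changing the DACL of %SystemRoot% grants the principal access to the folder only unless the ACE carries inheritance flags (for example "A;OICI;0x1200a9;;;SID"), so decide deliberately whether subfolders and files should be affected.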