Skip to content

Instantly share code, notes, and snippets.

@MyITGuy

MyITGuy/WinSxSDirectorySecurity.psm1

Last active October 20, 2020 19:16
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save MyITGuy/84316b9e6f099cc53a61d829d027a697 to your computer and use it in GitHub Desktop.
Save MyITGuy/84316b9e6f099cc53a61d829d027a697 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
WinSxSDirectorySecurity.psm1
#region Reset-WinSxSDirectorySecurity
function Reset-WinSxSDirectorySecurity {
[CmdletBinding()]
PARAM(
)
begin {
#region Enable-Privilege
function Enable-Privilege {
param(
## The privilege to adjust. This set is taken from
## http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
[ValidateSet(
"SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
"SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
"SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
"SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
"SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege",
"SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege",
"SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege",
"SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",
"SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
"SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
"SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]
$Privilege,
## The process on which to adjust the privilege. Defaults to the current process.
$ProcessId = $pid,
## Switch to disable the privilege, rather than enable it.
[Switch] $Disable
)
## Taken from P/Invoke.NET with minor adjustments.
$definition = @'
using System;
using System.Runtime.InteropServices;
public class AdjPriv
{
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
[StructLayout(LayoutKind.Sequential, Pack = 1)]
internal struct TokPriv1Luid
{
public int Count;
public long Luid;
public int Attr;
}
internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
{
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = new IntPtr(processHandle);
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
if(disable)
{
tp.Attr = SE_PRIVILEGE_DISABLED;
}
else
{
tp.Attr = SE_PRIVILEGE_ENABLED;
}
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return retVal;
}
}
'@
$processHandle = (Get-Process -id $ProcessId).Handle
$type = Add-Type $definition -PassThru
$type[0]::EnablePrivilege($processHandle, $Privilege, $Disable)
}
#endregion Enable-Privilege
# Add SeTakeOwnershipPrivilege for this process
Enable-Privilege -Privilege SeTakeOwnershipPrivilege | Out-Null
# Add SeRestorePrivilege for this process
Enable-Privilege -Privilege SeRestorePrivilege | Out-Null
}
process {
#Check for Admin rights
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
Write-Warning "$($MyInvocation.MyCommand) cannot be run because the current Windows PowerShell session is not running as an administrator. Start Windows PowerShell as an administrator and then try running the function again."
return
}
Get-ChildItem -Path $env:windir\WinSxS -Recurse | ForEach-Object {
$Item = $_
try {
#region Change ownership to Administrators
$acl = $Item.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
$acl.SetOwner([System.Security.Principal.NTAccount]"Administrators")
Set-Acl -Path $Item.FullName -AclObject $acl
#endregion
#region Add Administrators Full Control
$acl = $Item.GetAccessControl()
# Give Administrators full control to keys and subkeys
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]"Everyone")
$ReadAccessNTAccounts = @(
'ALL APPLICATION PACKAGES'
'ALL RESTRICTED APPLICATION PACKAGES'
'SYSTEM'
'Administrators'
'Users'
)
if ($Item.PSIsContainer -eq $true) {
foreach ($NTAccount In $ReadAccessNTAccounts) {
$acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule ([System.Security.Principal.NTAccount]$NTAccount, [System.Security.AccessControl.FileSystemRights]::ReadAndExecute, @("ObjectInherit", "ContainerInherit"), "None", "Allow")))
}
$acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule ([System.Security.Principal.NTAccount]"NT Service\TrustedInstaller", [System.Security.AccessControl.FileSystemRights]::FullControl, @("ObjectInherit", "ContainerInherit"), "None", "Allow")))
} else {
foreach ($NTAccount In $ReadAccessNTAccounts) {
$acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule ([System.Security.Principal.NTAccount]$NTAccount, [System.Security.AccessControl.FileSystemRights]::ReadAndExecute, "None", "None", "Allow")))
}
$acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule ([System.Security.Principal.NTAccount]"NT Service\TrustedInstaller", [System.Security.AccessControl.FileSystemRights]::FullControl, "None", "None", "Allow")))
}
Set-Acl -Path $Item.FullName -AclObject $acl
#endregion
#region Change ownership to TrustedInstaller.
$acl = $Item.GetAccessControl()
$acl.SetOwner([System.Security.Principal.NTAccount]"NT Service\TrustedInstaller")
Set-Acl -Path $Item.FullName -AclObject $acl
#endregion
$_
}
catch {
throw $_
}
}
}
end {
}
}
#endregion Reset-WinSxSDirectorySecurity
#region Set-WinSxSDirectorySecurityAdministratorsWrite
function Set-WinSxSDirectorySecurityAdministratorsWrite {
[CmdletBinding()]
PARAM(
)
begin {
#region Enable-Privilege
function Enable-Privilege {
param(
## The privilege to adjust. This set is taken from
## http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
[ValidateSet(
"SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
"SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
"SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
"SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
"SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege",
"SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege",
"SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege",
"SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",
"SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
"SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
"SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]
$Privilege,
## The process on which to adjust the privilege. Defaults to the current process.
$ProcessId = $pid,
## Switch to disable the privilege, rather than enable it.
[Switch] $Disable
)
## Taken from P/Invoke.NET with minor adjustments.
$definition = @'
using System;
using System.Runtime.InteropServices;
public class AdjPriv
{
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
[StructLayout(LayoutKind.Sequential, Pack = 1)]
internal struct TokPriv1Luid
{
public int Count;
public long Luid;
public int Attr;
}
internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
{
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = new IntPtr(processHandle);
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
if(disable)
{
tp.Attr = SE_PRIVILEGE_DISABLED;
}
else
{
tp.Attr = SE_PRIVILEGE_ENABLED;
}
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return retVal;
}
}
'@
$processHandle = (Get-Process -id $ProcessId).Handle
$type = Add-Type $definition -PassThru
$type[0]::EnablePrivilege($processHandle, $Privilege, $Disable)
}
#endregion Enable-Privilege
# Add SeTakeOwnershipPrivilege for this process
Enable-Privilege -Privilege SeTakeOwnershipPrivilege | Out-Null
# Add SeRestorePrivilege for this process
Enable-Privilege -Privilege SeRestorePrivilege | Out-Null
}
process {
#Check for Admin rights
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
Write-Warning "$($MyInvocation.MyCommand) cannot be run because the current Windows PowerShell session is not running as an administrator. Start Windows PowerShell as an administrator and then try running the function again."
return
}
Get-ChildItem -Path $env:windir\WinSxS -Recurse | ForEach-Object {
$Item = $_
try {
#region Change ownership to Administrators
$acl = $Item.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
$acl.SetOwner([System.Security.Principal.NTAccount]"Administrators")
Set-Acl -Path $Item.FullName -AclObject $acl
#endregion
#region Add Administrators Full Control
$acl = $Item.GetAccessControl()
# Give Administrators full control to keys and subkeys
if ($Item.PSIsContainer -eq $true) {
$acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule ([System.Security.Principal.NTAccount]"Administrators", [System.Security.AccessControl.FileSystemRights]::FullControl, @("ObjectInherit", "ContainerInherit"), "None", "Allow")))
}
else {
$acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule ([System.Security.Principal.NTAccount]"Administrators", [System.Security.AccessControl.FileSystemRights]::FullControl, "Allow")))
}
Set-Acl -Path $Item.FullName -AclObject $acl
#endregion
$_
}
catch {
throw $_
}
}
}
end {
}
}
#endregion Set-WinSxSDirectorySecurityAdministratorsWrite
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment