@gravcat
Created September 7, 2017 21:44
How to append/manipulate DCOM permission configuration via (elevated) PowerShell
<#############
This was really difficult to figure out,
but here's a snippet that will allow you to modify DCOM ACLs.
Easily modified to touch other properties in DCOM ACL-land.
#############>
# get the Object based on the AppId. This example AppID belongs to the Linux Subsystem DCOM object
$wmi = (Get-WmiObject -Class Win32_DCOMApplicationSetting -Filter "AppId='{e82567ae-2ea4-4dbc-bc68-8b0a0526d8d5}'" -EnableAllPrivileges)
# get the Launch Descriptor object and store
$descL = $wmi.GetLaunchSecurityDescriptor().descriptor
# create a special object to hold trustee related information. set trustee we want to apply as the default "Administrators" group
$trusteeObj = ([wmiclass]'Win32_Trustee').psbase.CreateInstance()
$trusteeObj.Domain = "BUILTIN"
$trusteeObj.Name = "Administrators"
# create a special object to store ACL stuffs
$ace = ([wmiclass]'Win32_ACE').psbase.CreateInstance()
# set the access mask we desire: 11 = 1 (Execute) + 2 (Local Launch) + 8 (Local Activation).
$ace.AccessMask = 11
# Set Trustee to what we created earlier then _append_ this to the existing ACL configuration.
$ace.Trustee = $trusteeObj
$descL.DACL += [System.Management.ManagementBaseObject]$ace
# finally, use the SetLaunchSecurityDescriptor method to set all the stuff we created and appended in stone
$wmi.SetLaunchSecurityDescriptor($descL)
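
To check what the append actually changed, the launch ACL can be read back and its access masks decoded, run once before and once after the change. This is an added example, not part of the gist: the function names `ConvertFrom-ComAccessMask` and `Get-DcomLaunchAcl` are hypothetical, and it assumes an elevated Windows PowerShell 5.1 session (where `Get-WmiObject` is available). It stops with an explicit error when the AppId filter matches nothing, rather than failing later on a null object.

```powershell
# Added example (not from the gist). Function names are hypothetical.
# COM launch/activation rights bits (COM_RIGHTS_* values).
$ComRights = [ordered]@{
    Execute          = 1   # COM_RIGHTS_EXECUTE
    LocalLaunch      = 2   # COM_RIGHTS_EXECUTE_LOCAL
    RemoteLaunch     = 4   # COM_RIGHTS_EXECUTE_REMOTE
    LocalActivation  = 8   # COM_RIGHTS_ACTIVATE_LOCAL
    RemoteActivation = 16  # COM_RIGHTS_ACTIVATE_REMOTE
}

function ConvertFrom-ComAccessMask {
    param([Parameter(Mandatory)][uint32]$AccessMask)
    # Return the name of every rights bit that is set in the mask.
    $ComRights.GetEnumerator() |
        Where-Object { $AccessMask -band $_.Value } |
        ForEach-Object { $_.Key }
}

function Get-DcomLaunchAcl {
    param([Parameter(Mandatory)][string]$AppId)

    $app = Get-WmiObject -Class Win32_DCOMApplicationSetting -Filter "AppId='$AppId'" -EnableAllPrivileges
    if (-not $app) { throw "No DCOM application is registered with AppId $AppId" }

    $result = $app.GetLaunchSecurityDescriptor()
    if ($result.ReturnValue -ne 0 -or -not $result.Descriptor) {
        throw "GetLaunchSecurityDescriptor failed (ReturnValue $($result.ReturnValue))"
    }
    if (-not $result.Descriptor.DACL) {
        Write-Warning "Launch descriptor for $AppId carries no DACL entries."
        return
    }
    foreach ($ace in $result.Descriptor.DACL) {
        $rights = @(ConvertFrom-ComAccessMask -AccessMask $ace.AccessMask)
        [pscustomobject]@{
            Trustee    = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            Type       = @('Allow', 'Deny', 'Audit')[[int]$ace.AceType]
            AccessMask = $ace.AccessMask
            Rights     = $rights -join ', '
            # True when the ACE grants RemoteLaunch (4) or RemoteActivation (16).
            Remote     = [bool]($ace.AccessMask -band 20)
        }
    }
}

# AppId taken from the gist above.
Get-DcomLaunchAcl -AppId '{e82567ae-2ea4-4dbc-bc68-8b0a0526d8d5}' | Format-Table -AutoSize
```

Because the gist appends with `+=`, repeated runs add another identical ACE each time; comparing the before and after listings shows whether an entry for the trustee was already present.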
@Ashwini-code83

Hello, I'm trying to update the launch permission for my app. I used your script and am getting an error:
The property 'dacl' cannot be found on this object. Verify that the property exists and can be set.
At D:\workdir\plantsimUnits\prod21jan\prod1\install.ps1:31 char:1
+ $descL.dacl += [System.Management.ManagementBaseObject]$ace
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

You cannot call a method on a null-valued expression.
At D:\workdir\prod1\install.ps1:34 char:1
+ $wmi.SetLaunchSecurityDescriptor($descL)
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Any help, please?