-
Notifications
You must be signed in to change notification settings - Fork 34
Expand file tree
/
Copy pathReset-FilePermissions
More file actions
204 lines (164 loc) · 7.29 KB
/
Reset-FilePermissions
File metadata and controls
204 lines (164 loc) · 7.29 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
Function Reset-FilePermissions {
<#
.SYNOPSIS
Reset-FilePermissions
Author: Chris Campbell (obscuresec)
License: BSD 3-Clause
.DESCRIPTION
A function that resets file permissions to restore corrupted or user-adjusted permissions.
.PARAMETER $Path
Specifies the folder path to recursively set permissions on.
.PARAMETER $Owner
Specifies the account or group that should be set as the file owner. This defaults to "Administrators".
.PARAMETER $FullControl
Specifies the account or group that should be given full control of the files. This defaults to "Administrators".
.EXAMPLE
PS C:\> Reset-FilePermissions -Path c:\demo
PS C:\> Reset-FilePermissions -Path c:\demo\folder -Owner 'demouser' -FullControl 'demoadmin'
#>
[CmdletBinding()] Param(
[Parameter(Mandatory=$True)]
[ValidateScript({Test-Path -Path $_ })]
[string] $Path,
[Parameter(Mandatory=$False)]
[string] $Owner = 'Administrators',
[Parameter(Mandatory=$False)]
[string[]] $FullControl = 'Administrators'
)
#Define helper functions
Function ChangeOwner {
#$CurrentOwner = Get-Acl $File | Select-Object Owner
$SecurityUserObject = New-Object System.Security.Principal.NTAccount($Owner)
$FileACLObject = Get-Acl $File
$FileACLObject.SetOwner($SecurityUserObject)
[Void][PowerShellPerm.Utils.TokenManipulator]::AddPrivilege([PowerShellPerm.Utils.TokenManipulator]::SE_RESTORE_NAME)
Set-Acl -Path $File -AclObject $FileACLObject -PassThru
[Void][PowerShellPerm.Utils.TokenManipulator]::RemovePrivilege([PowerShellPerm.Utils.TokenManipulator]::SE_RESTORE_NAME)
}
Function ChangePermissions {
$ACLList = (Get-Item $File).GetAccessControl("Access")
$FullPermissions = $FullControl,'FullControl','Allow'
$FSAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $FullPermissions
$ACLList.SetAccessRule($FSAccessRule)
$ACLList | Set-Acl $File
}
#This grants all privs required to set the file owner ala http://www.pinvoke.net/default.aspx/advapi32.adjusttokenprivileges
#This avoids the need to schedule a task to run as system with all privs
$CSharpCode = @"
using System;
using System.Runtime.InteropServices;
namespace PowerShellPerm.Utils
{
public class TokenManipulator
{
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
[DllImport("kernel32.dll", ExactSpelling = true)]
internal static extern IntPtr GetCurrentProcess();
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr
phtok);
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host, string name,
ref long pluid);
[StructLayout(LayoutKind.Sequential, Pack = 1)]
internal struct TokPriv1Luid
{
public int Count;
public long Luid;
public int Attr;
}
internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
public const string SE_ASSIGNPRIMARYTOKEN_NAME = "SeAssignPrimaryTokenPrivilege";
public const string SE_AUDIT_NAME = "SeAuditPrivilege";
public const string SE_BACKUP_NAME = "SeBackupPrivilege";
public const string SE_CHANGE_NOTIFY_NAME = "SeChangeNotifyPrivilege";
public const string SE_CREATE_GLOBAL_NAME = "SeCreateGlobalPrivilege";
public const string SE_CREATE_PAGEFILE_NAME = "SeCreatePagefilePrivilege";
public const string SE_CREATE_PERMANENT_NAME = "SeCreatePermanentPrivilege";
public const string SE_CREATE_SYMBOLIC_LINK_NAME = "SeCreateSymbolicLinkPrivilege";
public const string SE_CREATE_TOKEN_NAME = "SeCreateTokenPrivilege";
public const string SE_DEBUG_NAME = "SeDebugPrivilege";
public const string SE_ENABLE_DELEGATION_NAME = "SeEnableDelegationPrivilege";
public const string SE_IMPERSONATE_NAME = "SeImpersonatePrivilege";
public const string SE_INC_BASE_PRIORITY_NAME = "SeIncreaseBasePriorityPrivilege";
public const string SE_INCREASE_QUOTA_NAME = "SeIncreaseQuotaPrivilege";
public const string SE_INC_WORKING_SET_NAME = "SeIncreaseWorkingSetPrivilege";
public const string SE_LOAD_DRIVER_NAME = "SeLoadDriverPrivilege";
public const string SE_LOCK_MEMORY_NAME = "SeLockMemoryPrivilege";
public const string SE_MACHINE_ACCOUNT_NAME = "SeMachineAccountPrivilege";
public const string SE_MANAGE_VOLUME_NAME = "SeManageVolumePrivilege";
public const string SE_PROF_SINGLE_PROCESS_NAME = "SeProfileSingleProcessPrivilege";
public const string SE_RELABEL_NAME = "SeRelabelPrivilege";
public const string SE_REMOTE_SHUTDOWN_NAME = "SeRemoteShutdownPrivilege";
public const string SE_RESTORE_NAME = "SeRestorePrivilege";
public const string SE_SECURITY_NAME = "SeSecurityPrivilege";
public const string SE_SHUTDOWN_NAME = "SeShutdownPrivilege";
public const string SE_SYNC_AGENT_NAME = "SeSyncAgentPrivilege";
public const string SE_SYSTEM_ENVIRONMENT_NAME = "SeSystemEnvironmentPrivilege";
public const string SE_SYSTEM_PROFILE_NAME = "SeSystemProfilePrivilege";
public const string SE_SYSTEMTIME_NAME = "SeSystemtimePrivilege";
public const string SE_TAKE_OWNERSHIP_NAME = "SeTakeOwnershipPrivilege";
public const string SE_TCB_NAME = "SeTcbPrivilege";
public const string SE_TIME_ZONE_NAME = "SeTimeZonePrivilege";
public const string SE_TRUSTED_CREDMAN_ACCESS_NAME = "SeTrustedCredManAccessPrivilege";
public const string SE_UNDOCK_NAME = "SeUndockPrivilege";
public const string SE_UNSOLICITED_INPUT_NAME = "SeUnsolicitedInputPrivilege";
public static bool AddPrivilege(string privilege)
{
try
{
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = GetCurrentProcess();
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
tp.Attr = SE_PRIVILEGE_ENABLED;
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return retVal;
}
catch (Exception ex)
{
throw ex;
}
}
public static bool RemovePrivilege(string privilege)
{
try
{
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = GetCurrentProcess();
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
tp.Attr = SE_PRIVILEGE_DISABLED;
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return retVal;
}
catch (Exception ex)
{
throw ex;
}
}
}
}
"@
Try {$LoadTest = [PowerShellPerm.Utils.TokenManipulator]}
Catch {Add-Type $CSharpCode}
Get-ChildItem $Path -Recurse | ForEach-Object {
$File = $_.FullName
ChangeOwner
ChangePermissions
}
Write-Verbose "$Output"
}