IISWAMREG
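# Both parameters are required; the $(throw ...) default aborts with a clear
# message instead of prompting when one is omitted.
PARAM(
  [string]$Principal = $(throw "Missing -Principal DOMAIN\username"),
  [string]$Computer = $(throw "Missing -Computer 'hostname'")
)
# USAGE:
#
# .\Set-IIS-WAMREG.ps1 -Principal "DOMAIN\<group or username>" -Computer "<hostname>"
#
# EXAMPLE:
# .\Set-IIS-WAMREG.ps1 -Principal ".\WSS_ADMIN_WPG" -Computer "localhost"
#
# Inspired by Karl Mitschke's post:
# http://unlockpowershell.wordpress.com/2009/11/20/script-remote-dcom-wmi-access-for-a-domain-user/
# and Tome Tanasovski (http://powertoe.wordpress.com/) to change Ownership of a reg-key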
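# Typical principals: WSS_ADMIN_WPG and WSS_WPG. The key being edited is
# HKEY_LOCAL_MACHINE\Software\Classes\AppID\{61738644-F196-11D0-9953-00C04FD919C1}.
# Banner only; `t is the PowerShell tab escape and must be backtick-escaped.
Write-Host "Set-IIS-WAMREG - Updates DCOM Permissions for IIS WAMREG Service"
Write-Host "`tInspired by Brad Turner (bturner@ensynch.com)"
Write-Host "`tBlog: http://www.identitychaos.com"
Write-Host "`tAnd Tome Tanasovski (http://powertoe.wordpress.com/)"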
function get-sid
{
  # Resolves an account name ("DOMAIN\name", ".\name", well-known names) to its
  # SID in string form, e.g. "S-1-5-21-...". Translate() throws when the
  # account cannot be resolved, which the script-level trap reports.
  PARAM ($DSIdentity)
  $account = New-Object System.Security.Principal.NTAccount($DSIdentity)
  $sidType = [System.Security.Principal.SecurityIdentifier]
  return $account.Translate($sidType).Value
}
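function enable-privilege {
  ## Enables (or, with -Disable, disables) a named privilege on the access token
  ## of a process - by default the current one - via AdjustTokenPrivileges.
  ## Returns $true when the privilege was adjusted, $false when the token does
  ## not hold it (ERROR_NOT_ALL_ASSIGNED) or a Win32 call failed.
  ## Requires PowerShell 2.0+ (Add-Type) and Windows.
  param(
    ## The privilege to adjust. This set is taken from
    ## http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
    [ValidateSet(
      "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
      "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
      "SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
      "SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
      "SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege",
      "SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege",
      "SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege",
      "SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",
      "SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
      "SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
      "SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]
    $Privilege,
    ## The process on which to adjust the privilege. Defaults to the current process.
    $ProcessId = $pid,
    ## Switch to disable the privilege, rather than enable it.
    [Switch] $Disable
  )
  ## Taken from P/Invoke.NET with minor adjustments. The C# source must use
  ## plain ASCII quotes - typographic quotes do not compile.
  $definition = @'
using System;
using System.Runtime.InteropServices;
public class AdjPriv
{
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
    ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
  [DllImport("advapi32.dll", SetLastError = true)]
  internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
  [DllImport("kernel32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool CloseHandle(IntPtr h);
  [StructLayout(LayoutKind.Sequential, Pack = 1)]
  internal struct TokPriv1Luid
  {
    public int Count;
    public long Luid;
    public int Attr;
  }
  internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
  internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
  internal const int TOKEN_QUERY = 0x00000008;
  internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
  // Adjusts a single privilege on the token of the given process handle.
  // Returns false if any Win32 call fails or the privilege is not held.
  public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
  {
    TokPriv1Luid tp;
    IntPtr hproc = new IntPtr(processHandle);
    IntPtr htok = IntPtr.Zero;
    if (!OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok))
    {
      return false;
    }
    try
    {
      tp.Count = 1;
      tp.Luid = 0;
      tp.Attr = disable ? SE_PRIVILEGE_DISABLED : SE_PRIVILEGE_ENABLED;
      if (!LookupPrivilegeValue(null, privilege, ref tp.Luid))
      {
        return false;
      }
      if (!AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero))
      {
        return false;
      }
      // AdjustTokenPrivileges succeeds even when the privilege is not held by
      // the token; that case is only reported through GetLastError
      // (ERROR_NOT_ALL_ASSIGNED), so treat anything but ERROR_SUCCESS as failure.
      return Marshal.GetLastWin32Error() == 0;
    }
    finally
    {
      // The token handle is ours to release.
      CloseHandle(htok);
    }
  }
}
'@
  ## Compile the helper once per session; a second Add-Type of the same type
  ## name in the same session would fail with "type already exists".
  if (-not ('AdjPriv' -as [type])) {
    Add-Type -TypeDefinition $definition | Out-Null
  }
  ## Without this call the C# source above is never compiled or invoked.
  $processHandle = (Get-Process -Id $ProcessId).Handle.ToInt64()
  return [AdjPriv]::EnablePrivilege($processHandle, $Privilege, [bool]$Disable)
}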
###end function enable_privilege
##############
# MAIN
##############
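$sid = get-sid $Principal
# Local (HKCR) view of the WAMREG AppID key; the same key seen through HKLM is
# Software\Classes\AppID\{61738644-F196-11D0-9953-00C04FD919C1}.
$regPath = [string]"AppID\{61738644-F196-11D0-9953-00C04FD919C1}"
$me = [System.Security.Principal.NTAccount]"$($env:userdomain)\$($env:username)"

# The key is not writable even for administrators, so take ownership first
# (requires SeTakeOwnershipPrivilege), then grant ourselves FullControl so the
# ACL can be edited.
# NOTE(review): the owner change and the FullControl ACE are applied to the
# LOCAL registry and are never reverted; they outlive the script. They also do
# nothing for a remote $Computer, whose value is written through WMI below.
# Out-Null keeps a possible boolean result of enable-privilege off the output.
enable-privilege SeTakeOwnershipPrivilege | Out-Null
write-host "`tTaking ownership of HKCR\$regPath..."
$key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($regPath, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
if ($null -eq $key) {
  throw "Registry key HKCR\$regPath was not found on this machine."
}
# With only TakeOwnership rights the existing ACL cannot be read, hence
# AccessControlSections::None: an empty security object that only carries
# the new owner.
$acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
$acl.SetOwner($me)
$key.SetAccessControl($acl)
# After you have set owner you need to get the acl with the perms so you can modify it.
write-host "`tGranting $me FullControl on the key..."
$acl = $key.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("$($env:userdomain)\$($env:username)", "FullControl", "ContainerInherit", "None", "Allow")
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)
$key.Close()

# now let's start to change the Settings
# DefaultLaunchPermission - Local Launch, Remote Launch, Local Activation, Remote Activation
$DCOMSDDLDefaultLaunchPermission = "A;;CCDCLCSWRP;;;$sid"
# Match a whole existing ACE for this SID, whatever rights it currently carries.
# The SID is regex-escaped and the ACE parentheses are part of the pattern so
# that a SID which is a prefix of another SID cannot produce a false match.
$escapedSid = [regex]::Escape($sid)
$DCOMSDDLPartialMatch = "\(A;;\w+;;;$escapedSid\)"
$desiredAcePattern = [regex]::Escape("(" + $DCOMSDDLDefaultLaunchPermission + ")")
write-host "`nWorking on IIS WAMREG with principal $Principal ($sid):"

# Get the respective binary values of the DCOM registry entries.
# StdRegProv paths are relative to the hive: 2147483650 is HKEY_LOCAL_MACHINE,
# so the AppID key must be addressed below Software\Classes there.
$Reg = [WMIClass]"\\$Computer\root\default:StdRegProv"
$HKLM = [uint32]2147483650
$wmiRegPath = "Software\Classes\$regPath"
$regResult = $Reg.GetBinaryValue($HKLM, $wmiRegPath, "LaunchPermission")
if ($regResult.ReturnValue -ne 0) {
  throw "Could not read LaunchPermission from HKLM\$wmiRegPath on $Computer (return code $($regResult.ReturnValue))."
}
$DCOMLaunchPermission = $regResult.uValue

# Convert the current permissions to SDDL
write-host "`tConverting current permissions to SDDL format..."
$converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
$CurrentDCOMSDDLLaunchPermission = $converter.BinarySDToSDDL($DCOMLaunchPermission)
$currentSDDL = $CurrentDCOMSDDLLaunchPermission.SDDL

if ($currentSDDL -match $desiredAcePattern) {
  write-host "`t`tCurrent LaunchPermission matches desired value."
}
else {
  # Build the new permissions
  write-host "`tBuilding the new permissions..."
  if ($currentSDDL -match $DCOMSDDLPartialMatch) {
    # An ACE for this SID exists with different rights: replace it in place.
    $NewDCOMSDDLLaunchPermission = $currentSDDL -replace $DCOMSDDLPartialMatch, "($DCOMSDDLDefaultLaunchPermission)"
  }
  else {
    # No ACE for this SID yet: append one. Assumes the DACL ("D:") is the last
    # section of the SDDL, i.e. there is no trailing SACL ("S:") - TODO confirm
    # for the descriptors written by DCOM.
    $NewDCOMSDDLLaunchPermission = $currentSDDL + "(" + $DCOMSDDLDefaultLaunchPermission + ")"
  }
  # Convert SDDL back to Binary
  write-host "`tConverting SDDL back into binary form..."
  $DCOMbinarySDDefaultLaunchPermission = $converter.SDDLToBinarySD($NewDCOMSDDLLaunchPermission)
  # Apply the changes; ReturnValue 0 is success (note -eq, "=" would assign).
  write-host "`tApplying changes..."
  $result = $Reg.SetBinaryValue($HKLM, $wmiRegPath, "LaunchPermission", $DCOMbinarySDDefaultLaunchPermission.BinarySD)
  if ($result.ReturnValue -eq 0) {
    write-host "`t`tApplied LaunchPermission complete."
  }
  else {
    throw "Writing LaunchPermission to HKLM\$wmiRegPath on $Computer failed (return code $($result.ReturnValue))."
  }
}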
#———————————————————————————————————-
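trap
{
  # Script-scope error handler (a trap applies to the whole scope regardless
  # of where it is written). Messages prefixed with "L:" are informational and
  # exit 0; anything else is reported as an error and exits 1 so that callers
  # can detect the failure from the exit code.
  $exMessage = $_.Exception.Message
  if ($exMessage.StartsWith("L:"))
  {
    write-host "`n" $exMessage.substring(2) "`n" -foregroundcolor white -backgroundcolor darkblue
    Exit 0
  }
  else
  {
    write-host "`nError: " $exMessage "`n" -foregroundcolor white -backgroundcolor darkred
    Exit 1
  }
}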
#———————————————————————————————————-