SetObjectSecurity - Sets security descriptor on securable objects
Version 1.0.2004.13001
Copyright (C) 2011-2020 Microsoft Corporation
Security Compliance Toolkit - https://www.microsoft.com/download/details.aspx?id=55319
Usage:
SetObjectSecurity objType objName SDDL [-v|-q]
where
objType = file, FILE, key, KEY, eventlog, printer, service, share, kobject,
process, thread, or regbinary. (All-caps FILE or KEY uses pre-Windows
2000 APIs to avoid applying inheritance.)
objName = the name of the object (quoted if it contains spaces); or
a Process ID (PID) or Thread ID (TID) in decimal if objType is
"process" or "thread"; or
a registry value name if objType is "regbinary".
SDDL = the security descriptor to apply, in Security Descriptor
Definition Language.
-v = reports verbose diagnostic output to stderr (optional).
-q = suppresses the startup banner and copyright message (optional).
Sets the security descriptor on the target object to that specified by SDDL;
if objType is "regbinary", outputs a .reg-compatible representation of
the security descriptor for a REG_BINARY registry value.
Specify the all-uppercase "FILE" and "KEY" to use the pre-Windows 2000
SetFileSecurity and RegSetKeySecurity APIs instead of Set[Named]SecurityInfo.
The older APIs apply the pre-Win2k inheritance model, which is good if you
don't want changes recursed through a directory or key hierarchy.
Use Sysinternals AccessChk.exe with -L to get SDDL from objects.
Object examples:
file/FILE - absolute or relative path to local or remote file or folder; or
a device name:
C:\TestFolder\Sample.dat
C:\TestFolder
Sample.dat
..\Sample.dat
\\ComputerName\Share\Sample.dat
\\.\CdRom0
key/KEY - accepts these forms for hive roots: HKLM, HKLM:, HKEY_LOCAL_MACHINE:
HKLM\Software\MyApp
HKCU:\Software\MyApp
HKEY_CLASSES_ROOT\.abc
eventlog:
Application
Microsoft-Windows-AppLocker/EXE and DLL
printer:
MyPrinter
\\ComputerName\MyPrinter
service:
MyService
\\ComputerName\MyService
share:
MyShare
\\ComputerName\MyShare
kobject - named instance of a semaphore, event, mutex, waitable timer,
or file mapping; prepend "Global\" for global namespace objects:
MyEvent
Local\MyEvent (same as "MyEvent")
Global\MyEvent
process - PID in decimal:
3022
thread - TID in decimal:
2044
regbinary: see example below
SDDL examples (these usually must be quoted in PowerShell):
Admins+System, File-All-Access, protected, inherited by all children:
D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)
The above with Users, File-Read:
D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FR;;;BU)
Interactive Users, Generic-All:
D:(A;;GA;;;IU)
Everyone full control but deny List permission:
D:P(D;;CC;;;WD)(A;;FA;;;WD)
Empty DACL (no access, no inherited ACEs):
D:P
Reset inherited DACL (empty DACL but unprotected):
D:
Inherited DACL, Low IL (Vista and newer):
D:S:(ML;;NW;;;LW)
Inherited DACL, remove IL (Vista and newer):
D:S:
NULL DACL (all access):
""
Set owner to BUILTIN\Administrators, leave DACL intact:
O:BA
Set SACL to audit Success and Failure for everything for Everyone:
S:(AU;SAFA;GA;;;WD)
Note that event log security descriptors must explicitly specify an
owner SID and a group SID. If you set event log permissions with
either missing, owner will be set to BA and group SID to SY.
regbinary example:
SetObjectSecurity.exe regbinary SrvsvcSec O:SYG:SYD:(A;;CCSDRCWDWO;;;BA)(A;;CCSDRCWDWO;;;SY)
outputs this, which can be incorporated into a .reg file:
"SrvsvcSec"=hex:01,00,04,80,48,00,00,00,54,00,00,00,00,00,00,00,14,00,00,00,02,00,34,00,...
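The regbinary mode above is just SDDL-to-binary conversion followed by hex formatting. The following is an added example, not code from SetObjectSecurity or the Security Compliance Toolkit, that performs the same transformation offline in Python for the SDDL subset used in this help text (O:/G:/D:/S: components, the P/AI/AR flags, non-object ACEs, the two-letter SID aliases used in the examples, and hex masks). The component order inside the self-relative descriptor (header, DACL, SACL, owner, group) is an assumption chosen so the output for the SrvsvcSec example starts with the same bytes shown above; any order is a valid self-relative descriptor, and the SACL position is unverified against the tool. Object ACEs, conditional ACEs and aliases not listed are out of scope.

```python
"""Encode SDDL into a self-relative SECURITY_DESCRIPTOR and print it as a
.reg-compatible REG_BINARY line (added example, not the tool's own code)."""
import re
import struct

# Two-letter SDDL aliases used in the examples above, mapped to well-known SIDs.
WELL_KNOWN_SIDS = {
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "BU": "S-1-5-32-545",  # BUILTIN\Users
    "SY": "S-1-5-18",      # NT AUTHORITY\SYSTEM
    "WD": "S-1-1-0",       # Everyone
    "AU": "S-1-5-11",      # Authenticated Users
    "IU": "S-1-5-4",       # Interactive Users
    "LW": "S-1-16-4096",   # Low mandatory level
    "HI": "S-1-16-12288",  # High mandatory level
}
ACE_TYPES = {"A": 0x00, "D": 0x01, "AU": 0x02, "ML": 0x11}  # allow, deny, audit, label
ACE_FLAGS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08,
             "ID": 0x10, "SA": 0x40, "FA": 0x80}
ACCESS_RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "NW": 0x1, "NR": 0x2, "NX": 0x4,  # mandatory-label policy bits (ML ACEs only)
}
# Control bits per ACL: (present, protected, auto-inherited, auto-inherit-required)
CONTROL_BITS = {"D": (0x0004, 0x1000, 0x0400, 0x0100),
                "S": (0x0010, 0x2000, 0x0800, 0x0200)}
SE_SELF_RELATIVE = 0x8000


def sid_bytes(sid):
    """Binary SID: revision, sub-authority count, 48-bit big-endian authority, LE subs."""
    parts = WELL_KNOWN_SIDS.get(sid, sid).split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def access_mask(rights):
    """'CCSDRCWDWO' -> OR of two-letter rights; '0x1200a9' -> literal mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= ACCESS_RIGHTS[rights[i:i + 2]]
    return mask


def ace_bytes(ace):
    """'A;OICI;FA;;;BA' -> ACE header (type, flags, size) + mask + SID."""
    ace_type, flags, rights, obj_guid, inh_guid, sid = ace.split(";")
    if obj_guid or inh_guid:
        raise ValueError("object ACEs are not supported by this example")
    ace_flags = 0
    for i in range(0, len(flags), 2):
        ace_flags |= ACE_FLAGS[flags[i:i + 2]]
    sid_b = sid_bytes(sid)
    return struct.pack("<BBHI", ACE_TYPES[ace_type], ace_flags,
                       8 + len(sid_b), access_mask(rights)) + sid_b


def acl_bytes(component):
    """'P(A;...)(A;...)' -> ACL revision 2 with its ACEs; no ACEs gives an empty ACL."""
    aces = [ace_bytes(a) for a in re.findall(r"\(([^)]*)\)", component)]
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body


def encode_sddl(sddl):
    """Self-relative descriptor; assumed layout: header, DACL, SACL, owner, group."""
    comps = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    control = SE_SELF_RELATIVE
    for letter, (present, protected, auto_inh, auto_req) in CONTROL_BITS.items():
        if letter in comps:
            prefix = comps[letter].split("(", 1)[0]  # flags before the first ACE
            control |= present
            control |= protected if "P" in prefix else 0
            control |= auto_inh if "AI" in prefix else 0
            control |= auto_req if "AR" in prefix else 0
    body, offsets = b"", {}
    for letter in ("D", "S", "O", "G"):
        if letter in comps:
            offsets[letter] = 20 + len(body)  # 20-byte SECURITY_DESCRIPTOR_RELATIVE header
            body += acl_bytes(comps[letter]) if letter in "DS" else sid_bytes(comps[letter])
    header = struct.pack("<BBHIIII", 1, 0, control, offsets.get("O", 0),
                         offsets.get("G", 0), offsets.get("S", 0), offsets.get("D", 0))
    return header + body


def reg_line(value_name, sddl):
    """Format the descriptor as the .reg value line regbinary mode prints."""
    return '"%s"=hex:%s' % (value_name, ",".join("%02x" % b for b in encode_sddl(sddl)))


if __name__ == "__main__":
    print(reg_line("SrvsvcSec", "O:SYG:SYD:(A;;CCSDRCWDWO;;;BA)(A;;CCSDRCWDWO;;;SY)"))
```

Running it reproduces the header bytes shown above (01,00,04,80 is revision 1 with SE_DACL_PRESENT | SE_SELF_RELATIVE; 48,00,00,00 and 54,00,00,00 are the owner and group offsets; 14,00,00,00 is the DACL at offset 20; 02,00,34,00 is an ACL revision 2 of 52 bytes). Passing the SDDL strings from the examples above through encode_sddl is also a quick way to see which control bits a given D:/S: prefix turns on before applying it with the tool.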
Example:
Restore Windows 10 default permissions on the C:\ root directory
(Make sure to use the ALL-CAPS "FILE" option to avoid propagating inherited permissions!)
SetObjectSecurity.exe FILE C:\ "O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)(A;OICIIO;SDGXGWGR;;;AU)(A;;LC;;;AU)S:P(ML;OINPIO;NW;;;HI)"