VBS script / wmi security conf DACL

Discussion:

(too old to reply)

e***@gmail.com

2017-05-22 14:51:37 UTC

Hello,

I am trying to write a vbs script that configures WMI security. I want to use byte stream example in link below.

https://blogs.msdn.microsoft.com/spatdsg/2007/11/21/set-wmi-namespace-security-via-gpo-script/

I did the same and generated script:

strSD = array(1,0,20,130,192,0,0,0,208,0,0,0,20,0,0,0,64,0,0,0,2,0,44,0,1,0,0,0,2,194,36,0,31,0,6,0,1,5,0,0,0,0,0,5,21,0,0,0,91,16,155,64,69,109,31,3,188,108,130,0,191,80,2,0,2,0,128,0,5,0,0,0,0,2,20,0,19,0,0,0,1,1,0,0,0,0,0,5,11,0,0,0,0,2,20,0,19,0,0,0,1,1,0,0,0,0,0,5,19,0,0,0,0,2,20,0,19,0,0,0,1,1,0,0,0,0,0,5,20,0,0,0,0,2,24,0,63,0,6,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0,0,2,36,0,63,0,6,0,1,5,0,0,0,0,0,5,21,0,0,0,91,16,155,64,69,109,31,3,188,108,130,0,191,80,2,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0)

set namespace = createobject("wbemscripting.swbemlocator").connectserver(,"root")

set security = namespace.get("__systemsecurity=@")

nStatus = security.setsd(strSD)

I get error below when I run as an admin:

Privilege not held
Line:7
Char:1
Source: SWbemObjectEx

Can you please help me on this?

Any alternative way that you will suggest would also be appreciated.

Dave "Crash" Dummy

2017-05-22 14:56:30 UTC

Permalink

Post by e***@gmail.com
Hello,
I am trying to write a vbs script that configures WMI security. I want to use byte stream example in link below.
https://blogs.msdn.microsoft.com/spatdsg/2007/11/21/set-wmi-namespace-security-via-gpo-script/
http://youtu.be/_e0ZrknsLFE
strSD = array(1,0,20,130,192,0,0,0,208,0,0,0,20,0,0,0,64,0,0,0,2,0,44,0,1,0,0,0,2,194,36,0,31,0,6,0,1,5,0,0,0,0,0,5,21,0,0,0,91,16,155,64,69,109,31,3,188,108,130,0,191,80,2,0,2,0,128,0,5,0,0,0,0,2,20,0,19,0,0,0,1,1,0,0,0,0,0,5,11,0,0,0,0,2,20,0,19,0,0,0,1,1,0,0,0,0,0,5,19,0,0,0,0,2,20,0,19,0,0,0,1,1,0,0,0,0,0,5,20,0,0,0,0,2,24,0,63,0,6,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0,0,2,36,0,63,0,6,0,1,5,0,0,0,0,0,5,21,0,0,0,91,16,155,64,69,109,31,3,188,108,130,0,191,80,2,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0)
set namespace = createobject("wbemscripting.swbemlocator").connectserver(,"root")
nStatus = security.setsd(strSD)
Privilege not held
Line:7
Char:1
Source: SWbemObjectEx
Can you please help me on this?
Any alternative way that you will suggest would also be appreciated.

What is "line 7?"

--
Crash

One man's weed is another man's wildflower.

e***@gmail.com

2017-05-23 05:52:32 UTC

Permalink

Post by Dave "Crash" Dummy

What is "line 7?"
--
Crash
One man's weed is another man's wildflower.

Line 7 is "nStatus = security.setsd(strSD)"

2017-05-22 20:10:13 UTC

Permalink

That code works fine when run using admin in my system.
Are you sure you run it using admin privileges?

Try right-clicking the "Command Prompt" from the Start Menu, and choose "Run
as administrator" from the popup menu. Then in that command prompt window,
run the script by executing either CSCRIPT.EXE or WSCRIPT.EXE using the
script file name as its argument.

If you simply type the script file name then press ENTER, WSCRIPT.EXE will
be executed by the desktop shell, which doesn't have administrator
privileges. A VBS file is not a Windows native program. It's a document, and
it requires another program in order to run it (CSCRIPT.EXE or WSCRIPT.EXE).

e***@gmail.com

2017-05-23 05:24:40 UTC

Permalink

Post by JJ

That code works fine when run using admin in my system.
Are you sure you run it using admin privileges?
Try right-clicking the "Command Prompt" from the Start Menu, and choose "Run
as administrator" from the popup menu. Then in that command prompt window,
run the script by executing either CSCRIPT.EXE or WSCRIPT.EXE using the
script file name as its argument.
If you simply type the script file name then press ENTER, WSCRIPT.EXE will
be executed by the desktop shell, which doesn't have administrator
privileges. A VBS file is not a Windows native program. It's a document, and
it requires another program in order to run it (CSCRIPT.EXE or WSCRIPT.EXE).

Hello JJ,

I have tried with both cscript and wscript (cmd opened as admin) but still same result. It is really weird that you are able to run same script successfully :S

Dave "Crash" Dummy

2017-05-22 22:11:53 UTC

Permalink

Put this code in the start of your script:

Set WshShell = WScript.CreateObject("WScript.Shell")
If WScript.Arguments.length = 0 Then
Set ObjShell = CreateObject("Shell.Application")
ObjShell.ShellExecute "wscript.exe", """" & _
WScript.ScriptFullName & """" &_
" RunAsAdministrator", , "runas", 1
Else

Put your code here

End if

--
Crash

When it comes to texting, some people are all thumbs.

Dave "Crash" Dummy

2017-05-22 22:26:03 UTC

Permalink

--
Crash

Democracy is government by the basest emotions of slightly over half the
population.

e***@gmail.com

2017-05-23 05:27:24 UTC

Permalink

Post by Dave "Crash" Dummy

Set WshShell = WScript.CreateObject("WScript.Shell")
If WScript.Arguments.length = 0 Then
Set ObjShell = CreateObject("Shell.Application")
ObjShell.ShellExecute "wscript.exe", """" & _
WScript.ScriptFullName & """" &_
" RunAsAdministrator", , "runas", 1
Else
Put your code here
End if
--
Crash
Democracy is government by the basest emotions of slightly over half the
population.

Hello Dave,

I have updated my code just like you said but I still get error.

Privilege Not Held
Line 15
Char 2

which is pointing the line starts with "nStatus"

2017-05-23 10:30:08 UTC

Permalink

Post by e***@gmail.com
Hello Dave,
I have updated my code just like you said but I still get error.
Privilege Not Held
Line 15
Char 2
which is pointing the line starts with "nStatus"

Looks like some internal things has been tampered with.
Or the access is blocked by an anti virus / security suite software.

Dave "Crash" Dummy

2017-05-23 14:11:20 UTC

Permalink

Post by e***@gmail.com
Hello Dave,
I have updated my code just like you said but I still get error.
Privilege Not Held Line 15 Char 2
which is pointing the line starts with "nStatus"

Looks like some internal things has been tampered with. Or the access
is blocked by an anti virus / security suite software.

The only other thing I can think of is that he is not logged in as a
user with administrator privileges.

--
Crash

"The unexamined life is not worth living."
~ Socrates ~

2017-05-24 09:03:55 UTC

Permalink

Post by Dave "Crash" Dummy
The only other thing I can think of is that he is not logged in as a
user with administrator privileges.

The WMI SetSD method is only available in Vista+, so that assures that he's
using a system with UAC. And under Vista+, even a non Administrator logged
on user (i.e. doesn't belong to the Administrators group) can virtually have
admin privileges assuming that the user passed the UAC prompt. In this case,
the elevated program is executed using other account which belong to the
Administrators group (UAC will prompt for credentials of other admin
account). And if a system has no account which belong to the Administrators
group (or has but none is enabled), no user will be able to pass the UAC
prompt (none will ever virtually have admin privileges).