Set-ExecutionPolicy so PowerShell is usable

2020-07-19

-ExecutionPolicy Specifies the execution policy. If there are no Group Policies and each scope's execution policy is set to Undefined, then Restricted becomes the effective policy for all users. The acceptable execution policy values are as follows:

• AllSigned. Requires that all scripts and configuration files are signed by a trusted publisher, including scripts written on the local computer.
• Bypass. Nothing is blocked and there are no warnings or prompts.
• Default. Sets the default execution policy. Restricted for Windows clients or RemoteSigned for Windows servers.
• RemoteSigned. Requires that all scripts and configuration files downloaded from the Internet are signed by a trusted publisher. The default execution policy for Windows server computers.
• Restricted. Doesn't load configuration files or run scripts. The default execution policy for Windows client computers.
• Undefined. No execution policy is set for the scope. Removes an assigned execution policy from a scope that is not set by a Group Policy. If the execution policy in all scopes is Undefined, the effective execution policy is Restricted.
• Unrestricted. Loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you are prompted for permission before it runs.
  Set-ExecutionPolicy -ExecutionPolicy ByPass

From <https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Security/Set-ExecutionPolicy?view=powershell-5.1>

Set-ExecutionPolicy and About Signing

From: https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Security/Set-ExecutionPolicy?view=powershell-5.1

From: https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Core/about_Signing?view=powershell-5.1

The Set-ExecutionPolicy cmdlet changes the user preference for the Windows PowerShell execution policy.

The Restricted execution policy does not permit any scripts to run. The AllSigned and RemoteSigned execution policies prevent Windows PowerShell from running scripts that do not have a digital signature. This topic explains how to run selected scripts that are not signed, even while the execution policy is RemoteSigned, and how to sign scripts for your own use.

Commands

http://technet.microsoft.com/en-us/library/ee176949.aspx

  Get-ExecutionPolicy

http://technet.microsoft.com/en-us/library/ee176961.aspx

  Set-ExecutionPolicy RemoteSigned
  & "C:\My Scripts\Test.ps1"
  
  Get-Service | Sort-Object Status | Format-Table
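The about_Signing paragraph above describes two ways to run an unsigned script under RemoteSigned without dropping the whole machine to Bypass. This added example (not from the page or from Microsoft's docs) shows both, plus the scope check that explains why a policy change sometimes has no visible effect. `$script` is an assumed path, matching the commands above; it assumes Windows PowerShell 5.1 on Windows 10.

```powershell
# Scopes are evaluated top to bottom; a Group Policy (MachinePolicy/UserPolicy) overrides
# anything Set-ExecutionPolicy writes, so check where the effective policy comes from first.
Get-ExecutionPolicy -List

# RemoteSigned for this user only: no admin rights needed and other accounts are unaffected.
# Locally written scripts keep running; downloaded ones must be signed or unblocked.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

$script = "C:\My Scripts\Test.ps1"   # assumed path

# What RemoteSigned actually keys on is the Zone.Identifier alternate data stream that
# browsers write to downloaded files. Show it, then clear the mark for this one file only.
if (Get-Item -LiteralPath $script -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    Get-Content -LiteralPath $script -Stream Zone.Identifier
    Unblock-File -LiteralPath $script
}

# For scripts you wrote yourself, sign them instead: a self-signed code-signing
# certificate, trusted only in the current user's stores (a consent dialog appears for Root).
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject "CN=Local Script Signing" `
            -CertStoreLocation Cert:\CurrentUser\My
foreach ($storeName in "Root", "TrustedPublisher") {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, "CurrentUser")
    $store.Open("ReadWrite"); $store.Add($cert); $store.Close()
}
Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Out-Null

# Verify before running: the status must be Valid and the signer must be our certificate,
# otherwise someone else's edit (or a different signer) would slip through.
$sig = Get-AuthenticodeSignature -FilePath $script
if ($sig.Status -ne "Valid" -or $sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Signature check failed: $($sig.Status) $($sig.StatusMessage)"
}
& $script
```

Any later edit to the script invalidates the signature, so re-run Set-AuthenticodeSignature after changing it.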
  

Removing security-protected files from c:\ after infection by bProtector

PowerShell Community Extensions (PSCX)

http://pscx.codeplex.com/releases

http://social.technet.microsoft.com/Forums/eu/winserverpowershell/thread/87679d43-04d5-4894-b35b-f37a6f5558cb

Solution: (First: Thanks to AlfredHall & Sheng Jiang for starting me in the right direction in their discussion here)

0) Run PS as administrator if UAC is enabled.

1) Use PSCX to elevate your privileges:

  Import-Module "PSCX"
  Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true) #Necessary to set Owner Permissions
  Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeBackupPrivilege", $true) #Necessary to bypass Traverse Checking
  Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeTakeOwnershipPrivilege", $true) #Necessary to override FilePermissions & take Ownership

2) Create a new, Owner-only ACL with only the Owner specified with the administrative group as the owner.

  $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
  $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')

3) Use SetAccessControl to set that Owner.

  (Get-Item "F:\testpath\locked").SetAccessControl($blankdirAcl)

4) Modify File Permissions, Auditing, Ownership using Get-Acl, Set-Acl as normal.


By using the new Owner-only ACL object and SetAccessControl, Ownership has now changed to Administrators and you can use Get-Acl,Set-Acl as desired.
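The four steps above as one reusable function, added here as an example (not code from the page, the forum thread or PSCX): it takes the path and the target owner as parameters instead of hard-coded names, walks every subfolder and file rather than naming them one by one, supports -WhatIf, and refuses to delete anything until every entry really reports the new owner. It assumes Windows PowerShell 5.1, an elevated shell and PSCX already imported.

```powershell
function Restore-LockedDirectory {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Who should end up owning the tree; defaults to the account running the shell.
        [string]$Owner = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
        [switch]$Remove
    )
    # Step 1: the three privileges the thread identifies, enabled on this process token.
    foreach ($priv in "SeRestorePrivilege", "SeBackupPrivilege", "SeTakeOwnershipPrivilege") {
        Set-Privilege (New-Object Pscx.Interop.TokenPrivilege $priv, $true)
    }
    $account = [System.Security.Principal.NTAccount]$Owner
    # Step 2: owner-only security descriptors; files need FileSecurity, not DirectorySecurity.
    $dirSd = New-Object System.Security.AccessControl.DirectorySecurity
    $dirSd.SetOwner($account)
    $fileSd = New-Object System.Security.AccessControl.FileSecurity
    $fileSd.SetOwner($account)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, "FullControl", "Allow")

    # Step 3: take the root first so it can be traversed, then every descendant.
    $root = Get-Item -LiteralPath $Path -Force
    if (-not $PSCmdlet.ShouldProcess($root.FullName, "take ownership as $Owner")) { return }
    $root.SetAccessControl($dirSd)
    $items = @($root) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        if (-not $PSCmdlet.ShouldProcess($item.FullName, "take ownership as $Owner")) { continue }
        $sd = if ($item.PSIsContainer) { $dirSd } else { $fileSd }
        $item.SetAccessControl($sd)
        # Step 4: we own it now, so Get-Acl/Set-Acl behave normally.
        $acl = Get-Acl -LiteralPath $item.FullName
        $acl.SetAccessRule($rule)
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
    if ($WhatIfPreference) { return }
    # Refuse to delete unless every entry now reports the requested owner.
    $bad = @($items | Where-Object { (Get-Acl -LiteralPath $_.FullName).Owner -ne $Owner })
    if ($bad.Count) { throw "Ownership not changed for: $($bad.FullName -join ', ')" }
    if ($Remove -and $PSCmdlet.ShouldProcess($Path, "remove directory tree")) {
        Remove-Item -LiteralPath $Path -Recurse -Force
    }
}

# Dry run first, then for real; the path is the one from the page's own example below.
Restore-LockedDirectory -Path "c:\6dc5d7208340ab9995c48afe1508" -WhatIf
Restore-LockedDirectory -Path "c:\6dc5d7208340ab9995c48afe1508" -Remove
```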

In honor of Diana - goddess of the hunt -

  Import-Module -Name "C:\Users\Diana\Downloads\Pscx-2.1.1\PSCX" -Verbose
  Set-Privilege (New-Object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true)       # Necessary to set Owner Permissions
  Set-Privilege (New-Object Pscx.Interop.TokenPrivilege "SeBackupPrivilege", $true)        # Necessary to bypass Traverse Checking
  Set-Privilege (New-Object Pscx.Interop.TokenPrivilege "SeTakeOwnershipPrivilege", $true) # Necessary to override FilePermissions & take Ownership
  
  # Owner-only security descriptor: the only thing it carries is the new owner
  $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
  $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'Diana-PC\Diana')
  
  # Works even though Get-Acl/Set-Acl are denied, because SeRestorePrivilege is enabled
  (Get-Item "c:\6dc5d7208340ab9995c48afe1508").SetAccessControl($blankdirAcl)
  
  # Take ownership of the subfolders too (/R), answering Yes to every prompt (/D Y)
  takeown /F "c:\6dc5d7208340ab9995c48afe1508" /R /D Y
  
  # Now that we own the folders, grant FullControl the normal way
  $Acl = Get-Acl "C:\6dc5d7208340ab9995c48afe1508"
  $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Diana-PC\Diana","FullControl","Allow")
  $Acl.SetAccessRule($Ar)
  Set-Acl "C:\6dc5d7208340ab9995c48afe1508" $Acl
  
  $Acl = Get-Acl "c:\6dc5d7208340ab9995c48afe1508\bProtectorForWindows"
  $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Diana-PC\Diana","FullControl","Allow")
  $Acl.SetAccessRule($Ar)
  Set-Acl "c:\6dc5d7208340ab9995c48afe1508\bProtectorForWindows" $Acl
  
  $Acl = Get-Acl "c:\6dc5d7208340ab9995c48afe1508\searchplugins"
  $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Diana-PC\Diana","FullControl","Allow")
  $Acl.SetAccessRule($Ar)
  Set-Acl "c:\6dc5d7208340ab9995c48afe1508\searchplugins" $Acl
  
  $Acl = Get-Acl "c:\6dc5d7208340ab9995c48afe1508\bProtectorForWindows\2.2.453.59"
  $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Diana-PC\Diana","FullControl","Allow")
  $Acl.SetAccessRule($Ar)
  Set-Acl "c:\6dc5d7208340ab9995c48afe1508\bProtectorForWindows\2.2.453.59" $Acl
  
  # The folder is not empty, so -Recurse is needed to delete the whole tree
  rmdir "c:\6dc5d7208340ab9995c48afe1508" -Recurse
  

Did it for one!

  
  Import-Module -Name "C:\Users\Diana\Downloads\Pscx-2.1.1\PSCX" -Verbose
  Set-Privilege (New-Object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true)       # Necessary to set Owner Permissions
  Set-Privilege (New-Object Pscx.Interop.TokenPrivilege "SeBackupPrivilege", $true)        # Necessary to bypass Traverse Checking
  Set-Privilege (New-Object Pscx.Interop.TokenPrivilege "SeTakeOwnershipPrivilege", $true) # Necessary to override FilePermissions & take Ownership
  
  $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
  $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'Diana-PC\Diana')
  
  # Everything in c:\ that is NOT one of the malware folders, so it is left alone
  $excluded = @("hp","users","PerfLogs","Program Files","ProgramData","Qoobox","speedDIAL","System Volume Information","Windows","autoexec.bat","bootmgr","BOOTSECT.BAK","config.sys","hiberfil.sys","IO.SYS","MSDOS.SYS","pagefile.sys","TDSSKiller.2.8.16.0_23.02.2013_08.59.56_log.txt","TDSSKiller.2.8.16.0_23.02.2013_09.20.12_log.txt","updatedatfix.log","Windows Sidebar","Boot","ComboFix","Config.Msi","Documents and Settings","*.BIN")
  
  $Directorypath = "c:\"
  $LockedDirs = Get-ChildItem $Directorypath -Force -Name -Exclude $excluded # get all of the locked directories (names only)
  #$LockedDirs
  
  Foreach ($Locked in $LockedDirs) {
      $Locked
      $FileName = "c:\$Locked"
      $FileName
      
      # Set the owner directly; works because SeRestorePrivilege is enabled
      (Get-Item $FileName).SetAccessControl($blankdirAcl)
      
      # Take ownership of the subfolders too (/R), answering Yes to every prompt (/D Y)
      takeown /F $FileName /R /D Y
      
      $Acl = Get-Acl $FileName
      $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Diana-PC\Diana","FullControl","Allow")
      $Acl.SetAccessRule($Ar)
      Set-Acl $FileName $Acl
      
      $Acl = Get-Acl "$FileName\bProtectorForWindows"
      $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Diana-PC\Diana","FullControl","Allow")
      $Acl.SetAccessRule($Ar)
      Set-Acl "$FileName\bProtectorForWindows" $Acl
      
      $Acl = Get-Acl "$FileName\searchplugins"
      $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Diana-PC\Diana","FullControl","Allow")
      $Acl.SetAccessRule($Ar)
      Set-Acl "$FileName\searchplugins" $Acl
      
      $Acl = Get-Acl "$FileName\bProtectorForWindows\2.2.453.59"
      $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Diana-PC\Diana","FullControl","Allow")
      $Acl.SetAccessRule($Ar)
      Set-Acl "$FileName\bProtectorForWindows\2.2.453.59" $Acl
      
      # The folder is not empty, so -Recurse is needed to delete the whole tree
      rmdir $FileName -Recurse
  }
  

Done!

software/powershell.txt · Last modified: 2020/07/19 18:13 by superwizard