Commands
http://technet.microsoft.com/en-us/library/ee176949.aspx
Get-ExecutionPolicy
http://technet.microsoft.com/en-us/library/ee176961.aspx
Set-ExecutionPolicy RemoteSigned
& "C:\My Scripts\Test.ps1"
Get-Service | Sort-Object Status | Format-Table
Removing security-protected files from c:\ after a bProtector infection
PowerShell Community Extensions (PSCX)
http://pscx.codeplex.com/releases
Solution: (First: thanks to AlfredHall & Sheng Jiang for starting me in the right direction in their discussion here)

0) Run PS as administrator if UAC is enabled.

1) Use PSCX to elevate your privileges:
Import-Module "PSCX"
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true)       # Necessary to set Owner permissions
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeBackupPrivilege", $true)        # Necessary to bypass traverse checking
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeTakeOwnershipPrivilege", $true) # Necessary to override file permissions & take ownership

2) Create a new, owner-only ACL that specifies nothing but the owner, with the Administrators group as that owner.
$blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
$blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
3) Use SetAccessControl to set that Owner.
(Get-Item "F:\testpath\locked").SetAccessControl($blankdirAcl)
4) Modify file permissions, auditing and ownership using Get-Acl and Set-Acl as normal.

By using the new owner-only ACL object and SetAccessControl, ownership has now changed to Administrators and you can use Get-Acl and Set-Acl as desired.
In honor of Diana - goddess of the hunt -
Import-Module -Name "C:\Users\Diana\Downloads\Pscx-2.1.1\PSCX" -verbose
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true)       # Necessary to set Owner permissions
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeBackupPrivilege", $true)        # Necessary to bypass traverse checking
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeTakeOwnershipPrivilege", $true) # Necessary to override file permissions & take ownership

# Owner-only ACL: becoming the owner is what lets Get-Acl/Set-Acl work afterwards
$blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
$blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'Diana-PC\Diana')
(Get-Item "c:\6dc5d7208340ab9995c48afe1508").SetAccessControl($blankdirAcl)
takeown /F "c:\6dc5d7208340ab9995c48afe1508" /R /D Y

# Grant Diana full control over the top-level directory
$Acl = Get-Acl "C:\6dc5d7208340ab9995c48afe1508"
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("Diana-PC\Diana","FullControl","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "C:\6dc5d7208340ab9995c48afe1508" $Acl

# ... and over each subdirectory the infection created
$Acl = Get-Acl "c:\6dc5d7208340ab9995c48afe1508\bProtectorForWindows"
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("Diana-PC\Diana","FullControl","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "c:\6dc5d7208340ab9995c48afe1508\bProtectorForWindows" $Acl

$Acl = Get-Acl "c:\6dc5d7208340ab9995c48afe1508\searchplugins"
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("Diana-PC\Diana","FullControl","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "c:\6dc5d7208340ab9995c48afe1508\searchplugins" $Acl

$Acl = Get-Acl "c:\6dc5d7208340ab9995c48afe1508\bProtectorForWindows\2.2.453.59"
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("Diana-PC\Diana","FullControl","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "c:\6dc5d7208340ab9995c48afe1508\bProtectorForWindows\2.2.453.59" $Acl

rmdir "c:\6dc5d7208340ab9995c48afe1508"
Did it for one!
Import-Module -Name "C:\Users\Diana\Downloads\Pscx-2.1.1\PSCX" -verbose
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true)       # Necessary to set Owner permissions
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeBackupPrivilege", $true)        # Necessary to bypass traverse checking
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeTakeOwnershipPrivilege", $true) # Necessary to override file permissions & take ownership

$blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
$blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'Diana-PC\Diana')

# Everything in the root of c:\ that is not on this list is treated as a locked infection directory
$Directorypath = "c:\"
$excluded = @("hp","users","PerfLogs","Program Files","ProgramData","Qoobox","speedDIAL","System Volume Information","Windows",
              "autoexec.bat","bootmgr","BOOTSECT.BAK","config.sys","hiberfil.sys","IO.SYS","MSDOS.SYS","pagefile.sys",
              "TDSSKiller.2.8.16.0_23.02.2013_08.59.56_log.txt","TDSSKiller.2.8.16.0_23.02.2013_09.20.12_log.txt","updatedatfix.log",
              "Windows Sidebar","Boot","ComboFix","Config.Msi","Documents and Settings","*.BIN")
$LockedDirs = Get-ChildItem $Directorypath -force -name -exclude $excluded # get all of the locked directories.
#$LockedDirs

Foreach ($Locked in $LockedDirs) {
    $Locked
    $FileName = "c:\$Locked"
    $FileName

    # Take ownership first, then grant full control at each level
    (Get-Item $FileName).SetAccessControl($blankdirAcl)
    takeown /F $FileName /R /D Y
    $Acl = Get-Acl $FileName
    $Ar = New-Object system.security.accesscontrol.filesystemaccessrule("Diana-PC\Diana","FullControl","Allow")
    $Acl.SetAccessRule($Ar)
    Set-Acl $FileName $Acl

    $Acl = Get-Acl "$FileName\bProtectorForWindows"
    $Ar = New-Object system.security.accesscontrol.filesystemaccessrule("Diana-PC\Diana","FullControl","Allow")
    $Acl.SetAccessRule($Ar)
    Set-Acl "$FileName\bProtectorForWindows" $Acl

    $Acl = Get-Acl "$FileName\searchplugins"
    $Ar = New-Object system.security.accesscontrol.filesystemaccessrule("Diana-PC\Diana","FullControl","Allow")
    $Acl.SetAccessRule($Ar)
    Set-Acl "$FileName\searchplugins" $Acl

    $Acl = Get-Acl "$FileName\bProtectorForWindows\2.2.453.59"
    $Ar = New-Object system.security.accesscontrol.filesystemaccessrule("Diana-PC\Diana","FullControl","Allow")
    $Acl.SetAccessRule($Ar)
    Set-Acl "$FileName\bProtectorForWindows\2.2.453.59" $Acl

    rmdir $FileName
}
Done!
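The four-step procedure and the two one-off scripts above, collected into a single parameterized function as an added example (my code, not the page's or PSCX's). It assumes Windows PowerShell 5.1 in an elevated shell with PSCX importable as "PSCX"; the function name and its parameters are invented here, and it goes beyond the page by walking the whole tree rather than naming each subfolder.

```powershell
# Added example (not the page's or PSCX's own code): the unlock procedure as one
# function. Assumes Windows PowerShell 5.1 (SetAccessControl as an instance method,
# as the page uses it), an elevated shell, and PSCX importable by the name "PSCX".
function Unlock-LockedDirectory {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$NewOwner = 'BUILTIN\Administrators',  # who will own the tree
        [string]$GrantTo  = 'BUILTIN\Administrators',  # who gets FullControl
        [switch]$Remove                                 # delete the tree once unlocked
    )
    Import-Module PSCX -ErrorAction Stop
    # The same three privileges the procedure enables; each backs one later step.
    foreach ($p in 'SeRestorePrivilege', 'SeBackupPrivilege', 'SeTakeOwnershipPrivilege') {
        Set-Privilege (New-Object Pscx.Interop.TokenPrivilege $p, $true)
    }
    $owner = [System.Security.Principal.NTAccount]$NewOwner
    $rule  = New-Object System.Security.AccessControl.FileSystemAccessRule($GrantTo, 'FullControl', 'Allow')

    # Breadth-first walk: a directory is unlocked before its children are listed,
    # so no subfolder name has to be hard-coded as in the one-off scripts above.
    $queue = New-Object 'System.Collections.Generic.Queue[System.IO.FileSystemInfo]'
    $queue.Enqueue((Get-Item -LiteralPath $Path -Force))
    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        if ($PSCmdlet.ShouldProcess($item.FullName, "Own as $NewOwner, grant $GrantTo")) {
            # Steps 2/3: owner-only descriptor via SetAccessControl; SeRestorePrivilege
            # lets this succeed while the current ACL still denies us everything.
            $sec = New-Object System.Security.AccessControl.DirectorySecurity
            if (-not $item.PSIsContainer) { $sec = New-Object System.Security.AccessControl.FileSecurity }
            $sec.SetOwner($owner)
            $item.SetAccessControl($sec)
            # Step 4: now that we own the object, Get-Acl / Set-Acl work as usual.
            $acl = Get-Acl -LiteralPath $item.FullName
            $acl.SetAccessRule($rule)
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
        if ($item.PSIsContainer) {
            Get-ChildItem -LiteralPath $item.FullName -Force | ForEach-Object { $queue.Enqueue($_) }
        }
    }
    # Verify rather than assume: the top-level owner must now be what was requested.
    $ownerNow = (Get-Acl -LiteralPath $Path).Owner
    if ($ownerNow -ne $NewOwner) { throw "Owner of $Path is still $ownerNow" }
    if ($Remove -and $PSCmdlet.ShouldProcess($Path, 'Remove-Item -Recurse')) {
        Remove-Item -LiteralPath $Path -Recurse -Force
    }
}
# The directory the one-off script above targets, unlocked for the same account.
Unlock-LockedDirectory -Path 'C:\6dc5d7208340ab9995c48afe1508' -NewOwner 'Diana-PC\Diana' -GrantTo 'Diana-PC\Diana'
```

Because the function supports ShouldProcess, `-WhatIf` lists every object it would touch without changing anything, and `-Remove` is needed before the tree is deleted.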