|
# TODO: make these parameters? |
|
$CLSID = "{D63B10C5-BB46-4990-A94F-E40B9D520160}" |
|
$APPID = "{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}" |
|
|
|
# To take ownership of a registry key: |
|
# https://social.technet.microsoft.com/Forums/windowsserver/en-US/e718a560-2908-4b91-ad42-d392e7f8f1ad/take-ownership-of-a-registry-key-and-change-permissions?forum=winserverpowershell |
|
|
|
# Originally from here maybe? |
|
# http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/ |
|
|
|
# ************************* START enable-privilege |
|
function enable-privilege { |
|
param( |
|
## The privilege to adjust. This set is taken from |
|
## http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx |
|
[ValidateSet( |
|
"SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege", |
|
"SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege", |
|
"SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege", |
|
"SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege", |
|
"SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege", |
|
"SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege", |
|
"SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege", |
|
"SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege", |
|
"SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege", |
|
"SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege", |
|
"SeUndockPrivilege", "SeUnsolicitedInputPrivilege")] |
|
$Privilege, |
|
## The process on which to adjust the privilege. Defaults to the current process. |
|
$ProcessId = $pid, |
|
## Switch to disable the privilege, rather than enable it. |
|
[Switch] $Disable |
|
) |
|
|
|
## Taken from P/Invoke.NET with minor adjustments. |
|
$definition = @' |
|
using System; |
|
using System.Runtime.InteropServices; |
|
|
|
public class AdjPriv |
|
{ |
|
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)] |
|
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, |
|
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen); |
|
|
|
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)] |
|
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok); |
|
[DllImport("advapi32.dll", SetLastError = true)] |
|
internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid); |
|
[StructLayout(LayoutKind.Sequential, Pack = 1)] |
|
internal struct TokPriv1Luid |
|
{ |
|
public int Count; |
|
public long Luid; |
|
public int Attr; |
|
} |
|
|
|
internal const int SE_PRIVILEGE_ENABLED = 0x00000002; |
|
internal const int SE_PRIVILEGE_DISABLED = 0x00000000; |
|
internal const int TOKEN_QUERY = 0x00000008; |
|
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020; |
|
public static bool EnablePrivilege(long processHandle, string privilege, bool disable) |
|
{ |
|
bool retVal; |
|
TokPriv1Luid tp; |
|
IntPtr hproc = new IntPtr(processHandle); |
|
IntPtr htok = IntPtr.Zero; |
|
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok); |
|
tp.Count = 1; |
|
tp.Luid = 0; |
|
if(disable) |
|
{ |
|
tp.Attr = SE_PRIVILEGE_DISABLED; |
|
} |
|
else |
|
{ |
|
tp.Attr = SE_PRIVILEGE_ENABLED; |
|
} |
|
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid); |
|
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero); |
|
return retVal; |
|
} |
|
} |
|
'@ |
|
|
|
$processHandle = (Get-Process -id $ProcessId).Handle |
|
$type = Add-Type $definition -PassThru |
|
$type[0]::EnablePrivilege($processHandle, $Privilege, $Disable) |
|
} |
|
# ************************* END enable-privilege |
|
|
|
try { |
|
Write-Host "Script start" |
|
|
|
# Steps we are automating are listed here: |
|
# http://answers.microsoft.com/en-us/windows/forum/windows_8-performance/event-id-10016-the-application-specific-permission/9ff8796f-c352-4da2-9322-5fdf8a11c81e?auth=1 |
|
|
|
# Adjust the permissions for these keys |
|
Write-Host "CLSID is $CLSID" |
|
Write-Host "APPID is $APPID" |
|
|
|
# to check your priviledges: |
|
# whoami /priv |
|
enable-privilege SeTakeOwnershipPrivilege |
|
enable-privilege SeRestorePrivilege |
|
# To change the owner you need SeRestorePrivilege |
|
# http://stackoverflow.com/questions/6622124/why-does-set-acl-on-the-drive-root-try-to-set-ownership-of-the-object |
|
$key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("CLSID\$CLSID",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership) |
|
|
|
if ($key -eq $null) { |
|
Write-Host "Unable to get registry key HKCR:\CLSID\$CLSID" |
|
exit 1 |
|
} |
|
|
|
Write-Host "Opened registry key $($key.Name)" |
|
|
|
# You must get a blank acl for the key b/c you do not currently have access |
|
#$acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None) |
|
#$me = [System.Security.Principal.NTAccount]"t-alien\tome" |
|
#$admin = [System.Security.Principal.NTAccount]"Administrator" |
|
#$acl.SetOwner($admin) |
|
#$key.SetAccessControl($acl) |
|
$cname = $env:computername |
|
$admin = [System.Security.Principal.NTAccount]"$cname\Administrator" |
|
Write-Host "Setting owner to $($admin.Value)" |
|
|
|
$acl = $key.GetAccessControl() |
|
$acl.SetOwner($admin) |
|
$key.SetAccessControl($acl) |
|
$key.Close() |
|
|
|
# After you have set owner you need to get the acl with the perms so you can modify it. |
|
|
|
#$rule = New-Object System.Security.AccessControl.RegistryAccessRule("Administrator","FullControl","Allow") |
|
#$acl.SetAccessRule($rule) |
|
#$key.SetAccessControl($acl) |
|
} catch { |
|
$ErrorMessage = $_.Exception.Message |
|
$FailedItem = $_.Exception.ItemName |
|
Write-Host "Error running setDCOMpermissions" |
|
Write-Host $_.Exception|format-list |
|
exit 1 |
|
} |
|
|
|
|
|
# Code originally from: |
|
# https://social.technet.microsoft.com/Forums/systemcenter/en-US/dfc465bc-7bbd-483e-b98b-2ba56fa98313/the-applicationspecific-permission-settings-do-not-grant-local-launch-permission-for-the-com-server?forum=configmgrgeneral |
|
|
|
#$CLSID = "{3f2db10f-6368-4702-a4b1-e5149d931371}" |
|
# New-PSDrive Creates temporary and persistent mapped network drives. |
|
#New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null |
|
#$key = Get-Item "HKCR:\CLSID\$CLSID\" |
|
#$values = Get-ItemProperty $key.PSPath |
|
#$values.'(default)' |
|
|
|
#$key = Get-Item "HKCR:\AppID\$CLSID\" |
|
#$values = Get-ItemProperty $key.PSPath |
|
#$values.'(default)' |
|
#Remove-PSDrive -Name HKCR |
|
Write-Host "Script complete" |
I had so really hoped this would work. Unfortunately :( maybe something to do with permissions or UEV?
I'll check this post every now and then, hoping for a solution. Until then, I guess i have to fix it manually :) http://www.itexperience.net/event-id-10016-fix-the-application-specific-permission-settings-do-not-grant-local-activation-permission-for-the-com-server-application-with-clsid/