Created
January 29, 2023 14:20
-
-
Save mtask/9b2a70cc4f32cc9d2e06634aab6a5590 to your computer and use it in GitHub Desktop.
Convert SIDs in usert rights assingments to names
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $RESULT = @{} | |
| $OUTFILE = $env:TEMP+"\out.cf" | |
| # Use SecEdit to export USER_RIGHTS configuration | |
| SecEdit.exe /export /areas USER_RIGHTS /cfg $OUTFILE >NULL | |
| # Loop over output file's content | |
| foreach($line in Get-Content -Path $OUTFILE) { | |
| $line_arr = $line.Split(' ') | |
| # Seperate privilige name | |
| $PRIV = $line_arr[0] | |
| # Output contains some other lines as well.. | |
| #.. and this ensures that we are only checking relevant lines | |
| if ($line -match '[A-Za-z]+\s=\s.*') { | |
| # Seperate SIDs that are seperated with comma | |
| foreach( $sid_str in $line_arr[2].Split(',') ) { | |
| # Some names are already converted lik "Guest" | |
| if ( $sid_str.StartsWith('*S-') ) { | |
| $sid_str = $sid_str.Replace('*', '') | |
| $CONVERTED_SID = $([wmi]"Win32_SID.SID='$sid_str'"|select -ExpandProperty AccountName) | |
| if ($RESULT.ContainsKey($PRIV) ) { | |
| $RESULT[$PRIV] += $CONVERTED_SID | |
| } | |
| else{ | |
| $RESULT.add($PRIV, @($CONVERTED_SID)) | |
| } | |
| }else { | |
| if ($RESULT.ContainsKey($PRIV) ) { | |
| $RESULT[$PRIV] += $sid_str | |
| } | |
| else{ | |
| $RESULT.add($PRIV, @($sid_str)) | |
| } | |
| } | |
| } | |
| } | |
| } | |
| # Remove SecEdit export file | |
| del $OUTFILE | |
| # Convert results to JSON | |
| Write-Host $($RESULT | ConvertTo-Json -Depth 4) |
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
EnableAdminAccount = 0
EnableGuestAccount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,5
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"0"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,5
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,3
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures=4,0
MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,536870912
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,536870912
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,0
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
SeCreatePagefilePrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544,*S-1-5-90-0
SeLoadDriverPrivilege = *S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
SeServiceLogonRight = *S-1-5-80-0
SeInteractiveLogonRight = Guest,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeSecurityPrivilege = *S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeDenyNetworkLogonRight = Guest
SeDenyInteractiveLogonRight = Guest
SeUndockPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeManageVolumePrivilege = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeIncreaseWorkingSetPrivilege = *S-1-5-32-545
SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-545
SeCreateSymbolicLinkPrivilege = *S-1-5-32-544
SeDelegateSessionUserImpersonatePrivilege = *S-1-5-32-544
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Example output:
{ "SeLoadDriverPrivilege": [ "Administrators" ], "SeImpersonatePrivilege": [ "LOCAL SERVICE", "NETWORK SERVICE", "Administrators", "SERVICE" ], "SeSystemtimePrivilege": [ "LOCAL SERVICE", "Administrators" ], "SeDelegateSessionUserImpersonatePrivilege": [ "Administrators" ], "SeTakeOwnershipPrivilege": [ "Administrators" ], "SeDenyInteractiveLogonRight": [ "Guest" ], "SeBackupPrivilege": [ "Administrators", "Backup Operators" ], "SeRemoteInteractiveLogonRight": [ "Administrators", "Remote Desktop Users" ], "SeIncreaseQuotaPrivilege": [ "LOCAL SERVICE", "NETWORK SERVICE", "Administrators" ], "SeSecurityPrivilege": [ "Administrators" ], "SeDebugPrivilege": [ "Administrators" ], "SeServiceLogonRight": [ "ALL SERVICES" ], "SeIncreaseWorkingSetPrivilege": [ "Users" ], "SeIncreaseBasePriorityPrivilege": [ "Administrators", "Window Manager Group" ], "SeShutdownPrivilege": [ "Administrators", "Users", "Backup Operators" ], "SeUndockPrivilege": [ "Administrators", "Users" ], "SeBatchLogonRight": [ "Administrators", "Backup Operators", "Performance Log Users" ], "SeTimeZonePrivilege": [ "LOCAL SERVICE", "Administrators", "Users" ], "SeAssignPrimaryTokenPrivilege": [ "LOCAL SERVICE", "NETWORK SERVICE" ], "SeInteractiveLogonRight": [ "Guest", "Administrators", "Users", "Backup Operators" ], "SeCreatePagefilePrivilege": [ "Administrators" ], "SeRestorePrivilege": [ "Administrators", "Backup Operators" ], "SeSystemProfilePrivilege": [ "Administrators", "WdiServiceHost" ], "SeCreateGlobalPrivilege": [ "LOCAL SERVICE", "NETWORK SERVICE", "Administrators", "SERVICE" ], "SeDenyNetworkLogonRight": [ "Guest" ], "SeRemoteShutdownPrivilege": [ "Administrators" ], "SeNetworkLogonRight": [ "Everyone", "Administrators", "Users", "Backup Operators" ], "SeManageVolumePrivilege": [ "Administrators" ], "SeAuditPrivilege": [ "LOCAL SERVICE", "NETWORK SERVICE" ], "SeProfileSingleProcessPrivilege": [ "Administrators" ], "SeCreateSymbolicLinkPrivilege": [ "Administrators" ], "SeSystemEnvironmentPrivilege": [ "Administrators" ], "SeChangeNotifyPrivilege": [ "Everyone", "LOCAL SERVICE", "NETWORK SERVICE", "Administrators", "Users", "Backup Operators" ] }