I want to remove all permissions from some Windows\System32-files, e.g. wuauclt.exe and wuaueng.dll. Therefore I found that script:
takeown /F $file
$acl = get-acl $file
$acl.Access | % {$acl.purgeaccessrules($_.IdentityReference)}
Set-Acl -aclobject $acl -Path $file
This gives me ownership and removes all permissions except those for ALL APPLICATION PACKAGES and ALL RESTRICTED APPLICATION PACKAGES. How am I able to remove those as well via a PowerShell script (not manually and without using a 3rd party tool)?
Thanks in advance!
CodePudding user response:
These IdentityReference are specific. In fact it is an instance of [System.Security.Principal.NTAccount] and translating them to a [System.Security.Principal.SecurityIdentifier] outputs an error.
But it is still possible to create them manually.
In SDDL format:
AC or S-1-15-2-1 for ALL APPLICATION PACKAGES
S-1-15-2-2 for ALL RESTRICTED APPLICATION PACKAGES
You can add the following code to remove them. But I'm not sure this is a good idea to remove these rights on System files.
$acl.Access | % {
    if ($_.IdentityReference.Value -imatch "APPLICATION PACKAGES") {
        # These two identities are purged by SID built by hand,
        # because their NTAccount form cannot be translated.
        try {
            $acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]::new("S-1-15-2-2"))
            $acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]::new("AC"))
        } catch { }
    }
    else {
        # Every other identity can be purged directly.
        $acl.purgeaccessrules($_.IdentityReference)
    }
}
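A more general variant of the answer above, added here as an example and not part of the original post: it asks the ACL for its rules with SIDs as identities, so no name-to-SID translation or hard-coded SID is needed, and it saves the original descriptor so the change can be rolled back. The function names, parameters and backup file are hypothetical; it assumes an elevated session and that ownership was already taken with takeown as in the question.

```powershell
# Added example. Function and parameter names are hypothetical.
function Remove-AllAccessRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        # File that receives the original security descriptor (SDDL) for rollback.
        [Parameter(Mandatory)][string]$BackupPath
    )

    $acl = Get-Acl -LiteralPath $Path

    # Keep the descriptor as it was before any change.
    $acl.Sddl | Set-Content -LiteralPath $BackupPath -Encoding ascii

    # PurgeAccessRules only touches explicit ACEs, so stop inheriting
    # from the parent folder and drop the inherited copies first.
    $acl.SetAccessRuleProtection($true, $false)

    # Request the rules with SecurityIdentifier identities. The two
    # APPLICATION PACKAGES entries then come back as SIDs like all others.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sids = $acl.GetAccessRules($true, $true, $sidType) |
        ForEach-Object { $_.IdentityReference } |
        Sort-Object -Property Value -Unique

    foreach ($sid in $sids) {
        Write-Verbose "Purging access rules for $($sid.Value)"
        $acl.PurgeAccessRules($sid)
    }

    if ($PSCmdlet.ShouldProcess($Path, 'Write ACL without access rules')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

function Restore-AccessRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$BackupPath
    )

    $acl  = Get-Acl -LiteralPath $Path
    $sddl = (Get-Content -LiteralPath $BackupPath -Raw).Trim()

    # Put back only the DACL from the backup; the current owner is kept.
    $acl.SetSecurityDescriptorSddlForm($sddl, [System.Security.AccessControl.AccessControlSections]::Access)

    if ($PSCmdlet.ShouldProcess($Path, 'Restore saved access rules')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}
```

Running Remove-AllAccessRule with -WhatIf -Verbose lists the SIDs that would be purged without writing the ACL or the backup file.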