I have a WindowsXP configured as a build machine. The build process runs under an account which isn't an administrator.
Some projects register as a last step an ocx control with something like
regsvr32 /s /c ".\debug\myocx.ocx"
This step fails and I assume that this has something to do with rights because doing the same under an admin account works fine.
What rights/permissions/policies do I need to give the build account and where do I do it? (Browsing Local Users and Groups and Local Security Settings haven't helped me)
Via regedit you need to give the build account rights on "HKEY_CLASSES_ROOT.
Right-click on HKEY_CLASSES_ROOT and choose Permissions...Full Control.
Registering an OCX comes down to writing entries in the registry under HKLM. Non-admin accounts by default don't have rights there, and I'm not too sure your build account should (installation of debugging OCX's is still "installation" (v.s. building) in my book).
PowerShell Script to apply permissions for regsvr32 without being an Admin
Whilst it's possible to just grant full control of the HKCR key, that might result in granting more access than necessary. While researching how to do this, at one point I ended up hosing the permissions on HKCR, resulting in the need to reimage my machine. In order to come up with this script, I used the procmon tool, and filtered for registry permissions denied, then granted them in the script.
The following PowerShell script creates (non-inherited) permissions on just those keys that I've determined necessary for registration of DLLs (and thus OCXs). This allows a single account (in this case, a build server code builder account) to be granted access to register DLLs without being an administrator. Replace the first variable - $buildAcctUserName - with the account to use when setting rules.
$buildAcctUserName = "AzureDevOpsBuilder"
# Create Rule for full control of keys that need to be added to/updated/deleted from
$user = New-Object System.Security.Principal.NTAccount("$($env:COMPUTERNAME)\$buildAcctUserName")
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
$user,
[System.Security.AccessControl.RegistryRights]"FullControl",
[System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit", <# ContainerInherit / None / ObjectInherit #>
[System.Security.AccessControl.PropagationFlags]::None,
[System.Security.AccessControl.AccessControlType]::Allow)
# Grant access to HKCR
$regHKCRHive=[Microsoft.Win32.RegistryHive]::ClassesRoot;
$regHKCRBaseKey=[Microsoft.Win32.RegistryKey]::OpenBaseKey($regHKCRHive,[Microsoft.Win32.RegistryView]::Default)
$regkey=$regHKCRBaseKey.OpenSubKey("", $true)
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)
# Grant access to HKLM\Software
$regHKLMHive=[Microsoft.Win32.RegistryHive]::LocalMachine
$regHKLMBaseKey=[Microsoft.Win32.RegistryKey]::OpenBaseKey($regHKLMHive,[Microsoft.Win32.RegistryView]::Default)
$regkey=$regHKLMBaseKey.OpenSubKey("SOFTWARE", $true)
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)
# Grant access to HKLM\Software\Wow6432Node
$regkey=$regHKLMBaseKey.OpenSubKey("SOFTWARE\Wow6432Node", $true)
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)
# Grant access to HKCR\Wow6432Node\CLSID
$regkey=$regHKCRBaseKey.OpenSubKey("Wow6432Node\CLSID", $true)
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)
# Grant access to HKCR\TypeLib
$regkey=$regHKCRBaseKey.OpenSubKey("TypeLib", $true)
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)
# Grant access to HKCR\Wow6432Node\Interface
$regkey=$regHKCRBaseKey.OpenSubKey("Wow6432Node\Interface", $true)
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)
# Grant access to HKCR\Interface
$regkey=$regHKCRBaseKey.OpenSubKey("Interface", $true)
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)
# Grant access to HKCR\AppID
$regkey=$regHKCRBaseKey.OpenSubKey("AppID", $true)
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)
Please check for error messages of regsvr32 as given in
http://support.microsoft.com/kb/249873
and also I am not sure about /c switch..
Hope this may help.
Related
I've asp.net MVC website hosted within docker container. The site needs to read the certificates stored on cert:\currentuser\my and present it to the Azure AD for app authentication.
I've loaded the pfx certs on to docker as part of image build per below:
# Install cert, located at certs folder in the host machine, relative to the path of the Solution Dockerfile
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
WORKDIR C:\certs
COPY ./certs .\
RUN Get-ChildItem -File | Foreach { Import-PfxCertificate -Password (ConvertTo-SecureString -String "xyz1234" -AsPlainText -Force) -CertStoreLocation Cert:\CurrentUser\My -FilePath $_.fullname }
Then have this simple test aspx to read the cert by thumprint:
public X509Certificate2 FindCertificateByThumbprint(string findValue, bool validateCertificate)
{
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
try
{
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection col = store.Certificates.Find(X509FindType.FindByThumbprint,
findValue, validateCertificate);
if (col == null || col.Count == 0)
return null;
return col[0];
}
finally
{
store.Close();
}
}
Note:
On non docker (local laptop), This works perfectly OK for web.
On docker container, console app can find the certificate but not web app.
I tried all these but no luck:
https://newbedev.com/how-to-grant-permission-to-user-on-certificate-private-key-using-powershell
How to Grant permission to user on Certificate private key using powershell?
https://www.codyhosterman.com/2019/06/assigning-read-access-to-windows-private-key/
Feels like I'm missing a step here but not sure what. Has anyone got
I have this script that adds a path based on the username:
$credential = Get-Credential
$user=$credential.GetNetworkCredential().UserName
New-PSDrive -Name x -PSProvider FileSystem -Root "\\192.168.1.1\$($user)" -Credential $credential -persist
I'm trying to make it more robust, how can I edit it to check which drive letter is available and if the network path is already mapped with an existing drive letter, so no error will be made if the end user runs it multiple times.
Free drive letters:
ls function:[d-z]: -n | ?{ !(test-path $_) }
Credit goes to network share script - auto check drive letter and path
I'm trying to create a script to install malware bytes through powershell silently. This is what I have got so far:
$down = New-Object System.Net.WebClient
$url = 'http://downloads.malwarebytes.org/file/mbam/mbam-setup-2.0.2.1012.exe';
$file = 'c:\Program Files\malwaresetup.exe';
$down.DownloadFile($url,$file);
c:\Program Files\malwaresetup.exe /install=agent /s;
This downloads and starts the install but then the user then has to at there end finish off the installation (Selecting language location etc) is there anyway of completely silently installing the software so the user doesn't have to do anything?
When you run malwaresetup.exe /?, you'll get list of accepted command line parameters. You can write:
c:\Program Files\malwaresetup.exe /install=agent /verysilent
for no GUI whatsoever, or:
c:\Program Files\malwaresetup.exe /install=agent /silent /suppressmsgboxes
for unattended GUI installation (showing progress bar).
How to install application as windows service using NSIS script?
I used this command in the script Exec '"sc.exe" but after installation i couldn't find any service in windows services related to it so help me thanks.
Maybe that the NSIS Simple Service plugin can help you. The syntax is as simple as
SimpleSC::InstallService "MyService" "My Service Display Name" "16" "2" "C:\MyPath\MyService.exe" "" "" ""
Pop $0 ; returns an errorcode (<>0) otherwise success (0)
Here the example install the service as ServiceType own process + StartType automatic + NoDependencies + Logon as System Account.
Please refer to the accompanying help for the meaning of the magic numbers.
The wiki shows the 5 other methods to handle services with NSIS.
There are multiple plugins out there as stated on NSIS website
For me it seemed to be unnecessary complicated, so I ended up using sc tool directly. A command is quite simple:
!define appName "theApp.exe"
!define displayName "My Awesome Service"
!define serviceName "MyAwesomeService"
ExecWait 'sc create ${serviceName} error= "severe" displayname= "${displayName}" type= "own" start= "auto" binpath= "$INSTDIR\${appName}"'
A full list of sc create arguments available here
Below is the scripts which first stops service, uninstalls previous version, remove form registry and then installs fresh copy.
Section "Mobile Interface"
SimpleSC::StopService "MobileInterface" "1" "60"
SimpleSC::RemoveService "MobileInterface"
DeleteRegKey /ifempty HKLM "MobileInterface"
RMDIR /r "$INSTDIR\MobileInterface\"
SetOutPath "$INSTDIR\MobileInterface"
# define what to install and place it in the output path
File "D:\NCS.Sentinel\NCS.Sentinel.MobileWebSvc\bin\Release\"
SimpleSC::InstallService "MobileInterface" "MobileInterface" "16" "2" "$INSTDIR\MobileInterface\NCS.Sentinel.MobileWebSvc.exe" "" "" ""
Pop $0 ; returns an errorcode (<>0) otherwise success (0)
SimpleSC::StartService "MobileInterface" "" "100"
#WriteRegStr HKLM "D:\NCS.Sentinel\NCS.Sentinel.MobileWebSvc\bin\Release\NCS.Sentinel.MobileWebSvc.exe"
WriteUninstaller "$INSTDIR\Uninstall.exe"
; Store installation folder
;WriteRegStr HKCU "Software\Mobile Interface" "" $INSTDIR
SectionEnd
I need to copy files to multiple computers from my computer with following specifications.
I need to provide username
I need to provide password also
while running it should not prompt again for password important
I used the following code but it asks for the password multiple times.
read-host -assecurestring | convertfrom-securestring | out-file e:\SSS\pass.txt
$password=get-content e:\SSS\pass.txt | convertto-securestring
$credential=new-object -typename System.Management.Automation.PSCredential -argumentlist KS\KS012\Administrator, $password
Script below should prompt for credentials and then prompt to ask for location of txt file which has line seperated list of PC's you want to deploy to. Then it will ask for the location of the file you want to copy and then ask for the destination with a preformated UNC c$ formatting.
You can adjust this to set the list of PCs, location of file to copy and desitnation to hardcoded.
Get-Credential domain\usermname
$PC = Read-Host "Location of PC List"
$FileLocation = Read-Host "Enter File Location"
$FileDestination = Read-Host "Enter File Destination"
Get-Content $PC | foreach {Copy-Item $FileLocation -Destination \\$_\c$\$FileDestination}
:)