August 9th, 2011

Use PowerShell to Convert SDDL to Binary Format

Doctor Scripto
Scripter

Summary: Learn how to use Windows PowerShell to convert security descriptors to different formats.


Hey, Scripting Guy! I was reading through a listing of WMI methods recently, and I ran across a WMI class that looks interesting—Win32_SecurityDescriptorHelper. I think it will help me, because it seems like every security utility wants a different type of security token. But I am not sure how to use this thing; all I get are errors. Does this even work? Any help on your end?

—SH


Hello SH,

Microsoft Scripting Guy Ed Wilson here. Tonight is the big night. They say everything is big in Texas, so let’s fill up the conference center for the inaugural meeting of the Corpus Christi PowerShell User group (south Texas). The Scripting Wife and I will be on hand for the event, and I have a really cool presentation planned.

Note: Four articles talk about producing a usable listing of WMI methods and properties:


When working with WMI and Windows PowerShell, it is common to think about using the Get-WmiObject cmdlet. Unfortunately, when using the Get-WmiObject cmdlet with the Win32_SecurityDescriptorHelper class, no output is returned. When I attempt to pipe the results to Get-Member, an error is produced. The two commands are shown here (gwmi is an alias for Get-WmiObject, and gm is an alias for Get-Member):

gwmi win32_SecurityDescriptorHelper #no output

gwmi win32_SecurityDescriptorHelper | gm #generates an error

The commands and associated output are shown here.

Image of commands and associated output

Now, I remember the discussion from yesterday’s blog post about calling WMI methods that there are both instance methods and static methods.

Therefore, I will use the Get-Member cmdlet and choose static members. I wonder what will happen then? I therefore use Get-WmiObject and this time request static members from Get-Member. The command is shown here (gwmi is an alias for Get-WmiObject, and gm is an alias for Get-Member):

gwmi win32_SecurityDescriptorHelper | gm -Static

The command and associated output appear here.

Image of command and associated output

Maybe this is not so strange. For example, nothing came back when I used Get-WmiObject Win32_SecurityDescriptorHelper. So maybe Get-Member is not lying to me, and maybe there really is nothing with which to work. I look up the Win32_SecurityDescriptorHelper class on MSDN, but unfortunately, the page has very little information that is useful and no examples of using the class.

Next, I decide to look up the class in the Windows Management Instrumentation Tester (WbemTest). From WbemTest, I see that the Win32_SecurityDescriptorHelper is a dynamic class, and I see that there are many methods available from the class. This is shown in the following figure.

Image of Win32_SecurityDescriptorHelper being dynamic class with many methods

When I click the Instances button (sixth button from top on right side), I see that there are no instances available. I then click the Show MOF button (third button from top on right side), and I see that all methods are implemented. A method will only work if it is marked as implemented. For example, the Win32_Processor WMI class has two methods listed: Reset and SetPowerState. Unfortunately, neither method is implemented and therefore they do not work (in the case of Win32_Processor, the methods are defined on the abstract class CIM_LogicalDevice and are inherited). The MOF description for the Win32_SecurityDescriptorHelper WMI class is shown in the following figure.

Image of MOF description of Win32_SecurityDescriptorHelper

I also notice that each method is static. From yesterday’s article, I remember that static methods do not use an instance of the WMI class. This is why the Get-WmiObject command does not work with Win32_SecurityDescriptorHelper: Get-WmiObject returns instances of the class, and with this WMI class there are no instances.
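The two things checked by hand in WbemTest above, whether a method is static and whether it is implemented, can be read straight from the class definition. The following function is an added example, not code from the original post; it binds to a class with [wmiclass] (which works even when the class has no instances) and reports the Static and Implemented qualifiers of each method. The function name Get-WmiMethodInfo and the root\cimv2 default namespace are my choices.

```powershell
# Added example (not from the original post): list each method of a WMI class
# with its Static and Implemented qualifiers, so you know before calling it
# whether it needs an instance and whether the provider actually implements it.
function Get-WmiMethodInfo {
    param(
        [Parameter(Mandatory)] [string] $ClassName,
        [string] $Namespace = 'root\cimv2'
    )

    # [wmiclass] binds to the class definition itself, not to instances,
    # so this works for classes such as Win32_SecurityDescriptorHelper
    # that never have any instances.
    $class = [wmiclass]"\\.\${Namespace}:${ClassName}"

    foreach ($method in $class.Methods) {
        # Collect the method qualifiers into a lookup table; a qualifier that
        # is absent (for example no Implemented qualifier on an inherited
        # CIM_LogicalDevice method) simply reads back as $false.
        $qualifiers = @{}
        foreach ($q in $method.Qualifiers) { $qualifiers[$q.Name] = $q.Value }

        [pscustomobject]@{
            Class       = $ClassName
            Method      = $method.Name
            Static      = [bool]$qualifiers['Static']
            Implemented = [bool]$qualifiers['Implemented']
        }
    }
}

# Every method on Win32_SecurityDescriptorHelper should report Static = True
# and Implemented = True; Reset and SetPowerState on Win32_Processor report
# Implemented = False, which is why calling them does nothing useful.
Get-WmiMethodInfo -ClassName Win32_SecurityDescriptorHelper | Format-Table -AutoSize
Get-WmiMethodInfo -ClassName Win32_Processor | Format-Table -AutoSize
```

Running this before scripting against an unfamiliar class saves the trip to WbemTest: a method that shows Implemented = False will fail or silently do nothing regardless of how it is called.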

Perhaps the easiest way to work with the static WMI method is to use the [wmiclass] type accelerator. The SDDLToBinarySD method will translate a Security Descriptor Definition Language (SDDL) string into a binary byte array security descriptor (binary SD) format. The best way to talk about this technique is to walk through an example of converting an SDDL to a binary SD. First, I need to obtain an SDDL; I can do that by using the Get-Acl cmdlet. The first thing I do is give Get-Acl the path to a file on my computer. I store the resulting object in the $acl variable. Next, I examine the SDDL associated with the file by querying the Sddl property. These two lines of code are shown here:

$acl = Get-Acl C:\fso\BackupLog.txt

$acl.Sddl

The two commands and their associated output are shown here.

Image of two commands and associated output

To convert the SDDL to binary SD format, I use the [wmiclass] type accelerator and call the method directly while supplying a SDDL to the SDDLToBinarySD method. The syntax for the command is shown here:

([wmiclass]"Win32_SecurityDescriptorHelper").SDDLToBinarySD($acl.Sddl)


One thing that is a bit confusing is that in Windows PowerShell, generally double colons are required to call a static method. For example, to obtain the sine of a 45-degree angle, I use the sin static method from the math class:

[math]::sin(45)

But here in WMI, there appears to be no difference between calling a static method and calling an instance method. The command to convert the SDDL to binary SD and the default output are shown in the following figure.

Image of command to convert SDDL to binary SD, and default output

All the methods return both the ReturnValue property, which provides the status of the call, and the specific output for the converted security descriptor. To retrieve only the BinarySD output, I can add that property name to the end of the method call. The syntax of this command is shown here:

([wmiclass]"Win32_SecurityDescriptorHelper").SDDLToBinarySD($acl.Sddl).BinarySD
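Picking off .BinarySD directly, as above, throws away the ReturnValue, which is the only thing that tells you whether the SDDL was actually parsed. The following is an added example, not code from the original post: it wraps SDDLToBinarySD in a function that checks ReturnValue before trusting the bytes, and then feeds the bytes back through the class's BinarySDToSDDL method (a real method of Win32_SecurityDescriptorHelper that the post does not cover) so the two forms can be compared. The SDDL string is constructed for the demo so no file path is needed; the function names ConvertTo-BinarySD and ConvertFrom-BinarySD are my choices.

```powershell
# Added example (not from the original post): convert an SDDL string to a
# binary security descriptor, check the WMI ReturnValue, and round-trip the
# bytes back to SDDL with BinarySDToSDDL to confirm nothing was lost.
$helper = [wmiclass]'Win32_SecurityDescriptorHelper'

function ConvertTo-BinarySD {
    param([Parameter(Mandatory)] [string] $Sddl)

    $result = $helper.SDDLToBinarySD($Sddl)
    # Every method on this class returns a ReturnValue; 0 means success.
    # Anything else (for example a malformed SDDL) is an error, not data.
    if ($result.ReturnValue -ne 0) {
        throw "SDDLToBinarySD failed with ReturnValue $($result.ReturnValue) for '$Sddl'"
    }
    # BinarySD is a byte[] holding the self-relative security descriptor.
    [byte[]]$result.BinarySD
}

function ConvertFrom-BinarySD {
    param([Parameter(Mandatory)] [byte[]] $BinarySD)

    $result = $helper.BinarySDToSDDL($BinarySD)
    if ($result.ReturnValue -ne 0) {
        throw "BinarySDToSDDL failed with ReturnValue $($result.ReturnValue)"
    }
    $result.SDDL
}

# Constructed SDDL for the demo (no file access needed): owner and group are
# Builtin Administrators; the DACL grants Administrators full access (FA)
# and Users read access (FR).
$sddl = 'O:BAG:BAD:(A;;FA;;;BA)(A;;FR;;;BU)'

$bytes = ConvertTo-BinarySD -Sddl $sddl
# The first byte of a binary SD is the revision, which is 1.
"Binary SD is $($bytes.Length) bytes; revision byte = $($bytes[0])"

$roundTrip = ConvertFrom-BinarySD -BinarySD $bytes
if ($roundTrip -ne $sddl) {
    # Windows may canonicalize the string (ACE ordering, rights spelling),
    # so a textual difference is worth looking at but is not necessarily a loss.
    Write-Warning "Round trip changed the descriptor:`n  in : $sddl`n  out: $roundTrip"
} else {
    'Round trip matched.'
}

# A malformed string is reported as an error rather than silently producing bytes.
try { ConvertTo-BinarySD -Sddl 'not-an-sddl' } catch { Write-Warning $_ }
```

The round trip is the useful check when a binary SD is about to be stored or handed to another API: if the SDDL that comes back does not describe the access you intended, the problem is in the input string, not in whatever consumes the bytes later.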


One of the cool things that I can do with the static methods from the Win32_SecurityDescriptorHelper class is to convert an SDDL security descriptor into an instance of the Win32_SecurityDescriptor WMI class. The Win32_SecurityDescriptor WMI class is often used to provide security for various resources. For example, if I create a new share and I want to assign security to the new share, I will need to provide an instance of Win32_SecurityDescriptor. Using the SDDLToWin32SD method, I can use an SDDL to get the Win32_SecurityDescriptor I need. To illustrate using the SDDLToWin32SD method, I will use Invoke-WmiMethod to perform the conversion. The following one-line command illustrates using the Invoke-WmiMethod cmdlet to call the SDDLToWin32SD method:

Invoke-WmiMethod -Class Win32_SecurityDescriptorHelper -Name SDDLToWin32SD -ArgumentList $acl.Sddl

The following figure illustrates calling the method and shows the returned data. The data is contained in the Descriptor property.

Image of calling the method and the returned data
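Before a Win32_SecurityDescriptor built this way is handed to a share or any other resource, it is worth walking its DACL to confirm exactly which trustees are being granted what. The following is an added example, not code from the original post: it calls SDDLToWin32SD through Invoke-WmiMethod as the post does, checks ReturnValue, and then enumerates the Win32_ACE objects in the Descriptor's DACL property, decoding each ACE's type and access mask. The SDDL is constructed for the demo; the function names Get-Win32SDFromSddl and Show-DaclEntries are my choices.

```powershell
# Added example (not from the original post): convert an SDDL to a
# Win32_SecurityDescriptor with Invoke-WmiMethod and walk its DACL so the
# granted access can be reviewed before the descriptor is applied anywhere.
function Get-Win32SDFromSddl {
    param([Parameter(Mandatory)] [string] $Sddl)

    $result = Invoke-WmiMethod -Class Win32_SecurityDescriptorHelper `
                               -Name SDDLToWin32SD -ArgumentList $Sddl
    if ($result.ReturnValue -ne 0) {
        throw "SDDLToWin32SD failed with ReturnValue $($result.ReturnValue)"
    }
    # The converted Win32_SecurityDescriptor is in the Descriptor out-parameter.
    $result.Descriptor
}

function Show-DaclEntries {
    param([Parameter(Mandatory)] $Descriptor)

    # FILE_ALL_ACCESS (the "FA" right in SDDL) is 0x1F01FF.
    $fullControl = 0x1F01FF

    foreach ($ace in $Descriptor.DACL) {
        # Trustee.Name/Domain may be empty for well-known SIDs when the
        # descriptor is built from SDDL, so fall back to the SID string.
        $who = if ($ace.Trustee.Name) {
            "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
        } else {
            $ace.Trustee.SIDString
        }

        # Win32_ACE.AceType: 0 = access allowed, 1 = access denied, 2 = audit.
        $type = $(switch ($ace.AceType) { 0 { 'Allow' } 1 { 'Deny' } 2 { 'Audit' } default { $ace.AceType } })

        [pscustomobject]@{
            Trustee     = $who
            AceType     = $type
            AccessMask  = ('0x{0:X8}' -f $ace.AccessMask)
            FullControl = (($ace.AccessMask -band $fullControl) -eq $fullControl)
        }
    }
}

# Constructed SDDL for the demo: Administrators get full control, Users get read.
$sddl = 'O:BAG:BAD:(A;;FA;;;BA)(A;;FR;;;BU)'

$sd = Get-Win32SDFromSddl -Sddl $sddl
"Owner : $($sd.Owner.SIDString)"
"Group : $($sd.Group.SIDString)"
Show-DaclEntries -Descriptor $sd | Format-Table -AutoSize
```

The FullControl column is the one to scan when reviewing a descriptor destined for a share: an unexpected trustee with that flag set, or a Deny entry that is missing, is easier to spot in this table than in the raw SDDL or the Win32_ACE dump.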

The other WMI methods from this class behave in a similar manner, and therefore will not be explored.


SH, that is all there is to using static WMI methods. WMI Method Week will continue tomorrow when I will talk about using Windows PowerShell and WMI to terminate multiple processes. It is a really cool article. I think you will enjoy it. I literally create a hundred processes, and then terminate them.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy
