Use PowerShell to Convert SDDL to Binary Format
Summary: Learn how to use Windows PowerShell to convert security descriptors to different formats.
Hey, Scripting Guy! I was reading through a listing of WMI methods recently, and I ran across a WMI class that looks interesting—Win32_SecurityDescriptorHelper. I think it will help me, because it seems like every security utility wants a different type of security token. But I am not sure how to use this thing; all I get are errors. Does this even work? Any help on your end?
Microsoft Scripting Guy Ed Wilson here. Tonight is the big night. They say everything is big in Texas, so let’s fill up the conference center for the inaugural meeting of the Corpus Christi PowerShell User group (south Texas). The Scripting Wife and I will be on hand for the event, and I have a really cool presentation planned.
Note Four articles talk about producing a usable listing of WMI methods and properties:
- Use PowerShell to Find WMI Classes That Contain Methods
- Use PowerShell to Find Writable WMI Properties
- Explore WMI Methods and Properties Via PowerShell Script
- Get All Methods and Writable Properties from All WMI Classes
When working with WMI and Windows PowerShell, it is common to think about using the Get-WmiObject cmdlet. Unfortunately, when using the Get-WmiObject cmdlet with the Win32_SecurityDescriptorHelper class, nothing happens. When I attempt to pipe the results to Get-Member, an error is produced. The two commands are shown here (gwmi is an alias for Get-WmiObject, and gm is an alias for Get-Member):
gwmi win32_SecurityDescriptorHelper #no output
gwmi win32_SecurityDescriptorHelper | gm #generates an error
The commands and associated output are shown here.
Now, I remember the discussion from yesterday’s blog post about calling WMI methods that there are both instance methods and static methods.
Therefore, I will use the Get-Member cmdlet and choose static members. I wonder what will happen then? I therefore use Get-WmiObject and this time request static members from Get-Member. The command is shown here (gwmi is an alias for Get-WmiObject, and gm is an alias for Get-Member):
gwmi win32_SecurityDescriptorHelper | gm –Static
The command and associated output appear here.
Maybe this is not so strange. For example, nothing came back when I used Get-WmiObject Win32_SecurityDescriptorHelper So maybe Get-Member is not lying to me, and maybe there really is nothing with which to work. I look up the Win32_SecurityDescriptorHelper class on MSDN, but unfortunately, the page has very little information that is useful and no examples of using the class.
Next, I decide to look up the class in the Windows Management Instrumentation Tester (WbemTest). From WbemTest, I see that the Win32_SecurityDescriptorHelper is a dynamic class, and I see that there are many methods available from the class. This is shown in the following figure.
When I click the Instances button (sixth button from top on right side), I see that there are no instances available. I then click the Show MOF button (third button from top on right side), and I see that all methods are implemented. A method will only work if it is marked as implemented. For example, the Win32_Processor WMI class has two methods listed: Reset and SetPowerState. Unfortunately, neither method is implemented and therefore they do not work (in the case of Win32_Processor, the methods are defined on the abstract class CIM_LogicalDevice and are inherited). The MOF description for the Win32_SecurityDescriptorHelper WMI class is shown in the following figure.
I also notice that each method is static. From yesterday’s article, I remember that static methods do use an instance of the WMI class. This is why the Get-WmiObject command does not work with Win32_SecurityDescriptorHelper because Get-WmiObject returns instances of the class. With this WMI class, there are no instances.
Perhaps the easiest way to work with the static WMI method is to use the [wmiclass] type accelerator. The SDDLToBinarySD method will translate a Security Descriptor Definition Language (SDDL) string into a binary byte array security descriptor (binary SD) format. The best way to talk about this technique is to walk through an example of converting an SDDL to a binary SD. First, I need to obtain an SDDL; I can do that by using the Get-Acl cmdlet. The first thing I do is give the Get-Acl the path to a file on my computer. I store the resulting object in the $acl variable. Next, I examine the SDDL associated with the file, by querying the SDDL property. These two lines of code are shown here:
$acl = Get-Acl C:\fso\BackupLog.txt
The two commands and their associated output are shown here.
To convert the SDDL to binary SD format, I use the [wmiclass] type accelerator and call the method directly while supplying a SDDL to the SDDLToBinarySD method. The syntax for the command is shown here:
One thing that is a bit confusing is that in Windows PowerShell, generally double colons are required to call a static method. For example, to obtain the sine of a 45-degree angle, I use the sin static method from the math class:
But here in WMI, there appears to be no difference between calling a static method and calling an instance method. The command to convert the SDDL to binary SD and the default output are shown in the following figure.
All the methods return both the returnvalue property that provides the status of the command and the specific output for the converted security descriptor. To retrieve only the BinarySD output, I can add that to the end of the method call. The syntax of this command is shown here:
One of the cool things that I can do with the static methods from the Win32_SecurityDescriptorHelper class is to convert a SDDL security descriptor into an instance of the Win32_SecurityDescriptor WMI class. The Win32_SecurityDescriptor WMI class is often used to provide security for various resources. For example, if I create a new share and I want to assign security to the new share, I will need to provide an instance of Win32_SecurityDescriptor. Using the SDDLToWin32SD method, I can use an SDDL to get the Win32_SecurityDescriptor I need. To illustrate using the SDDLToWin32SD method, I will use the Invoke-WmiMethod to perform the conversion. The following one-line command illustrates using the Invoke-WMIMethod cmdlet to call the SDDLToWin32SD method:
Invoke-WmiMethod -Class Win32_SecurityDescriptorHelper -Name SDDLToWin32SD -ArgumentList $acl.Sddl
The following figure illustrates calling the method and shows the returned data. The data is contained in the Descriptor property.
The other WMI methods from this class behave in a similar mechanism, and therefore will not be explored.
SH, that is all there is to using static WMI methods. WMI Method Week will continue tomorrow when I will talk about using Windows PowerShell and WMI to terminate multiple processes. It is a really cool article. I think you will enjoy it. I literally create a hundred processes, and then terminate them.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at firstname.lastname@example.org, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy