Scripts/Get-Privilege.ps1
|
Function Get-Privilege { <# .SYNOPSIS Gets all privileges on a local or remote system. .DESCRIPTION Gets the currently applied privileges or current user privileges. .PARAMETER Privilege Specific privilege/s to view. .PARAMETER Computername View privileges on a remote system .PARAMETER CurrentUser View the currently applied privileges for the current user .NOTES Name: Get-Privilege Author: Boe Prox Version History: 1.0 - Initial Version .EXAMPLE Get-Privilege Computername Privilege Accounts ------------ --------- -------- BOE-PC SeAssignPrimaryTokenPrivilege {IIS APPPOOL\.NET v4.5 Cl... BOE-PC SeAuditPrivilege {IIS APPPOOL\.NET v4.5 Cl... BOE-PC SeBackupPrivilege {BUILTIN\Backup Operators... BOE-PC SeBatchLogonRight {BUILTIN\IIS_IUSRS, BUILT... BOE-PC SeChangeNotifyPrivilege {Window Manager\Window Ma... BOE-PC SeCreateGlobalPrivilege {NT AUTHORITY\SERVICE, BU... BOE-PC SeCreatePagefilePrivilege {BUILTIN\Administrators} BOE-PC SeCreatePermanentPrivilege {} BOE-PC SeCreateSymbolicLinkPrivilege {BUILTIN\Administrators} ... Description ----------- Enables the SeBackupPrivilege on the existing process .EXAMPLE Get-Privilege -CurrentUser Privilege Description Enabled --------- ----------- ------- SeLockMemoryPrivilege Lock pages in memory False SeIncreaseQuotaPrivilege Adjust memory quotas for a process False SeTcbPrivilege Act as part of the operating system False SeSecurityPrivilege Manage auditing and security log False SeTakeOwnershipPrivilege Take ownership of files or other objects False SeLoadDriverPrivilege Load and unload device drivers False SeSystemProfilePrivilege Profile system performance False SeSystemtimePrivilege Change the system time False SeProfileSingleProcessPrivilege Profile single process False SeIncreaseBasePriorityPrivilege Increase scheduling priority False SeCreatePagefilePrivilege Create a pagefile False SeBackupPrivilege Back up files and directories False SeRestorePrivilege Restore files and directories False SeShutdownPrivilege Shut down the system False SeDebugPrivilege Debug programs True SeSystemEnvironmentPrivilege Modify firmware environment values False SeChangeNotifyPrivilege Bypass traverse checking True SeRemoteShutdownPrivilege Force shutdown from a remote system False SeUndockPrivilege Remove computer from docking station False SeManageVolumePrivilege Perform volume maintenance tasks False SeImpersonatePrivilege Impersonate a client after authentica... True SeCreateGlobalPrivilege Create global objects True SeIncreaseWorkingSetPrivilege Increase a process working set False SeTimeZonePrivilege Change the time zone False SeCreateSymbolicLinkPrivilege Create symbolic links False Description ----------- Displays currently applied privileges for current user. .EXAMPLE Get-Privilege -Privilege SeDebugPrivilege Computername Privilege Accounts ------------ --------- -------- BOE-PC SeDebugPrivilege {} Description ----------- Shows all accounts/groups that have been given SeDebugPrivilege .OutputType PSPrivilege.Privilege PSPrivilege.CurrentUserPrivilege #> #REQUIRES -Version 3.0 [OutputType('PSPrivilege.Privilege','PSPrivilege.CurrentUserPrivilege')] [cmdletbinding( DefaultParameterSetName = 'Default' )] Param ( [parameter(ParameterSetName='Default')] [Privileges[]]$Privilege, [parameter(ParameterSetName='Default')] [string]$Computername = $Env:Computername , [parameter(ParameterSetName='CurrentUser')] [switch]$CurrentUser ) Switch ($PSCmdlet.ParameterSetName) { 'CurrentUser' { $Process = Get-Process -Id $PID $PROCESS_QUERY_INFORMATION = [ProcessAccessFlags]::QueryInformation $TOKEN_ALL_ACCESS = [System.Security.Principal.TokenAccessLevels]::AllAccess $hProcess = [PoShPrivilege]::OpenProcess( $PROCESS_QUERY_INFORMATION, $True, $Process.Id ) Write-Debug "ProcessHandle: $($hProcess)" $hProcessToken = [intptr]::Zero [void][PoShPrivilege]::OpenProcessToken( $hProcess, $TOKEN_ALL_ACCESS, [ref]$hProcessToken ) Write-Debug "ProcessToken: $($hProcessToken)" [void][PoShPrivilege]::CloseHandle($hProcess) [UInt32]$TokenPrivSize = 1000 [IntPtr]$TokenPrivPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenPrivSize) [uint32]$ReturnLength = 0 [void][PoShPrivilege]::GetTokenInformation( $hProcessToken, [TOKEN_INFORMATION_CLASS]::TokenPrivileges, $TokenPrivPtr, $TokenPrivSize, [ref]$ReturnLength ) $TokenPrivileges = [System.Runtime.InteropServices.Marshal]::PtrToStructure($TokenPrivPtr, [Type][TOKEN_PRIVILEGES]) [IntPtr]$PrivilegesBasePtr = [IntPtr](AddSignedIntAsUnsigned $TokenPrivPtr ([System.Runtime.InteropServices.Marshal]::OffsetOf( [Type][TOKEN_PRIVILEGES], "Privileges" ))) $LuidAndAttributeSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][LUID_AND_ATTRIBUTES]) for ($i=0; $i -lt $TokenPrivileges.PrivilegeCount; $i++) { $LuidAndAttributePtr = [IntPtr](AddSignedIntAsUnsigned $PrivilegesBasePtr ($LuidAndAttributeSize * $i)) $LuidAndAttribute = [System.Runtime.InteropServices.Marshal]::PtrToStructure($LuidAndAttributePtr, [Type][LUID_AND_ATTRIBUTES]) [UInt32]$PrivilegeNameSize = 60 $PrivilegeNamePtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PrivilegeNameSize) $PLuid = $LuidAndAttributePtr [void][PoShPrivilege]::LookupPrivilegeNameW( [IntPtr]::Zero, $PLuid, $PrivilegeNamePtr, [Ref]$PrivilegeNameSize ) $PrivilegeName = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($PrivilegeNamePtr) $Enabled = $False If ($LuidAndAttribute.Attributes -ne 0) { $Enabled = $True } $Object = [pscustomobject]@{ Computername = $env:COMPUTERNAME Account = "{0}\{1}" -f ($env:USERDOMAIN, $env:USERNAME) Privilege = $PrivilegeName Description = GetPrivilegeDisplayName -Privilege $PrivilegeName Enabled = $Enabled } $Object.pstypenames.insert(0,'PSPrivilege.CurrentUserPrivilege') $Object } } Default { If (-NOT $PSBoundParameters.ContainsKey('Privilege')) { $Privilege = [Privileges].GetEnumNames() } #region LsaOpenPolicy $Computer = New-Object LSA_UNICODE_STRING $Computer.Buffer = $Computername $Computer.Length = ($Computer.buffer.length * [System.Text.UnicodeEncoding]::CharSize) $Computer.MaximumLength = (($Computer.buffer.length+1) * [System.Text.UnicodeEncoding]::CharSize) $PolicyHandle = [intptr]::Zero $ObjectAttributes = New-Object LSA_OBJECT_ATTRIBUTES [uint32]$Access = [LSA_AccessPolicy]::POLICY_VIEW_LOCAL_INFORMATION -BOR [LSA_AccessPolicy]::POLICY_LOOKUP_NAMES Write-Verbose "Opening policy handle" [void][PoShPrivilege]::LsaOpenPolicy( [ref]$Computer, [ref]$ObjectAttributes, $Access, [ref]$PolicyHandle ) #endregion LsaOpenPolicy #region LsaEnumerateAccountsWithUserRight ForEach ($Priv in $Privilege) { $UserRight = New-Object LSA_UNICODE_STRING $UserRight.Buffer = $Priv.ToString() $UserRight.Length = ($UserRight.Buffer.Length * [System.Text.UnicodeEncoding]::CharSize) $UserRight.MaximumLength = (($UserRight.buffer.length+1) * [System.Text.UnicodeEncoding]::CharSize) $EnumerationBuffer = [intptr]::Zero [uint32]$Count = 0 Write-Verbose "Gathering enumerating accounts with user right" $NTStatus = [PoShPrivilege]::LsaEnumerateAccountsWithUserRight( $PolicyHandle, $UserRight, [ref]$EnumerationBuffer, [ref]$Count ) $Accounts = New-Object System.Collections.Arraylist If ($NTStatus -eq 0) { $LSAInfo = [intptr]::Zero $StructSize = [System.Runtime.InteropServices.Marshal]::SizeOf([type][LSA_ENUMERATION_INFORMATION]) Write-Debug "StructSize: $($StructSize)" Write-Verbose "Gathering privilege information" For ($i=0; $i -lt $Count; $i++) { Write-Debug "Iteration: $($i)" $EnumerationItem = [intptr]($EnumerationBuffer.ToInt64() + ([long]$StructSize*[long]$i)) $Sid = [System.Runtime.InteropServices.Marshal]::PtrToStructure( $EnumerationItem, [type][LSA_ENUMERATION_INFORMATION] ) [string]$SIDString = [string]::Empty [void][PoShPrivilege]::ConvertSidToStringSid($Sid.sid, [ref]$SIDString) Try { $Account = ([system.security.principal.securityidentifier]$SIDString).Translate([System.Security.Principal.NTAccount]).Value } Catch { $Account = $SIDString } [void]$Accounts.Add($Account) } } $Object = [pscustomobject]@{ Computername = $Computername Privilege = $Priv.ToString() Description = GetPrivilegeDisplayName -Privilege $Priv.ToString() Accounts = $Accounts } $Object.pstypenames.insert(0,'PSPrivilege.Privilege') $Object } #endregion LsaEnumerateAccountsWithUserRight #region Close Policy Handle Write-Verbose "Closing policy handle" [void][PoShPrivilege]::LsaClose($PolicyHandle) $PolicyHandle = [intptr]::Zero #region Close Policy Handle } } } |