Decrypt my World : VBScript

How to get LastLogon property for all users in a Domain (VBScript)

alejacma — Thu, 12 Mar 2009 13:05:00 GMT

Hi all,

The following VBScript sample retrieves all users in Active Directory that haven't ever logged on the domain, or haven't logged on for at least maxDays (an argument passed to the script):

On Error Resume Next

' Constants
'
Const ONE_HUNDRED_NANOSECOND = .000000100
Const SECONDS_IN_DAY = 86400

' Get Max Days as an argument passed to the script
'
If Not Wscript.Arguments.Count() = 1 Then
  Wscript.Echo "Syntax error, argument required"
  Wscript.Quit
End If

maxDays = CInt(Wscript.Arguments(0))

' Create the log file
'
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLogFile = objFSO.CreateTextFile(GetPath() & "log.txt", 8, true)

' Get the root of the domain
'
Set objRoot = Getobject("LDAP://RootDSE")
strRoot = objRoot.Get("defaultnamingcontext")
Set objRoot = Nothing

' Create connection
'
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"

' Create command
'
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000

' Execute command to get all DCs in the domain
'
objCommand.CommandText = "<LDAP://OU=Domain Controllers," & strRoot & ">;(objectcategory=computer);name;onelevel"
Set objRecordSet = objCommand.Execute

'LogData("INFO: There are " & objRecordSet.RecordCount & " Domain Controllers.")

' Execute command to get all users in the domain
'
objCommand.CommandText = "<LDAP://" & strRoot & ">;(&(objectclass=user)(objectcategory=person));adspath,distinguishedname,sAMAccountName;subtree"
Set objRecordSet2 = objCommand.Execute

'LogData("INFO: There are " & objRecordSet2.RecordCount & " users.")

' Get the LastLogon for each user in each DC
'
Do Until objRecordSet2.EOF

  ' Get the LastLogon for one user in each DC, and get the maximum
  '
  objRecordSet.MoveFirst
  maxDate = 0
  Do Until objRecordSet.EOF

    ' Execute command to get LastLogon for the user in one DC
    '
    LdapPath = "LDAP://" & objRecordSet.Fields("name").Value & "/" & Replace(objRecordSet2.Fields("distinguishedname").Value, "/", "\/")
    set objUser = GetObject(LdapPath)

    ' Check for errors executing the command
    '
    if Err.Number <> 0 Then
      ' Error
      '
      LogData("INFO: LDAP Path = " & LdapPath)
      Select Case Err.Number
        Case &H8007203A
          Err.Description = """The server is not operational"""
        Case &H80005000
          Err.Description = """An invalid ADSI pathname was passed"""
        Case Else
          Err.Description = ""
      End Select 
      LogData("ERROR: " & Err.Number & " " & Err.Description)
    Else
      ' No error
      '
      ' Get the LastLogon
      '
      set objLastLogon = objUser.LastLogon
      myDate = 0
      If Not(IsNull(objLastLogon) Or IsEmpty(objLastLogon)) Then
        myDate = MakeDate(objLastLogon)
      End If

      ' See if it's the maximum
      '
      If myDate > maxDate Then
        maxDate = myDate
      End If

    End If

    ' Move on to the next DC
    '
    Err.Clear
    set objUser = nothing
    set objLastLogon = nothing
    objRecordSet.MoveNext

  Loop

  ' Show the maximum LastLogon for the user
  '
  If maxDate = 0 Then
    LogData("INFO: User """ & objRecordSet2.Fields("sAMAccountName").Value & """ never logged on.")
  ElseIf (Date() - maxDate) > maxDays Then 
    LogData("INFO: User """ & objRecordSet2.Fields("sAMAccountName").Value & """ logged on " & maxDate)
  End If

  ' Move on to the next user
  '
  objRecordSet2.MoveNext

Loop


' Close everything
'
objRecordSet.Close
Set objRecordSet = Nothing
objRecordSet2.Close
Set objRecordSet2 = Nothing
Set objCommand = Nothing
objConnection.Close
Set objConnection = Nothing

' We are done!
'
Wscript.Echo "All Done!"


'================================================================
' HELPER FUNCTIONS
'================================================================

' Get script's path
'
Function GetPath()

  Dim path
  path = WScript.ScriptFullName
  GetPath = Left(path, InStrRev(path, "\"))

End Function


' Write data to log file
'
Sub LogData(data)

  objLogFile.writeline Now() & ", " & data

End Sub


' Convert long integer to a date
'
Function MakeDate(oLInt)

  Set objShell = CreateObject("Wscript.Shell")

  lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\TimeZoneInformation\ActiveTimeBias")

  If UCase(TypeName(lngBiasKey)) = "LONG" Then
    glngBias = lngBiasKey

  ElseIf UCase(TypeName(lngBiasKey)) = "VARIANT()" Then
    glngBias = 0

    For k = 0 To UBound(lngBiasKey)
      glngBias = lngBias + (lngBiasKey(k) * 256^k)
    Next
  End If 

  dtmDate = #1/1/1601# + (((oLInt.HighPart * (2 ^ 32)) + oLInt.LowPart) / 600000000 - glngBias) / 1440

  MakeDate = dtmDate

End Function

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

How to sign EXE files with an Authenticode certificate (part 2)

alejacma — Thu, 11 Dec 2008 12:59:00 GMT

Hi all, welcome back,

The other day a customer of mine was having an issue with SignTool.exe when signing an EXE file. The EXE file was getting corrupted/unusable after signing it.

When troubleshooting this issue, I had the chance to play a bit more with SignTool and check what it does behind the scenes.

Note: I already talked a bit about signing EXEs in post How to sign EXE files with an Authenticode certificate (VB.NET). This new post will add more details and samples.

SignTool.exe uses CAPICOM.SignedCode class and its Sign method to do the signing.

The following VBScript shows how we may use CAPICOM to do the signing programmatically:

Option Explicit

Dim szCertName, szExeToSign
szCertName = "My cert Subject"
szExeToSign = "MyApplication.exe"

Const CAPICOM_CURRENT_USER_STORE = 2
Const CAPICOM_STORE_OPEN_READ_ONLY = 0
Const CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME = 1
Const CAPICOM_AUTHENTICATED_ATTRIBUTE_DOCUMENT_DESCRIPTION = 2

' Get certificate for signing
'
Dim objStore
Set objStore = WScript.CreateObject("CAPICOM.Store")
objStore.Open CAPICOM_CURRENT_USER_STORE, "My", CAPICOM_STORE_OPEN_READ_ONLY
Dim objSigningCert
Set objSigningCert = objStore.Certificates.Find(CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME, szCertName).Item(1)

' Create a signer for the code
'
Dim objSigner
Set objSigner = WScript.CreateObject("CAPICOM.Signer")
objSigner.Certificate = objSigningCert

' Sign the file
'
Dim objSignedCode
Set objSignedCode = WScript.CreateObject("CAPICOM.SignedCode")
objSignedCode.FileName = szExeToSign
objSignedCode.Sign objSigner
objSignedCode.TimeStamp "http://timestamp.globalsign.com/scripts/timstamp.dll"

WScript.Echo "Done!"

Note that this sample also shows how to time stamp a signature programmatically.

This sample was also reproducing my customer's issue. So I checked what CAPICOM does behind the scenes to further troubleshoot the issue.

CAPICOM.SignedCode.Sign uses CryptUIWizDigitalSign API to do the signing.

The following VB.NET sample uses CryptUIWizDigitalSign through P/Invoke to do the signing programmatically:

<SAMPLE file="Crypto.vb">

Imports System.Runtime.InteropServices
Imports System.Security.Cryptography
Imports System.ComponentModel
Imports System.Windows.Forms

Public Class Crypto

    ' #define CRYPTUI_WIZ_NO_UI     1
    Public Const CRYPTUI_WIZ_NO_UI As Int32 = 1

    ' #define CRYPTUI_WIZ_DIGITAL_SIGN_SUBJECT_FILE     0x01
    Public Const CRYPTUI_WIZ_DIGITAL_SIGN_SUBJECT_FILE As Int32 = 1

    ' #define CRYPTUI_WIZ_DIGITAL_SIGN_CERT                    0x01
    Public Const CRYPTUI_WIZ_DIGITAL_SIGN_CERT As Int32 = 1

    ' typedef struct _CRYPTUI_WIZ_DIGITAL_SIGN_INFO {  
    '   DWORD dwSize;  
    '   DWORD dwSubjectChoice;  
    '   union {    
    '       LPCWSTR pwszFileName;    
    '       PCCRYPTUI_WIZ_DIGITAL_SIGN_BLOB_INFO pSignBlobInfo;  
    '   };  
    '   DWORD dwSigningCertChoice;  
    '   union {    
    '       PCCERT_CONTEXT pSigningCertContext;    
    '       PCCRYPTUI_WIZ_DIGITAL_SIGN_STORE_INFO pSigningCertStore;    
    '       PCCRYPTUI_WIZ_DIGITAL_SIGN_CERT_PVK_INFO pSigningCertPvkInfo;  
    '   };  
    '   LPCWSTR pwszTimestampURL;  
    '   DWORD dwAdditionalCertChoice;  
    '   PCCRYPTUI_WIZ_DIGITAL_SIGN_EXTENDED_INFO pSignExtInfo;
    ' } CRYPTUI_WIZ_DIGITAL_SIGN_INFO;
    <StructLayout(LayoutKind.Sequential)> _
    Public Structure CRYPTUI_WIZ_DIGITAL_SIGN_INFO
        Public dwSize As Int32
        Public dwSubjectChoice As Int32
        <MarshalAs(UnmanagedType.LPWStr)> Public pwszFileName As String
        Public dwSigningCertChoice As Int32
        Public pSigningCertContext As IntPtr
        Public pwszTimestampURL As String
        Public dwAdditionalCertChoice As Int32
        Public pSignExtInfo As IntPtr
    End Structure

    ' typedef struct _CRYPTUI_WIZ_DIGITAL_SIGN_CONTEXT {  
    '      DWORD dwSize;  
    '      DWORD cbBlob;  
    '      BYTE* pbBlob;
    ' } CRYPTUI_WIZ_DIGITAL_SIGN_CONTEXT;
    <StructLayout(LayoutKind.Sequential)> _
    Public Structure CRYPTUI_WIZ_DIGITAL_SIGN_CONTEXT
        Public dwSize As Int32
        Public cbBlob As Int32
        Public pbBlob As IntPtr
    End Structure

    ' BOOL WINAPI CryptUIWizDigitalSign(
    '      DWORD dwFlags,
    '      HWND hwndParent,
    '      LPCWSTR pwszWizardTitle,
    '      PCCRYPTUI_WIZ_DIGITAL_SIGN_INFO pDigitalSignInfo,
    '      PCCRYPTUI_WIZ_DIGITAL_SIGN_CONTEXT* ppSignContext
    ' );
    <DllImport("Cryptui.dll", CharSet:=CharSet.Unicode, SetLastError:=True)> _
    Public Shared Function CryptUIWizDigitalSign( _
        ByVal dwFlags As Int32, _
        ByVal hwndParent As IntPtr, _
        ByVal pwszWizardTitle As String, _
        ByRef pDigitalSignInfo As CRYPTUI_WIZ_DIGITAL_SIGN_INFO, _
        ByRef ppSignContext As IntPtr _
    ) As Boolean
    End Function

    ' BOOL WINAPI CryptUIWizFreeDigitalSignContext(
    '   PCCRYPTUI_WIZ_DIGITAL_SIGN_CONTEXT pSignContext
    ' );
    <DllImport("Cryptui.dll", CharSet:=CharSet.Auto, SetLastError:=True)> _
    Public Shared Function CryptUIWizFreeDigitalSignContext( _
        ByVal pSignContext As IntPtr _
    ) As Boolean
    End Function

End Class

</SAMPLE>

<SAMPLE file="Module1.vb">

Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports SignExe.Crypto
Imports System.Security.Cryptography.X509Certificates
Imports System.IO

Module Module1

    Sub Main()

        ' Parameters
        Dim certPath As String = "MyCert.pfx"
        Dim exePath As String = "MyApplication.exe"
        Dim sigPath As String = "signature.sig"

        ' Variables
        '
        Dim cert As X509Certificate2
        Dim digitalSignInfo As CRYPTUI_WIZ_DIGITAL_SIGN_INFO
        Dim pSignContext As IntPtr
        Dim pSigningCertContext As IntPtr
        Dim signContext As CRYPTUI_WIZ_DIGITAL_SIGN_CONTEXT
        Dim fileOut As FileStream
        Dim binWriter As BinaryWriter
        Dim blob() As Byte

        Try
            ' Get certificate context
            '
            cert = New X509Certificate2(certPath, "")
            pSigningCertContext = cert.Handle

            ' Prepare signing info: exe and cert
            '
            digitalSignInfo = New CRYPTUI_WIZ_DIGITAL_SIGN_INFO
            digitalSignInfo.dwSize = Marshal.SizeOf(digitalSignInfo)
            digitalSignInfo.dwSubjectChoice = CRYPTUI_WIZ_DIGITAL_SIGN_SUBJECT_FILE
            digitalSignInfo.pwszFileName = exePath
            digitalSignInfo.dwSigningCertChoice = CRYPTUI_WIZ_DIGITAL_SIGN_CERT
            digitalSignInfo.pSigningCertContext = pSigningCertContext
            digitalSignInfo.pwszTimestampURL = vbNullString
            digitalSignInfo.dwAdditionalCertChoice = 0
            digitalSignInfo.pSignExtInfo = IntPtr.Zero

            ' Sign exe
            '
            If (Not CryptUIWizDigitalSign( _
                CRYPTUI_WIZ_NO_UI, _
                IntPtr.Zero, _
                vbNullString, _
                digitalSignInfo, _
                pSignContext _
            )) Then
                Throw New Win32Exception(Marshal.GetLastWin32Error(), "CryptUIWizDigitalSign")
            End If

            ' Get the blob with the signature
            '
            signContext = Marshal.PtrToStructure(pSignContext, GetType(CRYPTUI_WIZ_DIGITAL_SIGN_CONTEXT))
            blob = New Byte(signContext.cbBlob) {}
            Marshal.Copy(signContext.pbBlob, blob, 0, signContext.cbBlob)

            ' Store the signature in a new file
            '
            fileOut = File.Open(sigPath, FileMode.Create)
            binWriter = New BinaryWriter(fileOut)
            binWriter.Write(blob)
            binWriter.Close()
            fileOut.Close()

            ' Free blob
            '
            If (Not CryptUIWizFreeDigitalSignContext(pSignContext)) Then
                Throw New Win32Exception(Marshal.GetLastWin32Error(), "CryptUIWizFreeDigitalSignContext")
            End If

            ' We are done
            Console.WriteLine("Done!!!")

        Catch ex As Win32Exception
            ' Any expected errors?
            '
            Console.WriteLine(ex.Message + " error#" + ex.NativeErrorCode.ToString)
        Catch ex As Exception
            ' Any unexpected errors?
            '
            Console.WriteLine(ex.Message)
        End Try

        ' We are done
        '
        Console.WriteLine("<< Press any key to continue >>")
        Console.ReadKey()

    End Sub

End Module

</SAMPLE>

This sample was also reproducing the issue. So I checked what CryptUIWizDigitalSign does behind the scenes.

CryptUIWizDigitalSign API uses SignerSignEx API to do the signing.

The following VC++ sample uses SignerSignEx API to do the signing programmatically:

#include "windows.h"
#include "Wincrypt.h"
#include "stdio.h"
#include "conio.h"


// STRUCTS

typedef struct _SIGNER_FILE_INFO {  
	DWORD cbSize;  
	LPCWSTR pwszFileName;  
	HANDLE hFile;
} SIGNER_FILE_INFO,  *PSIGNER_FILE_INFO;

typedef struct _SIGNER_BLOB_INFO {  
	DWORD cbSize;  
	GUID *pGuidSubject;  
	DWORD cbBlob;  
	BYTE *pbBlob;  
	LPCWSTR pwszDisplayName;
} SIGNER_BLOB_INFO,  *PSIGNER_BLOB_INFO;

typedef struct _SIGNER_SUBJECT_INFO {  
	DWORD cbSize;  
	DWORD *pdwIndex;  
	DWORD dwSubjectChoice;  
	union {    
		SIGNER_FILE_INFO *pSignerFileInfo;    
		SIGNER_BLOB_INFO *pSignerBlobInfo;  
	} ;
} SIGNER_SUBJECT_INFO,  *PSIGNER_SUBJECT_INFO;

typedef struct _SIGNER_CERT_STORE_INFO {  
	DWORD cbSize;  
	PCCERT_CONTEXT pSigningCert;  
	DWORD dwCertPolicy;  
	HCERTSTORE hCertStore;
} SIGNER_CERT_STORE_INFO,  *PSIGNER_CERT_STORE_INFO;

typedef struct _SIGNER_SPC_CHAIN_INFO {  
	DWORD cbSize;  
	LPCWSTR pwszSpcFile;  
	DWORD dwCertPolicy;  
	HCERTSTORE hCertStore;
} SIGNER_SPC_CHAIN_INFO,  *PSIGNER_SPC_CHAIN_INFO;

typedef struct _SIGNER_CERT {  
	DWORD cbSize;  
	DWORD dwCertChoice;  
	union {    
		LPCWSTR pwszSpcFile;    
		SIGNER_CERT_STORE_INFO *pCertStoreInfo;    
		SIGNER_SPC_CHAIN_INFO *pSpcChainInfo;  
	} ;  
	HWND hwnd;
} SIGNER_CERT,  *PSIGNER_CERT;

typedef struct _SIGNER_ATTR_AUTHCODE {  
	DWORD cbSize;  
	BOOL fCommercial;  
	BOOL fIndividual;  
	LPCWSTR pwszName;  
	LPCWSTR pwszInfo;
} SIGNER_ATTR_AUTHCODE,  *PSIGNER_ATTR_AUTHCODE;

typedef struct _SIGNER_SIGNATURE_INFO {  
	DWORD cbSize;  
	ALG_ID algidHash;  
	DWORD dwAttrChoice;  
	union {    
		SIGNER_ATTR_AUTHCODE *pAttrAuthcode;  
	} ;  
	PCRYPT_ATTRIBUTES psAuthenticated;  
	PCRYPT_ATTRIBUTES psUnauthenticated;
} SIGNER_SIGNATURE_INFO,  *PSIGNER_SIGNATURE_INFO;

typedef struct _SIGNER_PROVIDER_INFO {  
	DWORD cbSize;  
	LPCWSTR pwszProviderName;  
	DWORD dwProviderType;  
	DWORD dwKeySpec;  
	DWORD dwPvkChoice;  
	union {    
		LPWSTR pwszPvkFileName;    
		LPWSTR pwszKeyContainer;  
	} ;
} SIGNER_PROVIDER_INFO,  *PSIGNER_PROVIDER_INFO;

typedef struct _SIGNER_CONTEXT {  
	DWORD cbSize;  
	DWORD cbBlob;  
	BYTE *pbBlob;
} SIGNER_CONTEXT,  *PSIGNER_CONTEXT;


// EXPORTS 

typedef HRESULT (WINAPI* SignerFreeSignerContextType)(
  __in  SIGNER_CONTEXT *pSignerContext
);

typedef HRESULT (WINAPI *SignerSignExType)(
  __in      DWORD dwFlags,
  __in      SIGNER_SUBJECT_INFO *pSubjectInfo,
  __in      SIGNER_CERT *pSignerCert,
  __in      SIGNER_SIGNATURE_INFO *pSignatureInfo,
  __in_opt  SIGNER_PROVIDER_INFO *pProviderInfo,
  __in_opt  LPCWSTR pwszHttpTimeStamp,
  __in_opt  PCRYPT_ATTRIBUTES psRequest,
  __in_opt  LPVOID pSipData,
  __out     SIGNER_CONTEXT **ppSignerContext
);


// MAIN

void main()
{
	// PARAMETERS

	// File to sign
	LPCWSTR pwszFileName = L"C:\\TEST\\MyApplication.exe";

	// Signing Cert Subject
	LPCWSTR pwszCertSubject = L"My cert Subject";

	// VARIABLES
	HRESULT hResult = S_OK;
	BOOL bResult = TRUE;
	HMODULE hMssign32 = NULL;
	SignerSignExType pfSignerSignEx = NULL;
	SignerFreeSignerContextType pfSignerFreeSignerContext = NULL;
	HANDLE hFile = NULL;
	HCERTSTORE hCertStore = NULL; 
	PCCERT_CONTEXT pCertContext = NULL;
	DWORD dwIndex = 0;
	SIGNER_FILE_INFO signerFileInfo;
	SIGNER_SUBJECT_INFO signerSubjectInfo;
	SIGNER_CERT_STORE_INFO signerCertStoreInfo;
	SIGNER_CERT signerCert;
	SIGNER_SIGNATURE_INFO signerSignatureInfo;
	SIGNER_CONTEXT * pSignerContext = NULL;

	// MAIN

	// Attach a debugger now!
	printf("<< Press any key to continue>>\n");
	_getch();

	// Load library containing SignerSignEx and SignerFreeSignerContext
	printf("LoadLibrary...");
	hMssign32 = LoadLibrary(L"Mssign32.dll");
	if (!hMssign32)
	{
		printf("Error #%d\n", GetLastError()); goto cleanup;
	}
	printf("Done!\n");

	// Get SignerSignEx function
	printf("GetProcAddress(SignerSignEx)...");
	pfSignerSignEx = (SignerSignExType) GetProcAddress(hMssign32, "SignerSignEx");
	if (!pfSignerSignEx)
	{
		printf("Error #%d\n", GetLastError()); goto cleanup;
	}
	printf("Done!\n");

	// Get SignerFreeSignerContext function
	printf("GetProcAddress(SignerFreeSignerContext)...");
	pfSignerFreeSignerContext = (SignerFreeSignerContextType) GetProcAddress(hMssign32, "SignerFreeSignerContext");
	if (!pfSignerFreeSignerContext)
	{
		printf("Error #%d\n", GetLastError()); goto cleanup;
	}
	printf("Done!\n");

	// Open file to sign
	printf("CreateFile...");
	hFile = CreateFile(
		pwszFileName,
		GENERIC_READ | GENERIC_WRITE,
		0,
		NULL,
		OPEN_EXISTING,
		FILE_ATTRIBUTE_NORMAL,
		NULL
	);
	if (!hFile)
	{
		printf("Error #%d\n", GetLastError()); goto cleanup;
	}
	printf("Done!\n");

	// Open MY cert store
	printf("CertOpenStore...");
	hCertStore = CertOpenStore(
		CERT_STORE_PROV_SYSTEM, 
		0,
		NULL,
		CERT_SYSTEM_STORE_CURRENT_USER,
		L"MY"
	);                 
	if (!hCertStore)
	{
		printf("Error #%d\n", GetLastError()); goto cleanup;
	}
	printf("Done!\n");

	// Find signing cert in MY cert store
	printf("CertFindCertificateInStore...");
	pCertContext = CertFindCertificateInStore(
		hCertStore,
		X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
		0,
		CERT_FIND_SUBJECT_STR,
		(void *)pwszCertSubject,
		NULL
	);
	if (!pCertContext)
	{
		printf("Error #%d\n", GetLastError()); goto cleanup;
	}
	printf("Done!\n");

	// Prepare SIGNER_FILE_INFO struct
	signerFileInfo.cbSize = sizeof(SIGNER_FILE_INFO);
	signerFileInfo.pwszFileName = pwszFileName;
	signerFileInfo.hFile = hFile;

	// Prepare SIGNER_SUBJECT_INFO struct
	signerSubjectInfo.cbSize = sizeof(SIGNER_SUBJECT_INFO);
	dwIndex = 0;
	signerSubjectInfo.pdwIndex = &dwIndex;
	signerSubjectInfo.dwSubjectChoice = 1; // SIGNER_SUBJECT_FILE
	signerSubjectInfo.pSignerFileInfo = &signerFileInfo;

	// Prepare SIGNER_CERT_STORE_INFO struct
	signerCertStoreInfo.cbSize = sizeof(SIGNER_CERT_STORE_INFO);
	signerCertStoreInfo.pSigningCert = pCertContext;
	signerCertStoreInfo.dwCertPolicy = 2; // SIGNER_CERT_POLICY_CHAIN
	signerCertStoreInfo.hCertStore = NULL;

	// Prepare SIGNER_CERT struct
	signerCert.cbSize = sizeof(SIGNER_CERT);
	signerCert.dwCertChoice = 2; // SIGNER_CERT_STORE
	signerCert.pCertStoreInfo = &signerCertStoreInfo;
	signerCert.hwnd = NULL;

	// Prepare SIGNER_SIGNATURE_INFO struct
	signerSignatureInfo.cbSize = sizeof(SIGNER_SIGNATURE_INFO);
	signerSignatureInfo.algidHash = CALG_SHA1;
	signerSignatureInfo.dwAttrChoice = 0; // SIGNER_NO_ATTR
	signerSignatureInfo.pAttrAuthcode = NULL;
	signerSignatureInfo.psAuthenticated = NULL;
	signerSignatureInfo.psUnauthenticated = NULL;

	// Sign file with cert
	printf("SignerSignEx...");
	hResult = pfSignerSignEx(
		0,
		&signerSubjectInfo,
		&signerCert,
		&signerSignatureInfo,
		NULL,
		NULL,
		NULL,
		NULL,
		&pSignerContext
	);
	if (S_OK != hResult)
	{
		printf("Error #%d\n", hResult); goto cleanup;
	}
	printf("Done!\n");

	printf("\nSUCCESS!!!\n");

	// Clean up
cleanup:

	if (pSignerContext)
	{
		hResult = pfSignerFreeSignerContext(pSignerContext);
	}

	if (pCertContext)
	{
		bResult = CertFreeCertificateContext(pCertContext);
	}

	if (hCertStore)
	{
		bResult = CertCloseStore(hCertStore, CERT_CLOSE_STORE_CHECK_FLAG);
	}

	if (hFile)
	{
		bResult = CloseHandle(hFile);
	}

	if (hMssign32)
	{
		bResult = FreeLibrary(hMssign32);
	}

	// Exit
	printf("<< Press any key to exit >>\n");
	_getch();
	return;
}

This sample was also reproducing the issue.

Finally we saw that the issue was not in SignTool.exe / CAPICOM.SignCode.Sign / CryptUIWizDigitalSign / SignerSignEx, but in the EXE itself!

I run Visual Studio's Dumpbin.exe with its "/HEADER" parameter to list the problematic EXE's PE header information before and after signing it (the Microsoft Portable Executable and Common Object File Format Specification gives detailed information about PE header information).

Before signing, I could see the following Optional Header Value:

1400 [ C40] RVA [size] of Certificates Directory

After signing, I could see the following value:

1400 [ 1650] RVA [size] of Certificates Directory

Certificates Directory points to the location of the code signing signature in the binary. So an EXE which has not been signed should contain the following values:

0 [ 0] RVA [size] of Certificates Directory

Which was not our case. So SignerSignEx was not corrupting the EXE when signing it. It was already corrupted before that, even if it was successfully running before signing!

Just for testing, I opened the problematic EXE with a binary editor before signing it. I looked for "00 14 00 00 04 0c 00 00" bytes (correspondent to "1400 [ C40] RVA [size] of Certificates Directory" values), changed them to "00 00 00 00 00 00 00 00" and signed the EXE. It worked! Now the EXE is not corrupted and I can see the Digital Signature in Explorer, the certificate I used to sign, launch the EXE and run it as expected.

Manually modifying the PE header is not supported by Microsoft. If you face a similar issue, you should work with the team that developed the EXE and focus on why the EXE got generated with an invalid PE header in the first place.

I looked on the Internet and found that there are some third-party tools which may help us to see and modify the PE header if needed for testing purposes, for example PEInfo 0.9 BETA which I haven't tried so I can't neither recommend nor discourage its use.

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

How to change Windows Theme programmatically in XP

alejacma — Wed, 26 Nov 2008 18:30:00 GMT

Hi all,

You may know already that there is no i.e. COM object or .NET class we can use to change the Windows Theme programmatically on Windows XP. You may also know the following VBScript which can be used to do this change without user intervention:

Set OSHApp = CreateObject("Shell.Application")
Set oShell = CreateObject("Wscript.Shell")

' Set the Path to the Theme file
'
Theme = "\\SERVER\SHAREDFOLDER\FILE.THEME"
Theme = """" + Theme + """"
' Open the Theme in Display Properties
'
oSHApp.ControlPanelItem cstr("desk.cpl desk,@Themes /Action:OpenTheme /file:" & Theme)

' Loop and wait until Display Properties is loaded.
'
While OShell.AppActivate ("Display Properties") = FALSE
Wscript.Sleep 1000
Wend

' Loop and send the Enter key to Display Properties until Theme is applied 
'
While OShell.AppActivate ("Display Properties") = TRUE
    oShell.AppActivate "Display Properties"
    Wscript.Sleep 200
    oShell.sendkeys "{ENTER}"
Wend

If you try this script, it will sometimes fail. In some situations, the Display Properties dialog won't be closed automatically. You may "play" with the Sleep times and solve the issue in several machines, but it won't necessarily work in all of them.

The issue here is that "oShell.sendkeys "{ENTER}"" is not getting to the right window and there is any guarantee that it will do it.

Fortunately there is an alternate solution to this script and its SendKeys: send a BM_CLICK window message to the button we need to press in the required Theme window. This way we can warrantee that we close the right window by pressing the right button.

You will find a VB.NET sample below which gets all windows in the desktop (visible and invisible), the way Spy++ does it, in a tree. Then the sample also shows how if we select one of those windows in the tree manually (i.e. the print dialog of notepad), we can interact with it programmatically (i.e. changing the editbox with the number of copies to print and pressing the Print button).

It should be easy to adapt this sample to our needs so it first launches the Theme console to change the theme the way the script above does it (i.e. Running Windows XP Control Panel Applets from Visual Basic.NET 2005), and then it looks for the window we need to close, locates its OK button and sends a BM_CLICK message to it in order to close the window.

Here is the sample:

Imports System.Runtime.InteropServices

Public Class Form1
    Inherits System.Windows.Forms.Form

#Region " Windows Form Designer generated code "

    Public Sub New()
        MyBase.New()

        'This call is required by the Windows Form Designer.
        InitializeComponent()

        'Add any initialization after the InitializeComponent() call

        ' Get all windows and show them in the tree
        '
        GetWindows()
        TreeView1.Nodes.Item(0).Expand()
    End Sub

    'Form overrides dispose to clean up the component list.
    Protected Overloads Overrides Sub Dispose(ByVal disposing As Boolean)
        If disposing Then
            If Not (components Is Nothing) Then
                components.Dispose()
            End If
        End If
        MyBase.Dispose(disposing)
    End Sub

    'Required by the Windows Form Designer
    Private components As System.ComponentModel.IContainer

    'NOTE: The following procedure is required by the Windows Form Designer
    'It can be modified using the Windows Form Designer.  
    'Do not modify it using the code editor.
    Friend WithEvents TreeView1 As System.Windows.Forms.TreeView
    Friend WithEvents Button1 As System.Windows.Forms.Button
    Friend WithEvents Button2 As System.Windows.Forms.Button
     Private Sub InitializeComponent()
        Me.TreeView1 = New System.Windows.Forms.TreeView
        Me.Button1 = New System.Windows.Forms.Button
        Me.Button2 = New System.Windows.Forms.Button
        Me.SuspendLayout()
        '
        'TreeView1
        '
        Me.TreeView1.HideSelection = False
        Me.TreeView1.ImageIndex = -1
        Me.TreeView1.Location = New System.Drawing.Point(8, 48)
        Me.TreeView1.Name = "TreeView1"
        Me.TreeView1.SelectedImageIndex = -1
        Me.TreeView1.Size = New System.Drawing.Size(640, 504)
        Me.TreeView1.TabIndex = 0
        '
        'Button1
        '
        Me.Button1.Location = New System.Drawing.Point(8, 8)
        Me.Button1.Name = "Button1"
        Me.Button1.Size = New System.Drawing.Size(160, 32)
        Me.Button1.TabIndex = 1
        Me.Button1.Text = "Refresh"
        '
        'Button2
        '
        Me.Button2.Location = New System.Drawing.Point(176, 8)
        Me.Button2.Name = "Button2"
        Me.Button2.Size = New System.Drawing.Size(472, 32)
        Me.Button2.TabIndex = 2
        Me.Button2.Text = "Set ""Number of copies"" and click ""Print"" in selected notepad's Print dialog"
        '
        'Form1
        '
        Me.AutoScaleBaseSize = New System.Drawing.Size(5, 13)
        Me.ClientSize = New System.Drawing.Size(656, 558)
        Me.Controls.Add(Me.Button2)
        Me.Controls.Add(Me.Button1)
        Me.Controls.Add(Me.TreeView1)
        Me.Name = "Form1"
        Me.Text = "Form1"
        Me.ResumeLayout(False)

    End Sub

#End Region

#Region "AlejaCMa"

    ' Constants
    '
    Private Const GW_CHILD = 5
    Private Const GW_HWNDNEXT = 2

    Private Const WM_SETTEXT = &HC
    Private Const BM_CLICK = &HF5

    ' API declarations
    '
    Private Declare Function GetDesktopWindow Lib "user32" () As IntPtr

    Private Declare Function GetWindow Lib "user32" ( _
        ByVal hWnd As IntPtr, _
        ByVal uCmd As Int32) _
    As IntPtr

    Private Declare Function GetWindowText Lib "user32" Alias "GetWindowTextA" ( _
        ByVal hWnd As IntPtr, _
        ByVal lpString As String, _
        ByVal nMaxCount As Int32) _
    As Int32

    Public Declare Function GetWindowThreadProcessId Lib "user32" Alias "GetWindowThreadProcessId" ( _
        ByVal hwnd As IntPtr, _
        ByRef lpdwProcessId As Int32) _
    As Int32

    Private Declare Function GetClassName Lib "user32" Alias "GetClassNameA" ( _
        ByVal hWnd As IntPtr, _
        ByVal lpClassName As String, _
        ByVal nMaxCount As Int32) _
    As Int32

    Private Declare Function IsWindowVisible Lib "user32" ( _
        ByVal hWnd As IntPtr) _
    As Int32

    Public Declare Auto Function SendMessage Lib "user32" Alias "SendMessageA" ( _
        ByVal hWnd As IntPtr, _
        ByVal wMsg As Int32, _
        ByVal wParam As Int32, _
         ByVal lParam As String) _
    As Int32

    ' Get windows, and show them in the tree
    '
    Private Sub GetWindows()
        ' Variables
        '
        Dim hWnd As IntPtr
        Dim node As TreeNode
        Dim windowText As String
        Dim className As String
        Dim c As Int32
        Dim nodeText As String

        ' Get desktop window
        '
        hWnd = GetDesktopWindow()

        ' Get window text and class name
        '
        windowText = Space(255)
        c = GetWindowText(hWnd, windowText, 255)
        windowText = Microsoft.VisualBasic.Left(windowText, c)

        className = Space(255)
        c = GetClassName(hWnd, className, 255)
        className = Microsoft.VisualBasic.Left(className, c)

        ' Add window to the tree
        '
        nodeText = String.Format("{0:X8} ""{1}"" {2} (Desktop)", hWnd.ToInt32, windowText, className)
        node = TreeView1.Nodes.Add(nodeText)
        node.ForeColor = Color.Black

        ' Search children by recursion
        '
        GetWindows(hWnd, node)
    End Sub

    Private Sub GetWindows(ByVal hParentWnd As IntPtr, ByVal parentNode As TreeNode)
        ' Variables
        '
        Dim hWnd As IntPtr
        Dim node As TreeNode
        Dim windowText As String
        Dim className As String
        Dim c As Int32
        Dim nodeText As String

        ' Get first child window
        '
        hWnd = GetWindow(hParentWnd, GW_CHILD)

        Do Until hWnd.Equals(IntPtr.Zero)
            ' Get the window text and class name
            '
            windowText = Space(255)
            c = GetWindowText(hWnd, windowText, 255)
            windowText = Microsoft.VisualBasic.Left(windowText, c)

            className = Space(255)
            c = GetClassName(hWnd, className, 255)
            className = Microsoft.VisualBasic.Left(className, c)

            ' Add window to the tree
            '
            nodeText = String.Format("{0:X8} ""{1}"" {2}", hWnd.ToInt32, windowText, className)
            node = parentNode.Nodes.Add(nodeText)
            If (IsWindowVisible(hWnd)) Then
                ' Visible windows are shown in black
                '
                node.ForeColor = Color.Black
            Else
                ' Invisible windows are shown in red
                '
                node.ForeColor = Color.Red
            End If

            ' Search children by recursion
            '
            GetWindows(hWnd, node)

            ' Get next child window
            '
            hWnd = GetWindow(hWnd, GW_HWNDNEXT)
        Loop
    End Sub

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        ' Get all windows and show them in the tree
        '
        TreeView1.Nodes.Clear()
        GetWindows()
        TreeView1.Nodes.Item(0).Expand()
    End Sub

    Private Sub Button2_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button2.Click
        ' Variables
        '
        Dim node As TreeNode
        Dim windowInfo As String
        Dim hWnd As IntPtr
        Dim pid As Int32
        Dim processName As String

        ' Get the selected window in the tree
        '
        node = TreeView1.SelectedNode

        ' Get PID (Process ID) for the selected window
        '
        hWnd = New IntPtr(CInt("&H" + Microsoft.VisualBasic.Left(node.Text, 8)))
        GetWindowThreadProcessId(hWnd, pid)

        ' Get process name from PID
        '
        processName = Process.GetProcessById(pid).ProcessName

        ' Check if the selected window in the tree is notepad's Print dialog:
        '   Window Handle = xxxxxxxx (variable)
        '   Window Text   = Print
        '   Class Name    = #32770
        '   Process Name  = "notepad"
        '
        windowInfo = Microsoft.VisualBasic.Right(node.Text, node.Text.Length - 9)
        If (windowInfo = """Print"" #32770" And processName = "notepad") Then
            ' The selected window is notepad's Print dialog

            ' Change the number of copies in "Number of &copies" edit box 
            '
            ' xxxxxxxx "Print" #32770       <-- Selected node
            '   - xxxxxxxx "General" #32770
            '       - xxxxxxxx "" #32770
            '            xxxxxxxx "" Edit   <-- We have to write here
            '
            hWnd = New IntPtr(CInt("&H" + Microsoft.VisualBasic.Left(node.Nodes(0).Nodes(13).Nodes(10).Text, 8)))
            SendMessage(hWnd, WM_SETTEXT, 0, "2")

            ' Press the print button
            '
            ' xxxxxxxx "Print" #32770       <-- Selected node
            '    xxxxxxxx "&Print" Button   <-- We have to press here
            '
            hWnd = New IntPtr(CInt("&H" + Microsoft.VisualBasic.Left(node.Nodes(1).Text, 8)))
            SendMessage(hWnd, BM_CLICK, 0, Nothing)
        Else
            ' The selected window is not notepad's Print dialog
            '
            MessageBox.Show("The selected window is not a notepad's Print dialog")
        End If
    End Sub
#End Region

End Class

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

How to get more than 1000 group members including foreign SAMs (VBScript)

alejacma — Tue, 05 Aug 2008 10:21:00 GMT

Hi all,

We may have a group in our Active Directory with members from a foreign domain. We may try to retrieve all those members with ADSI and a code like this: Using IADs::GetInfoEx for Range Retrieval. The issue with this code is that we will only be able to see the SID of foreign principals (i.e. CN=S-1-5-21-1234567890...-123,CN=ForeignSecurityPrincipals,DC=domain,DC=com), which may not be very useful for us.

The following sample (based on above Range Retrieval sample) will retrieve all members in a group (including foreign principals) and show their sAMAccountName:

' PARAMETERS.
'
strFileName = "c:\List.txt"
strGroupDN = "CN=groupName,CN=Users,DC=domainName,DC=com"

' Bind to the group with the current credentials.
'
Set oGroup = GetObject("LDAP://" & strGroupDN)

' Create file for results.
'
Set fs = CreateObject("Scripting.FileSystemObject")
Set usersFile = fs.CreateTextFile(strFileName, True)

' For compatibility with all operating systems, the number of objects
' retrieved by each query should not exceed 999. The number of objects
' to retrieve should be as close as possible to 999 to reduce the number
' of round trips to the server necessary to retrieve the objects.
rangeStep = 999
lowRange = 0
highRange = lowRange + rangeStep

Do
  ' Use the "member;range=<lowRange>-<highRange>" syntax.
  '
  strCommandText = "member;range=" & lowRange & "-" & highRange
  usersFile.WriteLine(vbCrLf & "Current search command: " & _
  strCommandText & vbCrLf)

  ' Load the specified range of members into the local cache. This 
  ' will throw an error if the range exceeds the properties contained 
  ' in the object. The "On Error GoTo quit" error handler will cause 
  ' the loop to terminate when this happens.
  '
  On Error Resume Next
  oGroup.GetInfoEx Array(strCommandText), 0
  If Err.Number = &H80072020 Then
    Exit Do
  End If
  On Error Goto 0

  ' Enumerate the retrieved members.
  '
  oMembers = oGroup.Get("member")
  If vbArray And VarType(oMembers) Then
    For Each oMember In oMembers
      ' Add the member.
      '            
      Set oUser = GetObject("LDAP://" & oMember)            
      If (oUser.Class = "foreignSecurityPrincipal") Then

        usersFile.WriteLine(GetForeignSAM(oUser))
      Else
        usersFile.WriteLine(oUser.sAMAccountName)
      End If 
      nRetrieved = nRetrieved + 1
    Next
  Else
    ' oGroup.Get returned only one member, so add it to the list.
    '
    Set oUser = GetObject("LDAP://" & oMembers)            
    If (oUser.Class = "foreignSecurityPrincipal") Then

      usersFile.WriteLine(GetForeignSAM(oUser))
    Else
      usersFile.WriteLine(oUser.sAMAccountName)
    End If 

    nRetrieved = nRetrieved + 1
  End If

  ' Increment the high and low ranges to query for the next block of 
  ' objects.
  '
  lowRange = highRange + 1
  highRange = lowRange + rangeStep
Loop While True

MsgBox "File """ & strFileName &  """ created"


'-----------------------------------------------------------------------
' HELPER FUNCTIONS
'-----------------------------------------------------------------------
function GetForeignSAM (oUser)
  ' CONSTANTS.
  '
  ADS_SID_RAW = 0
  ADS_SID_HEXSTRING = ADS_SID_RAW + 1
  ADS_SID_SAM = ADS_SID_HEXSTRING + 1
  ADS_SID_UPN = ADS_SID_SAM + 1
  ADS_SID_SDDL = ADS_SID_UPN + 1
  ADS_SID_WINNT_PATH = ADS_SID_SDDL + 1

  ' Get the SID
  '

  ' Now, resolve the SID into its sAMAcountName.
  '
  set oADsSID = CreateObject("ADsSID")
  oADsSID.SetAs ADS_SID_RAW, oUser.Get("objectSid")

  ' Requesting the Sam Account Name
  '
  GetForeignSAM = oADsSID.GetAs(ADS_SID_SAM)	

end function

Note: ADsSID object is implemented in ADsSecurity.dll.

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

How to get Antivirus information with WMI (VBScript)

alejacma — Mon, 12 May 2008 12:23:00 GMT

Hi all, welcome back,

As we read in Windows Security Center – Managing the State of Security, the vast majority of antivirus Independent Software Vendors (ISVs) support WMI integration. Windows Security Center uses it to detect antivirus and firewall solutions.

The following script shows how to get some information from those solutions:

strComputer = "."
    
Set oWMI = GetObject( _
  "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter")
  
Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")

For Each objItem in colItems
  With objItem
    WScript.Echo .companyName
    WScript.Echo .displayName
    WScript.Echo .instanceGuid
    WScript.Echo .onAccessScanningEnabled
    WScript.Echo .pathToSignedProductExe
    WScript.Echo .productHasNotifiedUser
    WScript.Echo .productState
    WScript.Echo .productUptoDate
    WScript.Echo .productWantsWscNotifications
    WScript.Echo .versionNumber  
  End With
Next

Cheers,

Alex (Alejandro Campos Magencio)

How to get a list of all users in an OU (VBScript)

alejacma — Wed, 23 Apr 2008 18:44:00 GMT

Hi all, welcome back,

Today I'll post a very straight forward sample which gets a list of all users in an Organizational Unit (OU) in Active Directory (AD) using VBScript:

' Get OU
'
strOU = "OU=Users,DC=domain,DC=com"

' Create connection to AD
'
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"

' Create command
'
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000

' Execute command to get all users in OU
'
objCommand.CommandText = _
  "<LDAP://" & strOU & ">;" & _
  "(&(objectclass=user)(objectcategory=person));" & _
  "adspath,distinguishedname,sAMAccountName;subtree"
Set objRecordSet = objCommand.Execute

' Show info for each user in OU
'
Do Until objRecordSet.EOF

  ' Show required info for a user
  '  
  WScript.Echo objRecordSet.Fields("adspath").Value
  WScript.Echo objRecordSet.Fields("distinguishedname").Value
  WScript.Echo objRecordSet.Fields("sAMAccountName").Value

  ' Move to the next user
  '
  objRecordSet.MoveNext

Loop

' Clean up
'
objRecordSet.Close
Set objRecordSet = Nothing
Set objCommand = Nothing
objConnection.Close
Set objConnection = Nothing

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

How to read a registry key and its values (VBScript)

alejacma — Fri, 11 Apr 2008 09:27:00 GMT

Hi all, welcome back,

Today I'll share with you a couple of VBScript samples I developed the other day. They use WMI and its StdRegProv class to read the Windows registry.

This sample will take a registry key and show its subkeys and the values within those subkeys:

' Constants (taken from WinReg.h)
'
Const HKEY_CLASSES_ROOT   = &H80000000
Const HKEY_CURRENT_USER   = &H80000001
Const HKEY_LOCAL_MACHINE  = &H80000002
Const HKEY_USERS          = &H80000003

Const REG_SZ        = 1
Const REG_EXPAND_SZ = 2
Const REG_BINARY    = 3
Const REG_DWORD     = 4
Const REG_MULTI_SZ  = 7

' Chose computer name, registry tree and key path
'
strComputer = "." ' Use . for current machine
hDefKey = HKEY_LOCAL_MACHINE
strKeyPath = "SOFTWARE\Microsoft\Cryptography\Defaults\Provider"

' Connect to registry provider on target machine with current user
'
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

' Enum the subkeys of the key path we've chosen
'
oReg.EnumKey hDefKey, strKeyPath, arrSubKeys

For Each strSubkey In arrSubKeys

  ' Show the subkey
  '
  wscript.echo strSubkey

  ' Show its value names and types
  '
  strSubKeyPath = strKeyPath & "\" & strSubkey
  oReg.EnumValues hDefKey, strSubKeyPath, arrValueNames, arrTypes

  For i = LBound(arrValueNames) To UBound(arrValueNames)
    strValueName = arrValueNames(i)
    Select Case arrTypes(i)

      ' Show a REG_SZ value
      '
      Case REG_SZ          
        oReg.GetStringValue hDefKey, strSubKeyPath, strValueName, strValue
        wscript.echo "  " & strValueName & " (REG_SZ) = " & strValue

      ' Show a REG_EXPAND_SZ value
      '
      Case REG_EXPAND_SZ
        oReg.GetExpandedStringValue hDefKey, strSubKeyPath, strValueName, strValue
        wscript.echo "  " & strValueName & " (REG_EXPAND_SZ) = " & strValue

      ' Show a REG_BINARY value
      '          
      Case REG_BINARY
        oReg.GetBinaryValue hDefKey, strSubKeyPath, strValueName, arrBytes
        strBytes = ""
        For Each uByte in arrBytes
          strBytes = strBytes & Hex(uByte) & " "
        Next
        wscript.echo "  " & strValueName & " (REG_BINARY) = " & strBytes

      ' Show a REG_DWORD value
      '
      Case REG_DWORD
        oReg.GetDWORDValue hDefKey, strSubKeyPath, strValueName, uValue
        wscript.echo "  " & strValueName & " (REG_DWORD) = " & CStr(uValue)				  

      ' Show a REG_MULTI_SZ value
      '
      Case REG_MULTI_SZ
        oReg.GetMultiStringValue hDefKey, strSubKeyPath, strValueName, arrValues				  				
        wscript.echo "  " & strValueName & " (REG_MULTI_SZ) ="
        For Each strValue in arrValues
          wscript.echo "    " & strValue 
        Next

    End Select
  Next

Next

But what if we only need to know if a registry key exists? We could just do the following:

' Constants (taken from WinReg.h)
'
Const HKEY_CLASSES_ROOT   = &H80000000
Const HKEY_CURRENT_USER   = &H80000001
Const HKEY_LOCAL_MACHINE  = &H80000002
Const HKEY_USERS          = &H80000003

' Chose computer name, registry tree and key path
'
strComputer = "." ' Use . for current machine
hDefKey = HKEY_LOCAL_MACHINE
strKeyPath = "SOFTWARE\Microsoft\Cryptography\Defaults\Provider"

' Connect to registry provider on target machine with current user
'
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

' Try to enum the subkeys of the key path we've chosen. We can't if the key doesn't exist
'
If oReg.EnumKey(hDefKey, strKeyPath, arrSubKeys) = 0 Then
  wscript.echo "Key exists!"
Else
  wscript.echo "Key does not exists!"
End If

I hope this helps.

Cheers,

Alex (Alejandro Campos Magencio)

How to change the Security Descriptor of WMI objects

alejacma — Fri, 14 Mar 2008 05:51:00 GMT

Hi all, welcome back,

You may want to give users or groups access to perform read/modify WMI operations on WMI objects, and for that you need to change the Security Descriptor (SD) for WMI objects. There are several ways to achieve this:

1) Manually with wmimgmt.msc: 325353 HOW TO: Set WMI Namespace Security in Windows Server 2003.

2) Using third-party tools like WMI Namespace Security.

3) Programmatically, the easy way:

We could manually set the SD on one box, then save it to a text file with GetSD method of the __SystemSecurity class, read the SD from the text file and reapply it to new boxes with SetSD method.

The following VBScript shows how to use GetSD to obtain the current SD for the Root\Cimv2 namespace and change it to the byte array shown in strDisplaySD.

' Connect to WMI and the root namespace.
'
Set objWMI = GetObject("winmgmts:root\cimv2")

' Get the single __SystemSecurity object in this namespace.
'
Set objSecurity = objWMI.Get("__SystemSecurity=@")

' Get the namespace security.
'
nReturn = objSecurity.GetSD(arrSD)
If Err <> 0 Then
    WScript.Echo "Return value =  " & nReturn
Else
    ' Show it
    '
    strDisplaySD = "SD = {"
    For I = Lbound(arrSD) To Ubound(arrSD)
        strDisplaySD = strDisplaySD & arrSD(I)
        If I <> Ubound(arrSD) Then    
            strDisplaySD = DisplaySD & ","
        End If
    Next
    strDisplaySD = strDisplaySD & "}"
    WScript.Echo strDisplaySD
End If

The following script shows how to use SetSD to set the namespace SD for the root namespace and change it to the byte array shown in arrSD.

' Hard-coded security descriptor
'
arrSD = array( 1, 0, 4,129,72, 0, 0, 0, _ 
    88, 0, 0, 0, 0, 0, 0, 0, _
    20, 0, 0, 0, 2, 0,52, 0, _
    2, 0, 0, 0, 0, 2,24, 0, _
    63, 0, 6, 0, 1, 2, 0, 0, _
    0, 0, 0, 5,32, 0, 0, 0, _
    32, 2, 0, 0, 0, 2,20, 0, _
    63, 0, 6, 0, 1, 1, 0, 0, _
    0, 0, 0, 1, 0, 0, 0, 0, _
    1, 2, 0, 0, 0, 0, 0, 5, _
    32, 0, 0, 0,32, 2, 0, 0, _
    1, 2, 0, 0, 0, 0, 0, 5, _
    32, 0, 0, 0,32, 2, 0, 0)

' Connect to WMI and the root namespace.
'
Set objWMI = GetObject("winmgmts:root\cimv2")

' Get the single __SystemSecurity object in this namespace.
'
Set objSecurity = objWMI.Get("__SystemSecurity=@")

' Change the namespace security.
'
nReturn = objSecurity.SetSD(arrSD)
WScript.Echo "Return value = " & nReturn

4) Programmatically, the hard way:

We can write our own WMI script using the following sample found at http://www.lissware.net/:

vol 2, Sample 4.02 to 4.13 - WMIManageSD.Wsf, using a series of subfunctions:

Sample 4.02 to 4.13 - WMIManageSD.Wsf
Sample 4.14 to 4.24 - GetSDFunction.vbs
Sample 4.25 - CreateDefaultSDFunction.vbs
Sample 4.26 to 4.27 - ADSIHelper.exp
Sample 4.28 - DecipherWMISDFunction.vbs
Sample 4.29 - DecipherADSISDFunction.vbs
Sample 4.30 - DecipherSDControlFlagsFunction.vbs
Sample 4.31 - CalculateSDControlFlagsFunction.vbs
Sample 4.32 to 4.40 - ActiveDirectory.CMD
Sample 4.41 - SetSDOwnerFunction.vbs
Sample 4.42 - CreateTrusteeFunction.vbs
Sample 4.43 - SetSDGroupFunction.vbs
Sample 4.44 - SetSDControlFlagsFunction.vbs
Sample 4.45 to 4.46 - AddACEFunction.vbs
Sample 4.47 to 4.48 - DelACEFunction.vbs
Sample 4.49 to 4.50 - ReOrderACEFunction.vbs
Sample 4.51 to 4.61 - SetSDFunction.vbs

The script actually reads the binary SD with __SystemSecurity class and converts it with Sample 4.14 to 4.24 - GetSDFunction.vbs at line 283.
The object used to convert the SD is defined at line 189 in Sample 4.02 to 4.13 - WMIManageSD.Wsf.
Under XP and 2003, it uses the IADsSecurityUtility::ConvertSecurityDescriptor.
Before XP, it uses a COM component especially written for the purpose of the bin array conversion to an ADSI SD representation (located in the resources folder coming with the ZIP that must be REGSVR32).

The sample given there manages the security not only on WMI namespaces, but also on Files, Folders, Shares, AD objects, Exchange Mailboxes and Registry keys.

Everything is explained in greater details in the book related to this sample as the full coverage of the details for the management of all SD supported above required 220 pages of texts and tables.
This is not a trivial task even if it is fairly achievable.

I hope this helps.

Cheers,

Alex (Alejandro Campos Magencio)

How to change Registry Permissions with RegIni.exe (VBScript)

alejacma — Tue, 11 Mar 2008 10:15:00 GMT

Hi all, welcome back,

Today I'll show how we can set the following permissions on a registry key with RegIni.exe and a VBScript:

- Creator Owner Full Control
- Users Full Control
- Power Users Full Control
- Administrators Full Control
- System Full Control

I will set the permissions here for testing purposes:

- HKEY_CLASSES_ROOT\AlejaCMaTypelib
- HKEY_LOCAL_MACHINE\Software\AlejaCMaCo\AlejaCMaApp

And for that I will need to create a special regini.exe script which will have the following contents:

 
HKEY_LOCAL_MACHINE\Software\Classes\AlejaCMaTypelib [1 5 7 11 17]
HKEY_LOCAL_MACHINE\Software\AlejaCMaCo\AlejaCMaApp [1 5 7 11 17]

Notes:
- With regini.exe I won't be able to set Users Full Control, but Everyone Full Control.
- HKEY_CLASSES_ROOT = HKEY_LOCAL_MACHINE\Software\Classes

See the following articles for details on the values used in the regini script:
- How to Use Regini.exe to Set Permissions on Registry Keys
- How to: Use a Script to Change Registry Permissions from the Command Line

And here you have the VBScript that will use regini.exe and its script:

' Create temp file with the script that regini.exe will use
'
set oFSO = CreateObject("Scripting.FileSystemObject")
strFileName = oFSO.GetTempName
set oFile = oFSO.CreateTextFile(strFileName)
oFile.WriteLine "HKEY_LOCAL_MACHINE\Software\Classes\AlejaCMaTypelib [1 5 7 11 17]"
oFile.WriteLine "HKEY_LOCAL_MACHINE\Software\AlejaCMaCo\AlejaCMaApp [1 5 7 11 17]"
oFile.Close

' Change registry permissions with regini.exe
'
set oShell = CreateObject("WScript.Shell")
oShell.Run "regini " & strFileName, 8, true

' Delete temp file
'
oFSO.DeleteFile strFileName

WScript.Echo "Done!"

I hope it helps.

Cheers,

Alex (Alejandro Campos Magencio)

How to get the user running a VBScript

alejacma — Tue, 11 Mar 2008 10:07:00 GMT

Hi all, welcome back,

It's very easy to find out the user name and the domain name of the user running a VBScript, and the computer name where it's running:

Set objNet = CreateObject("WScript.NetWork") 

strInfo = "User Name is     " & objNet.UserName & vbCRLF & _
          "Computer Name is " & objNet.ComputerName & vbCRLF & _
          "Domain Name is   " & objNet.UserDomain

MsgBox strInfo

I hope this helps.

Cheers,

Alex (Alejandro Campos Magencio)