
NISPOM: Setting Auditing on Files/Folders via PowerShell

JayteeBates

[H]ard|Poof
Joined
Jul 21, 2007
Messages
5,500
One of my responsibilities at work is setting security settings on various operating systems to DSS requirements. DSS doesn't do anything other than say set all these files to XYZ permissions and auditing. Previously I shared a VBScript using WMI to do this here, but it doesn't work as well on Win7 as it did on XP.

I found the original form of this script here. I had to tweak it a bit, with the biggest change being that he was auditing for success with AceFlags=0x67, while 0x80 does failure, which I needed. I also changed the AccessMask to FullControl from Modify, as I wanted all possible failures on the files in the list.

Hopefully this helps if anyone needs it.

Code:
$items = @()
$items += "C:\Windows\Registration\CRMLog"
$items += "c:\program files\Common Files\Symantec Shared"
$items += "c:\program files\SAV"
$items += "c:\program files\Symantec AntiVirus"
$items += "c:\program files\Symantec"
$items += "C:\Windows\repair"
$items += "C:\Windows\system32\config"
$items += "c:\ia"
$items += "c:\eventlogs"
$items += "c:\scripting\testfolder"
$items += "C:\Windows\system32\arp.exe"
$items += "C:\Windows\system32\at.exe"
$items += "C:\Windows\system32\attrib.exe"
$items += "C:\Windows\system32\cacls.exe"
$items += "C:\Windows\system32\debug.exe"
$items += "C:\Windows\system32\edlin.exe"
$items += "C:\Windows\system32\eventcreate.exe"
$items += "C:\Windows\system32\eventtriggers.exe"
$items += "C:\Windows\system32\ftp.exe"
$items += "C:\Windows\system32\nbtstat.exe"
$items += "C:\Windows\system32\net.exe"
$items += "C:\Windows\system32\net1.exe"
$items += "C:\Windows\system32\netsh.exe"
$items += "C:\Windows\system32\netstat.exe"
$items += "C:\Windows\system32\nslookup.exe"
$items += "C:\Windows\system32\ntbackup.exe"
$items += "C:\Windows\system32\rcp.exe"
$items += "C:\Windows\system32\reg.exe"
$items += "C:\Windows\system32\regedit.exe"
$items += "C:\Windows\system32\regedt32.exe"
$items += "C:\Windows\system32\regini.exe"
$items += "C:\Windows\system32\regsvr32.exe"
$items += "C:\Windows\system32\rexec.exe"
$items += "C:\Windows\system32\route.exe"
$items += "C:\Windows\system32\rsh.exe"
$items += "C:\Windows\system32\sc.exe"
$items += "C:\Windows\system32\secedit.exe"
$items += "C:\Windows\system32\subst.exe"
$items += "C:\Windows\system32\systeminfo.exe"
$items += "C:\Windows\system32\telnet.exe"
$items += "C:\Windows\system32\tftp.exe"
$items += "C:\Windows\system32\tlntsvr.exe"
$items += "C:\Windows\setupapi.log"
$items += "C:\Windows\system32\activeds.dll" 
$items += "C:\Windows\system32\adsldpc.dll" 
$items += "C:\Windows\system32\advapi32.dll" 
$items += "C:\Windows\system32\advpack.dll" 
$items += "C:\Windows\system32\apphelp.dll" 
$items += "C:\Windows\system32\atl.dll" 
$items += "C:\Windows\system32\authz.dll" 
$items += "C:\Windows\system32\bootvid.dll" 
$items += "C:\Windows\system32\browseui.dll" 
$items += "C:\Windows\system32\cabinet.dll" 
$items += "C:\Windows\system32\cdfview.dll" 
$items += "C:\Windows\system32\certcli.dll" 
$items += "C:\Windows\system32\cfgmgr32.dll" 
$items += "C:\Windows\system32\clusapi.dll" 
$items += "C:\Windows\system32\comctl32.dll"
$items += "C:\Windows\system32\comdlg32.dll" 
$items += "C:\Windows\system32\comres.dll" 
$items += "C:\Windows\system32\credui.dll" 
$items += "C:\Windows\system32\crypt32.dll" 
$items += "C:\Windows\system32\cryptdll.dll" 
$items += "C:\Windows\system32\cryptui.dll" 
$items += "C:\Windows\system32\cscdll.dll" 
$items += "C:\Windows\system32\dbghelp.dll" 
$items += "C:\Windows\system32\devmgr.dll" 
$items += "C:\Windows\system32\dhcpcsvc.dll"
$items += "C:\Windows\system32\dnsapi.dll" 
$items += "C:\Windows\system32\drivers\ksecdd.sys" 
$items += "C:\Windows\system32\DRIVERS\ntfs.sys" 
$items += "C:\Windows\system32\duser.dll" 
$items += "C:\Windows\system32\efsadu.dll" 
$items += "C:\Windows\system32\esent.dll" 
$items += "C:\Windows\system32\eventlog.dll" 
$items += "C:\Windows\system32\gdi32.dll" 
$items += "C:\Windows\system32\hal.dll" 
$items += "C:\Windows\system32\imagehlp.dll" 
$items += "C:\Windows\system32\imm32.dll" 
$items += "C:\Windows\system32\inetcomm.dll" 
$items += "C:\Windows\system32\iphlpapi.dll" 
$items += "C:\Windows\system32\kerberos.dll" 
$items += "C:\Windows\system32\kernel32.dll" 
$items += "C:\Windows\system32\linkinfo.dll" 
$items += "C:\Windows\system32\loadperf.dll" 
$items += "C:\Windows\system32\lsasrv.dll" 
$items += "C:\Windows\system32\lsass.exe" 
$items += "C:\Windows\system32\lz32.dll" 
$items += "C:\Windows\system32\mfc42u.dll" 
$items += "C:\Windows\system32\mlang.dll" 
$items += "C:\Windows\system32\mobsync.dll" 
$items += "C:\Windows\system32\mpr.dll" 
$items += "C:\Windows\system32\mprapi.dll"
$items += "C:\Windows\system32\mprui.dll" 
$items += "C:\Windows\system32\msgina.dll" 
$items += "C:\Windows\system32\mshtml.dll" 
$items += "C:\Windows\system32\msi.dll" 
$items += "C:\Windows\system32\msimg32.dll" 
$items += "C:\Windows\system32\msoert2.dll" 
$items += "C:\Windows\system32\msrating.dll" 
$items += "C:\Windows\system32\mssign32.dll" 
$items += "C:\Windows\system32\msv1_0.dll" 
$items += "C:\Windows\system32\msvbvm60.dll" 
$items += "C:\Windows\system32\msvcp60.dll" 
$items += "C:\Windows\system32\msvcrt.dll" 
$items += "C:\Windows\system32\mswsock.dll" 
$items += "C:\Windows\system32\nddeapi.dll" 
$items += "C:\Windows\system32\netapi32.dll" 
$items += "C:\Windows\system32\netcfgx.dll" 
$items += "C:\Windows\system32\netman.dll" 
$items += "C:\Windows\system32\netplwiz.dll" 
$items += "C:\Windows\system32\netrap.dll" 
$items += "C:\Windows\system32\netshell.dll" 
$items += "C:\Windows\system32\netui0.dll" 
$items += "C:\Windows\system32\netui1.dll"
$items += "C:\Windows\system32\netui2.dll" 
$items += "C:\Windows\system32\ntdll.dll" 
$items += "C:\Windows\system32\ntdsapi.dll"
$items += "C:\Windows\system32\ntlanman.dll" 
$items += "C:\Windows\system32\ntoskrnl.exe" 
$items += "C:\Windows\system32\odbc32.dll" 
$items += "C:\Windows\system32\ole32.dll" 
$items += "C:\Windows\system32\oleacc.dll" 
$items += "C:\Windows\system32\oleaut32.dll" 
$items += "C:\Windows\system32\oledlg.dll" 
$items += "C:\Windows\system32\olepro32.dll" 
$items += "C:\Windows\system32\pautoenr.dll" 
$items += "C:\Windows\system32\powrprof.dll" 
$items += "C:\Windows\system32\printui.dll" 
$items += "C:\Windows\system32\psapi.dll" 
$items += "C:\Windows\system32\query.dll" 
$items += "C:\Windows\system32\rasapi32.dll" 
$items += "C:\Windows\system32\rasdlg.dll" 
$items += "C:\Windows\system32\rasman.dll" 
$items += "C:\Windows\system32\regapi.dll" 
$items += "C:\Windows\system32\rpcrt4.dll" 
$items += "C:\Windows\system32\rtutils.dll" 
$items += "C:\Windows\system32\samlib.dll"
$items += "C:\Windows\system32\samsrv.dll" 
$items += "C:\Windows\system32\scecli.dll" 
$items += "C:\Windows\system32\secur32.dll"
$items += "C:\Windows\system32\security.dll" 
$items += "C:\Windows\system32\setupapi.dll" 
$items += "C:\Windows\system32\sfc.dll" 
$items += "C:\Windows\system32\sfcfiles.dll"
$items += "C:\Windows\system32\shdocvw.dll" 
$items += "C:\Windows\system32\shlwapi.dll" 
$items += "C:\Windows\system32\shsvcs.dll" 
$items += "C:\Windows\system32\tapi32.dll" 
$items += "C:\Windows\system32\urlmon.dll" 
$items += "C:\Windows\system32\user32.dll" 
$items += "C:\Windows\system32\userenv.dll" 
$items += "C:\Windows\system32\utildll.dll" 
$items += "C:\Windows\system32\uxtheme.dll"
$items += "C:\Windows\system32\version.dll" 
$items += "C:\Windows\system32\w32topl.dll" 
$items += "C:\Windows\system32\wininet.dll" 
$items += "C:\Windows\system32\winipsec.dll" 
$items += "C:\Windows\system32\winlogon.exe" 
$items += "C:\Windows\system32\winmm.dll" 
$items += "C:\Windows\system32\winscard.dll" 
$items += "C:\Windows\system32\winspool.drv"
$items += "C:\Windows\system32\winsta.dll" 
$items += "C:\Windows\system32\wintrust.dll" 
$items += "C:\Windows\system32\wldap32.dll" 
$items += "C:\Windows\system32\wmi.dll"
$items += "C:\Windows\system32\ws2_32.dll" 
$items += "C:\Windows\system32\ws2help.dll"
$items += "C:\Windows\system32\wsock32.dll" 
$items += "C:\Windows\system32\wtsapi32.dll" 
$items += "C:\Windows\system32\wzcdlg.dll" 
$items += "C:\Windows\system32\wzcsapi.dll" 
$items += "C:\Windows\system32\wzcsvc.dll" 
$items += "C:\Windows\system32\kdcom.dll"
  

foreach ($item in $items)
{
    Write-Host $item

    $computer = gc env:computername
    $path = $item
    $user = "everyone"
    # WQL string literals need every backslash doubled
    $path = $path.replace("\", "\\")

    # Build an empty security descriptor plus one audit ACE for the trustee
    $SD = ([WMIClass] "Win32_SecurityDescriptor").CreateInstance()
    $ace = ([WMIClass] "Win32_ace").CreateInstance()
    $Trustee = ([WMIClass] "Win32_Trustee").CreateInstance()

    # Resolve "everyone" to its SID and copy the binary form into the trustee
    $SID = (new-object security.principal.ntaccount $user).translate([security.principal.securityidentifier])
    [byte[]] $SIDArray = ,0 * $SID.BinaryLength
    $SID.GetBinaryForm($SIDArray,0)
    $Trustee.Name = $user
    $Trustee.SID = $SIDArray

    # Audit every right; 0x80 = FAILED_ACCESS_ACE_FLAG (0x40 would be successful access)
    $ace.AccessMask = [System.Security.AccessControl.FileSystemRights]"FullControl"
    $ace.AceFlags = "0x80"
    # AceType 2 = SYSTEM_AUDIT_ACE_TYPE
    $ace.AceType = 2
    $ace.Trustee = $trustee

    # This SACL (a single entry) replaces whatever SACL the object currently has.
    # ControlFlags 0x10 = SE_SACL_PRESENT, so the descriptor carries the SACL only.
    $SD.SACL = $ace
    $SD.ControlFlags = "0x10"

    # Writing a SACL needs SeSecurityPrivilege, hence EnablePrivileges on the WMI scope
    $wPrivilege = gwmi Win32_LogicalFileSecuritySetting -computername $computer -filter "path='$path'"
    $wPrivilege.psbase.Scope.Options.EnablePrivileges = $true
    $wPrivilege.setsecuritydescriptor($SD)
}
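For anyone doing the same on Win7 and later, here is an added example (mine, not part of the post above or its original source) that applies the same failure audit entry with the .NET ACL classes instead of WMI and then reads the SACL back to confirm the entry landed. It assumes an elevated PowerShell session (writing a SACL requires SeSecurityPrivilege) and uses a short constructed $items list in place of the full DSS list; the function names Add-FailureAudit and Test-FailureAudit are my own. It also differs from the WMI script in two ways called out in the comments: AddAuditRule merges with the existing SACL rather than replacing it, and for folders the rule is set to inherit to child files and folders, which the original ACE (AceFlags 0x80 with no inherit bits) does not do.

```powershell
# Added example, not the original post's code.
# Assumes: elevated session; paths exist. $items is a constructed sample list.
$items = @(
    "C:\Windows\system32\config",   # folder: rule inherits to children here
    "C:\Windows\system32\net.exe"   # file: inheritance flags must be None
)

function Add-FailureAudit {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Skipping missing path: $Path"
        return $false
    }

    $identity = New-Object System.Security.Principal.NTAccount("Everyone")

    # A file rejects inheritance flags, so only set them on containers.
    if (Test-Path -LiteralPath $Path -PathType Container) {
        $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    } else {
        $inherit = [System.Security.AccessControl.InheritanceFlags]::None
    }

    # FullControl + Failure is the .NET equivalent of AccessMask FullControl, AceFlags 0x80
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $identity,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Failure)

    # -Audit is required to load the SACL; without it Get-Acl returns only the DACL.
    $acl = Get-Acl -LiteralPath $Path -Audit
    # AddAuditRule merges with existing entries instead of replacing the whole SACL.
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    return $true
}

function Test-FailureAudit {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path -Audit
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $fail = [System.Security.AccessControl.AuditFlags]::Failure

    # True when some audit entry for Everyone covers FullControl on failure
    $match = $acl.Audit | Where-Object {
        $_.IdentityReference.Value -eq "Everyone" -and
        (($_.AuditFlags -band $fail) -ne 0) -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    return [bool]$match
}

foreach ($item in $items) {
    if (Add-FailureAudit -Path $item) {
        $state = if (Test-FailureAudit -Path $item) { "failure audit present" } else { "MISSING" }
        Write-Host ("{0}: {1}" -f $item, $state)
    }
}
```

A SACL on its own produces nothing in the Security log: the Object Access / File System audit subcategory also has to have failure auditing turned on (for example with auditpol /set /subcategory:"File System" /failure:enable), otherwise the entries are set but no events are ever written.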
 