(improper?) icacls usage leads to CreateProcessWithLogon failure until intervention from Windows GUI

  • Question

  • (I'm not sure if this is the correct place to put this question as it involves a combination of powershell and windows API usage)

    I am using 64-bit Windows 7 Pro and Visual Studio 2015. (I get the same problem on Windows 10 64-bit Enterprise edition.)

    I am trying to add permissions (using icacls.exe) to a directory so that a user has to be part of a group (or an admin or a 'controller') in order to execute an application. Note that I do not want the app-folder to inherit ACLs from its parent, but I do want the child objects of the app-folder to inherit their ACLs from the app-folder. This is what I attempted:

    # $directory, $group and $username are set earlier in the script (not shown here).
    echo "Resetting permissions on ${directory}"
    icacls.exe "${directory}" /C /Q /T /reset
    echo "Removing inheritance on ${directory}"
    icacls.exe "${directory}" /inheritance:r
    # The below are well-known SIDs that are commonly included in the directory permissions.
    # https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
    # The "SYSTEM" and "Administrators" object should have full-control on this directory.
    $system = "S-1-5-18"
    $admins = "S-1-5-32-544"
    $everyone = "S-1-1-0"
    $inherit = "(OI)(CI)"
    echo "Adjusting permissions on ${directory}"
    icacls.exe "${directory}" /C /Q /T /deny "${group}:${inherit}(W,D,WDAC,WO,DC)" `
                              /C /Q /T /deny "${username}:${inherit}(D,DC,WDAC)" `
                              /C /Q /T /grant "*${system}:${inherit}(F)" `
                              /C /Q /T /grant "*${admins}:${inherit}(F)" `
                              /C /Q /T /grant "${username}:${inherit}(RX,W,WO)" `
                              /C /Q /T /grant "${group}:${inherit}(RX)"
    # Reenable inheritance on old child objects of ${directory}
    echo "Re-enable inheritance on ${directory}\*"
    icacls.exe "${directory}\*" /C /Q /T /inheritance:e
    icacls.exe "${directory}\*" /C /Q /T /reset

    After executing the above commands, my application fails to execute CreateProcessWithLogon successfully (error 5, access denied) for an unknown reason. However, it succeeds when I open the security settings of the folder, click Advanced, click Change Permissions, click "Replace all child object permissions with inheritable permissions from this object" and then click Apply/OK. I have tried comparing the icacls.exe output before/after this operation and did not see any differences.

    My code is basically calling LogonUser (with LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT) to get a token so that I can get access to the environment which will be passed to CreateProcessWithLogon. Then CreateProcessWithLogon is called (with LOGON_WITH_PROFILE, CREATE_UNICODE_ENVIRONMENT, and the environment variables retrieved from CreateEnvironmentBlock), but this call fails with error 5. (I tried CREATE_UNICODE_ENVIRONMENT | CREATE_BREAKAWAY_FROM_JOB, as suggested by other Google results, but this also did not make a difference.)

    I am confused as to why this is required and how I'd be able to fix this from the command line since I assumed the equivalent of the GUI operation would have been to run the icacls.exe command with /reset as done above.

    I have created a small project which demonstrates the problem:

    https://www.dropbox.com/s/033mpmuj9hmpoj4/LogonUser.zip?dl=0

    Notes about the project:

    Instructions are in the readme. Everything outside the main function can be ignored, as they are helpers and not relevant. The focus is on the Windows API calls. The executables are already built (use the Release versions), so Visual Studio is not needed. The reason I did not completely use PowerShell was because I ran into problems running the icacls.exe command with an argument path that had spaces in it, but I doubt that this would change anything.

    Monday, October 21, 2019 6:32 PM
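    A way to see what the icacls sequence actually left behind, as an added diagnostic script that is not part of the original post. It assumes it is saved as a .ps1 and run elevated with the app folder as its parameter (the path in the comment is a placeholder). It reports whether the folder itself is protected (inheritance from the parent cut) and which explicit ACEs it carries, then flags every child that is still protected or still carries explicit ACEs of its own. That second list is the thing to watch: icacls /grant and /deny with /T write an explicit copy of the ACE onto every child, and /reset on the children is what is supposed to clear those again. Finally it dumps one SDDL string per object, so the state before and after the GUI operation can be diffed as text instead of compared by eye from icacls output.

```powershell
# Added diagnostic script (not from the original post). Run elevated:
#   .\Check-AppAcl.ps1 -Directory 'C:\path\to\app'     (path is a placeholder)
param(
    [Parameter(Mandatory)] [string] $Directory
)

function Get-AclReport {
    param([string] $Path)
    $acl = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        Protected = $acl.AreAccessRulesProtected           # $true: inheritance from the parent is cut
        Explicit  = @($acl.Access | Where-Object { -not $_.IsInherited })
        Inherited = @($acl.Access | Where-Object { $_.IsInherited })
        Sddl      = $acl.Sddl                              # one string per object; easy to diff between runs
    }
}

# 1. The app folder itself. Expected after the script: Protected = $true and only the
#    explicit ACEs that were granted/denied, in canonical order (explicit Deny before Allow).
$root = Get-AclReport -Path $Directory
Write-Output ("Folder {0}: protected={1}, explicit={2}, inherited={3}" -f
    $root.Path, $root.Protected, $root.Explicit.Count, $root.Inherited.Count)
$root.Explicit |
    Format-Table AccessControlType, IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize

# 2. Every child. Expected: Protected = $false and no explicit ACEs at all.
#    Anything listed here still has a DACL of its own, which is exactly what the GUI's
#    "Replace all child object permissions" button strips.
$odd = Get-ChildItem -LiteralPath $Directory -Recurse -Force | ForEach-Object {
    $r = Get-AclReport -Path $_.FullName
    if ($r.Protected -or $r.Explicit.Count -gt 0) {
        [pscustomobject]@{
            Path         = $r.Path
            Protected    = $r.Protected
            ExplicitAces = ($r.Explicit | ForEach-Object {
                '{0} {1} {2}' -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights }) -join '; '
        }
    }
}
if ($odd) { $odd | Format-Table -AutoSize -Wrap } else { Write-Output 'All children inherit cleanly.' }

# 3. SDDL snapshot of the whole tree. Redirect this to a file before and after the GUI
#    operation and diff the two files; a change in the ACE list, order or flags shows up
#    here even when the icacls summary looks identical.
Get-ChildItem -LiteralPath $Directory -Recurse -Force |
    ForEach-Object { "{0}`t{1}" -f $_.FullName, (Get-AclReport -Path $_.FullName).Sddl }
```

    Run it once after the icacls commands and once after the GUI operation, keeping the SDDL output of each run; if the two runs differ only in children, the difference is in the per-object DACLs rather than in the folder's own entries.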

Answers

  • Essentially, your question is how to use the icacls command to set the permissions you want for your specific application.

    Asking others to download a sample file, reproduce the problem, and fix it for you is kind of a big "ask."

    My recommendation, if you really want better control of permissions from the command line, is to use the SetACL.exe utility (https://helgeklein.com/setacl/).


    -- Bill Stewart [Bill_Stewart]

    • Marked as answer by bsagar3 Friday, October 25, 2019 12:53 PM
    Monday, October 21, 2019 6:44 PM
    Moderator

All replies

  • The first obvious thing is this construct: "${directory}"

    The correct way to specify a variable is "$directory".

    Before trying to guess at using PowerShell by copying code you do not understand, learn basic PowerShell.  Once you have the basics most of your issues will be obvious.

    As Bill has noted - we cannot rewrite your code for you and "Set-Acl" is more PowerShell friendly although iCacls will work if you learn how to write PS code correctly.


    \_(ツ)_/

    Monday, October 21, 2019 8:59 PM
    This will get you closer but you will have to understand the issues presented by the iCacls command line and how to resolve them. Make it work without variables and then determine how to substitute variables. Also the ":" must be escaped in a string when using variables or it will be interpreted wrong.

    Set-Acl is much easier once you understand how to use it.

    help set-acl -online

    $directory = 'your path'
    # $group and $username (account names) are assumed to be set before this point.
    Write-Host "Resetting permissions on $directory"
    icacls.exe "$directory" /C /Q /T /reset
    Write-Host "Removing inheritance on $directory"
    icacls.exe "$directory" /inheritance:r
    
    # The below are well-known SIDs that are commonly included in the directory permissions.
    # https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
    # The "SYSTEM" and "Administrators" object should have full-control on this directory.
    $system = 'S-1-5-18'
    $admins = 'S-1-5-32-544'
    $everyone = 'S-1-1-0'
    $inherit = '(OI)(CI)'
    Write-Host "Adjusting permissions on $directory"
    # "`:" keeps PowerShell from reading "$group:" as a scope/drive qualifier.
    icacls.exe "$directory" /C /Q /T /deny "$group`:$inherit(W,D,WDAC,WO,DC)" `
                               /C /Q /T /grant "*$system`:$inherit(F)" `
                               /C /Q /T /grant "*$admins`:$inherit(F)" `
                               /C /Q /T /grant "$username`:$inherit(RX,W,WO)" `
                               /C /Q /T /grant "$group`:$inherit(RX)"
    
    # Reenable inheritance on old child objects of $directory
    Write-Host "Re-enable inheritance on $directory\*"
    icacls.exe "$directory\*" /C /Q /T /inheritance:e
    icacls.exe "$directory\*" /C /Q /T /reset


    \_(ツ)_/

    • Edited by jrv Monday, October 21, 2019 9:11 PM
    Monday, October 21, 2019 9:09 PM
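    The same policy expressed with Get-Acl/Set-Acl and the .NET FileSystemAccessRule type, as an added example that is not part of the thread (neither the asker's nor jrv's code). It assumes the three parameters are supplied by the caller and run elevated; the group and user names in the comment are placeholders. The folder's DACL is built from scratch with inheritance cut (the icacls /inheritance:r step), then every child is switched back to inheriting and stripped of explicit entries, which is what the GUI's "Replace all child object permissions" button does. The icacls simple rights are mapped onto FileSystemRights in the comments. One caveat that follows from how NTFS evaluates a DACL, stated generally and not as a diagnosis of the original error: explicit Deny entries sit ahead of explicit Allow entries and apply to every member of the denied principal, so if the user is a member of the group, the Deny of Write on the group also removes the Write that is granted to the user individually.

```powershell
# Added example (not code from the thread). Run elevated. Names are placeholders, e.g.:
#   .\Set-AppAcl.ps1 -Directory 'C:\path\to\app' -Group 'DOMAIN\AppUsers' -UserName 'DOMAIN\appsvc'
param(
    [Parameter(Mandatory)] [string] $Directory,
    [Parameter(Mandatory)] [string] $Group,
    [Parameter(Mandatory)] [string] $UserName
)

# Well-known SIDs as IdentityReference objects, so no name lookup is needed.
$system = [System.Security.Principal.SecurityIdentifier] 'S-1-5-18'      # NT AUTHORITY\SYSTEM
$admins = [System.Security.Principal.SecurityIdentifier] 'S-1-5-32-544'  # BUILTIN\Administrators

# icacls "(OI)(CI)": the ACE applies to this folder and is inherited by subfolders and files.
$inherit   = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

function New-Ace {
    param(
        $Identity,                                                     # account name string or IdentityReference
        [System.Security.AccessControl.FileSystemRights] $Rights,
        [System.Security.AccessControl.AccessControlType] $Type = 'Allow'
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, $propagate, $Type)
}

# Build the folder's DACL from an empty DirectorySecurity object. isProtected=$true cuts
# inheritance from the parent; preserveInheritance=$false drops (rather than copies) the
# ACEs that used to be inherited, i.e. icacls /inheritance:r. The object keeps the ACL in
# canonical order (explicit Deny ahead of explicit Allow) regardless of the Add order.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Ace $system   'FullControl'))                              # icacls F
$acl.AddAccessRule((New-Ace $admins   'FullControl'))                              # icacls F
$acl.AddAccessRule((New-Ace $Group    'ReadAndExecute'))                           # icacls RX
$acl.AddAccessRule((New-Ace $UserName 'ReadAndExecute, Write, TakeOwnership'))     # icacls RX,W,WO
# The explicit denies from the original script. icacls simple rights -> FileSystemRights:
#   W=Write  D=Delete  WDAC=ChangePermissions  WO=TakeOwnership  DC=DeleteSubdirectoriesAndFiles
$acl.AddAccessRule((New-Ace $Group    'Write, Delete, ChangePermissions, TakeOwnership, DeleteSubdirectoriesAndFiles' 'Deny'))
$acl.AddAccessRule((New-Ace $UserName 'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions' 'Deny'))
Set-Acl -LiteralPath $Directory -AclObject $acl

# Equivalent of the GUI's "Replace all child object permission entries with inheritable
# permission entries from this object": every child goes back to inheriting and loses any
# explicit ACE of its own, so the folder's DACL is the only thing that matters below it.
Get-ChildItem -LiteralPath $Directory -Recurse -Force | ForEach-Object {
    $child = Get-Acl -LiteralPath $_.FullName
    $child.SetAccessRuleProtection($false, $false)
    foreach ($ace in @($child.Access | Where-Object { -not $_.IsInherited })) {
        [void] $child.RemoveAccessRule($ace)
    }
    Set-Acl -LiteralPath $_.FullName -AclObject $child
}
```

    Because the rules are typed .NET objects rather than a command line, the quoting and ":" escaping problems from the icacls version do not arise, and paths with spaces are passed through -LiteralPath unchanged. The resulting entries can be inspected with (Get-Acl -LiteralPath $Directory).Access, or as a single string with (Get-Acl -LiteralPath $Directory).Sddl.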
  • I replaced the icacls command with setacl which seemed to do the trick for me. Thanks!

    I didn't mean for the project to sound like: "Here's my homework, please fix", but I can see how my post comes off that way. I was very confused because the permissions looked right to me and I was still getting "Access denied" errors, and I needed a sanity check which is why I took some time to isolate and boil down the problem a lot. But you're right in that the real issue was most probably with how I was using icacls.

    Friday, October 25, 2019 12:53 PM
  • Thank you for your help!

    I removed the "${}" occurrences, but wasn't able to find the problem with how I was using icacls since I took the time to look up and use setacl.

    Friday, October 25, 2019 12:55 PM