# https://community.spiceworks.com/topic/415037-replace-all-child-object-permissions-powershell
# https://powertoe.wordpress.com/2010/08/28/controlling-registry-acl-permissions-with-powershell/
<#
.SYNOPSIS
    Replaces the DACL on the Sysmon event-provider registry key so that only
    SYSTEM and one chosen identity can modify it; everyone else gets read-only.
.PARAMETER IdentityReference
    Account that keeps FullControl on the key next to SYSTEM, e.g.
    'DOMAIN\SysmonAdmins' or an NTAccount/SecurityIdentifier object.
    It must resolve to a SID on this host.
.NOTES
    Rewriting a DACL under HKLM needs write-DAC rights on the key, so this is
    typically run from an elevated session.
#>
param (
    [Parameter(Mandatory = $true)] $IdentityReference
)
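function GetAcl{
    <#
    .SYNOPSIS
        Builds the replacement DACL for the Sysmon event-provider registry key.
    .DESCRIPTION
        Returns a fresh RegistrySecurity object holding exactly three Allow rules,
        each propagating to subkeys and values (ContainerInherit,ObjectInherit):
          - SYSTEM              : FullControl
          - $IdentityReference  : FullControl
          - Authenticated Users : ReadKey
        Inheritance from the parent key is switched off WITHOUT preserving the
        inherited rules (SetAccessRuleProtection($true, $false)). Because the
        object starts empty, applying it with Set-Acl replaces the key's DACL
        wholesale: any other principal that had access - BUILTIN\Administrators
        included - is no longer listed. That is the point of the hardening, but
        it raises the bar rather than closing the door: the key's owner is not
        set here, and an administrator can still take ownership (SeTakeOwnershipPrivilege)
        and re-grant themselves access.
    .PARAMETER IdentityReference
        Account (string such as 'DOMAIN\SysmonAdmins', or an NTAccount /
        SecurityIdentifier) that keeps FullControl alongside SYSTEM. It must
        resolve to a SID on this host.
    .OUTPUTS
        System.Security.AccessControl.RegistrySecurity
    .NOTES
        Throws a terminating error when $IdentityReference cannot be resolved.
        The previous version only printed a message and returned nothing, so the
        caller went on to pipe an empty value into Set-Acl despite saying "Exiting".
    #>
    param(
        [Parameter(Mandatory)] $IdentityReference
    )
    $inherit   = 'ContainerInherit,ObjectInherit'
    $propagate = 'None'
    $security  = New-Object System.Security.AccessControl.RegistrySecurity

    $security.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule ("SYSTEM", "FullControl", $inherit, $propagate, 'Allow')))
    try{
        # AddAccessRule is where the identity gets translated to a SID, so an
        # unknown account surfaces here (IdentityNotMappedException), not at New-Object.
        $security.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule ($IdentityReference, "FullControl", $inherit, $propagate, 'Allow')))
    }catch{
        Write-Host "[!] Error adding '$IdentityReference' to ACL. Does it exist? Exiting."
        # Terminate instead of returning $null so no partial/empty ACL ever reaches Set-Acl.
        throw "Failed to add '$IdentityReference' to the ACL: $($_.Exception.Message)"
    }
    $security.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule ("Authenticated Users", "ReadKey", $inherit, $propagate, 'Allow')))
    # $true  -> stop inheriting from the parent key
    # $false -> do not copy the previously inherited rules into this DACL
    $security.SetAccessRuleProtection($true, $false)
    return $security
}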
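# Registry key holding the event-provider registration this script is named for
# (the GUID is the provider id). Replacing its DACL is what stops a local admin
# from quietly editing or unregistering the provider - but note it only raises
# the bar: the owner is untouched, so ownership can still be taken back.
$Key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"

if (-not (Test-Path -LiteralPath $Key)) {
    Write-Host "[!] '$Key' not found. Is Sysmon installed? Exiting."
    exit 1
}

$Acl = GetAcl -IdentityReference $IdentityReference
if ($null -eq $Acl) {
    # GetAcl already printed why; without this guard nothing would be piped
    # into Set-Acl, which then errors or prompts for -AclObject instead of exiting.
    exit 1
}

# Keep the current descriptor for rollback: the new DACL drops every existing
# rule (BUILTIN\Administrators included) in favour of SYSTEM, the chosen
# identity, and read-only Authenticated Users.
$Before = (Get-Acl -LiteralPath $Key).Sddl
Write-Host "[*] Previous SDDL (keep for rollback): $Before"

# Needs write-DAC on the key (run elevated). -ErrorAction Stop makes a refused
# write a terminating error rather than a silently skipped step.
$Acl | Set-Acl -LiteralPath $Key -ErrorAction Stop
Write-Host "[+] Applied new DACL to '$Key'."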