private void ProcessName()
{
foreach (string right in Name)
{
WriteVerbose($"Getting current membership for the privilege/right '{right}'");
IdentityReference[] actualMembers;
try
{
actualMembers = Lsa.EnumerateAccountsWithUserRight(_lsa, right).ToArray();
}
catch (ArgumentException e)
{
WriteError(new ErrorRecord(e, "InvalidPrivilegeRightName", ErrorCategory.InvalidArgument, right));
continue;
}
if (actualMembers.Length > 0)
{
WriteVerbose($"Privilege/right '{right}' contains members, removing");
foreach (IdentityReference member in actualMembers)
{
if (ShouldProcess(member.Value, $"Remove from the rights {right}"))
{
Lsa.RemoveAccountRights(_lsa, member, new string[] { right });
}
}
}
else
{
WriteVerbose($"Privilege/right '{right}' has no members, no action required");
}
}
}
protected override void ProcessRecord()
{
foreach (string right in Name)
{
List <SecurityIdentifier> actualMembers;
try
{
actualMembers = Lsa.EnumerateAccountsWithUserRight(_lsa, right);
}
catch (ArgumentException e)
{
WriteError(new ErrorRecord(e, "InvalidPrivilegeRightName", ErrorCategory.InvalidArgument, right));
continue;
}
SecurityIdentifier[] toChange = CalculateChanges(actualMembers);
foreach (SecurityIdentifier id in toChange)
{
if (!_setInfo.ContainsKey(id))
{
_setInfo[id] = new List <string>();
}
_setInfo[id].Add(right);
}
}
}
static void Main(string[] args)
{
Console.WriteLine(new Lsa().AccessEnabled);
return;
Trace.Listeners.Add(new ConsoleTraceListener());
var lsa = new Lsa();
Console.WriteLine("AccessEnabled = " + lsa.AccessEnabled);
foreach (var user in lsa.AllowLogonLocally)
{
Console.Write(user);
Console.Write(" = ");
try
{
Console.WriteLine(new SecurityIdentifier(user).Translate(typeof(NTAccount)));
}
catch (Exception ex)
{
Console.WriteLine(ex.GetType().Name);
}
}
Console.WriteLine("-end-");
if (args.Length == 0)
{
lsa.AccessEnabled = true;
}
else
{
lsa.AccessEnabled = false;
}
}
private void Dispose(bool disposing)
{
if (this._lsaHandle != IntPtr.Zero)
{
int num = (int)Lsa.LsaDeregisterLogonProcess(this._lsaHandle);
this._lsaHandle = IntPtr.Zero;
}
if (!disposing)
{
return;
}
GC.SuppressFinalize((object)this);
}
static void SetLogonAsAServicePrivilege(UserAccount userAccount)
{
if (!userAccount.Domain.Equals("NT AUTHORITY", StringComparison.OrdinalIgnoreCase))
{
var privileges = Lsa.GetPrivileges(userAccount.QualifiedName).ToList();
if (!privileges.Contains(LogonPrivileges.LogonAsAService, StringComparer.OrdinalIgnoreCase))
{
privileges.Add(LogonPrivileges.LogonAsAService);
Lsa.GrantPrivileges(userAccount.QualifiedName, privileges.ToArray());
}
}
}
public TicketsManager()
{
WinStatusCodes winStatusCodes1 = Lsa.LsaConnectUntrusted(out this._lsaHandle);
if (winStatusCodes1 != WinStatusCodes.STATUS_SUCCESS)
{
throw new Exception("LsaConnectUntrusted failed with NTSTATUS code: " + (object)winStatusCodes1 + " (0x" + winStatusCodes1.ToString("x8") + ")");
}
WinStatusCodes winStatusCodes2 = Lsa.LsaLookupAuthenticationPackage(this._lsaHandle, ref new LsaStringWrapper("Kerberos")._string, out this._kerberosPackageId);
if (winStatusCodes2 != WinStatusCodes.STATUS_SUCCESS)
{
throw new Exception("LsaLookupAuthenticationPackage failed with NTSTATUS code: " + (object)winStatusCodes2 + " (0x" + winStatusCodes2.ToString("x") + ")");
}
}
public void ChangeAccountDetails(string serviceAccount, string servicePassword)
{
var userAccount = UserAccount.ParseAccountName(serviceAccount);
if (!(userAccount.IsLocalService() || userAccount.IsLocalService()))
{
var privileges = Lsa.GetPrivileges(userAccount.QualifiedName).ToList();
if (!privileges.Contains(LogonPrivileges.LogonAsAService, StringComparer.OrdinalIgnoreCase))
{
privileges.Add(LogonPrivileges.LogonAsAService);
Lsa.GrantPrivileges(userAccount.QualifiedName, privileges.ToArray());
}
}
var objPath = $"Win32_Service.Name='{ServiceName}'";
using (var win32Service = new ManagementObject(new ManagementPath(objPath)))
{
var inParams = win32Service.GetMethodParameters("Change");
inParams["StartName"] = ConvertAccountNameToServiceAccount(userAccount.QualifiedName);
inParams["StartPassword"] = servicePassword;
var outParams = win32Service.InvokeMethod("Change", inParams, null);
if (outParams == null)
{
throw new ManagementException($"Failed to set account credentials service {ServiceName}");
}
var wmiReturnCode = Convert.ToInt32(outParams["ReturnValue"]);
if (wmiReturnCode != 0)
{
var message = (wmiReturnCode < Win32ChangeErrorMessages.Length)
? $"Failed to change service credentials on service {ServiceName} - {Win32ChangeErrorMessages[wmiReturnCode]}"
: "An unknown error occurred";
if (wmiReturnCode == 22)
{
message += $"( AccountName {userAccount.QualifiedName} converted to {ConvertAccountNameToServiceAccount(userAccount.QualifiedName)})";
}
throw new ManagementException(message);
}
}
}
private void ProcessAccount()
{
foreach (IdentityReference acct in Account)
{
WriteVerbose($"Getting current rights for '{acct.Value}'");
string[] rights = Lsa.EnumerateAccountRights(_lsa, acct).ToArray();
if (rights.Length > 0)
{
WriteVerbose($"Removing all rights for account '{acct.Value}'");
if (ShouldProcess(acct.Value, "Remove all rights"))
{
Lsa.RemoveAllAccountRights(_lsa, acct);
}
}
else
{
WriteVerbose($"Account '{acct.Value} does not have any rights, no action required");
}
}
}
public bool PurgeTicket(Ticket ticket)
{
byte[] bytes1 = Encoding.Unicode.GetBytes(ticket.ServerName + "\0");
byte[] bytes2 = Encoding.Unicode.GetBytes(ticket.RealmName + "\0");
int cb = 28 + bytes1.Length + bytes2.Length;
IntPtr num = Marshal.AllocHGlobal(cb);
IntPtr destination1 = new IntPtr(num.ToInt64() + 28L);
IntPtr destination2 = new IntPtr(num.ToInt64() + 28L + (long)bytes1.Length);
Marshal.Copy(bytes1, 0, destination1, bytes1.Length);
Marshal.Copy(bytes2, 0, destination2, bytes2.Length);
UNICODE_STRING unicodeString1;
unicodeString1.Length = (ushort)(bytes1.Length - 2);
unicodeString1.MaximumLength = (ushort)bytes1.Length;
unicodeString1.Buffer = destination1;
UNICODE_STRING unicodeString2;
unicodeString2.Length = (ushort)(bytes2.Length - 2);
unicodeString2.MaximumLength = (ushort)bytes2.Length;
unicodeString2.Buffer = destination2;
KERB_PURGE_TKT_CACHE_REQUEST purgeTktCacheRequest;
purgeTktCacheRequest.MessageType = KERB_PROTOCOL_MESSAGE_TYPE.KerbPurgeTicketCacheMessage;
purgeTktCacheRequest.ServerName = unicodeString1;
purgeTktCacheRequest.RealmName = unicodeString2;
purgeTktCacheRequest.LogonId = 0L;
Marshal.StructureToPtr((object)purgeTktCacheRequest, num, false);
uint ProtocolStatus;
WinStatusCodes winStatusCodes = Lsa.LsaPurgeTickets(this._lsaHandle, this._kerberosPackageId, num, (uint)cb, out IntPtr _, out uint _, out ProtocolStatus);
Marshal.FreeHGlobal(num);
if (winStatusCodes != WinStatusCodes.STATUS_SUCCESS)
{
throw new Exception("LsaCallAuthenticationPackage (LsaGetTickets) failed with NTSTATUS code: " + (object)winStatusCodes + " (0x" + winStatusCodes.ToString("x8") + ")");
}
return(ProtocolStatus == 0U);
}
public List <Ticket> GetTickets()
{
List <Ticket> ticketList = new List <Ticket>();
KERB_QUERY_TKT_CACHE_REQUEST ProtocolSubmitBuffer;
ProtocolSubmitBuffer.MessageType = KERB_PROTOCOL_MESSAGE_TYPE.KerbQueryTicketCacheMessage;
ProtocolSubmitBuffer.LogonId = 0L;
IntPtr ProtocolReturnBuffer;
WinStatusCodes tickets = Lsa.LsaGetTickets(this._lsaHandle, this._kerberosPackageId, ref ProtocolSubmitBuffer, 12U, out ProtocolReturnBuffer, out uint _, out uint _);
if (tickets != WinStatusCodes.STATUS_SUCCESS)
{
throw new Exception("LsaCallAuthenticationPackage (LsaGetTickets) failed with NTSTATUS code: " + (object)tickets + " (0x" + tickets.ToString("x8") + ")");
}
KERB_QUERY_TKT_CACHE_RESPONSE structure1 = (KERB_QUERY_TKT_CACHE_RESPONSE)Marshal.PtrToStructure(ProtocolReturnBuffer, typeof(KERB_QUERY_TKT_CACHE_RESPONSE));
KERB_TICKET_CACHE_INFO kerbTicketCacheInfo = new KERB_TICKET_CACHE_INFO();
for (int index = 0; (long)index < (long)structure1.CountOfTickets; ++index)
{
KERB_TICKET_CACHE_INFO structure2 = (KERB_TICKET_CACHE_INFO)Marshal.PtrToStructure(new IntPtr(ProtocolReturnBuffer.ToInt64() + 8L + (long)(index * 48)), typeof(KERB_TICKET_CACHE_INFO));
ticketList.Add(new Ticket()
{
ServerName = Helper.GetStringFromUNICODE_STRING(structure2.ServerName),
RealmName = Helper.GetStringFromUNICODE_STRING(structure2.RealmName),
StartTime = Helper.GetDateTimeFromFILETIME(structure2.StartTime),
EndTime = Helper.GetDateTimeFromFILETIME(structure2.EndTime),
RenewTime = Helper.GetDateTimeFromFILETIME(structure2.RenewTime),
EncryptionType = structure2.EncryptionType,
TicketFlags = (Ticket.KerbTicketFlags)structure2.TicketFlags
});
}
if (ProtocolReturnBuffer != IntPtr.Zero)
{
int num = (int)Lsa.LsaFreeReturnBuffer(ProtocolReturnBuffer);
}
return(ticketList);
}
protected override void BeginProcessing()
{
WriteVerbose($"Opening handle to LSA with {AccessMask}");
_lsa = Lsa.OpenPolicy(ComputerName, AccessMask);
}
protected override void ProcessRecord()
{
// Will be invalid if it failed to be opened in begin.
if (_lsa.IsInvalid)
{
return;
}
if (Account == null && Name.Length == 0)
{
Name = PrivilegeHelper.ALL_PRIVILEGES.Concat(Lsa.ALL_RIGHTS.Keys).ToArray();
}
else if (Account != null)
{
string[] accountRights = Lsa.EnumerateAccountRights(_lsa, Account).ToArray();
if (Name.Length > 0)
{
accountRights = accountRights.Intersect(Name).ToArray();
}
Name = accountRights;
}
WriteVerbose("Getting details for the following rights: " + String.Join(", ", Name));
foreach (string right in Name)
{
string description = "";
if (Lsa.ALL_RIGHTS.ContainsKey(right))
{
description = Lsa.ALL_RIGHTS[right];
}
else if (PrivilegeHelper.CheckPrivilegeName(right))
{
description = PrivilegeHelper.GetPrivilegeDisplayName(right);
}
else
{
WriteWarning($"Unknown right {right}, cannot get description");
}
WriteVerbose($"Enumerating accounts with the privilege/rights '{right}'");
IdentityReference[] rightAccounts;
try
{
rightAccounts = Lsa.EnumerateAccountsWithUserRight(_lsa, right)
.Select(i => TranslateIdentity(i, IdentityType))
.ToArray();
}
catch (ArgumentException e)
{
WriteError(new ErrorRecord(e, "InvalidPrivilegeRightName", ErrorCategory.InvalidArgument, right));
continue;
}
WriteObject(new Right()
{
Name = right,
ComputerName = ComputerName,
Description = description,
Accounts = rightAccounts,
});
}
}
