Set permissions with VBScript & Secedit

Before we dive into how to apply permissions with VBScript, we must first understand what secedit is. The secedit tool comes by default with Windows Os. Secedit configures and analyzes system security by comparing your current security configuration against specified security templates.

To apply permissions with secedit, all that is required is an .inf file which specifies which folders or registry needs to be targeted for permissions.

There is a whole article regarding Access Control on Microsoft docs where you can find all the necessary information to create the .inf file according to your needs.

Once the .inf file is created, the following command line must be used to call secedit in order to apply the permissions:

secedit.exe /configure /db "%InstallDirectory%\secrigh.sdb" /cfg %InstallDirectory%\secrigh.inf /overwrite /quiet


Now that we know how secedit works, we can implement the following logic into a VBScript. The VBScript will create the .inf file, apply the permissions with secedit, and delete the resulted .sdb and .inf files. The code for the script is as follows:

On Error Resume Next

Dim host, strini, strFile, strLine

WrkDir = "C:\Program Files\MyApplication"

Set fso = CreateObject("Scripting.FileSystemObject")
set oSH = CreateObject("WScript.Shell")

Set f = fso.CreateTextFile(WrkDir & "\secrigh.inf", True)

f.WriteLine "[Unicode]"
f.WriteLine "Unicode=No"
f.WriteLine "[Version]"
f.WriteLine "signature=" + QStr("$CHICAGO$")
f.WriteLine "Revision=1"
f.WriteLine "[File Security]"
f.WriteLine QStr(WrkDir) + ",0," + QStr("D:AR(A;OICINP;0x1301ff;;;AU)")

cmd = "secedit.exe /configure /db " + QStr(WrkDir & "\secrigh.sdb") + " /cfg " + QStr(WrkDir & "\secrigh.inf") & " /overwrite /quiet"
returnVal = osh.Run (cmd, 0, true)

function QStr(S)
QStr = """" + S + """"
end function

Leave a comment

Your email address will not be published. Required fields are marked *

fourteen + 7 =