Cannot remove executable from folders inherent to prevent malware from execute


    • #232954
      Participant
      Topics: 1
      Replies: 0
      Points: 12
      Rank: Member

      Hi guys.
      Normally I’m a Unix guy, but all our environment’s clients run Windows 10 – so I needed a little PowerShell script. After being hit twice in the hosting center with malware – I talked with some guys who were talking about removing the executable bit in some folders. So that’s the why 🙂
      OS: Windows10 Pro – 64Bit v.1909

      My script is quite simple – but I’m getting stuck on an error:

      ## Changing permission on Folders
      $Acl = Get-Acl C:\Windows\Temp 
      $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("AUTHORITY\SYSTEM","Execute","Allow")
      $Acl.RemoveAccessRule($AccessRule)
      $Acl | Set-Acl C:\Windows\Temp

      When running this script – I’m just getting this error:

      Exception calling "RemoveAccessRule" with "1" argument(s): "Some or all Identities could not be translated."
      At C:\Users\pbj\Powershell\update.ps1:14 char:1
      + $Acl.RemoveAccessRule($AccessRule)
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
      + FullyQualifiedErrorId : IdentityNotMappedException

      And I do not get this problem – since I’ve tried following several guides etc online from these:
      https://blog.netwrix.com/2018/04/18/how-to-manage-file-system-acls-with-powershell-scripts/#How%20to%20remove%20user%20permissions
      https://blog.netwrix.com/2018/05/17/powershell-file-management/

      But unfortunately I’m not getting this to work – and have probably blinded myself by looking at it for some time!

      Thanks in advance

    • #233038
      Participant
      Topics: 3
      Replies: 421
      Points: 1,479
      Helping Hand
      Rank: Community Hero

      Read the error message and it will tell you exactly the problem. It can’t translate “some or all” of the identities. Your code is only referring to one identity. Try this instead.

      ## Changing permission on Folders
      $Acl = Get-Acl C:\Windows\Temp 
      $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM","Execute","Allow")
      $Acl.RemoveAccessRule($AccessRule)
      $Acl | Set-Acl C:\Windows\Temp
      

      Hope it helps.
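
An added example, not part of either post: the identity is resolved from the well-known SID for Local System (S-1-5-18) rather than a typed account name, and the script reports whether the matching ACEs are explicit or inherited before changing anything. The scratch folder `acl-demo` under `$env:TEMP` is an assumption made for the demonstration.

```powershell
# Added example. $Path is a scratch folder created for this demo (assumption).
$Path = Join-Path $env:TEMP 'acl-demo'
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Build the identity from the well-known SID S-1-5-18 instead of a name string,
# so a missing "NT " prefix or a localized account name cannot break the lookup.
$sid = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
try {
    # Translate() throws IdentityNotMappedException when the identity is unknown.
    $account = $sid.Translate([System.Security.Principal.NTAccount])
    "Resolved $sid to $account"
} catch [System.Security.Principal.IdentityNotMappedException] {
    throw "Identity $sid could not be translated on this machine."
}

$acl = Get-Acl -Path $Path

# List the ACEs for that identity; IsInherited shows where each one comes from.
$acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
    Format-Table FileSystemRights, AccessControlType, IsInherited, InheritanceFlags

# ExecuteFile is the FileSystemRights member for the execute/traverse bit.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Compare the DACL before and after: RemoveAccessRule edits explicit ACEs only,
# so an ACL made up of inherited ACEs comes back unchanged.
$before = $acl.GetSecurityDescriptorSddlForm('Access')
[void]$acl.RemoveAccessRule($rule)
$after = $acl.GetSecurityDescriptorSddlForm('Access')

if ($after -eq $before) {
    "No explicit ACE for $account carried ExecuteFile; nothing was written."
    "Inherited ACEs have to be changed on the parent folder."
} else {
    Set-Acl -Path $Path -AclObject $acl
    "Updated DACL written to $Path"
}
```

Run it from an elevated PowerShell 5.1 or later session; on a freshly created folder the table normally shows only inherited ACEs, which is the case where `RemoveAccessRule` has nothing to edit.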
