Set-Privilege.ps1
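<#PSScriptInfo

.VERSION 1.1.1

.GUID 84990677-60ab-4984-9de1-fcfc19f5209d

.AUTHOR Pyprohly

.TAGS Security, Privilege, TokenPrivilege

.RELEASENOTES
1.1.1 | 2017-03-29
    Set-Privilege 'Privilege' parameter renamed to 'Name'. 'PrivilegeName' is an alias.
1.1.0 | 2017-03-26
    Set-Privilege called if script is invoked and not dot sourced
    Set-Privilege '-Privilege' argument no longer requires "Se" and "Privilege" affixes
    LookupPrivilegeValue function signature parameter 'pluid' modifier changed from 'ref' to 'out'
1.0 | 2017-03-25
    Initial release

#>

<#
.DESCRIPTION
Toggle privileges for the current PowerShell session.
#>


function Set-Privilege {
    <#
    .SYNOPSIS
    Enables or disables token privileges for the current PowerShell process.

    .DESCRIPTION
    Resolves each privilege name to its numeric value with LookupPrivilegeValue
    and passes that value to ntdll!RtlAdjustPrivilege with IsThreadPrivilege set
    to $false. One Boolean is written per requested name: $true when the call
    returned status 0, otherwise $false.

    .PARAMETER Name
    One or more privilege names, either in full ('SeDebugPrivilege') or without
    the 'Se' prefix and 'Privilege' suffix ('Debug'). 'TrustedComputingBase' is
    accepted as a synonym for 'SeTcbPrivilege'.

    .PARAMETER Disable
    Disable the named privileges instead of enabling them.

    .OUTPUTS
    System.Boolean

    .NOTES
    Adjusting a privilege does not grant it: a privilege that is not present in
    the token cannot be enabled, and the function then returns $false.
    An enabled privilege stays enabled until it is disabled again or the process
    exits, so enable sensitive privileges only for as long as the task needs
    them and call Set-Privilege -Disable afterwards.
    The previous state reported by RtlAdjustPrivilege is discarded.
    #>
    [OutputType('System.Boolean')]
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet(
            'SeAssignPrimaryTokenPrivilege', 'AssignPrimaryToken',
            'SeAuditPrivilege', 'Audit',
            'SeBackupPrivilege', 'Backup',
            'SeChangeNotifyPrivilege', 'ChangeNotify',
            'SeCreateGlobalPrivilege', 'CreateGlobal',
            'SeCreatePagefilePrivilege', 'CreatePagefile',
            'SeCreatePermanentPrivilege', 'CreatePermanent',
            'SeCreateSymbolicLinkPrivilege', 'CreateSymbolicLink',
            'SeCreateTokenPrivilege', 'CreateToken',
            'SeDebugPrivilege', 'Debug',
            'SeEnableDelegationPrivilege', 'EnableDelegation',
            'SeImpersonatePrivilege', 'Impersonate',
            'SeIncreaseBasePriorityPrivilege', 'IncreaseBasePriority',
            'SeIncreaseQuotaPrivilege', 'IncreaseQuota',
            'SeIncreaseWorkingSetPrivilege', 'IncreaseWorkingSet',
            'SeLoadDriverPrivilege', 'LoadDriver',
            'SeLockMemoryPrivilege', 'LockMemory',
            'SeMachineAccountPrivilege', 'MachineAccount',
            'SeManageVolumePrivilege', 'ManageVolume',
            'SeProfileSingleProcessPrivilege', 'ProfileSingleProcess',
            'SeRelabelPrivilege', 'Relabel',
            'SeRemoteShutdownPrivilege', 'RemoteShutdown',
            'SeRestorePrivilege', 'Restore',
            'SeSecurityPrivilege', 'Security',
            'SeShutdownPrivilege', 'Shutdown',
            'SeSyncAgentPrivilege', 'SyncAgent',
            'SeSystemEnvironmentPrivilege', 'SystemEnvironment',
            'SeSystemProfilePrivilege', 'SystemProfile',
            'SeSystemtimePrivilege', 'SystemTime',
            'SeTakeOwnershipPrivilege', 'TakeOwnership',
            'SeTcbPrivilege', 'Tcb', 'TrustedComputingBase',
            'SeTimeZonePrivilege', 'TimeZone',
            'SeTrustedCredManAccessPrivilege', 'TrustedCredManAccess',
            'SeUndockPrivilege', 'Undock',
            'SeUnsolicitedInputPrivilege', 'UnsolicitedInput'
        )]
        [Alias('PrivilegeName')]
        [string[]]
        $Name,

        [switch]
        $Disable
    )

    begin {
        # Compile the P/Invoke wrapper only once per session; a second Add-Type
        # for a type name that already exists is at best redundant.
        if (-not ('AdjPriv.Privilege' -as [type])) {
            # NOTE(review): RtlAdjustPrivilege returns a 32-bit NTSTATUS; the
            # IntPtr return type is kept unchanged here - confirm before narrowing.
            $signature = @(
                '[DllImport("ntdll.dll", EntryPoint = "RtlAdjustPrivilege")]'
                'public static extern IntPtr SetPrivilege(int Privilege, bool bEnablePrivilege, bool IsThreadPrivilege, out bool PreviousValue);'
                ''
                '[DllImport("advapi32.dll")]'
                'public static extern bool LookupPrivilegeValue(string host, string name, out long pluid);'
            ) -join "`n"
            Add-Type -MemberDefinition $signature -Namespace AdjPriv -Name Privilege
        }

        # Expand a short name to the full 'Se...Privilege' constant.
        function PrivConst ($str) {
            if ($str -eq 'TrustedComputingBase') {
                return 'SeTcbPrivilege'
            }
            if ($str -match '^Se.*Privilege$') {
                return $str
            }
            "Se${str}Privilege"
        }
    }

    process {
        foreach ($priv in $Name) {
            $privName = PrivConst $priv
            [long]$privId = 0

            # The lookup can fail (for example when the running system does not
            # define the name). Without this check the adjust call below would be
            # made with privilege value 0 instead of the requested privilege.
            if (-not [AdjPriv.Privilege]::LookupPrivilegeValue($null, $privName, [ref]$privId)) {
                Write-Warning "LookupPrivilegeValue failed for '$privName'; privilege not adjusted."
                $false
                continue
            }

            # IsThreadPrivilege = $false; the previous state is not needed.
            $status = [AdjPriv.Privilege]::SetPrivilege($privId, (-not $Disable), $false, [ref]$null)

            # Status 0 means the adjustment succeeded.
            [long]$status -eq 0
        }
    }
}

# When the script is run rather than dot-sourced, call the function directly.
# Arguments given to the script are forwarded; with none, the mandatory -Name
# parameter is prompted for as before.
if ($MyInvocation.InvocationName -ne '.') {
    Set-Privilege @args
}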