DCOM Security using a batch file

Submitted by 回眸只為那壹抹淺笑 on 2019-12-06 12:21:01

I recently had the need to create a batch script to grant default Local Activation permissions so that I could run an out-of-process COM component on Windows Azure. After much research, I used a tool called RegFromApp (download link is near bottom of page) to see what changes were made in the Windows Registry when I granted the aforementioned permissions on a Windows Server 2008 R2 VM. Here are the steps I used to determine what changes to make to the registry...

  1. Entered dcomcnfg in the Command Prompt to launch Component Services
  2. Launched RegFromApp program
  3. In RegFromApp, selected the mmc.exe process and clicked OK to inspect what changes it would make to registry
  4. Back in Component Services, expanded Component Services item in left panel
  5. Expanded Computers item in left panel
  6. Right-clicked My Computer item in left panel and selected Properties from popup menu
  7. Selected COM Security tab
  8. In Launch and Activation Permissions box, clicked Edit Default button
  9. Clicked Add button
  10. Entered IIS_IUSRS in empty box, clicked Check Names button and clicked OK button
  11. Ticked Allow for Local Activation and clicked OK button
  12. Clicked Apply button then OK button
  13. Back in RegFromApp program, clicked Save As from the File menu to save registry changes as SetDCOMPermission.reg file

Having recorded the registry changes in a .reg file (i.e. the DefaultLaunchPermission value was modified in the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE] key), I wrote the following batch script to register my COM component and apply the changes to the registry by running my .reg file...

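```bat
rem Switch the console code page to 1252 and discard the output
chcp 1252>NUL
rem Register the out-of-process COM component
OleAutomationFeasibilityModel.exe /regserver
rem Silently import the recorded DefaultLaunchPermission change
regedit.exe /s SetDCOMPermission.reg
exit /b 0
```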

I'm sure you could use a similar technique to record the necessary registry changes for what you're trying to achieve in a .reg file and run this file from a batch script.

Hope that helps!
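Importing the recorded .reg file overwrites the machine-wide DefaultLaunchPermission value with a binary security descriptor, so it is worth decoding that value before and after the import to see which accounts hold which COM rights. The PowerShell below is an added example, not part of the original answer; the function name `Get-DcomAclEntry` and the sample descriptor are constructed for illustration.

```powershell
# COM access-right bits (COM_RIGHTS_* constants from the Windows SDK).
$ComRights = [ordered]@{
    Execute        = 0x01
    LocalLaunch    = 0x02
    RemoteLaunch   = 0x04
    LocalActivate  = 0x08
    RemoteActivate = 0x10
}

# Hypothetical helper: decode a binary security descriptor into one row per ACE.
function Get-DcomAclEntry {
    param([Parameter(Mandatory)][byte[]]$Descriptor)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Descriptor, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # unresolvable SID: show it raw
        $mask = $ace.AccessMask
        $granted = $ComRights.Keys | Where-Object { $mask -band $ComRights[$_] }
        [pscustomobject]@{
            Type    = $ace.AceType
            Account = $name
            Rights  = $granted -join ', '
            # 0x14 = RemoteLaunch | RemoteActivate; flag any ACE that allows remote use
            Remote  = [bool]($mask -band 0x14)
        }
    }
}

# Constructed sample: a single allow ACE for BUILTIN\IIS_IUSRS (S-1-5-32-568)
# with Execute + LocalActivate (0x9). Not taken from a real machine.
$sample = New-Object System.Security.AccessControl.RawSecurityDescriptor(
    'O:BAG:BAD:(A;;0x9;;;S-1-5-32-568)')
$bytes = New-Object byte[] $sample.BinaryLength
$sample.GetBinaryForm($bytes, 0)
Get-DcomAclEntry -Descriptor $bytes | Format-Table -AutoSize

# On a real host, decode the live value if it is present.
$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
if ($ole -and $ole.DefaultLaunchPermission) {
    Get-DcomAclEntry -Descriptor $ole.DefaultLaunchPermission | Format-Table -AutoSize
}
```

Comparing the output from before and after running the batch script shows whether the import changed anything beyond the intended IIS_IUSRS entry.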

I'm not aware of any 3rd party tool that allows you to create ACLs programmatically. In the past I've only ever seen this done using custom tooling, e.g. VBScript & a C++ COM component or a native command line tool.

If you do want to go down this route then Keith Brown's Programming Windows Security is an excellent book on the topic, if a little old these days. It's what I used to work on just such a component some years ago.
