Are there any methods to change the Access Permissions for COM Security using a batch file?
I need to write new values to "Edit Limits..." and "Edit Default..." in both "Access Permissions" and "Launch and Activation Permissions" using a batch script.
I'm using Windows XP machines with Service Pack 2 and 3.
Thank you.
I'm not aware of any 3rd party tool that allows you to create ACL's programmatically. In the past I've only ever seen this done using custom tooling, e.g. VBScript & a C++ COM component or a native command line tool.
If you do want to go down this route then Keith Brown's Programming Windows Security is an excellent book on the topic, if a little old these days. It's what I used to work on just such a component some years ago.
I recently had the need to create a batch script to grant default Local Activation permissions so that I could run an out-of-process COM component on Windows Azure. After much research, I used a tool called RegFromApp (download link is near bottom of page) to see what changes were made in the Windows Registry when I granted the aforementioned permissions on a Windows Server 2008 R2 VM. Here are the steps I used to determine what changes to make to the registry...
- Entered
dcomcnfg
in the Command Prompt to launch Component
Services
- Launched RegFromApp program
- In RegFromApp, selected the mmc.exe process and clicked OK to inspect what changes it would make to registry
- Back in Component Services, expanded Component Services item in left panel
- Expanded Computers item in left panel
- Right-clicked My Computer item in left panel and selected Properties
from popup menu
- Selected COM Security tab
- In Launch and Activation Permissions box, clicked Edit Default
button
- Clicked Add button
- Entered
IIS_IUSRS
in empty box, clicked Check Names button and
clicked OK button
- Ticked Allow for Local Activation and clicked OK button
- Clicked Apply button then OK button
- Back in RegFromApp program, clicked Save As from the File menu to save registry
changes as
SetDCOMPermission.reg
file
Having recorded the registry changes in a .reg file (i.e. the DefaultLaunchPermission value was modified in the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE] key), I wrote the following batch script to register my COM component and apply the changes to the registry by running my .reg file...
chcp 1252>NUL
OleAutomationFeasibilityModel.exe /regserver
regedit.exe /s SetDCOMPermission.reg
exit /b 0
I'm sure you could use a similar technique to record the necessary registry changes for what you're trying to achieve in a .reg file and run this file from a batch script.
Hope that helps!