The Elephant Security Descriptor Definition Language Editor

I am lazy and so simply copied a Word file I wrote into this web site which together with my inability to use Word properly should explain the bad formatting of this blog entry.

Direct comments, complaints and threats to me at ajbrehm@gmail.com.


What is it?

The Elephant editor is an editor for Security Descriptor Definition Language[1] strings, which were apparently introduced in Windows 2000 because the Windows NT binary format for security descriptors was not ideal for editing.

What can it do?

Elephant uses AclEdit.exe from the ABTokenTools (which must be in the same directory) to read and write Access Control Lists of named objects such as services, directories, files etc. It can also read and write security descriptors in SDDL or binary format in registry values.

It can display the security descriptor received from AclEdit both as an SDDL string and as a table for (somewhat) easy editing.

It can currently set an object’s owner, DACL (Discretionary Access Control List), and inheritance.

What can’t it do?

Elephant cannot (yet) get or set permissions of objects without a unique name (like processes).

What will it be able to do?

I will try to add support for objects without a unique name and support OpenVMS’ security descriptor string format (which is easier to read and write).

Where can I find it?

It should be downloadable from

http://netneurotic.net/bin/Elephant-x64.zip

Note that you also need AclEdit from ABTokenTools which can be found at

http://netneurotic.net/bin/ABTokenTools-x64.zip

Replace “x64” with “x86”, “ARM”, or “ARM64” if you are brave. I sometimes make versions for those CPUs too.

Licence

Elephant is freeware but the source code is not available except upon request because I don’t want people to find it on the internet and base other programs on it. I don’t want my mistakes to spread.



The main window

Elephant’s main window has four components.

On the top is a menu bar with several menus.

Below it is a text field for editing SDDL directly. This is also where a security descriptor will be loaded from an object.

Below that is a table that translates (attempts to translate) the SDDL string into a (more) human-readable form.

Below the table is a one-line text field that shows the path to the currently loaded object.
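The kind of translation the table performs, as an added Python example (not Elephant's code, whose source is not published): a small parser that splits an SDDL string into owner, group, DACL flags and one row per ACE. The lookup tables are a partial subset of the SDDL codes, and the sample string is constructed.

```python
import re

# Partial lookup tables: a subset of the two-letter codes SDDL defines.
SIDS = {"BA": "Builtin\\Administrators", "SY": "Local System", "WD": "Everyone",
        "AU": "Authenticated Users", "BU": "Builtin\\Users", "CO": "Creator Owner"}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}
ACE_FLAGS = {"OI": "object inherit", "CI": "container inherit",
             "NP": "no propagate", "IO": "inherit only", "ID": "inherited"}
RIGHTS = {"GA": "generic all", "GR": "generic read", "GW": "generic write",
          "GX": "generic execute", "RC": "read control", "SD": "delete",
          "WD": "write DAC", "WO": "write owner", "FA": "file all",
          "FR": "file read", "FW": "file write", "FX": "file execute",
          "KA": "key all", "KR": "key read", "KW": "key write"}
ACL_FLAGS = {"P": "protected", "AI": "auto-inherited", "AR": "auto-inherit requested"}

def codes(text, table):
    """Expand a run of two-letter codes; a hex access mask is kept as written."""
    if text.lower().startswith("0x"):
        return [text]
    return [table.get(c, c) for c in re.findall(r"[A-Z]{2}", text)]

def parse_ace(ace):
    """ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid"""
    kind, flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
    # The same letters mean different things per field: WD is "write DAC"
    # as a right but "Everyone" as a trustee, so each field has its own table.
    return (ACE_TYPES.get(kind, kind), codes(flags, ACE_FLAGS),
            codes(rights, RIGHTS), SIDS.get(trustee, trustee))

def parse_sddl(sddl):
    """Return owner, group, DACL flags and one row per DACL ACE."""
    parts = dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl))
    dacl = parts.get("D", "")
    flags = dacl.split("(", 1)[0]
    return {
        "owner": SIDS.get(parts.get("O"), parts.get("O")),
        "group": SIDS.get(parts.get("G"), parts.get("G")),
        "dacl_flags": [ACL_FLAGS[f] for f in re.findall(r"AI|AR|P", flags)],
        "dacl": [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", dacl)],
    }

# Constructed sample descriptor, not taken from a real object.
SAMPLE = "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICIIO;GA;;;CO)(D;;WD;;;WD)(A;;0x1200a9;;;BU)"

if __name__ == "__main__":
    result = parse_sddl(SAMPLE)
    print(result["owner"], result["group"], result["dacl_flags"])
    for row in result["dacl"]:
        print(*row, sep=" | ")
```

Codes missing from the tables are shown as written, so an unknown right or trustee stays visible instead of being dropped.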


The File|Open Named Object menu

This opens the AclEdit Parameters window which is used to open a named object of a specified type. It is basically a GUI for AclEdit.

See below for a complete description.


The File|Open File menu

This will open a file’s security descriptor and is equivalent to giving an object path to a file and selecting the object type “File” in the AclEdit Parameters window.


The File|Open Directory menu

This will open a directory’s security descriptor and is equivalent to giving an object path to a directory and selecting the object type “File” (both directories and files are “files” in that sense) in the AclEdit Parameters window.

The File|Open Registry Key Or Value menu

This will open a registry key’s security descriptor or a registry value containing a security descriptor. Opening a registry key’s security descriptor here is equivalent to giving an object path to a registry key and selecting the object type “Registry Key” in the AclEdit Parameters window.

(Opening a registry value is not, because a registry value containing a security descriptor is not a named object.)

To open a registry key or a registry value this menu uses the Registry Access window. See below for a complete description.



The File|Save Security Descriptor menu

This opens the AclEdit Parameters window in write mode.



The File|Clear menu

This clears the current SDDL string and resets the main window’s contents.



The File|Exit menu

Hm.



The Edit|Toggle Column Display Mode menu

Toggles the table display between two different modes. Just try it out.



The Edit|Force Table Translation menu

Translates the table to match the SDDL or vice versa, in case that didn’t happen for some reason.



The Edit|Copy Table menu

Copies the table into the clipboard, I believe with tabs between columns.



The ACL|File and ACL|Registry menus

These menus generate SDDL for basic DACLs for file or registry objects.



The Tools|Scheduled Tasks menu

Opens the Registry Access window at the path for Windows Scheduled Tasks. Note that Windows Scheduled Task permissions are stored in registry values called “SD” in keys below the “Tree” key. Also note that such a value can only be edited once the key that hosts it can be written to. That usually requires taking ownership, which can be done by replacing the key’s ACL with one with a better owner (for example BA, Builtin\Administrators).
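For reviewing what such an “SD” value contains, this added Python example (not Elephant's or AclEdit's code) decodes a binary security descriptor into its owner SID and DACL entries. It assumes the value holds a self-relative security descriptor; the sample bytes are constructed in the code, not read from a registry.

```python
import struct

SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000

def sid_to_str(buf, off):
    """Decode the binary SID at offset off into S-R-A-S1-S2... form."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit, big-endian
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)     # little-endian
    return "-".join(map(str, ("S", revision, authority, *subs)))

def parse_sd(buf):
    """Return (owner SID, [(ace_type, ace_flags, mask, trustee SID), ...])."""
    _rev, _sbz, control, off_owner, _grp, _sacl, off_dacl = \
        struct.unpack_from("<BBHIIII", buf)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    owner = sid_to_str(buf, off_owner) if off_owner else None
    aces = []
    if control & SE_DACL_PRESENT and off_dacl:
        _arev, _s1, _size, count, _s2 = struct.unpack_from("<BBHHH", buf, off_dacl)
        pos = off_dacl + 8
        for _ in range(count):
            ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
            if ace_size < 8 or pos + ace_size > len(buf):
                raise ValueError("ACE size runs outside the buffer")
            if ace_type in (0, 1):          # ACCESS_ALLOWED / ACCESS_DENIED
                (mask,) = struct.unpack_from("<I", buf, pos + 4)
                aces.append((ace_type, ace_flags, mask, sid_to_str(buf, pos + 8)))
            pos += ace_size
    return owner, aces

def make_sid(authority, *subs):
    """Build a binary SID (used only to construct the sample below)."""
    return (struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def sample_sd():
    """Constructed sample: owner S-1-5-32-544, one allow ACE for S-1-5-18."""
    owner, system = make_sid(5, 32, 544), make_sid(5, 18)
    ace = struct.pack("<BBHI", 0, 0, 8 + len(system), 0x1F01FF) + system
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(ace), 1, 0) + ace
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         20, 0, 0, 20 + len(owner))
    return header + owner + dacl

if __name__ == "__main__":
    print(parse_sd(sample_sd()))
```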

The AclEdit Parameters window

The Object Path text field takes an object path[2]. Pressing the Read or Write button will read or write the security descriptor of the object identified by that path, of the type selected below the Object Path text field.

Note that not all object types can be used with a path (but are listed here for completeness’ sake). Also note that not all object types necessarily understand all Access Control Entries Elephant can produce or you can invent.

It’s probably best never to create new ACLs but always to modify existing ACLs.





The Registry Access window

This window allows navigating the registry and selecting keys or values to load security descriptors. The selected path will be displayed in the textbox in the upper half of the window.

Note that the “Read” button will read whatever key or value is confirmed in the textbox, which should be the same as selected below it, but when in doubt, it’s the textbox that counts!



The About menu

Hm.

1 https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language

2 Really.

 © Andrew Brehm 2016