CPAU Administrator-equivalent script
Friday, November 7th, 2008
Overview
Inside a Microsoft Virtual PC 2007 VM, NTFS permissions need to be relaxed on a set of files. The end user running the script has no administrative rights, so we must use a third-party tool (CPAU).
The Problem
- Software named MultiTerm requires read+write access to files in a certain folder under %programfiles%
- The software runs inside a Virtual PC (or VM)
- The VM is held on an external USB drive, and the Microsoft Virtual PC software resides on a student microlab.
- Crucially, the C: drive of the host student-lab PC is visible inside the VM as shared drive F:, which lets us distribute a solution.
The Solution
- Use the CPAU utility to encode administrator credentials and the commands to run into a job file. These will use the scacls utility modacl.exe to open up the NTFS permissions.
- Pass the job file to the students in their microlab.
- Ask the students to execute a batch file which runs the CPAU jobs.
Steps:
1. In the student microlab, students have access to the folder F:\NTApps\install\lan\Multiterm_patch, which contains one sub-folder, MTPATCH, with all the tools we need.
The student runs F:\NTApps\install\lan\Multiterm_patch\user.bat, which copies the MTPATCH folder to C:\temp of the student lab PC.
Here is user.bat:
@echo off
rem: Patch for MultiTerm iX Software
rem: Duncan J. Potter, SML x3400
rem: November 2008
rem:
rem: - Overview -
rem: MultiTerm software runs inside a Microsoft Virtual PC 2007 Environment.
rem: A patch is needed to unlock (NTFS-wise) a certain folder in order for MultiTerm to run.
rem:
rem: The first stage is to copy the MTPATCH folder to C:\temp\mtpatch on PC Caledonia, which this script does.
rem: The second stage is for the student, within VPC2007, to run f:\temp\mtpatch\install.bat
rem:
rem: Take Note:
rem: The VPC environment has no network drives.
rem: From within VPC drive F: refers to the shared C: drive of the PC Caledonia host.
rem:
rem: Set some paths to make batch file tidier:
set APP_PTH=F:\NTApps\install\lan\Multiterm_patch
set KIX_PTH=F:\NTApps\install\lan\KiXstart
set HWSYS_PTH=F:\ntapps\hwsys
:CHECK_LAB
rem: echo Checking Microlab Identity ...
rem: echo Lab variable is %lab%.
rem: if not "%lab%"=="LANREP1" goto WRONGLAB
:FILES
rem: Robocopy switches
rem: /xx - exclude display of "extra" files (in destination, not source)
rem: /xc - exclude copying of "changed" files (same timestamp, different size)
rem: /xn - exclude copying of "newer" files
rem: /xo - exclude copying of "older" files
rem: /e /s - copy directories, including empty ones
rem: Copy files to workstation
echo.
echo 1. Creating folder c:\temp\mtpatch ...
echo.
if not exist c:\temp\mtpatch mkdir c:\temp\mtpatch > nul
echo Done.
echo.
echo Copying files to c:\temp\mtpatch ...
echo.
%hwsys_pth%\robocopy %APP_PTH%\MTPATCH c:\temp\mtpatch *.* /E /S /XX
echo Done.
echo.
:FINAL
echo.
echo.
echo.
echo ********************* Stage 1 is complete ********************
echo.
echo.
%kix_pth%\kix32 %APP_PTH%\MTPATCH\stage1_message.kix
goto END
:WRONGLAB
echo This microlab is not suitable for the installation of this software.
%hwsys_pth%\sleep for 2
:END
Creating the CPAU Job
A single batch file creates the encoded jobs. Naturally, the Administrator password shown below has been changed!
@echo off
echo MT Patch 1 Job
cd /d c:\vpc2007\cpau
rem: goto EXE
:CREATE
rem: On the HOST PC, drive C: is seen as shared drive F: by the VM
cpau -u administrator -p theadminpassword -lwp -ex "regedit /s f:\temp\mtpatch\scacls.reg" -enc -file scacls_reg.job
echo Creating job mtpatch1 ...
rem: The next command must be entered on a single line:
cpau -u administrator -p theadminpassword -lwp -ex "f:\temp\mtpatch\modacl /v "%programfiles%\trados\MTiX\multiterm\termbase\*.*" /ar everyone:full" -enc -file mtpatch1.job
echo.
echo Creating job mtpatch2 ...
rem: The next command must be entered on a single line:
cpau -u administrator -p theadminpassword -lwp -ex "f:\temp\mtpatch\modacl /v "%programfiles%\trados\MTiX\multiterm\termbase" /ar everyone:full" -enc -file mtpatch2.job
goto END
:END
echo.
echo Done.
pause
As can be seen, the modacl command (from scacls) must be placed in the folder f:\temp\mtpatch. Remember, the commands that CPAU calls are executed by the student but run as administrator. The commands themselves are not run at this time; only the encoded job files containing them are created.
It was the job of user.bat above to make all the executables available to the student, copying from a shared network drive of the student workstation to c:\temp\mtpatch of that workstation.
Finally, we need to create the batch file that the student will call to apply the encrypted CPAU jobs; this is named install.bat and is held in the MTPATCH folder. It also makes use of the KiXtart executables in that folder.
This is install.bat:
@echo off
rem: Patch to unlock MultiTerm database folder
rem: Folder to 'unlock' is c:\program files\trados\MTiX\multiterm\termbase
rem: Author: Duncan J Potter
rem: Date: Nov 2008
rem: Ensure Robocopy/SCACLS registry keys are in place else get a
rem: dialogue box with these apps (use /s for silent mode).
echo ------------ Patching MultiTerm iX -------------------
echo.
echo 1. Registering SCACLS tool ...
rem: regedit /s f:\vpc2007\cpau\MTPATCH\scacls.reg
start /wait cpau -dec -file scacls_reg.job -lwp
sleep for 1
echo Stage 1 complete.
echo.
rem ----------- Modify File ACL Rights -----------------------------------
rem: Students need to run a CPAU job to perform these commands.
rem: They are written here as reminders only:
rem: Use SuperCACLS to make MultiTerm folder and contents writeable:
rem: modacl /v "c:\program files\trados\MTiX\multiterm\termbase\*.*" /ar everyone:change
start /wait cpau -dec -file mtpatch1.job -lwp
sleep for 1
echo Stage 2 complete.
echo.
rem: Modify ACL to these folders so new databases can be created ...
rem: modacl /v "c:\program files\trados\MTiX\multiterm\termbase" /ar everyone:change
start /wait cpau -dec -file mtpatch2.job -lwp
sleep for 1
echo Stage 3 complete.
echo.
echo MultiTerm Patch has been installed.
cd /d f:\temp\mtpatch
f:\temp\mtpatch\wkix32.exe f:\temp\mtpatch\patch_installed.kix
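
install.bat prints "Stage N complete" whether or not each CPAU job actually succeeded, so a follow-up check is useful. The script below is an added example, not part of the original MTPATCH folder; the file name verify_patch.bat and the probe file name are assumptions. It lists what was granted to Everyone on the termbase folder and confirms that the non-admin account can really create and delete a file there.

```bat
@echo off
rem: verify_patch.bat - ADDED EXAMPLE; file and probe names are hypothetical.
rem: Run inside the VM as the student after install.bat has finished.
setlocal
set TB=%programfiles%\trados\MTiX\multiterm\termbase
set PROBE=%TB%\_mtpatch_probe.tmp

if not exist "%TB%\" goto NOFOLDER

rem: Show what was actually granted to Everyone, so it can be compared
rem: with the grant that was intended when the jobs were encoded.
echo ACL entries for Everyone on "%TB%":
cacls "%TB%" | find /i "Everyone"
if errorlevel 1 echo   none found

rem: Functional test: can this non-admin account create and delete a file?
echo probe > "%PROBE%"
if not exist "%PROBE%" goto NOWRITE
del "%PROBE%" > nul 2>&1
if exist "%PROBE%" goto NODELETE

echo OK: termbase folder is writable by %username%.
exit /b 0

:NOFOLDER
echo FAIL: "%TB%" does not exist.
exit /b 2

:NOWRITE
echo FAIL: cannot create files in "%TB%"; the ACL change is not in effect.
exit /b 1

:NODELETE
echo FAIL: created a probe file in "%TB%" but could not delete it.
exit /b 1
```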