Mouse freezes on VDI machines: A surprising solution - Part 2
This second part of the story is actually about managing ACLs using PowerShell rather than fixing the issues with wisptis.exe. It turns out to be a bit more of an effort, but it is worth mentioning anyway.
A colleague of mine (thanks to Marius Gawenda) has been working on managing ACLs without using SetACL.exe for some time and figured out a solution for the scenario where an administrator wants to take ownership of a file that is owned by Trusted Installer. Some inline code is required in order to set privileges for the operation within the script. The code comes from here:
Three privileges are required. They can be set using the function defined in the above-mentioned script.
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
The next step is to create an empty ACL object, which can later be merged with that of the file we want to configure.
$NewOwnerACL = New-Object System.Security.AccessControl.FileSecurity
$NewOwner = New-Object System.Security.Principal.NTAccount("BUILTIN\Administrators")
$NewOwnerACL.SetOwner($NewOwner)
Now the owner can be set using:
(Get-Item $Env:Windir\System32\wisptis.exe).SetAccessControl($NewOwnerACL)
Once this is done, file permissions can be changed.
# Deny ReadAndExecute on wisptis.exe for Users and for Administrators
$UserPermission = "BUILTIN\Users","ReadAndExecute","Deny"
$AdminPermission = "BUILTIN\Administrators","ReadAndExecute","Deny"
$UserAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $UserPermission
$AdminAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $AdminPermission
# Read the current ACL of the file, then add and write each rule in turn
$objfile = Get-Acl (Join-Path $(Join-Path $env:windir system32) wisptis.exe)
$objfile.SetAccessRule($UserAccessRule)
Set-Acl -AclObject $objfile -Path $objfile.path
$objfile.SetAccessRule($AdminAccessRule)
Set-Acl -AclObject $objfile -Path $objfile.path
Now give it back to Trusted Installer:
$objTrustedInstaller = New-Object System.Security.Principal.NTAccount("NT SERVICE","TrustedInstaller")
$objfile.SetOwner($objTrustedInstaller)
Set-Acl -AclObject $objfile -Path $objfile.path -ea SilentlyContinue