ConvertFrom-SddlString

Exploring ConvertFrom-SddlString – Unlocking the Secrets of SDDL

Welcome back to Wahmans Powershell blog! Today, we’re diving deep into a lesser-known but extremely powerful cmdlet in PowerShell: ConvertFrom-SddlString.

The ConvertFrom-SddlString cmdlet is used to convert a Security Descriptor Definition Language (SDDL) string into a custom PowerShell object that is easier to understand and manipulate. This is particularly useful when dealing with permissions and security descriptors.

So what is SDDL?

SDDL is a string format used to define security descriptors, which include details about ownership, permissions, and auditing for securable objects in Windows like files, registry keys, services, Active Directory objects, etc. Unfortunately, these strings are not human-readable — and that’s where ConvertFrom-SddlString shines.
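To make the grammar concrete, here is an added example (my own code, not from the original post) that hand-parses an SDDL string into its owner, group, DACL and SACL components and splits each ACE into its six semicolon-delimited fields, which is exactly the decoding ConvertFrom-SddlString does for you. The function names Split-Sddl, Resolve-SddlSid and Expand-SddlAcl and the sample string are mine; the sample describes no real system.

```powershell
# Added example: hand-parse SDDL to show what ConvertFrom-SddlString decodes.
# SDDL layout: O:<owner>G:<group>D:<dacl_flags>(ace)(ace)...S:<sacl_flags>(ace)...
# ACE layout : (type;flags;rights;object_guid;inherit_object_guid;sid)

function Resolve-SddlSid {
    param([string]$SidText)
    # A SID appears either as a two-letter alias (BA, SY, WD, AU, ...) or as
    # S-1-...; the SecurityIdentifier constructor accepts both SDDL forms.
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($SidText)
        try { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { return $sid.Value }   # no local mapping (e.g. non-Windows): keep the SID
    } catch { return $SidText }       # not a SID at all: return the raw token
}

function Expand-SddlAcl {
    param([string]$AclText)
    # Decode one ACL component ("flags(ace)(ace)...") into ACE records.
    foreach ($ace in [regex]::Matches($AclText, '\(([^)]*)\)')) {
        $f = $ace.Groups[1].Value -split ';'
        if ($f.Count -ne 6) { continue }   # malformed ACE: skip rather than guess
        [pscustomobject]@{
            AceType  = $f[0]   # A = allow, D = deny, AU = audit
            AceFlags = $f[1]   # OI/CI/IO/ID inheritance flags
            Rights   = $f[2]   # FA/FR/FW/... aliases or a hex access mask
            Trustee  = Resolve-SddlSid $f[5]
            RawSid   = $f[5]
        }
    }
}

function Split-Sddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # Each component starts with a one-letter tag and ':'; capture the tag and
    # everything up to the next tag (or the end of the string).
    $components = @{}
    foreach ($m in [regex]::Matches($Sddl, '([OGDS]):((?:(?![OGDS]:).)*)')) {
        $components[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    $owner     = if ($components.ContainsKey('O')) { Resolve-SddlSid $components['O'] }
    $group     = if ($components.ContainsKey('G')) { Resolve-SddlSid $components['G'] }
    $daclFlags = if ($components.ContainsKey('D')) { ($components['D'] -split '\(')[0] }
    [pscustomobject]@{
        Owner     = $owner
        Group     = $group
        DaclFlags = $daclFlags          # e.g. P (protected), AI (auto-inherited)
        Dacl      = @(Expand-SddlAcl $components['D'])
        Sacl      = @(Expand-SddlAcl $components['S'])
    }
}

# Constructed sample (describes no real object): owner Administrators, group SYSTEM,
# protected auto-inherited DACL with full control for Administrators, read/execute
# for Authenticated Users and an explicit deny of write for Everyone.
$sample = 'O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FRFX;;;AU)(D;OICI;FW;;;WD)'
$parsed = Split-Sddl $sample
$parsed | Select-Object Owner, Group, DaclFlags
$parsed.Dacl | Format-Table AceType, AceFlags, Rights, Trustee -AutoSize

# The same string through the cmdlet (Windows), for comparison:
(ConvertFrom-SddlString -Sddl $sample).DiscretionaryAcl
```

The hand parser keeps the rights field as the raw alias or hex mask; resolving that mask into named rights is the part that depends on the object type (file, registry key, AD object), which is why the cmdlet has a -Type parameter.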

Example 1: Simple Conversion of a Known SDDL String

Let’s start with a simple SDDL string and see what the cmdlet gives us. A bare ACE is not a complete security descriptor, so the ACE is wrapped in a DACL component (D:) to make the string valid:

"D:(A;;FA;;;BA)" | ConvertFrom-SddlString

Output:

Owner : 
Group : 
DiscretionaryAcl :
(
    AccessControlType: Allow
    IdentityReference : BUILTIN\Administrators
    FileSystemRights  : FullControl
    IsInherited       : False
)
SystemAcl :

This tells us that full access is granted to built-in Administrators.

Example 2: Extracting Permissions from an Existing File

Now, let’s get the SDDL for a file and convert it:

$sddl = (Get-Acl "C:\TestFolder\example.txt").Sddl
$sddl | ConvertFrom-SddlString

This can help administrators understand the exact access control settings on a file or folder.

Example 3: Auditing Who Has Full Control over a Registry Key

Let’s say you want to figure out who has full control over a registry key, in an easier-to-read format:

$regKey = "HKLM:\SOFTWARE\MyCompany\Settings"
$sddl = (Get-Acl $regKey).Sddl
# Registry access masks decode differently from file masks, so tell the cmdlet the object type.
$permissions = $sddl | ConvertFrom-SddlString -Type RegistryRights

# Each DiscretionaryAcl entry is a string of the form "Identity: AccessType (Right, Right, ...)"
$permissions.DiscretionaryAcl | Where-Object { $_ -match 'AccessAllowed \(.*FullControl' }

This is a practical check for compliance work and configuration audits.

Example 4: Automating Cleanup of Insecure File Permissions

In this more advanced scenario, we’ll get all files in a folder and flag ones where “Everyone” has write permission:

$folder = "C:\SensitiveData"
Get-ChildItem -Path $folder -Recurse -File | ForEach-Object {
    $file = $_   # keep the file in scope; $_ is rebound inside the inner pipeline
    $sddl = (Get-Acl $file.FullName).Sddl
    $acl = $sddl | ConvertFrom-SddlString
    # DiscretionaryAcl entries are strings: "Identity: AccessType (Right, Right, ...)";
    # 'Write' also matches WriteData, WriteAttributes and similar rights.
    $acl.DiscretionaryAcl | Where-Object {
        $_ -match '^Everyone: AccessAllowed \(' -and $_ -match 'Write'
    } | ForEach-Object {
        Write-Host "[!] Warning: Everyone has write rights to $($file.FullName)"
    }
}

This is incredibly useful in penetration testing, audits, or system hardening scripts.
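Here is an added example (my code, not the post’s) that packages the check above as a reusable function: it converts the strings ConvertFrom-SddlString places in DiscretionaryAcl into objects, then reports allow ACEs that grant write-class rights to broad principals, for both files and registry keys via the cmdlet’s -Type parameter. The function names ConvertTo-AceObject and Find-BroadWriteAccess, the principal and rights lists, and the paths are my own assumptions and placeholders.

```powershell
# Added example: structured audit over ConvertFrom-SddlString output.
# Assumes the cmdlet's entry format "Identity: AccessType (Flag, Right, Right, ...)";
# the parenthesised list carries inheritance flags as well as rights.

function ConvertTo-AceObject {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$AceText,
        [string]$Path
    )
    process {
        if ($AceText -match '^(?<id>.+?): (?<type>\w+) \((?<rights>.*)\)$') {
            [pscustomobject]@{
                Path       = $Path
                Identity   = $Matches.id
                AccessType = $Matches.type          # AccessAllowed / AccessDenied
                Rights     = @($Matches.rights -split ',\s*')
            }
        }
    }
}

# Constructed review lists (assumptions): principals whose write access usually
# deserves a second look, and the file/registry rights that allow modification.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                     'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE')
$WriteClass = @('Write', 'WriteData', 'AppendData', 'CreateFiles', 'Modify',
                'FullControl', 'GenericAll', 'GenericWrite', 'TakeOwnership',
                'ChangePermissions', 'SetValue', 'CreateSubKey', 'WriteKey', 'Delete')

function Find-BroadWriteAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        # FileSystemRights for files and folders, RegistryRights for keys: the
        # cmdlet interprets the ACE access mask according to this value.
        [ValidateSet('FileSystemRights', 'RegistryRights')]
        [string]$Type = 'FileSystemRights'
    )
    $sddl = (Get-Acl -Path $Path).Sddl
    $acl  = ConvertFrom-SddlString -Sddl $sddl -Type $Type
    $acl.DiscretionaryAcl | ConvertTo-AceObject -Path $Path | Where-Object {
        $ace = $_
        $ace.AccessType -eq 'AccessAllowed' -and
        $ace.Identity -in $BroadPrincipals -and
        ($ace.Rights | Where-Object { $_ -in $WriteClass } | Measure-Object).Count -gt 0
    }
}

# Usage with placeholder paths: recurse a folder, then check one registry key.
Get-ChildItem -Path 'C:\SensitiveData' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Find-BroadWriteAccess -Path $_.FullName } |
    Format-Table Path, Identity, @{ n = 'Rights'; e = { $_.Rights -join ',' } } -AutoSize

Find-BroadWriteAccess -Path 'HKLM:\SOFTWARE\MyCompany\Settings' -Type RegistryRights
```

Because the function only emits matching ACE objects, its output can be exported with Export-Csv or compared between runs to detect permission drift, rather than reading Write-Host warnings off the console.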

Wrapping it Up

ConvertFrom-SddlString is an invaluable cmdlet for Windows administrators, security auditors, and anyone working with NTFS, registry, or other securable system objects. It removes the guesswork from SDDL by providing structured, machine-parsable permissions output you can automate!

Happy scripting, and I will see you in the next post!
