The Win32_SecurityDescriptor instance represents a SECURITY_DESCRIPTOR_CONTROL data type and contains a discretionary access control list (DACL) and a system access control list (SACL). For more information, see Access Control Lists.
If the SeSecurityPrivilege is not granted or enabled when getting a security descriptor, then only the DACL is returned in the returned security descriptor. For more information, see Privilege Constants and Executing Privileged Operations.
You can update both the DACL and the SACL in the Win32_SecurityDescriptor instance when calling this method, but you also can update only the DACL or only the SACL.
The following values in SECURITY_DESCRIPTOR_CONTROL determine whether the DACL, the SACL, or both are updated.
If the Group trustee and the Owner trustee properties are not NULL, then they are updated. Otherwise, WMI preserves the original values. For more information, see WMI Security Descriptor Objects.
When a new SACL is NULL in a call this method, then the security descriptor SACL on the target securable object is left unchanged.
Example
Do not run below example code just to see what happens next. Many methods seriously affect your system. Always make sure you actually understand what the method and the code do.
param
(
[Parameter(Mandatory)]
[Object]
$Descriptor
)
$query = 'Select * From Win32_Service where Name="Spooler"'
Invoke-CimMethod -Query $query -MethodName SetSecurityDescriptor -Arguments $PSBoundParameters |
Add-Member -MemberType ScriptProperty -Name ReturnValueFriendly -Passthru -Value {
switch ([int]$this.ReturnValue)
{
0 {'Success'}
2 {'Access denied'}
8 {'Unknown failure'}
9 {'Privilege missing'}
21 {'Invalid parameter'}
default {"Unknown Error $_"}
}
}
To run this method on one or more remote systems, use New-CimSession
:
param
(
[Parameter(Mandatory)]
[Object]
$Descriptor,
[String[]]
$ComputerName,
[PSCredential]
$Credential
)
$session = New-CimSession -ComputerName $ComputerName -Credential $Credential
$query = 'Select * From Win32_Service where Name="Spooler"'
Invoke-CimMethod -Query $query -MethodName SetSecurityDescriptor -Arguments $PSBoundParameters -CimSession $session |
Add-Member -MemberType ScriptProperty -Name ReturnValueFriendly -Passthru -Value {
switch ([int]$this.ReturnValue)
{
0 {'Success'}
2 {'Access denied'}
8 {'Unknown failure'}
9 {'Privilege missing'}
21 {'Invalid parameter'}
default {"Unknown Error $_"}
}
}
Remove-CimSession -CimSession $session
Learn more about
Invoke-CimMethod
and invoking WMI methods.
Syntax
uint32 SetSecurityDescriptor(
[in] Win32_SecurityDescriptor Descriptor
);
Parameters
Name | Type | Description |
---|---|---|
Descriptor | Object |
Return Value
Returns a value of type UInt32. Return values:
$returnValues = @{
0 = 'Success'
2 = 'Access denied'
8 = 'Unknown failure'
9 = 'Privilege missing'
21 = 'Invalid parameter'
}
See Also
Additional methods implemented by Win32_Service:
Change()
Change() modifies a service.
ChangeStartMode()
ChangeStartMode() modifies the start mode of a service.
Create()
Delete()
Delete() deletes an existing service.
GetSecurityDescriptor()
GetSecurityDescriptor() returns the security descriptor that controls access to the service.
InterrogateService()
InterrogateService() requests that a service update its state to the service manager.
PauseService()
PauseService() attempts to place a service in the paused state.
ResumeService()
ResumeService() attempts to place a service in the resumed state.
StartService()
StartService() attempts to place a service into the startup state.
StopService()
StopService() places a service in the stopped state.
UserControlService()
UserControlService() attempts to send a user-defined control code to a service.
Requirements
To use Win32_Service, the following requirements apply:
PowerShell
Get-CimInstance
was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.
If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.
Operating System
Win32_Service was introduced on clients with Windows Vista and on servers with Windows Server 2008.
Namespace
Win32_Service lives in the Namespace Root/CIMV2. This is the default namespace. There is no need to use the -Namespace parameter in Get-CimInstance
.
Implementation
Win32_Service is implemented in CIMWin32.dll and defined in CIMWin32.mof. Both files are located in the folder C:\Windows\system32\wbem
:
explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\CIMWin32.mof