From a62c3ac36d528343ca121b478c005175e86c73ce Mon Sep 17 00:00:00 2001 From: WindowsAddict Date: Sun, 18 Aug 2024 03:44:07 +0530 Subject: [PATCH] Optimize checks and fixes for SPP perms, replace slmgr /rilc --- MAS/Separate-Files-Version/Troubleshoot.cmd | 206 ++++++++++++++++---- 1 file changed, 169 insertions(+), 37 deletions(-) diff --git a/MAS/Separate-Files-Version/Troubleshoot.cmd b/MAS/Separate-Files-Version/Troubleshoot.cmd index 27070aa..415f204 100644 --- a/MAS/Separate-Files-Version/Troubleshoot.cmd +++ b/MAS/Separate-Files-Version/Troubleshoot.cmd @@ -462,7 +462,7 @@ if not defined terminal ( mode 125, 32 %psc% "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=200;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}" ) -title Fix Licensing ^(ClipSVC ^+ Office vNext ^+ SPP ^+ OSPP^) +title Fix Licensing ^(ClipSVC ^+ SPP ^+ OSPP^) echo: echo %line% @@ -475,7 +475,7 @@ echo - This option will, echo - Deactivate Windows and Office, you may need to reactivate echo If Windows is activated with motherboard / OEM / Digital license then don't worry echo: -echo - Clear ClipSVC, Office vNext, SPP and OSPP licenses +echo - Clear ClipSVC, SPP and OSPP licenses echo - Fix SPP permissions of tokens folder and registries echo - Trigger the repair option for Office. echo: @@ -614,42 +614,28 @@ echo tokens.dat file: [%token%] ) set tokenstore= +set badregistry= for /f "skip=2 tokens=2*" %%a in ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore %nul6%') do call set "tokenstore=%%b" +if %winbuild% GEQ 9200 if /i not "%tokenstore%"=="%SysPath%\spp\store" if /i not "%tokenstore%"=="%SysPath%\spp\store\2.0" if /i not "%tokenstore%"=="%SysPath%\spp\store_test\2.0" ( +set badregistry=1 +echo: +call :dk_color %Red% "Correct path not found in TokenStore Registry [%tokenstore%]" +) :: Check sppsvc permissions and apply fixes -if %winbuild% GEQ 10240 ( - +if %winbuild% GEQ 9200 if not defined badregistry ( echo: echo Checking SPP permission related issues... call :checkperms - if defined permerror ( - -mkdir "%tokenstore%" %nul% -set "d=$sddl = 'O:BAG:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICIIO;GR;;;BU)(A;;FR;;;BU)(A;OICI;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)';" -set "d=!d! $AclObject = New-Object System.Security.AccessControl.DirectorySecurity;" -set "d=!d! $AclObject.SetSecurityDescriptorSddlForm($sddl);" -set "d=!d! Set-Acl -Path %tokenstore% -AclObject $AclObject;" -%psc% "!d!" %nul% - -for %%# in ( -"HKLM:\SYSTEM\WPA_QueryValues, EnumerateSubKeys, WriteKey" -"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform_SetValue" -) do for /f "tokens=1,2 delims=_" %%A in (%%#) do ( -set "d=$acl = Get-Acl '%%A';" -set "d=!d! $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc', '%%B', 'ContainerInherit, ObjectInherit','None','Allow');" -set "d=!d! $acl.ResetAccessRule($rule);" -set "d=!d! $acl.SetAccessRule($rule);" -set "d=!d! Set-Acl -Path '%%A' -AclObject $acl" -%psc% "!d!" %nul% -) - +call :dk_color %Red% "[!permerror!]" +%psc% "$f=[io.file]::ReadAllText('!_batp!') -split ':fixsppperms\:.*';iex ($f[1])" %nul% call :checkperms if defined permerror ( -call :dk_color %Red% "[Failed To Fix]" +call :dk_color %Red% "[!permerror!] [Failed To Fix]" ) else ( -echo [Successfully Fixed] +call :dk_color %Green% "[Successfully Fixed]" ) ) else ( echo [No Error Found] @@ -671,9 +657,9 @@ echo: ) echo: -echo Reinstalling System Licenses [slmgr /rilc]... -cscript //nologo %windir%\system32\slmgr.vbs /rilc %nul% -if %errorlevel% NEQ 0 cscript //nologo %windir%\system32\slmgr.vbs /rilc %nul% +echo Reinstalling System Licenses... +%psc% "Stop-Service sppsvc -force; $sls = Get-WmiObject SoftwareLicensingService; $f=[io.file]::ReadAllText('!_batp!') -split ':xrm\:.*';iex ($f[1]); ReinstallLicenses" %nul% +if %errorlevel% NEQ 0 %psc% "$sls = Get-WmiObject SoftwareLicensingService; $f=[io.file]::ReadAllText('!_batp!') -split ':xrm\:.*';iex ($f[1]); ReinstallLicenses" %nul% if %errorlevel% EQU 0 ( echo [Successful] ) else ( @@ -1102,21 +1088,167 @@ exit /b :checkperms +:: This code checks if SPP has permission access to tokens folder and required registry keys. It's often caused by gaming spoofers. + set permerror= -if not exist "%tokenstore%\" set permerror=1 +if not exist "%tokenstore%\" set "permerror=Error Found In Token Folder" for %%# in ( -"%tokenstore%" -"HKLM:\SYSTEM\WPA" -"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" -) do if not defined permerror ( -%psc% "$acl = Get-Acl '%%#'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}" %nul% -if !errorlevel!==2 set permerror=1 +"%tokenstore%+FullControl" +"HKLM:\SYSTEM\WPA+QueryValues, EnumerateSubKeys, WriteKey" +"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform+SetValue" +) do for /f "tokens=1,2 delims=+" %%A in (%%#) do if not defined permerror ( +%psc% "$acl = (Get-Acl '%%A' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow %%B') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}" %nul% +if !errorlevel!==2 ( +if "%%A"=="%tokenstore%" ( +set "permerror=Error Found In Token Folder" +) else ( +set "permerror=Error Found In SPP Registries" +) +) +) + +REM https://learn.microsoft.com/office/troubleshoot/activation/license-issue-when-start-office-application + +if not defined permerror ( +reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion" %nul% && ( +set "pol=HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies" +reg query "!pol!" %nul% || reg add "!pol!" %nul% +%psc% "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::!pol!' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}" %nul% +if !errorlevel!==3 set "permerror=Error Found In S-1-5-20 SPP" +) ) exit /b ::======================================================================================================================================== +:: Fix SPP related registry and folder permissions + +:fixsppperms: +# Fix perms for Token Folder + +if ($env:permerror -eq 'Error Found In Token Folder') { + New-Item -Path $env:tokenstore -ItemType Directory -Force + $sddl = 'O:BAG:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICIIO;GR;;;BU)(A;;FR;;;BU)(A;OICI;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)' + $AclObject = New-Object System.Security.AccessControl.DirectorySecurity + $AclObject.SetSecurityDescriptorSddlForm($sddl) + Set-Acl -Path $env:tokenstore -AclObject $AclObject + exit +} + +# Fix perms for SPP registries + +if ($env:permerror -eq 'Error Found In SPP Registries') { + $acl = Get-Acl 'HKLM:\SYSTEM\WPA' + $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc', 'QueryValues, EnumerateSubKeys, WriteKey', 'ContainerInherit, ObjectInherit', 'None', 'Allow') + $acl.ResetAccessRule($rule) + $acl.SetAccessRule($rule) + Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl + + $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' + $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc', 'SetValue', 'ContainerInherit, ObjectInherit', 'None', 'Allow') + $acl.ResetAccessRule($rule) + $acl.SetAccessRule($rule) + Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl + exit +} + +# Fix perms for SPP in HKU\S-1-5-20 +# https://learn.microsoft.com/office/troubleshoot/activation/license-issue-when-start-office-application + +if ($env:permerror -ne 'Error Found In S-1-5-20 SPP') { + exit +} +if (-not (Test-Path 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform')) { + exit +} + +# https://stackoverflow.com/a/35843420 + +function Take-Permissions { + param($rootKey, $key, [System.Security.Principal.SecurityIdentifier]$sid = 'S-1-5-32-545', $recurse = $true) + + switch -regex ($rootKey) { + 'HKCU|HKEY_CURRENT_USER' { $rootKey = 'CurrentUser' } + 'HKLM|HKEY_LOCAL_MACHINE' { $rootKey = 'LocalMachine' } + 'HKCR|HKEY_CLASSES_ROOT' { $rootKey = 'ClassesRoot' } + 'HKCC|HKEY_CURRENT_CONFIG' { $rootKey = 'CurrentConfig' } + 'HKU|HKEY_USERS' { $rootKey = 'Users' } + } + + ### Step 1 - escalate current process's privilege + # get SeTakeOwnership, SeBackup and SeRestore privileges before executes next lines, script needs Admin privilege + $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1) + $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False) + $TypeBuilder = $ModuleBuilder.DefineType(0) + $TypeBuilder.DefinePInvokeMethod('RtlAdjustPrivilege', 'ntdll.dll', 'Public, Static', 1, [int], @([int], [bool], [bool], [bool].MakeByRefType()), 1, 3) | Out-Null + 9, 17, 18 | ForEach-Object { $TypeBuilder.CreateType()::RtlAdjustPrivilege($_, $true, $false, [ref]$false) | Out-Null } + + function Take-KeyPermissions { + param($rootKey, $key, $sid, $recurse, $recurseLevel = 0) + + ### Step 2 - get ownerships of key - it works only for current key + $regKey = [Microsoft.Win32.Registry]::$rootKey.OpenSubKey($key, 'ReadWriteSubTree', 'TakeOwnership') + $acl = New-Object System.Security.AccessControl.RegistrySecurity + $acl.SetOwner($sid) + $regKey.SetAccessControl($acl) + + ### Step 3 - enable inheritance of permissions (not ownership) for current key from parent + $acl.SetAccessRuleProtection($false, $false) + $regKey.SetAccessControl($acl) + + ### Step 4 - only for top-level key, change permissions for current key and propagate it for subkeys + # to enable propagations for subkeys, it needs to execute Steps 2-3 for each subkey (Step 5) + if ($recurseLevel -eq 0) { + $regKey = $regKey.OpenSubKey('', 'ReadWriteSubTree', 'ChangePermissions') + $rule = New-Object System.Security.AccessControl.RegistryAccessRule($sid, 'FullControl', 'ContainerInherit', 'None', 'Allow') + $acl.ResetAccessRule($rule) + $regKey.SetAccessControl($acl) + } + + ### Step 5 - recursively repeat steps 2-5 for subkeys + if ($recurse) { + foreach ($subKey in $regKey.OpenSubKey('').GetSubKeyNames()) { + Take-KeyPermissions $rootKey ($key + '\' + $subKey) $sid $recurse ($recurseLevel + 1) + } + } + } + + Take-KeyPermissions $rootKey $key $sid $recurse +} + +Take-Permissions "Users" "S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" "S-1-5-20" +:fixsppperms: + +::======================================================================================================================================== + +:: Install License files using Powershell/WMI instead of slmgr.vbs + +:xrm: +function InstallLicenseFile($Lsc) { + try { + $null = $sls.InstallLicense([IO.File]::ReadAllText($Lsc)) + } catch { + $host.SetShouldExit($_.Exception.HResult) + } +} +function InstallLicenseArr($Str) { + $a = $Str -split ';' + ForEach ($x in $a) {InstallLicenseFile "$x"} +} +function InstallLicenseDir($Loc) { + dir $Loc *.xrm-ms -af -s | select -expand FullName | % {InstallLicenseFile "$_"} +} +function ReinstallLicenses() { + $Oem = "$env:SysPath\oem" + $Spp = "$env:SysPath\spp\tokens" + InstallLicenseDir "$Spp" + If (Test-Path $Oem) {InstallLicenseDir "$Oem"} +} +:xrm: + +::======================================================================================================================================== + :scandat set token=