Chris Allen
Guest
Hello all,
Is it possible to change a computer's SID without restarting? More
specifically... What I'm trying to do is this. I'm trying to come up
with a way to do a bare metal restore on Windows. I've written a
program that saves all of the file metadata (attribs, sacls,
dacls, mod time, etc) for all the files in the filesystem to a single
file which is backed up to another computer. Basically this is like
running SetACL or FileACL recursively and telling it to dump all the
information to a file and then copying this file elsewhere.
The problem I'm having is on restoration. I'm booting up a BartPE
boot disk, copying the files back and then applying the security
information in my metadata backup file to the filesystem. I fix the
MBR, and then boot the newly created filesystem. But... All of the
Administrator entries in the ACLs are screwed. They are set to the
SID of the Administrator of the boot CD, not the SID that's saved in
the backup file. I've come to realize the reason for this, which is
that Windows will not allow you to set a file's Administrator ACL
entry explicitly even though you tell it to (using
win32security.SetFileSecurity()), instead it will use the current OS'
Administrator SID which is S-5-21-<COMPUTER SID>-500, where <COMPUTER
SID> is the computer's SID. Anybody know why this is?
So now what I want to do is change the computer's SID on the boot CD
to match the SID of the computer I'm restoring from. I realize NewSID
from Sysinternals can do this, but it requires a reboot. Is there
some way to set the SID of the boot CD on the fly when it starts or
after BartPE comes up? It doesn't have to REALLY change it, just trick
Windows enough so that win32security.SetFileSecurity() works
correctly. Any ideas?
The other easier and more obvious option is to set the file security
after the system comes up with the old computer's files; this way it
will have the old computer's SID. But I'd rather set it all from the
boot CD and avoid extra steps.
Thanks.
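A post-restore check for the mismatch described in the post above, as an added example that is not part of the original post: it decodes the binary SIDs stored in ACL entries and reports entries whose machine SID differs from the backup while the RID (such as 500) is unchanged. The standard `S-1-5-21-...` string form, the per-path lists of trustee SIDs, and all SID values and paths are assumptions constructed for illustration; reading the SIDs from disk is outside its scope.

```python
import struct

def sid_to_bytes(sid):
    """Encode 'S-R-A-s1-s2...' into the binary SID layout stored in an ACE."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 4:
        raise ValueError("not a SID string: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    # revision, sub-authority count, 48-bit big-endian authority, LE 32-bit sub-authorities
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def sid_from_bytes(raw):
    """Decode a binary SID back into its string form."""
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % raw[1], raw, 8)
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def split_machine_sid(sid):
    """Return (machine SID, RID) for S-1-5-21-x-y-z-RID accounts, else (None, None)."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7]), int(parts[7])
    return None, None

def audit_restore(backup, restored):
    """Compare trustee SIDs per path; report entries that differ from the backup."""
    findings = []
    for path, expected in backup.items():
        actual = restored.get(path, [])
        if len(actual) != len(expected):
            findings.append((path, len(expected), len(actual), "entry count changed"))
        for want_raw, got_raw in zip(expected, actual):
            want, got = sid_from_bytes(want_raw), sid_from_bytes(got_raw)
            if want == got:
                continue
            (wm, wr), (gm, gr) = split_machine_sid(want), split_machine_sid(got)
            swapped = wm is not None and gm is not None and wm != gm and wr == gr
            findings.append((path, want, got,
                             "machine SID replaced" if swapped else "different trustee"))
    return findings

# Constructed sample data: OLD is the backed-up machine, PE the boot CD environment.
OLD = "S-1-5-21-1111111111-2222222222-3333333333"
PE = "S-1-5-21-1234567890-1234567891-1234567892"
BACKUP = {r"C:\boot.ini": [sid_to_bytes(OLD + "-500"), sid_to_bytes("S-1-5-18")]}
RESTORED = {r"C:\boot.ini": [sid_to_bytes(PE + "-500"), sid_to_bytes("S-1-5-18")]}

if __name__ == "__main__":
    print(audit_restore(BACKUP, RESTORED))
```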