[wpkg-users] [OT?] Nested for on a cmd script...

Marco Gaiarin gaio at sv.lnf.it
Wed Feb 4 09:32:56 CET 2015


Hello! Rainer Meier
  On that day you were saying...

[ouch! It is a bit hard to send a .cmd to the list... third try, sorry
 for the moderator...]

> I think you should enable delayed expansion and use !UUID! in the for loop instead.

In the end I've enabled delayed expansion, but your hints were very
helpful.

Now I've prepared and tested the script that applies SRP using only direct
registry editing! It seems to work very well...


Only one thing still does not work. In the script I do:

  for /F "eol=; tokens=1,*" %%l in ( %WPKGROOT%\packages\srp.paths ) do (

        set pathrule=%%m

        if "!pathrule!" neq "" (

                set type=REG_SZ
                echo !pathrule! | find "%"
                if %ERRORLEVEL% equ 0 (
                        set type=REG_EXPAND_SZ
                )

                for /F "tokens=1" %%u in ( '%WPKGROOT%\tools\Uuidgen.Exe' ) do (
                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\!level!\Paths\{%%u}" /f /v "ItemData" /t !type! /d "!pathrule!"
                )
        )
  )

but %type% (or !type!) is every time 'REG_EXPAND_SZ', i.e. it seems that the
'find' call does not work, whereas it does work on the command line...


Also, I've not found an effective way to compute a 64-bit timestamp, so
I've inserted a fixed value in the script.


My complete script is attached.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                    http://www.sv.lnf.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
    http://www.lanostrafamiglia.it/25/index.php/component/k2/item/123
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
-------------- next part --------------
@ECHO OFF
::
::  Script for the registry-based application of Software Restriction Policies.
::  Copyright (C) 2015  Marco Gaiarin (gaio at linux.it)
::
::  This program is free software; you can redistribute it and/or
::  modify it under the terms of the GNU General Public License
::  as published by the Free Software Foundation; either version 2
::  of the License, or (at your option) any later version.
::
::  This program is distributed in the hope that it will be useful,
::  but WITHOUT ANY WARRANTY; without even the implied warranty of
::  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
::  GNU General Public License for more details.
::
::  You should have received a copy of the GNU General Public License
::  along with this program; if not, write to the Free Software
::  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
::  USA.
::
:: CHANGELOG
:: (Tue Feb  3 16:40:04 CET 2015)
::   + first version

:: 'EnableDelayedExpansion' is needed to handle variables that are set and read inside the for loops.
::
Setlocal EnableDelayedExpansion

:: The command-line parameter says whether to operate in black mode (everything denied except a whitelist)
:: or white mode (everything allowed except a blacklist).
:: If not specified, it is white.
::
if "%1" == "black" (
	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /f /v "DefaultLevel" /t REG_DWORD /d "0"
) else (
	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /f /v "DefaultLevel" /t REG_DWORD /d "262144"
)

:: Set the other common parameters. In particular the policies are disabled for Administrators (PolicyScope=1).
::
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /f /v "TransparentEnabled" /t REG_DWORD /d "1"
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /f /v "PolicyScope" /t REG_DWORD /d "1"
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /f /v "AuthenticodeEnabled" /t REG_DWORD /d "0"
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /f /v "ExecutableTypes" /t REG_MULTI_SZ /d "WSC\0VB\0URL\0SHS\0SCR\0REG\0PIF\0PCD\0OCX\0MST\0MSP\0MSI\0MSC\0MDE\0MDB\0LNK\0ISP\0INS\0INF\0HTA\0HLP\0EXE\0CRT\0CPL\0COM\0CMD\0CHM\0BAT\0BAS\0ADP\0ADE"

:: The rule timestamp is fixed, and is a timestamp of today (a FILETIME, stored as REG_QWORD).
::
set ts=130674430620013217

:: Loop over the custom rules, first the general ones and then the host-specific ones.
:: usebackq lets the file names be quoted, so a WPKGROOT containing spaces still works;
:: a missing per-host file only prints a "cannot find the file" message and the loop goes on.
::
for /F "usebackq eol=; tokens=1,*" %%l in ("%WPKGROOT%\packages\srp.paths" "%WPKGROOT%\packages\srp\%COMPUTERNAME%.paths") do (

	REM Inside a parenthesized block comments must use REM: a line starting with two colons
	REM is a label, and labels inside blocks can make cmd skip a line or fail with a syntax error.

	REM first field: the level.
	set level=262144
	if "%%l" == "black" (
		set level=0
	)

	REM second field: the path
	set pathrule=%%m

	REM do something only if I have a path... skip empty or malformed lines.
	if "!pathrule!" neq "" (

		REM If the path contains a percent sign it holds an environment variable and must be
		REM stored as REG_EXPAND_SZ, otherwise SRP would compare against the literal text.
		REM The previous test echoed the path into find and then checked ERRORLEVEL. It always
		REM succeeded: a lone percent sign in a batch file is dropped by the parser, so find
		REM searched for the empty string, and ERRORLEVEL read with percent signs inside a block
		REM is expanded when the block is parsed, not when the line runs. Stripping the percent
		REM signs with delayed-expansion substitution needs neither a pipe nor ERRORLEVEL; the
		REM doubled percent sign below is how a batch file spells a single one.
		set type=REG_SZ
		if not "!pathrule:%%=!" == "!pathrule!" (
			set type=REG_EXPAND_SZ
		)

		REM Generate a UUID and write the entry. The inner for reads the program output into a
		REM for variable, which delayed expansion does not touch.
		for /F "tokens=1" %%u in ( '%WPKGROOT%\tools\Uuidgen.Exe' ) do (
			reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\!level!\Paths\{%%u}" /f /v "ItemData" /t !type! /d "!pathrule!"
			reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\!level!\Paths\{%%u}" /f /v "LastModified" /t REG_QWORD /d "%ts%"
			reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\!level!\Paths\{%%u}" /f /v "SaferFlags" /t REG_DWORD /d "0"
			reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\!level!\Paths\{%%u}" /f /v "Description" /t REG_SZ /d ""
		)
	)
)

:: Exit
::
exit 0
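
The two open points in the message above, the REG_SZ / REG_EXPAND_SZ test that always returned REG_EXPAND_SZ and the fixed 64-bit LastModified value, worked through as an added example; this is not Marco's attached script. It assumes PowerShell is available on the host (used for the FILETIME and for the GUID, so uuidgen.exe from the SDK is not needed), writes a constructed rules file with the same layout as srp.paths into %TEMP%, and reuses the registry layout of the attached script (level 0 and 262144 under Safer\CodeIdentifiers, ItemData, LastModified, SaferFlags, Description). DRYRUN=echo makes it print the reg add commands instead of touching HKLM.

```batch
@echo off
setlocal EnableDelayedExpansion

rem Added example, not the attached script. DRYRUN=echo prints the reg add
rem commands; set it to an empty string in an elevated prompt to write HKLM.
set "DRYRUN=echo"
set "SAFER=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

rem Constructed sample rules, same layout as srp.paths: black or white, then
rem the path rule; lines starting with a semicolon are comments. A doubled
rem percent sign is how a batch file spells a literal one, so the file gets
rem single percent signs. echo( prints the rest of the line exactly as is.
set "RULES=%TEMP%\srp-example.paths"
> "%RULES%" (
    echo(; constructed sample rules
    echo(white %%ProgramFiles%%\Mozilla Firefox\firefox.exe
    echo(black %%USERPROFILE%%\Downloads\*.exe
    echo(black C:\Temp\*.cmd
    echo(white
)

rem LastModified is a FILETIME, 100-ns ticks since 1601-01-01 UTC, stored as
rem REG_QWORD. cmd has no 64-bit arithmetic, so PowerShell supplies it.
for /F "usebackq delims=" %%t in (`powershell -NoProfile -Command "[DateTime]::UtcNow.ToFileTimeUtc()"`) do set "TS=%%t"
echo LastModified=!TS!

set "N=0"
for /F "usebackq eol=; tokens=1,*" %%l in ("%RULES%") do (
    set "LEVEL=262144"
    if /I "%%l"=="black" set "LEVEL=0"
    set "PATHRULE=%%m"
    if not "!PATHRULE!"=="" (
        rem A rule holding an environment variable must be REG_EXPAND_SZ or SRP
        rem matches the literal text. Strip every percent sign with delayed
        rem expansion substitution and compare with the original: no pipe, so
        rem no child cmd.exe that would expand the variable a second time, and
        rem no ERRORLEVEL read inside a block. Rules containing an exclamation
        rem mark would be mangled by delayed expansion here.
        set "TYPE=REG_SZ"
        if not "!PATHRULE:%%=!"=="!PATHRULE!" set "TYPE=REG_EXPAND_SZ"
        rem One GUID per rule; the key name needs the braces around it.
        for /F "usebackq delims=" %%u in (`powershell -NoProfile -Command "[guid]::NewGuid().ToString()"`) do set "GUID={%%u}"
        set "KEY=%SAFER%\!LEVEL!\Paths\!GUID!"
        %DRYRUN% reg add "!KEY!" /f /v ItemData /t !TYPE! /d "!PATHRULE!"
        %DRYRUN% reg add "!KEY!" /f /v LastModified /t REG_QWORD /d !TS!
        %DRYRUN% reg add "!KEY!" /f /v SaferFlags /t REG_DWORD /d 0
        %DRYRUN% reg add "!KEY!" /f /v Description /t REG_SZ /d ""
        set /a N+=1
    )
)
echo !N! rules processed, comment and malformed lines skipped.
del "%RULES%" 2>nul
endlocal
```

In dry-run mode the two rules that carry %ProgramFiles% and %USERPROFILE% are printed with /t REG_EXPAND_SZ and the C:\Temp rule with /t REG_SZ; the comment line and the "white" line without a path produce nothing. With DRYRUN cleared in an elevated prompt, reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /s afterwards shows the keys that were written, and the GUID sub-keys are the place to look if a rule needs to be removed again.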

