>>18326235
Let me reiterate:
Here is the gist of what this script, RemoveRestrictions.bat, is doing.
WS2016 in these file name is Windows Server 2016
First line shut off console window output @ECHO OFF and sets a local variable "enableextensions"
Second line outputs "Removing Security Restrictions" to the console.
Third line, secedit, allows you to configure a system with security settings stored in a database.
/db Required. Specifies the path and file name of the database containing the stored configuration. If the file name specifies a database that hasn't had a security template (as represented by the configuration file) associated with it, the /cfg <configuration file nameoption must also be specified.
This uses a temporary file in "Windows\temp\temp.sdb"
/cfg Specifies the path and file name for the security template that will be imported into the database for analysis. This option is only valid when used with the /db <database file nameparameter. If this parameter isn't also specified, the analysis is performed against any configuration already stored in the database.
This file is reading a config file named by line 1 variable combined with -dp0WS2016.inf = "enableextensions-dp0WS2016.inf"
So the database is loaded with the file configuration, overwrites anything in "Windows\temp\temp.sdb", and quite stops output or any user notifications, most likely other MS tools from seeing.
Fourth line xcopy is a full copies files and directories, including subdirectories, including hidden files.
Xcopy <Source[<Destination>] So they are copying all files from "enableextensions-dp0GPO*.*" to "Windows\System32\GroupPolicy"
the /s is for subdirectories unless empty and /y suppresses prompting to confirm that you want to overwrite an existing destination file.
The 5th line adds keys to the systems registry that weren't there for the localuser. Trust Providers are for browsers to accept a digital certificate.
State = 0x00023e00 - Check for publisher's certificate Revocation Unchecked
State = 0x00023c00 - Check for publisher's certificate Revocation Checked
The <trustedProviderselement of the <management> element configures the management providers that are trusted by IIS Manager and the Management Service (WMSVC).
https://docs.microsoft.com/en-us/troubleshoot/windows-server/deployment/error-when-you-validate-copy-windows
The /f Adds the registry entry without prompting for confirmation.
The /v <Valuename Specifies the name of the add registry entry. In this case the "State" value
The return values for the reg add operation are:
REMARKS
Value Description
0 Success
1 Failure
/t <TypeSpecifies the type for the registry entry. Type must be one of the following:
REG_SZ
REG_MULTI_SZ
REG_DWORD_BIG_ENDIAN
REG_DWORD
REG_BINARY
REG_DWORD_LITTLE_ENDIAN
REG_LINK
REG_FULL_RESOURCE_DESCRIPTOR
REG_EXPAND_SZ
So REG_DWORD is just a 32 bit number.
REG_SZ Is a null-terminated string. This will be either a Unicode or an ANSI string, depending on whether you use the Unicode or ANSI functions.
/d <DataSpecifies the data for the new registry entry. In this case 0x00023c00
In order to change ‘State’ value from ‘0x00023c00’ to the magic value ‘0x00023e00’, we need to add flag WTPF_IGNOREREVOKATION. This flag will set policy for trust provider to ignore revocation check.
So they are telling MS that it is Successful return from the operation and storing it in the State Variable.
So in essence they are subverting MS security to trust their code by adding and configuring a registry key.
The 6th line checks for errors or pauses
The 7th line prints to the console "Critical restrictions disabled"
The 8th line prints to the console "Setting Registry value that indicates the current hardening state" to look legit.
The 9th line adds a registry key for the current local machine not user part of the registry, so that this machine can without user prompting or echoing out
add a key for HKEY_LOCAL_MACHINE\SOFTWARE\Dominion Voting System\EMS\Settings" and setting the variable "Hardened" to a null terminated string
called "DeHardened-WS2016"
Line ten outputs "–SQL Server Dehardening" at the console script window.
They stop all SQL Server Database and all dependent services that it relies on then restarts it to read the new security of Windows Server 2016, in essence they are creating their own trusted version by adding and editing Reigstry keys, so the console, management console snap-ins, use a temporary database that is configured from their own .inf config file to thwart security inclusive of the SQL Server database.