Skip to main content

Calculating Bitwise Values

In the last post, I went into a bit of what bitwise AND does, looked at the binary equivalent of the userAccountControl (UAC) value, and showed some visual examples of how calculations are done to find the applied flags.

In this post, I thought I’d go through exactly how you do this. So first off, dust off your calculator and get into Programmer mode. Since Windows 10 has a beautiful calculator, I’ll be doing my demonstration on that.

 

CONVERTING INTEGERS TO BINARY IN CALCULATOR

You’ll cry when you see how easy this is.

  1. Make sure your calculator is set to DEC.
  2. Type in your value.
  3. Observe the BIN value.

SNAGHTML42acf92a

Done! When I copy and paste out of the calculator, I get ‭00010000001000000000‬.

 

HOW ABOUT POWERSHELL?

Well, sure. In this case, we can use the [convert] class to switch the value to base2 format. Check it out:

[Convert]::ToString(66048, 2)

This outputs the exact binary value I had before with the leading zeroes stripped off -- 10000001000000000. Note all I did was add my value 66048. As an aside, you can also change it to hexadecimal by using base16 format.

[Convert]::ToString(66048, 16)

The output is 10200. If you check the UAC chart, you will find that NORMAL_ACCOUNT (200) and DONT_EXPIRE_PASSWORD (10000) together equals 10200.

You can send the binary and hexadecimal values back to the integer value as well.

[Convert]::ToInt32(10000001000000000, 2) <- binary
[Convert]::ToInt32(10200, 16)            <- hex

Try them. You’ll end up with 66048 for both converted values.

Oh, by the way, if you recall, there is one flag called PASSWORD_EXPIRED (dec 8388608). Don’t spend your time searching this out. It doesn’t get used. Instead, the attribute pwdLastSet with a value of “0” is what is the equivalent of an expired password.

 

PERFORMING BITWISE CALCULATIONS

In the last post, we did some bitwise AND calculations by simply lining up the binary equivalents and matching where the 1s fell. If you wanted to do this in calculator, you start with the value at hand, 66048, and subtract the next highest number that is equal to or smaller.

66048 - 65536 = 512
512 - 512 = 0

Once you’re at 0, you’re complete. Since you were able to remove 65536 and 512 integers from 66048, those values are in effect. This method is prone to error but was what I used before learning other methods.

The more effective way to do this is to use the actual bitwise AND operator. This is how you do it.

Ex. 1   66048 AND 65536 = 65536
Ex. 2   66048 AND 16 = 0

I provided two examples. If the value returned is the same as the value you’re validating, it checks out as seen in #1. If the value returns a 0, it isn’t a match. Pretty cool, right?

PowerShell is fundamentally the same. Take a look:

> 66048 -band 65536
65536
 
> 66048 -band 16
0

 

I DON’T DO ELEGANT CODE

I wrote this more or less as a concept to see how things work. You could push everything into a function to return the values associated with any UAC code you throw at it.

This simple script builds an array of base2 values ranging from 2^1 to 2^26. (Technically, I think it goes up to 31 since we’re dealing with 32-bit.) Why 26? Well, there are no bit flags higher than that in use in UAC so there’s really no point.

Each value is evaluated through bitwise AND against the original integer in $myNum. The output contains the values that evaluated appropriately.

$myNum = 66048
 
$binArray = 1..26 | % { [math]::pow(2,$_) }
 
foreach ($bin in $binarray) { 
    if ( $myNum -band $bin ) {
        $binEquation += "$bin "
    }
}
 
$binEquation

 

Output kicks out as such -- 512 65536. Yeah, not real pretty.

 

EXCELING IN FUN

(Yeah, right.) I have included a link to the worksheet I created for this exercise called Bitwise_UserAccountControl.xlsx. It’s protected with a password -- bitwise. I only did that so you would know which fields to modify to make it work.

image

I modified the spreadsheet a little bit from the original versions I was using to make it work better. It now has a conditional formatting calculation that changes the flags row if the bit pattern is proper. :o)

  1. Modify Row 1 and replace it with the binary value of the UAC attribute.
  2. Unlock the spreadsheet and add any other binary values to check against. In the spreadsheet, I only included 2, 256, 512, and 65536 out of laziness. You can add in all of them if you wish -- making it complete.
  3. Watch the Flag row magically change to blue/white with a border if the resulting pattern is true.

Here’s a LINK to the spreadsheet if you’re interested in playing around. Anyway, that’s about all I have. I hope you found this as interesting as I did.

 

REFERENCES

Bitwise Help
Decoding advertFlags
How to use the UserAccountControl flags to manipulate user account properties
[Math] in PowerShell

Comments

Popular posts from this blog

using preloadpkgonsite.exe to stage compressed copies to child site distribution points

UPDATE: john marcum sent me a kind email to let me know about a problem he ran into with preloadpkgonsite.exe in the new SCCM Toolkit V2 where under certain conditions, packages will not uncompress.  if you are using the v2 toolkit, PLEASE read this blog post before proceeding.   here’s a scenario that came up on the mssms@lists.myitforum.com mailing list. when confronted with a situation of large packages and wan links, it’s generally best to get the data to the other location without going over the wire. in this case, 75gb. :/ the “how” you get the files there is really not the most important thing to worry about. once they’re there and moved to the appropriate location, preloadpkgonsite.exe is required to install the compressed source files. once done, a status message goes back to the parent server which should stop the upstream server from copying the package source files over the wan to the child site. anyway, if it’s a relatively small amount of packages, you can

How to Identify Applications Using Your Domain Controller

Problem Everyone has been through it. We've all had to retire or replace a domain controller at some point in our checkered collective experiences. While AD provides very intelligent high availability, some applications are just plain dumb. They do not observe site awareness or participate in locating a domain controller. All they want is the name or IP of one domain controller which gets hardcoded in a configuration file somewhere, deeply embedded in some file folder or setting that you are never going to find. How do you look at a DC and decide which applications might be doing it? Packet trace? Logs? Shut it down and wait for screaming? It seems very tedious and nearly impossible. Potential Solution Obviously I wouldn't even bother posting this if I hadn't run across something interesting. :) I ran across something in draftcalled Domain Controller Isolation. Since it's in draft, I don't know that it's published yet. HOWEVER, the concept is based off

sccm: content hash fails to match

back in 2008, I wrote up a little thing about how distribution manager fails to send a package to a distribution point . even though a lot of what I wrote that for was the failure of packages to get delivered to child sites, the result was pretty much the same. when the client tries to run the advertisement with an old package, the result was a failure because of content mismatch. I went through an ordeal recently capturing these exact kinds of failures and corrected quite a number of problems with these packages. the resulting blog post is my effort to capture how these problems were resolved. if nothing else, it's a basic checklist of things you can use.   DETECTION status messages take a look at your status messages. this has to be the easiest way to determine where these problems exist. unfortunately, it requires that a client is already experiencing problems. there are client logs you can examine as well such as cas, but I wasn't even sure I was going to have enough m