Calculating Bitwise Values

In the last post, I went into a bit of what bitwise AND does, looked at the binary equivalent of the userAccountControl (UAC) value, and showed some visual examples of how calculations are done to find the applied flags.

In this post, I thought I’d go through exactly how you do this. So first off, dust off your calculator and get into Programmer mode. Since Windows 10 has a beautiful calculator, I’ll be doing my demonstration on that.

 

CONVERTING INTEGERS TO BINARY IN CALCULATOR

You’ll cry when you see how easy this is.

1. Make sure your calculator is set to DEC.
2. Type in your value.
3. Observe the BIN value.

Done! When I copy and paste out of the calculator, I get ‭00010000001000000000‬.

 

HOW ABOUT POWERSHELL?

Well, sure. In this case, we can use the [convert] class to switch the value to base2 format. Check it out:

[Convert]::ToString(66048, 2)

This outputs the exact binary value I had before with the leading zeroes stripped off -- 10000001000000000. Note all I did was add my value 66048. As an aside, you can also change it to hexadecimal by using base16 format.

[Convert]::ToString(66048, 16)

The output is 10200. If you check the UAC chart, you will find that NORMAL_ACCOUNT (200) and DONT_EXPIRE_PASSWORD (10000) together equals 10200.

You can send the binary and hexadecimal values back to the integer value as well.

[Convert]::ToInt32(10000001000000000, 2) <- binary
[Convert]::ToInt32(10200, 16)            <- hex

Try them. You’ll end up with 66048 for both converted values.

Oh, by the way, if you recall, there is one flag called PASSWORD_EXPIRED (dec 8388608). Don’t spend your time searching this out. It doesn’t get used. Instead, the attribute pwdLastSet with a value of “0” is what is the equivalent of an expired password.

 

PERFORMING BITWISE CALCULATIONS

In the last post, we did some bitwise AND calculations by simply lining up the binary equivalents and matching where the 1s fell. If you wanted to do this in calculator, you start with the value at hand, 66048, and subtract the next highest number that is equal to or smaller.

66048 - 65536 = 512
512 - 512 = 0

Once you’re at 0, you’re complete. Since you were able to remove 65536 and 512 integers from 66048, those values are in effect. This method is prone to error but was what I used before learning other methods.

The more effective way to do this is to use the actual bitwise AND operator. This is how you do it.

Ex. 1   66048 AND 65536 = 65536
Ex. 2   66048 AND 16 = 0

I provided two examples. If the value returned is the same as the value you’re validating, it checks out as seen in #1. If the value returns a 0, it isn’t a match. Pretty cool, right?

PowerShell is fundamentally the same. Take a look:

> 66048 -band 65536

65536

> 66048 -band 16

0

 

I DON’T DO ELEGANT CODE

I wrote this more or less as a concept to see how things work. You could push everything into a function to return the values associated with any UAC code you throw at it.

This simple script builds an array of base2 values ranging from 2^1 to 2^26. (Technically, I think it goes up to 31 since we’re dealing with 32-bit.) Why 26? Well, there are no bit flags higher than that in use in UAC so there’s really no point.

Each value is evaluated through bitwise AND against the original integer in $myNum. The output contains the values that evaluated appropriately.

$myNum = 66048

$binArray = 1..26 | % { [math]::pow(2,$_) }

foreach ($bin in $binarray) { 

    if ( $myNum -band $bin ) {

        $binEquation += "$bin "

    }

}

$binEquation

 

Output kicks out as such -- 512 65536. Yeah, not real pretty.

 

EXCELING IN FUN

(Yeah, right.) I have included a link to the worksheet I created for this exercise called Bitwise_UserAccountControl.xlsx. It’s protected with a password -- bitwise. I only did that so you would know which fields to modify to make it work.

I modified the spreadsheet a little bit from the original versions I was using to make it work better. It now has a conditional formatting calculation that changes the flags row if the bit pattern is proper. :o)

1. Modify Row 1 and replace it with the binary value of the UAC attribute.
2. Unlock the spreadsheet and add any other binary values to check against. In the spreadsheet, I only included 2, 256, 512, and 65536 out of laziness. You can add in all of them if you wish -- making it complete.
3. Watch the Flag row magically change to blue/white with a border if the resulting pattern is true.

Here’s a LINK to the spreadsheet if you’re interested in playing around. Anyway, that’s about all I have. I hope you found this as interesting as I did.

 

REFERENCES

Bitwise Help
Decoding advertFlags
How to use the UserAccountControl flags to manipulate user account properties
[Math] in PowerShell