O R G A N I C / F E R T I L I Z E R: 10.15

Oct 12, 2015

Calculating Bitwise Values

In the last post, I went into a bit of what bitwise AND does, looked at the binary equivalent of the userAccountControl (UAC) value, and showed some visual examples of how calculations are done to find the applied flags.

In this post, I thought I’d go through exactly how you do this. So first off, dust off your calculator and get into Programmer mode. Since Windows 10 has a beautiful calculator, I’ll be doing my demonstration on that.



You’ll cry when you see how easy this is.

  1. Make sure your calculator is set to DEC.
  2. Type in your value.
  3. Observe the BIN value.


Done! When I copy and paste out of the calculator, I get ‭00010000001000000000‬.



Well, sure. In this case, we can use the [convert] class to switch the value to base2 format. Check it out:

[Convert]::ToString(66048, 2)

This outputs the exact binary value I had before with the leading zeroes stripped off -- 10000001000000000. Note all I did was add my value 66048. As an aside, you can also change it to hexadecimal by using base16 format.

[Convert]::ToString(66048, 16)

The output is 10200. If you check the UAC chart, you will find that NORMAL_ACCOUNT (200) and DONT_EXPIRE_PASSWORD (10000) together equals 10200.

You can send the binary and hexadecimal values back to the integer value as well.

[Convert]::ToInt32(10000001000000000, 2) <- binary
[Convert]::ToInt32(10200, 16)            <- hex

Try them. You’ll end up with 66048 for both converted values.

Oh, by the way, if you recall, there is one flag called PASSWORD_EXPIRED (dec 8388608). Don’t spend your time searching this out. It doesn’t get used. Instead, the attribute pwdLastSet with a value of “0” is what is the equivalent of an expired password.



In the last post, we did some bitwise AND calculations by simply lining up the binary equivalents and matching where the 1s fell. If you wanted to do this in calculator, you start with the value at hand, 66048, and subtract the next highest number that is equal to or smaller.

66048 - 65536 = 512
512 - 512 = 0

Once you’re at 0, you’re complete. Since you were able to remove 65536 and 512 integers from 66048, those values are in effect. This method is prone to error but was what I used before learning other methods.

The more effective way to do this is to use the actual bitwise AND operator. This is how you do it.

Ex. 1   66048 AND 65536 = 65536
Ex. 2   66048 AND 16 = 0

I provided two examples. If the value returned is the same as the value you’re validating, it checks out as seen in #1. If the value returns a 0, it isn’t a match. Pretty cool, right?

PowerShell is fundamentally the same. Take a look:

> 66048 -band 65536
> 66048 -band 16



I wrote this more or less as a concept to see how things work. You could push everything into a function to return the values associated with any UAC code you throw at it.

This simple script builds an array of base2 values ranging from 2^1 to 2^26. (Technically, I think it goes up to 31 since we’re dealing with 32-bit.) Why 26? Well, there are no bit flags higher than that in use in UAC so there’s really no point.

Each value is evaluated through bitwise AND against the original integer in $myNum. The output contains the values that evaluated appropriately.

$myNum = 66048
$binArray = 1..26 | % { [math]::pow(2,$_) }
foreach ($bin in $binarray) { 
    if ( $myNum -band $bin ) {
        $binEquation += "$bin "


Output kicks out as such -- 512 65536. Yeah, not real pretty.



(Yeah, right.) I have included a link to the worksheet I created for this exercise called Bitwise_UserAccountControl.xlsx. It’s protected with a password -- bitwise. I only did that so you would know which fields to modify to make it work.


I modified the spreadsheet a little bit from the original versions I was using to make it work better. It now has a conditional formatting calculation that changes the flags row if the bit pattern is proper. :o)

  1. Modify Row 1 and replace it with the binary value of the UAC attribute.
  2. Unlock the spreadsheet and add any other binary values to check against. In the spreadsheet, I only included 2, 256, 512, and 65536 out of laziness. You can add in all of them if you wish -- making it complete.
  3. Watch the Flag row magically change to blue/white with a border if the resulting pattern is true.

Here’s a LINK to the spreadsheet if you’re interested in playing around. Anyway, that’s about all I have. I hope you found this as interesting as I did.



Bitwise Help
Decoding advertFlags
How to use the UserAccountControl flags to manipulate user account properties
[Math] in PowerShell

Oct 5, 2015

My Feeble Understanding of Bitwise

I thought I would set the record straight that by posting something about bitwise does not make me an authority. It doesn’t even make me mildly educated about the concept. In fact, if you have been with me since the beginning, you will know the intention of my blog to create posts that would serve as reminders of how I did something previously -- or interesting stuff that I might have found. With that meager attempt at excusing my ignorance, let’s talk bitwise.

In my last post, I mentioned deciphering userAccountControl (UAC). As an aside, this bitwise stuff isn’t just AD. You can find it in other things like ConfigMgr for example. Remember advertFlags? That post contained some detail on decoding, bitwise, etc., as well.



Back to our previous example, we had a user with UAC value of 66048. We decoded 66048 into its two parts, 65536 and 512. I didn’t go into much detail on how I got those two values, so I thought I’d explain all that here.

First, a background on bitwise AND. Basically, you multiply two binary values together. Since you’re dealing with 0s and 1s, you can only end up with two conclusions -- a 0 or a 1:

0 x 0 = 0 0 x 1 = 0
1 x 0 = 0 1 x 1 = 1

It’s easier to show you what I mean.



Back to UAC 66048. If we convert this decimal value to binary, we get ‭10000001000000000‬. I’ll bring this up again in a minute, but for now, here are the list of flags again, since we’re going to need to reference it.



Ordinarily, you would run a bitwise AND for all these values against 66048 to see what came back as true. Let’s pick just a few as an example (since we already know how it’s going to go.)

Decimal Binary Flag
66048 ‭0001 0000 0010 0000 0000‬
65536 0001 0000 0000 0000 0000 DONT_EXPIRE_PASSWORD
512 ‭0000 0000 0010 0000 0000‬ NORMAL_ACCOUNT
256 ‭0000 0000 0001 0000 0000‬ TEMP_DUPLICATE_ACCOUNT
2 0000 0000 0000 0000 0010 ACCOUNTDISABLE

Added some leading zeroes just to make things line up correctly.

If we lay these values back over the table of all states, this is how it looks. Remember, where the 1s line up ( 1 x 1 = 1) the state is active. The far left column is the decimal equivalent of the binary value.


Removed the leading zeroes here to compress the display.

It’s as we expected. The 1s only line up on the 65536 and 512 values which means it’s a normal account with a password that never expires. GREAT!



There are other bitwise operators such as bitwise OR which is typically used to set a value. If the value already exists, then it doesn’t set it again. I haven’t had a chance to use it so I won’t get into it much.



Bet you’re wondering if there’s a faster way to do this. Well, that’s the great thing about bitwise operators. There is. Next post though.