> pshdo

Carbon v0.4.0.0 Released

I’m extremely proud to announce Carbon v0.4.0.0, my favorite release so far. This release contains some backwards incompatible changes, so be sure to read the Upgrade Instructions.

This release contains three major new feature sets. First, I’ve created new functions for granting/getting/revoking Windows security privileges/rights (e.g. the Logon As a Service right). Before this, Carbon used Microsoft’s legacy ntrights.exe program for managing these privileges.

Second, there are new functions for setting/getting/revoking ACLs on Windows services. These service ACLs regulate who can control a service, read a service’s properties, etc. They replace Microsoft’s legacy subinacl.exe program.

Lastly, thanks to Jonathan Valdez, the Grant-Permissions function now has the ability to control inheritance and propagation flags.

As usual, the full release notes are below and at the Carbon website.

Go get it!

Upgrade Instructions

  • If you install a manual or disabled Windows service with Install-Service, you now have to call Start-Service yourself. Install-Service only starts services whose startup type is set to Automatic (which is the default).
  • We’ve stopped distributing Microsoft’s subinacl.exe program. We didn’t have permission to distribute it, and it’s no longer supported. If any of your scripts use Invoke-SubInAcl, you’ll want to download subinacl.exe yourself and copy Invoke-SubInAcl before upgrading (you can find it in the Carbon directory in the Services.ps1 file).
  • If you’re using Grant-Permissions without named parameters, the Path parameter moved from position 3 to position 1. Re-order your parameters accordingly.
  • Rename usages of Set-IisDirectoryBrowsing to Enable-IisDirectoryBrowsing. If you use named parameters, rename its Directory parameter to Path.
  • Replace usages of Set-HgrcDefaultPushUrl with Set-IniEntry instead, e.g. Set-IniEntry -Path 'Path\to\repo\.hg\hgrc' -Section paths -Name 'default.push' -Value 'DefaultPushUrl'
  • Rename usages of Test-IisWebsiteExists to Test-IisWebsite.
  • Rename usages of Get-FullPath to ConvertTo-FullPath.


  • Created Get-Privileges, Grant-Privilege, Revoke-Privilege, and Test-Privilege for managing an identity’s security operation privileges.
  • Install-Service now uses Grant-Privilege to grant custom service identities the SeServiceLogonRight privilege. This replaces usage of Microsoft’s legacy ntrights.exe, which we probably didn’t have permission to distribute.
  • Created Get-ServicePermissions function for getting the permissions for a service, i.e. what users can control a service.
  • Created Assert-Service function to write an error if a service doesn’t exist.
  • Created Get-ServiceAcl function to get the discretionary access control list (DACL) for a service.
  • Created Get-ServiceSecurityDescriptor function to get the raw security descriptor for a service.
  • Created Grant-ServicePermission function to grant service control permissions to an identity.
  • Created Revoke-ServicePermission function to revoke all of an identity’s permissions to control a service.
  • Created Set-ServiceAcl function to set a service’s discretionary access control list (DACL).
  • Created Test-Service function to check if a service exists without writing an error.
  • Removed Invoke-SubInAcl function and the subinacl.exe program. Use the Grant-ServicePermission and Revoke-ServicePermission functions instead. If you still need subinacl.exe, please download it from Microsoft.
  • Grant-Permissions now supports controlling inheritance and propagation flags via the ApplyTo parameter, which takes a value of the new Carbon.Security.ContainerInheritanceFlags enumeration. That enumeration encapsulates all the valid combinations of inheritance/propagation flags. See the help for Grant-Permissions for more information. Thanks to Jonathan Valdez for the feature request and initial code.
  • Created ConvertTo-InheritanceFlags function for converting a Carbon.Security.ContainerInheritanceFlags to the necessary/applicable System.Security.AccessControl.InheritanceFlags.
  • Created ConvertTo-PropagationFlags function for converting a Carbon.Security.ContainerInheritanceFlags to the necessary/applicable System.Security.AccessControl.PropagationFlags.
  • Created Get-Permissions function for getting the non-inherited permissions on a file, directory, registry key, or registry value with the ability to return a specific identity’s permissions and/or inherited permissions.
  • Renamed Set-IisDirectoryBrowsing to Enable-IisDirectoryBrowsing and renamed its Directory parameter to Path.
  • Removed Set-HgrcDefaultPushUrl. Use Set-IniEntry instead.
  • Renamed Test-IisWebsiteExists to Test-IisWebsite to adhere to PowerShell naming conventions.
  • Renamed Get-FullPath to ConvertTo-FullPath to adhere to PowerShell naming conventions.

Bug fixes

  • Install-Service no longer tries to start a service if its StartupType is set to Manual or Disabled.
  • Path is now the first parameter to Grant-Permissions (it was the third) to match PowerShell standards/patterns.
  • Find-ADUser writes an error and returns null instead of throwing an exception.
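
As an added illustration of the service ACLs described above (not Carbon's code and not from the original post), the following PowerShell decodes a service security descriptor with built-in .NET classes and marks entries that allow reconfiguring the service. The function name `Get-ServiceDaclReport` and the sample SDDL string are constructed for this example; a real descriptor can be printed with `sc.exe sdshow <ServiceName>`.

```powershell
# Added example: audit who can control a service from its SDDL string.
# Get-ServiceDaclReport is a hypothetical helper, not a Carbon function.
function Get-ServiceDaclReport {
    param([Parameter(Mandatory = $true)][string] $Sddl)

    # Service-specific access-mask bits (winsvc.h) plus standard rights.
    # Generic rights (GA/GR/GW/GX) are not expanded here.
    $serviceRights = [ordered]@{
        QueryConfig  = 0x0001;  ChangeConfig        = 0x0002
        QueryStatus  = 0x0004;  EnumerateDependents = 0x0008
        Start        = 0x0010;  Stop                = 0x0020
        PauseContinue = 0x0040; Interrogate         = 0x0080
        UserDefinedControl = 0x0100
        Delete       = 0x00010000; ReadControl = 0x00020000
        WriteDac     = 0x00040000; WriteOwner  = 0x00080000
    }
    # ChangeConfig | WriteDac | WriteOwner: enough to take over the service.
    $reconfigureMask = 0x000C0002

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # unresolvable SID: show it raw

        $names = $serviceRights.GetEnumerator() |
            Where-Object { $ace.AccessMask -band $_.Value } |
            ForEach-Object { $_.Key }

        New-Object PSObject -Property @{
            Identity       = $who
            AceType        = $ace.AceType
            Rights         = $names -join ', '
            CanReconfigure = [bool]($ace.AccessMask -band $reconfigureMask)
        }
    }
}

# Constructed sample: a typical service DACL plus one deliberately
# over-permissive ACE for Authenticated Users (AU) that includes ChangeConfig (DC).
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)' +
          '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWLOCRRC;;;IU)' +
          '(A;;CCDCLCSWRPWPLOCRRC;;;AU)'

Get-ServiceDaclReport -Sddl $sample |
    Select-Object Identity, AceType, CanReconfigure, Rights |
    Format-Table -AutoSize -Wrap
```

Any row with CanReconfigure set for an identity other than SYSTEM or Administrators is worth reviewing, and is the kind of entry Revoke-ServicePermission is meant to remove.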