UmLsa.cpp

Go to the documentation of this file.

//~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// Project: uLib - User mode library.
// Module:  User mode LSA based functions and helpful security subroutines.
// Author: Copyright (c) Love Nystrom
// License: NNOSL (BSD descendant, see NNOSL.txt in the base directory).
//~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#include <uLib/UtilFunc.h>
#include <uLib/StrFunc.h>
#include <uLib/Debug.h>

#define _INIT_FP_ 1
#include <uLib/UmLsa.h>

// Initialize function pointers to some LSA APIs that are not exported
// in AdvApi32.lib. Some of them have no alternatives.
// These were previously only accesible via NtLsa.h, ergo not in user mode.

bool InitLsaFunc()
{
    static CCSTR ModName = _T("ADVAPI32");

    bool ok = (_LsaOpenAccount != NULL); // Use this as "initialized" flag.
    if ( !ok )
    {
        HMODULE hMod = GetModuleHandle( ModName ); // Already loaded?
        if (!hMod) hMod = LoadLibrary( ModName ); // No.. Load it now.

        ok = (hMod != NULL);
        if (ok)
        {
            LONG_PTR anyPtr = 0;
            // Account
            INIT_LSAFUNC( LsaOpenAccount );
            INIT_LSAFUNC( LsaCreateAccount );
            INIT_LSAFUNC( LsaEnumerateAccounts );
            INIT_LSAFUNC( LsaGetSystemAccessAccount );
            INIT_LSAFUNC( LsaSetSystemAccessAccount );
            INIT_LSAFUNC( LsaEnumeratePrivilegesOfAccount );
            INIT_LSAFUNC( LsaAddPrivilegesToAccount );
            INIT_LSAFUNC( LsaRemovePrivilegesFromAccount );
            INIT_LSAFUNC( LsaGetQuotasForAccount );
            INIT_LSAFUNC( LsaSetQuotasForAccount );
            // Policy
            INIT_LSAFUNC( LsaLookupPrivilegeValue );
            INIT_LSAFUNC( LsaEnumeratePrivileges );
            INIT_LSAFUNC( LsaDelete );
            INIT_LSAFUNC( LsaQuerySecurityObject );
            INIT_LSAFUNC( LsaSetSecurityObject );
            //INIT_LSAFUNC( LsaChangePassword ); // R.I.P...
            INIT_LSAFUNC( LsaClearAuditLog );
            // Trusted Domain
            INIT_LSAFUNC( LsaOpenTrustedDomain );
            INIT_LSAFUNC( LsaCreateTrustedDomain );
            INIT_LSAFUNC( LsaQueryInfoTrustedDomain );
            INIT_LSAFUNC( LsaSetInformationTrustedDomain );
            // Secret
            INIT_LSAFUNC( LsaOpenSecret );
            INIT_LSAFUNC( LsaCreateSecret );
            INIT_LSAFUNC( LsaSetSecret );
            INIT_LSAFUNC( LsaQuerySecret );
            // Privilege Object
            INIT_LSAFUNC( LsaLookupPrivilegeName );
            INIT_LSAFUNC( LsaLookupPrivilegeDisplayName );
            // New APIs for NT 4.0 (SUR release)
            INIT_LSAFUNC( LsaGetUserName );
            INIT_LSAFUNC( LsaGetRemoteUserName );

            if ( !_LsaOpenAccount
            || !_LsaCreateAccount
            || !_LsaEnumerateAccounts
            || !_LsaGetSystemAccessAccount
            || !_LsaSetSystemAccessAccount
            || !_LsaEnumeratePrivilegesOfAccount
            || !_LsaAddPrivilegesToAccount
            || !_LsaRemovePrivilegesFromAccount
            || !_LsaGetQuotasForAccount
            || !_LsaSetQuotasForAccount
            || !_LsaLookupPrivilegeValue
            || !_LsaEnumeratePrivileges
            || !_LsaDelete
            || !_LsaQuerySecurityObject
            || !_LsaSetSecurityObject
            //|| !_LsaChangePassword // R.I.P
            || !_LsaClearAuditLog
            || !_LsaOpenTrustedDomain
            || !_LsaCreateTrustedDomain
            || !_LsaQueryInfoTrustedDomain
            || !_LsaSetInformationTrustedDomain
            || !_LsaOpenSecret
            || !_LsaCreateSecret
            || !_LsaSetSecret
            || !_LsaQuerySecret
            || !_LsaLookupPrivilegeName
            || !_LsaLookupPrivilegeDisplayName
            || !_LsaGetUserName
            || !_LsaGetRemoteUserName )
            {
                // One or more functions not found ...
                if (!anyPtr) SetLastError( ERROR_MOD_NOT_FOUND ); // None
                else SetLastError( ERROR_PROC_NOT_FOUND ); // Some
                ok = false;
            }
        }
    }
    return ok;
}

#undef INIT_LSAFUNC
#undef _INIT_FP_


//== Local (private) subroutines ----------------------------------------------

static NTSTATUS __OpenOrCreateAccount(
    LSA_HANDLE hPolicy, PSID AcctSid, ACCESS_MASK Accs, PLSA_HANDLE phAccount
    )
{
    // Open an account object. If it doesn't exist, create a new one.

    NTSTATUS Status = _LsaOpenAccount( hPolicy, AcctSid, Accs, phAccount );
    if (Status == STATUS_OBJECT_NAME_NOT_FOUND)
        Status = _LsaCreateAccount( hPolicy, AcctSid, Accs, phAccount );

    return Status;
}

//=============================================================================
//  UmLsa addendum
//=============================================================================

bool OpenLsaPolicy( CSTR Machine, ACCESS_MASK Access, PLSA_HANDLE phPolicy )
{
    LSA_OBJECT_ATTRIBUTES ObjAttr;
    PUNICODE_STRING puSys;
    UString uName; // Handy indeed..

    // TODO: This doesn't work on Win11. Examine what's the matter..

    if (!Machine) puSys = NULL;
    else puSys = uName = Machine; // Autoconvert to Unicode if necessary

    // Attempt to open the policy.

    ZeroMemory( &ObjAttr, sizeof(ObjAttr) );
    NTSTATUS rc = LsaOpenPolicy( puSys, &ObjAttr, Access, phPolicy );

    bool ok = NT_SUCCESS( rc );
    if (!ok) SetLastError( LsaNtStatusToWinError( rc ));
    return ok;
}

// LsaCloseEx returns NULL on success, else hLsa and GetLastError.

LSA_HANDLE LsaCloseEx( LSA_HANDLE hLsa )
{
    if (hLsa)
    {
        NTSTATUS rc = LsaClose( hLsa );
        if (NT_SUCCESS( rc )) hLsa = NULL;
        else SetLastError( LsaNtStatusToWinError( rc ));
    }
    return hLsa;
}

// GetAdminGroupSid returns the SID of the BUILTIN\Administators group.
// @note Don't forget FreeSid.

PSID GetAdminGroupSid()
{
    PSID adminGrp = NULL;
  #if 1
    SID_IDENTIFIER_AUTHORITY Authority = SECURITY_NT_AUTHORITY;

    if (!AllocateAndInitializeSid(
        &Authority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS,
        0, 0, 0, 0, 0, 0, &adminGrp
    )) adminGrp = NULL;

  #else
    // Note: This necessitates mem_Free (e.g. FreeAccountSid), not FreeSid.
    WELL_KNOWN_SID_TYPE wkSid = WinBuiltinAdministratorsSid;
    DWORD cbSid = 0;
    if (!CreateWellKnownSid( wkSid, NULL, NULL, &cbSid )
    && (GetLastError() == ERROR_INSUFFICIENT_BUFFER)) // Mandatory error!
    {
        adminGrp = (PSID) mem_Alloc( cbSid );
        if (adminGrp && !CreateWellKnownSid( wkSid, NULL, adminGrp, &cbSid ))
            adminGrp = mem_Free( adminGrp );
    }
  #endif
    return adminGrp;
}

//==---------------------------------------------------------------------------

bool GetAccountSid( CSTR Machine, CSTR Account, PSID* ppSid )
{
    SID_NAME_USE peUse;
    DWORD   cbSid, ccDomain, err;
    bool    ok = false;

    if (!ppSid) SetLastError( ERROR_INVALID_PARAMETER );
    else
    {
        cbSid = ccDomain = 0;
        LookupAccountName( Machine, Account, NULL, &cbSid, NULL, &ccDomain, &peUse );
        if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) // Mandatory error ;)
        {
            *ppSid = mem_Alloc( cbSid );
            if (!*ppSid) err = ERROR_OUTOFMEMORY;
            else
            {
                TCHAR szDomain[ 128 ]; // Local, to avoid a 2nd heap allocation call.
                // Not interested in the domain here, but must give LookupAccountName
                // a domain name buffer to avoid a second ERROR_INSUFFICIENT_BUFFER.
                _ASSERTE( dimof(szDomain) >= ccDomain ); // Assert the max-length assumption
                ccDomain = dimof(szDomain);

                ok = bool_cast( LookupAccountName(
                    Machine, Account, *ppSid, &cbSid, szDomain, &ccDomain, &peUse
                    ));
                if (!ok) err = GetLastError();
            }

            if (!ok)
            {
                *ppSid = mem_Free( *ppSid );
                SetLastError( err );
            }
        }
    }
    return ok;
}

PSID FreeAccountSid( PSID Sid )
{
    return (PSID) mem_Free( Sid );
}

PSID GetCurrentUserSid()
{
    // Get the SID of the user associated with the current thread.
    // Build a fully qualified local username (limit lookup to this machine).

    TCHAR szLocalUser[ MAX_COMPUTERNAME_LENGTH + UNLEN + 1 ];
    DWORD ccMachine = MAX_COMPUTERNAME_LENGTH + 1; // 16
    DWORD ccUser = UNLEN + 1; // 257

    GetComputerName( szLocalUser, &ccMachine );
    szLocalUser[ ccMachine ] = BSLASH;
    GetUserName( &szLocalUser[ ccMachine+1 ], &ccUser );

    PSID userSid; // Get the SID
    if (!GetAccountSid( NULL, szLocalUser, &userSid )) userSid = NULL;
    return userSid;
}

//==---------------------------------------------------------------------------

bool GetLogonSid( HANDLE hToken, PSID *ppSid )
{
    BOOL ok = false;
    DWORD ix, cbGrp = 0;
    PTOKEN_GROUPS ptGrp = NULL;

    //*ppSid = NULL;
    GetTokenInformation( hToken, TokenGroups, NULL, 0, &cbGrp );
    if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
    {
        ptGrp = (PTOKEN_GROUPS) mem_Alloc( cbGrp );
        ok = (ptGrp != NULL);
        if (ok) ok = GetTokenInformation(
            hToken, TokenGroups, (PVOID) ptGrp, cbGrp, &cbGrp
            );
        if (ok)
        {
            for( ix=0; ix < ptGrp->GroupCount; ++ix )
                // SE_GROUP_LOGON_ID is a two bit flag, so use the BITS_SET macro.
                if (BITS_SET( SE_GROUP_LOGON_ID, ptGrp->Groups[ix].Attributes ))
                {
                    DWORD cbSid = GetLengthSid( ptGrp->Groups[ix].Sid );
                    *ppSid = (PSID) mem_Alloc( cbSid );
                    CopySid( cbSid, *ppSid, ptGrp->Groups[ix].Sid );
                    break;
                }
        }
        ptGrp = (PTOKEN_GROUPS) mem_Free( ptGrp );
    }
    return bool_cast( ok );
}

PSID FreeLogonSid( PSID Sid )
{
    return (PSID) mem_Free( Sid );
}

//==---------------------------------------------------------------------------

//PSECURITY_DESCRIPTOR GetObjectAbsSecurityDescriptor( HANDLE hObj, SECURITY_INFORMATION Type )
//{
//    PSECURITY_DESCRIPTOR pRelDsc = NULL;
//    PSECURITY_DESCRIPTOR pAbsDsc = NULL;
//    DWORD cbData = 0;
//
//    PSECURITY_DESCRIPTOR pAbsDsc;
//    DWORD cbAbsDsc, cbDacl, cbSacl, cbOwn, cbPri;
//    PSID psOwn, psPri;
//    PACL pSacl;
//
//    GetUserObjectSecurity( hObj, &Type, pRelDsc, cbData, &cbData );
//    if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
//    {
//        pRelDsc = (PSECURITY_DESCRIPTOR) mem_Alloc( cbData );
//        if (pRelDsc && GetUserObjectSecurity( hObj, &Type, pRelDsc, cbData, &cbData ))
//        {
//            ok = MakeAbsoluteSD( pSecDsc, pAbsDsc, &cbAbsDsc,
//                pDacl, &cbDacl, pSacl, &cbSacl, psOwn, &cbOwn, psPri, &cbPri
//                );
//        }
//    }
//}

// Allocate and initialize an absolute security descriptor.

PISECURITY_DESCRIPTOR AllocAbsoluteSecDesc( size_t cbDesc )
{
    if (!cbDesc) cbDesc = sizeof(SECURITY_DESCRIPTOR);
    PISECURITY_DESCRIPTOR pAbsSec = (PISECURITY_DESCRIPTOR) mem_Alloc( cbDesc );
    if (pAbsSec)
    {
        if (!InitializeSecurityDescriptor( pAbsSec, SECURITY_DESCRIPTOR_REVISION ))
            pAbsSec = (PISECURITY_DESCRIPTOR) mem_Free( pAbsSec );
    }
    return pAbsSec;
}

PISECURITY_DESCRIPTOR MakeAbsoluteSecDesc(
    PSID Owner, PSID Group, PACL Sacl, PACL Dacl,
    SECURITY_DESCRIPTOR_CONTROL Control
    )
{
    PISECURITY_DESCRIPTOR pSec = (PISECURITY_DESCRIPTOR) AllocAbsoluteSecDesc();
    if (pSec)
    {
        if (Control) SetSecurityDescriptorControl( pSec, Control, Control );
        if (Owner) SetSecurityDescriptorOwner( pSec, Owner, false );
        if (Group) SetSecurityDescriptorGroup( pSec, Group, false );
        if (Dacl) SetSecurityDescriptorDacl( pSec, true, Dacl, false );
        if (Sacl) SetSecurityDescriptorSacl( pSec, true, Sacl, false );
    }
    return pSec;
}

//==---------------------------------------------------------------------------

PISECURITY_DESCRIPTOR_RELATIVE GetObjectSecDesc(
    HANDLE hObj, SECURITY_INFORMATION Type, PDWORD cbDesc
    )
{
    PISECURITY_DESCRIPTOR_RELATIVE pSec = NULL;
    DWORD cbData = 0;

    if (!GetUserObjectSecurity( hObj, &Type, NULL, 0, &cbData )
    && (GetLastError() == ERROR_INSUFFICIENT_BUFFER)) // Mandatory error
    {
        pSec = (PISECURITY_DESCRIPTOR_RELATIVE) mem_Alloc( cbData );
        if (pSec)
        {
            pSec->Revision = SECURITY_DESCRIPTOR_REVISION;

            if (!GetUserObjectSecurity( hObj, &Type, pSec, cbData, &cbData ))
                pSec = (PISECURITY_DESCRIPTOR_RELATIVE) mem_Free( pSec );

            if (pSec && cbDesc) *cbDesc = cbData;
        }
    }
    return pSec;
}

PSECURITY_DESCRIPTOR FreeObjectSecDesc( PSECURITY_DESCRIPTOR pSecDesc )
{
    PISECURITY_DESCRIPTOR piSec = (PISECURITY_DESCRIPTOR) pSecDesc;

    // Don't try to free an absolute descriptor, since we don't know where the
    // Owner, Group, Dacl, and Sacl came from, ergo don't know how to dispose them.

    if (BITS_SET( SE_SELF_RELATIVE, piSec->Control ))
    {
        pSecDesc = (PSECURITY_DESCRIPTOR) mem_Free( pSecDesc );
    }
    else SetLastError( ERROR_INVALID_PARAMETER );

    return pSecDesc;
}

//==---------------------------------------------------------------------------

PACL GetObjectAcl(
    HANDLE hObj, // hObj must have READ_CONTROL (DACL) or ACCESS_SYSTEM_SECURITY (SACL).
    SECURITY_INFORMATION Type, size_t cbExtra,
    PSECURITY_DESCRIPTOR* ppSecDesc, PDWORD cbSecDesc
    )
{
    PACL pAcl = NULL;
    PISECURITY_DESCRIPTOR_RELATIVE pDsc = NULL;
    DWORD ix, cbData = 0;

    pDsc = GetObjectSecDesc( hObj, Type, &cbData );
    if (pDsc)
    {
        if (ppSecDesc) *ppSecDesc = pDsc;
        if (cbSecDesc) *cbSecDesc = cbData;

        BOOL haveAcl, defAcl;
        PACL pSrcAcl = NULL;
        BOOL (WINAPI *getAcl)(
            PSECURITY_DESCRIPTOR pSD, LPBOOL pExist, PACL* pAcl, LPBOOL pDef
            );
        switch( Type )
        {
            case DACL_SECURITY_INFORMATION: getAcl = GetSecurityDescriptorDacl; break;
            case SACL_SECURITY_INFORMATION: getAcl = GetSecurityDescriptorSacl; break;
            default: getAcl = NULL;
        }
        if (getAcl && getAcl( pDsc, &haveAcl, &pSrcAcl, &defAcl ) && haveAcl)
        {
            ACL_SIZE_INFORMATION aclInfo = { 0,0,0 };
            aclInfo.AclBytesInUse = sizeof(ACL); //??
            cbData = sizeof(ACL_SIZE_INFORMATION);

            if (GetAclInformation( pSrcAcl, &aclInfo, cbData, AclSizeInformation ))
            {
                cbData = aclInfo.AclBytesInUse + aclInfo.AclBytesFree;
                cbData += (DWORD) cbExtra;
                pAcl = (PACL) mem_Alloc( cbData );
                if (pAcl)
                {
                    static const DWORD aclRev = ACL_REVISION;
                    static const DWORD atEnd = MAXDWORD;

                    if (!InitializeAcl( pAcl, cbData, aclRev ))
                        pAcl = (PACL) mem_Free( pAcl ); // Failed: Return NULL.
                    else if (aclInfo.AceCount)
                    {
                        for( ix = 0; ix < aclInfo.AceCount; ix++ )
                        {
                            PACE_HEADER pAce;
                            if (GetAce( pSrcAcl, ix, (void**)&pAce ))
                            if (!AddAce( pAcl, aclRev, atEnd, pAce, pAce->AceSize ))
                                DPrint( DP_ERROR, _F("AddAce: %s\n"), SysErrorMsg() );
                        }
                    }
                }
            }
        }
        // If caller didn't want the sec.desc, then dispose it.
        if (!ppSecDesc) pDsc = (PISECURITY_DESCRIPTOR_RELATIVE) mem_Free( pDsc );
    }
    return pAcl;
}

PACL FreeObjectAcl( PACL pDacl )
{
    return (PACL) mem_Free( pDacl );
}

//==---------------------------------------------------------------------------

bool SetAccountSystemAccess(
    LSA_HANDLE hPolicy, PSID AcctSid, ACCESS_MASK AccsType, bool Add
    )
{
    // This function changes system access on the account represented by the
    // supplied SID. An example of such access is the SeLogonServiceRight.

    LSA_HANDLE  hAccount;
    ACCESS_MASK Access;
    NTSTATUS    Status;

    // Open the account object. If it doesn't exist, create a new one

    Status = __OpenOrCreateAccount( hPolicy,
        AcctSid, ACCOUNT_ADJUST_SYSTEM_ACCESS | ACCOUNT_VIEW, &hAccount
        );
    if (NT_SUCCESS( Status ))
    {
        // Get current system access flags

        Status = _LsaGetSystemAccessAccount( hAccount, &Access );
        if (NT_SUCCESS( Status ))
        {
           // Change the specified access to the account

            if (Add) Access |= AccsType; else Access &= ~AccsType;
            Status = _LsaSetSystemAccessAccount( hAccount, Access );
        }
        LsaClose( hAccount );
    }

    bool ok = NT_SUCCESS( Status );
    if (!ok) SetLastError( LsaNtStatusToWinError( Status ));
    return ok;
}


bool GetAccountSystemAccess(
    LSA_HANDLE hPolicy, PSID AcctSid, ACCESS_MASK* Access
    )
{
    LSA_HANDLE  hAccount;
    NTSTATUS    Status;

    Status = _LsaOpenAccount( hPolicy, AcctSid, ACCOUNT_VIEW, &hAccount );
    if (NT_SUCCESS( Status ))
    {
        Status = _LsaGetSystemAccessAccount( hAccount, Access );
        LsaClose( hAccount );
    }

    bool ok = NT_SUCCESS( Status );
    if (!ok) SetLastError( LsaNtStatusToWinError( Status ));
    return ok;
}

//==---------------------------------------------------------------------------

bool SetAccountPrivilege(
    LSA_HANDLE hPolicy, PSID AcctSid, CSTR Privilege, bool Add
    )
{
    PRIVILEGE_SET ps;
    LSA_HANDLE  hAccount;
    NTSTATUS    Status;

    // Obtain the LUID of the supplied privilege.

    UString uPrivilege( Privilege ); // Convert if necessary
    Status = _LsaLookupPrivilegeValue( hPolicy, uPrivilege, &ps.Privilege[0].Luid ); // ps..Luid
    if (NT_SUCCESS( Status ))
    {
        // Open the account object. If it doesn't exist, create a new one.

        Status = __OpenOrCreateAccount(
            hPolicy, AcctSid, ACCOUNT_ADJUST_PRIVILEGES, &hAccount
            );
        if (NT_SUCCESS( Status ))
        {
            // Setup the rest of PRIVILEGE_SET

            ps.Privilege[0].Attributes = 0;
            ps.PrivilegeCount = 1;
            ps.Control = 0;

            // Add or remove the privileges to the account

            if (Add) Status = _LsaAddPrivilegesToAccount( hAccount, &ps );
            else Status = _LsaRemovePrivilegesFromAccount( hAccount, false, &ps );

            LsaClose( hAccount );
        }
    }

    bool ok = NT_SUCCESS( Status );
    if (!ok) SetLastError( LsaNtStatusToWinError( Status ));
    return ok;
}

bool ULSA_AccountHasPrivilege( LSA_HANDLE hPolicy, PSID AcctSid, WCSTR Privilege ) // internal
{
    ULONG ix, nRights;
    PUNICODE_STRING puRights;
    NTSTATUS Status = LsaEnumerateAccountRights( hPolicy, AcctSid, &puRights, &nRights );
    if (NT_SUCCESS( Status ))
    {
        UString uRight;
        Status = STATUS_PRIVILEGE_NOT_HELD; // Assume privilege absent
        for( ix=0; ix < nRights; ++ix )
        {
            uRight = puRights[ix]; // Make sure it's NUL terminated
            if (0 == wcscmp( (PCWSTR)uRight, Privilege ))
            {
                Status = STATUS_SUCCESS;
                break;
            }
        }
        LsaFreeMemory( puRights );
    }
    bool ok = NT_SUCCESS( Status );
    if (!ok) SetLastError( LsaNtStatusToWinError( Status ));
    return ok;
}

bool AccountHasPrivilege( LSA_HANDLE hPolicy, PSID AcctSid, CSTR Privilege )
{
    NTSTATUS    Status;
    LUID        prvLuid;

    // Lookup the LUID to see if the privilege exists.

    UString uPrivilege( Privilege ); // Convert if necessary
    Status = _LsaLookupPrivilegeValue( hPolicy, uPrivilege, &prvLuid );
    bool ok = NT_SUCCESS( Status );

    if ( ok ) ok = ULSA_AccountHasPrivilege( hPolicy, AcctSid, (WSTR)uPrivilege );
    else SetLastError( LsaNtStatusToWinError( Status ));

    return ok;
}

// TODO: bool UserHasPrivilege( LSA_HANDLE hPolicy, PSID userSid, CSTR Privilege );
//       ^^ Incl all effective rights from account and groups..

bool UserHasPrivilege( LSA_HANDLE hPolicy, PSID userSid, CSTR Privilege )
{
    bool haveIt = false;
    //LSA_HANDLE hPolicy = NULL;
    //if (OpenLsaPolicy( NULL, POLICY_ALL_ACCESS, &hPolicy ))
    //{
        DebugBreak(); // Not implemented yet..
    //    hPolicy = LsaCloseEx( hPolicy );
    //}
    return haveIt;
}

/*
bool EnablePrivileges( HANDLE hToken, bool Enable, PTOKEN_PRIVILEGES* ppSave, ... )
{
    static const UINT MAX_PRIVS = 24; // 24 privileges defined in Windows 2000
    PTOKEN_PRIVILEGES newTp = AllocPrivileges( MAX_PRIVS, NULL );
    PTOKEN_PRIVILEGES saveTp = NULL;

    DWORD   Attr, rc, cbRtn, cbSave = 0;
    LUID    Luid;
    CSTR    pzPrvName;
    va_list va;

    va_start( va, ppSave );
    Attr = Enable ? SE_PRIVILEGE_ENABLED : 0;

    while( (pzPrvName = va_arg( va, CSTR )) != NULL )
    {
        if (LookupPrivilegeValue( NULL, pzPrvName, &Luid ))
        {
            UINT ix = newTp->PrivilegeCount;
            newTp->Privileges[ ix ].Luid = Luid;
            newTp->Privileges[ ix ].Attributes = Attr;

            if (++newTp->PrivilegeCount == MAX_PRIVS) break;
        }
    }
    if (ppSave)
    {
        saveTp = AllocPrivileges( newTp->PrivilegeCount, &cbSave );
        *ppSave = saveTp;
    }

    bool ok = bool_cast(
        AdjustTokenPrivileges( hToken, FALSE, newTp, cbSave, saveTp, &cbRtn )
        );
    rc = GetLastError();

    if (!ok && saveTp)
    {
        *ppSave = FreePrivileges( *ppSave );
    }
    FreePrivileges( newTp );
    if (!ok) SetLastError( rc );
    return ok;
}

bool RestorePrivileges( HANDLE hTok, PTOKEN_PRIVILEGES pSaved, bool Dispose )
{
    bool ok = bool_cast( AdjustTokenPrivileges( hTok, FALSE, pSaved, 0, NULL, NULL ));
    DWORD rc = ok ? 0 : GetLastError(); //DPrint( DP_ERROR,_T("[RestorePrivilege] AdjustTokenPrivileges failed: %s\n"),  SysErrorMsg() );
    if (Dispose) FreePrivileges( pSaved );
    if (!ok) SetLastError( rc );
    return ok;
}
*/
//==---------------------------------------------------------------------------
// SetThreadPrivilegeEx - Adds temp priv if not in user's account..
//==---------------------------------------------------------------------------

#define HPRIVILEGE_VER 2
#if (HPRIVILEGE_VER == 1)

struct PRIVILEGE_ITEM // (HPRIVILEGE) Privilege item for SetTokenPrivilegeEx
{
    CSTR    Name;       // Privilege name.
    bool    held;       // Privilege already held by caller's account.
    bool    added;      // Privilege successfully added to caller's account.
    bool    enabled;    // Privilege successfully enabled.
    PSID    userSid;    // Caller's SID
    bool    imperSelf;  // ImpersonateSelf successfully called.
    PTOKEN_PRIVILEGES ptPriv; // Buffer for previous privilege state.
};

HPRIVILEGE SetThreadPrivilegeEx( CSTR Privilege )
{
    PRIVILEGE_ITEM* ppi = NULL;

    if (!_LsaLookupPrivilegeValue)
        InitLsaFunc(); // Local Security Authority

    PSID userSid = GetCurrentUserSid(); // User of current thread..
    if (userSid)
    {
        LSA_HANDLE hPolicy = NULL;
        if (OpenLsaPolicy( NULL, POLICY_ALL_ACCESS, &hPolicy ))
        {
            ppi = (PRIVILEGE_ITEM*) mem_Alloc( sizeof(PRIVILEGE_ITEM) );
            ppi->userSid = userSid;
            ppi->Name = mem_DupStr( Privilege );

            ppi->held = AccountHasPrivilege( hPolicy, userSid, Privilege );
            if (!ppi->held) ppi->added = SetAccountPrivilege( hPolicy, userSid, Privilege, true );
            if (AccountHasPrivilege( hPolicy, userSid, Privilege )) // Did it take effect?
            {
                ACCESS_MASK tokenAcc = TOKEN_QUERY| TOKEN_ADJUST_PRIVILEGES;
                HANDLE hThread = GetCurrentThread();
                HANDLE hToken = NULL;

                BOOL ok = OpenThreadToken( hThread, tokenAcc, true, &hToken );
                DWORD err = ok ? 0 : GetLastError();
                if (err == ERROR_NO_TOKEN || err == ERROR_CANT_OPEN_ANONYMOUS)
                {
                    // Add impersonation token to PEB, or change impersonation level.
                    ppi->imperSelf = bool_cast( ImpersonateSelf( SecurityImpersonation ));
                    if (ppi->imperSelf) ok = OpenThreadToken( hThread, tokenAcc, true, &hToken );
                    err = ok ? 0 : GetLastError();
                }
                if (hToken)
                {
                    ppi->enabled = EnablePrivilege( hToken, Privilege, true, &ppi->ptPriv );
                    CloseHandle( hToken ); // I don't need to keep it open.. Do I?
                }
            }
            hPolicy = LsaCloseEx( hPolicy );
        }
        if (!ppi) FreeAccountSid( userSid );
    }
    return (HPRIVILEGE) ppi;
}

HPRIVILEGE RestoreThreadPrivilege( HPRIVILEGE hPrv )
{
    if (hPrv)
    {
        PRIVILEGE_ITEM* ppi = (PRIVILEGE_ITEM*) hPrv;
        if (ppi->enabled)
        {
            ACCESS_MASK tokenAcc = TOKEN_QUERY| TOKEN_ADJUST_PRIVILEGES;
            HANDLE hThread = GetCurrentThread();
            HANDLE hToken = NULL;
            if (OpenThreadToken( hThread, tokenAcc, true, &hToken ))
            {
                if (ppi->ptPriv) RestorePrivileges( hToken, ppi->ptPriv, false );
                CloseHandle( hToken );
            }
        }
        if (ppi->imperSelf) RevertToSelf(); // Dispose the impersonation token (in PEB)
        if (ppi->added)
        {
            LSA_HANDLE hPolicy = NULL;
            if (OpenLsaPolicy( NULL, POLICY_ALL_ACCESS, &hPolicy ))
            {
                SetAccountPrivilege( hPolicy, ppi->userSid, ppi->Name, false );
                LsaCloseEx( hPolicy );
            }
        }
        ppi->Name = mem_FreeStr( ppi->Name );
        ppi->ptPriv = FreePrivileges( ppi->ptPriv );
        ppi->userSid = FreeAccountSid( ppi->userSid );
        hPrv = (HPRIVILEGE) mem_Free( (PVOID) hPrv );
    }
    return hPrv;
}

#elif (HPRIVILEGE_VER == 2)

#pragma pack( push, 1 )
struct PRIVILEGE_ITEM // (HPRIVILEGE) Privilege item for SetTokenPrivilegeEx
{
    HTOKENEX hToken;     // Impersonation token.
    PSID    userSid;    // Caller's SID
    CSTR    Name;       // Privilege name.
    bool    held;       // Privilege already held by caller's account.
    bool    added;      // Privilege successfully added to caller's account.
    bool    enabled;    // Privilege successfully enabled.
    BYTE    _rsv;       // Dword align oldPrv, else AdjustTokenPrivileges fail.
    TOKEN_PRIVILEGES oldPrv; // Buffer for previous privilege state.
    //LUID_AND_ATTRIBUTES more[7]; // Future, for a total of 8 accessible via oldPrv.
};
#pragma pack( pop )

HANDLE GetPrivilegeToken( HPRIVILEGE hPriv )
{
    PRIVILEGE_ITEM* ppi = (PRIVILEGE_ITEM*) hPriv;
    return GetThreadExToken( ppi->hToken );
}

HPRIVILEGE SetThreadPrivilegeEx( CSTR Privilege )
{
    PRIVILEGE_ITEM* ppi = NULL;

    if (!_LsaLookupPrivilegeValue)
        InitLsaFunc(); // Local Security Authority

    PSID userSid = GetCurrentUserSid(); // User of current thread..
    if ( userSid )
    {
        LSA_HANDLE hPolicy;
        if (OpenLsaPolicy( NULL, POLICY_ALL_ACCESS, &hPolicy ))
        {
            ppi = (PRIVILEGE_ITEM*) mem_Alloc( sizeof(PRIVILEGE_ITEM) );
            ppi->userSid = userSid;
            ppi->Name = mem_DupStr( Privilege );

            // FIXME: This ought to check /effective user rights/, incl group rights...
            bool ok = ppi->held = AccountHasPrivilege( hPolicy, userSid, Privilege );
            if ( !ok )
            {
                ppi->added = SetAccountPrivilege( hPolicy, userSid, Privilege, true );
                ok = AccountHasPrivilege( hPolicy, userSid, Privilege ); // Did it take effect?
            }
            if ( ok )
            {
                ACCESS_MASK tokenAcc = TOKEN_QUERY| TOKEN_ADJUST_PRIVILEGES;
                HANDLE hThread = GetCurrentThread();

                ppi->hToken = OpenThreadTokenEx( hThread, tokenAcc );
                if ( ppi->hToken )
                {
                    ppi->oldPrv.PrivilegeCount = 1;
                    HANDLE hToken = GetThreadExToken( ppi->hToken );
                    ppi->enabled = EnablePrivilege(
                        hToken, Privilege, true, &ppi->oldPrv.Privileges[0]
                        );
                }
            }
            hPolicy = LsaCloseEx( hPolicy );
        }
        if (!ppi) FreeAccountSid( userSid );
    }
    return (HPRIVILEGE) ppi;
}

HPRIVILEGE RestoreThreadPrivilege( HPRIVILEGE hPrv )
{
    if (hPrv)
    {
        PRIVILEGE_ITEM* ppi = (PRIVILEGE_ITEM*) hPrv;
        if (ppi->enabled)
        {
            HANDLE hToken = GetPrivilegeToken( hPrv );
            bool ok = RestorePrivilege( hToken, &ppi->oldPrv );
        }
        ppi->hToken = CloseThreadTokenEx( ppi->hToken );
        if (ppi->added)
        {
            LSA_HANDLE hPolicy;
            if (OpenLsaPolicy( NULL, POLICY_ALL_ACCESS, &hPolicy ))
            {
                SetAccountPrivilege( hPolicy, ppi->userSid, ppi->Name, false );
                LsaCloseEx( hPolicy );
            }
        }
        ppi->Name = mem_FreeStr( ppi->Name );
        ppi->userSid = FreeAccountSid( ppi->userSid );
        hPrv = (HPRIVILEGE) mem_Free( (PVOID) hPrv );
    }
    return hPrv;
}

#elif (HPRIVILEGE_VER == 3) // PENDING

struct TPRIV_ITEM
{
    LUID_AND_ATTRIBUTES oldPrv; // Buffer for previous privilege state.
    CSTR    Name;       // Privilege name.
    // Unused (for privileges) Attributes bits.
    #define TPF_HELD    0x01000000 // Privilege already held by caller's account.
    #define TPF_ADDED   0x02000000 // Privilege successfully added to caller's account.
    #define TPF_ENABLED 0x04000000 // Privilege successfully enabled.
    #define TPF_MASK    0x07000000
};
struct PRIVILEGE_ITEM // (HPRIVILEGE) Privilege item for SetTokenPrivilegesEx
{
    HTOKENEX hToken;     // First, so HPRIVILEGE can be cast to token HANDLE.
    PSID    userSid;    // Caller's SID
    UINT    nrPriv;     // Nr of privileges
    TPRIV_ITEM Priv[1]; // Privilege items
};

HPRIVILEGE SetThreadPrivilegeEx( CSTR Privilege )
{
    PRIVILEGE_ITEM* ppi = NULL;
    return (HPRIVILEGE) ppi;
}

HPRIVILEGE SetThreadPrivilegesEx( UINT NrPriv, CSTR* Privileges )
{
    PRIVILEGE_ITEM* ppi = NULL;

    if (!_LsaLookupPrivilegeValue)
        InitLsaFunc(); // Local Security Authority

    PSID userSid = GetCurrentUserSid(); // User of current thread..
    if ( userSid )
    {
        LSA_HANDLE hPolicy;
        if (OpenLsaPolicy( NULL, POLICY_ALL_ACCESS, &hPolicy ))
        {
            ppi = (PRIVILEGE_ITEM*) mem_Alloc(
                sizeof(PRIVILEGE_ITEM) + (NrPriv-1) * sizeof(TPRIV_ITEM)
                );
            ppi->userSid = userSid;
            ppi->nrPriv = NrPriv;
            for( UINT ix = 0; ix < NrPriv; ++ix )
            {
                DPrint( DP_DEBUG, _F("%lu: %s\n"), ix, Privileges[ix] );

                ppi->Priv[ix].Name = mem_DupStr( Privileges[ix] );
                LookupPrivilegeValue( NULL, Privileges[ix], &ppi->Priv[ix].oldPrv.Luid );

                //bool ok = ppi->held = AccountHasPrivilege( hPolicy, userSid, Privilege );
                //if ( !ok )
                //{
                //    ppi->added = SetAccountPrivilege( hPolicy, userSid, Privilege, true );
                //    ok = AccountHasPrivilege( hPolicy, userSid, Privilege ); // Did it take effect?
                //}
                //if ( ok )
                //{
                //    ACCESS_MASK tokenAcc = TOKEN_QUERY| TOKEN_ADJUST_PRIVILEGES;
                //    HANDLE hThread = GetCurrentThread();

                //    ppi->hToken = OpenThreadTokenEx( hThread, tokenAcc );
                //    if ( ppi->hToken )
                //    {
                //        ppi->oldPrv.PrivilegeCount = 1;
                //        HANDLE hToken = GetThreadExToken( ppi->hToken );
                //        ppi->enabled = EnablePrivilege(
                //            hToken, Privilege, true, &ppi->oldPrv.Privileges[0]
                //            );
                //    }
                //}
            }
            hPolicy = LsaCloseEx( hPolicy );
        }
        if (!ppi) FreeAccountSid( userSid );
    }
    return NULL;
}

HPRIVILEGE RestoreThreadPrivileges( HPRIVILEGE hPrv )
{
    if (hPrv)
    {
        PRIVILEGE_ITEM* ppi = (PRIVILEGE_ITEM*) hPrv;
        //if (ppi->enabled)
        //{
        //    HANDLE hToken = GetPrivilegeToken( hPrv );
        //    bool ok = RestorePrivileges( hToken, &ppi->oldPrv, false );
        //}
        //ppi->hToken = CloseThreadTokenEx( ppi->hToken );
        //if (ppi->added)
        //{
        //    LSA_HANDLE hPolicy;
        //    if (OpenLsaPolicy( NULL, POLICY_ALL_ACCESS, &hPolicy ))
        //    {
        //        SetAccountPrivilege( hPolicy, ppi->userSid, ppi->Name, false );
        //        LsaCloseEx( hPolicy );
        //    }
        //}
        //ppi->Name = mem_FreeStr( ppi->Name );
        ppi->userSid = FreeAccountSid( ppi->userSid );
        hPrv = (HPRIVILEGE) mem_Free( (PVOID) hPrv );
    }
    return hPrv;
}
#endif

//==---------------------------------------------------------------------------
#ifdef __cplusplus
#ifndef __GNUC__ // MinGW(64) doesn't have ADSiid.
//==---------------------------------------------------------------------------

BEGIN_NAMESPACE( uLib )

// Since LSA seems unable to enumerate a list of local groups, we're forced
// to enlist the aid of Active Direcory Services to get the group list.
// Once we got it, we can use LSA to get further properties of each.

#define SID_NAME_NONE  SID_NAME_USE(0)

GroupEntry::GroupEntry( CSTR name )
: Domain( NULL ), Sid( NULL ), sidUse( SID_NAME_NONE )
{
    InitializeListEntry( this );
    Name = newStr( name );
}

#ifndef _UNICODE
GroupEntry::GroupEntry( WSTR name ) // Autoconverter
: Domain( NULL ), Sid( NULL ), sidUse( SID_NAME_NONE )
{
    CHAR sBuf[ 128 ];

    InitializeListEntry( this );
    if (!WideCharToMultiByte( CP_ACP, 0, name,-1, sBuf,dimof(sBuf), NULL, NULL ))
    {
        TRACE( DP_ERROR, _F("WideCharToMultiByte failed: %s. Name will be blank.\n"), SysErrorMsg() );
        sBuf[0] = 0;
    }
    Name = newStr( sBuf );
}
#endif

GroupEntry::~GroupEntry()
{
    deleteStr( Name );
    deleteStr( Domain );
    mem_Free( Sid );
}

bool __stdcall GroupEntry::_find_Sid( PLIST_ENTRY Entry, PVOID Ctx ) // static
{
    PGroupEntry pItem = (PGroupEntry) Entry;
    CSTR Machine = (CSTR) Ctx;

    SID_NAME_USE sidUse;
    DWORD   cbSid, ccDom;
    BOOL    ok;

    cbSid = ccDom = 0;
    ok = LookupAccountName( Machine, pItem->Name, NULL, &cbSid, NULL, &ccDom, &sidUse );
    if (!ok && GetLastError() == ERROR_INSUFFICIENT_BUFFER)
    {
        pItem->Sid = (PSID) mem_Alloc( cbSid );
        if (pItem->Sid)
        {
            pItem->Domain = new TCHAR[ ccDom+2 ]; // Comply w newStr
            if (!pItem->Domain) ccDom = 0;

            ok = LookupAccountName( Machine,
                pItem->Name, pItem->Sid, &cbSid, (TSTR)pItem->Domain, &ccDom,
                &pItem->sidUse // Win7: Why are they all SidTypeAlias ?
                );
            if (!ok) ok = (GetLastError() == ERROR_INSUFFICIENT_BUFFER); // Domain
            if (!ok || !IsValidSid( pItem->Sid ))
            {
                deleteStr( pItem->Domain ); // Null safe.
                pItem->Sid = (PSID) mem_Free( pItem->Sid );
            }
        }
    }
    return true; // Continue enumeration
}

//==---------------------------------------------------------------------------

GroupList::GroupList()
: DLinkList(), Machine(NULL)
{}

GroupList::~GroupList()
{
    Clear();
}

void GroupList::Clear()
{
    RemoveAll( _del_Entry );
    Machine = deleteStr( Machine );
}

bool __stdcall GroupList::_del_Entry( PLIST_ENTRY Entry, PVOID Ctx ) // static
{
    delete (PGroupEntry) Entry;
    return true;
}

UINT GroupList::GetFromADS( CSTR Machine ) // Link with: ActiveDS.lib and ADSiid.lib
{
    IADsContainer*  pCont;
    IADsGroup*      pGrp;
    IEnumVARIANT*   pEnum;
    IUnknown*       pUnk;
    IDispatch*      pDisp;

    WCHAR           wzPath[ MAX_PATH ];
    ULONG           nEnum;
    HRESULT         hr;
    BSTR            bstr;
    VARIANT         vDisp;

    #define _OK_  SUCCEEDED // Unhide the forest from behind the trees ;)

    bool shellInited = ShellFuncInitialized();
    if (!shellInited) InitShellFunc();

    // The way this is done is a bit finicky, and not well documented.
    // I found the ancestor for this code through a Google search, and adapted.
    // There may be more efficient algorithms (Computer->GroupCollection?)...
    // PONDER: Can I come up with a neater GetFromADS implementation?

    VariantInit( &vDisp );
    Clear(); // Discard any previous list
    this->Machine = newStr( Machine );

    UString uMachine( Machine ); //<< Auto-convert to Unicode if we're in Ansi mode
    swprintf_s( wzPath, dimof(wzPath), L"WinNT://%s,computer", (PCWSTR)uMachine );

    hr = ADsGetObject( wzPath, IID_IADsContainer, (void**)&pCont );
    if (_OK_( hr ))
    {
        if (_OK_( pCont->get__NewEnum( &pUnk )))
        {
            hr = pUnk->QueryInterface( IID_IEnumVARIANT, (void**)&pEnum );
            pUnk->Release();
            if (_OK_( hr ))
            {
                //#1:hr = pEnum->Next( 1, &vDisp, &nEnum );
                //#1:while( SUCCEEDED( hr ) && (nEnum > 0) )
                while(_OK_( pEnum->Next( 1, &vDisp, &nEnum )) && (nEnum > 0))
                {
                    pDisp = V_DISPATCH( &vDisp );

                    // IADsContainer::put_Filter doesn't seem to work, so
                    // this is by trial and error, querying an IID_IADsGroup :/

                    hr = pDisp->QueryInterface( IID_IADsGroup, (void**)&pGrp );
                    pDisp->Release();
                    if (_OK_( hr )) // A group, since it has an IID_IADsGroup
                    {
                        if (_OK_( pGrp->get_Name( &bstr )))
                        {
                            Append( new GroupEntry( bstr ));
                            SysFreeString( bstr );
                        }
                        hr = pGrp->Release();
                    }
                    VariantInit( &vDisp );
                    //#1:hr = pEnum->Next( 1, &vDisp, &nEnum );
                }
                pEnum->Release();
            }
        }
        pCont->Release();
    }
    if (!shellInited) DoneShellFunc();

    ForEach( GroupEntry::_find_Sid, (PVOID) Machine );
    return Count;
    #undef _OK_
}

END_NAMESPACE( uLib )
#endif//ndef __GNUC__
#endif//def __cplusplus
//==---------------------------------------------------------------------------
/* REFERENCE
How To Manage User Privileges Programmatically in Windows NT

In Windows NT, privileges are used to provide a means of access control that
differs from discretionary access control. A system manager uses privileges to
control which users/groups are able to manipulate various aspects of the system.
An application may use privileges when it changes a system resource, such as the
system time, or when it shuts down the system.

The User Manager tool can be used to grant and revoke privileges from accounts.

Windows NT 3.51 provides functionality which allows the developer to manage
privileges programmatically. This functionality is made available through LSA
(Local Security Authority).

An example of an application that would benefit from LSA is a service install
program. If the service is configured to run under a user account, it is necessary
for that account to have the SeServiceLogonRight "logon as a service" privilege.
This article discusses how to take advantage of LSA to grant and revoke privileges
from users and groups.

Managing user privileges can be achieved programmatically using these steps:

1. Open the policy on the target machine with LsaOpenPolicy().
   To grant privileges, open the policy with POLICY_CREATE_ACCOUNT and
   POLICY_LOOKUP_NAMES access. To revoke privileges, open the policy with
   POLICY_LOOKUP_NAMES access.

2. Obtain a SID (security identifier) representing the user/group of interest.
   The LookupAccountName() and LsaLookupNames() APIs can obtain a SID from an
   account name.

3. Call LsaAddAccountRights() to grant privileges to the user(s)
   represented by the supplied SID.

4. Call LsaRemoveAccountRights() to revoke privileges from the user(s)
   represented by the supplied SID.

5. Close the policy with LsaClose().

To successfully grant and revoke privileges, the caller needs to be an
Administrator on the target system.

The LSA API LsaEnumerateAccountRights() can be used to determine
which privileges have been granted to an account.

The LSA API LsaEnumerateAccountsWithUserRight() can be used to determine
which accounts have been granted a specified privilege.

Documentation and header files for these LSA APIs is provided in the
Windows 32 SDK in the MSTOOLS\SECURITY directory.

In the lastest versions of the Win32 SDK, the headers appear in the
mstools\samples\win32\winnt\security\include directory and the documentation
is in ....\security\lsasamp\lsaapi.hlp.

NOTE: These LSA APIs are currently implemented as Unicode only.
*/
//==---------------------------------------------------------------------------
// EOF