uLib
User mode C/C++ extended API library for Win32 programmers.
Supplements for working with the LSA.
Typedefs

    typedef HANDLE HPRIVILEGE

Functions

    PSID GetAdminGroupSid ()
    bool GetAccountSid (CSTR Machine, CSTR Account, PSID *ppSid)
    PSID FreeAccountSid (PSID pSid)
    PSID GetCurrentUserSid ()
    bool GetLogonSid (HANDLE hToken, PSID *ppSid)
    PSID FreeLogonSid (PSID pSid)
    PACL GetObjectAcl (HANDLE hObj, SECURITY_INFORMATION Type, size_t cbExtra, PSECURITY_DESCRIPTOR *ppSecDesc OPTOUT=NULL, PDWORD cbSecDesc OPTOUT=NULL)
    PACL FreeObjectAcl (PACL pAcl)
    PSECURITY_DESCRIPTOR FreeObjectSecDesc (PSECURITY_DESCRIPTOR pSecDesc)
    PISECURITY_DESCRIPTOR_RELATIVE GetObjectSecDesc (HANDLE hObj, SECURITY_INFORMATION Type, PDWORD cbDesc)
    PISECURITY_DESCRIPTOR AllocAbsoluteSecDesc (size_t cbDesc=0)
    PISECURITY_DESCRIPTOR MakeAbsoluteSecDesc (PSID Owner, PSID Group, PACL Sacl, PACL Dacl, SECURITY_DESCRIPTOR_CONTROL Control)
    bool GetAccountSystemAccess (LSA_HANDLE hPolicy, PSID AccountSid, ACCESS_MASK *Access)
    bool SetAccountSystemAccess (LSA_HANDLE hPolicy, PSID AccountSid, ACCESS_MASK AccsType, bool Add)
    bool AccountHasPrivilege (LSA_HANDLE hPolicy, PSID AccountSid, CSTR Privilege)
    bool SetAccountPrivilege (LSA_HANDLE hPolicy, PSID AccountSid, CSTR Privilege, bool Add)
    HPRIVILEGE SetThreadPrivilegeEx (CSTR Privilege)
    HPRIVILEGE SetThreadPrivilegesEx (UINT NrPriv, CSTR *Privileges)
    HPRIVILEGE RestoreThreadPrivilege (HPRIVILEGE hPriv)
    HANDLE GetPrivilegeToken (HPRIVILEGE hPriv)
typedef HANDLE HPRIVILEGE
Handle of an extended privilege.
See SetThreadPrivilegeEx().
PSID GetAdminGroupSid ()
GetAdminGroupSid returns the SID of the BUILTIN\Administrators group.
Note: Dispose with FreeSid() or mem_Free() when you're done.
bool GetAccountSid (CSTR Machine, CSTR Account, PSID *ppSid)
GetAccountSid can get User, Group, or BuiltIn SIDs.
Parameters:
    [in]  Machine  System name. Use NULL to begin at the local system.
    [in]  Account  Account name. This may be partial, or qualified (domain\user).
    [out] ppSid    Receives a pointer to the SID, or NULL on failure.
Free the SID with FreeAccountSid() or mem_Free().
PSID FreeAccountSid (PSID pSid)
Free a SID from GetAccountSid().
PSID GetCurrentUserSid ()
Get the SID of the user associated with the current thread.
Free the SID with FreeAccountSid() or mem_Free().
bool GetLogonSid (HANDLE hToken, PSID *ppSid)
GetLogonSid gets the SID of the logon session.
Parameters:
    [in]  hToken  The user token to query. Must have TOKEN_QUERY access.
    [out] ppSid   Receives a pointer to the SID, or NULL on failure.
Free the SID with FreeLogonSid() or mem_Free().
PSID FreeLogonSid (PSID pSid)
Free a SID from GetLogonSid().
PACL GetObjectAcl (HANDLE hObj, SECURITY_INFORMATION Type, size_t cbExtra, PSECURITY_DESCRIPTOR *ppSecDesc OPTOUT = NULL, PDWORD cbSecDesc OPTOUT = NULL)
GetObjectAcl copies the DACL or SACL of a user object.
For the DACL, hObj must have been opened with READ_CONTROL; for the SACL it must have ACCESS_SYSTEM_SECURITY.
The correct way to get SACL access is to enable the SE_SECURITY_NAME privilege in the caller's current token,
open the handle for ACCESS_SYSTEM_SECURITY access, and then disable the privilege when done.
Parameters:
    [in]  hObj       Handle of the object to query.
    [in]  Type       One of DACL_SECURITY_INFORMATION or SACL_SECURITY_INFORMATION.
    [in]  cbExtra    Specifies an overallocation size for the copied ACL, which you can use if you need to add ACEs to the returned ACL.
    [out] ppSecDesc, cbSecDesc  [optional] If provided, ppSecDesc receives a pointer to the self-relative security descriptor of hObj from which the ACL was extracted, and cbSecDesc receives its size.
Free the items with FreeObjectAcl() and FreeObjectSecDesc(), or mem_Free().
PACL FreeObjectAcl (PACL pAcl)
Free an ACL from GetObjectAcl().
PSECURITY_DESCRIPTOR FreeObjectSecDesc (PSECURITY_DESCRIPTOR pSecDesc)
Free a self-relative (packed) security descriptor.
Parameters:
    [in] pSecDesc  Pointer to the security descriptor.
Note: FreeObjectSecDesc will not try to free an absolute descriptor, since it doesn't know
where the Owner, Group, Dacl, and Sacl came from, and therefore doesn't know how to dispose of them.
In that case it returns pSecDesc untouched, and sets ERROR_INVALID_PARAMETER.
PISECURITY_DESCRIPTOR_RELATIVE GetObjectSecDesc (HANDLE hObj, SECURITY_INFORMATION Type, PDWORD cbDesc)
Allocate and retrieve a self-relative (packed) security descriptor from hObj.
Parameters:
    [in]  hObj    Handle of the object to query.
    [in]  Type    Specifies which information to retrieve.
    [out] cbDesc  Receives the size of the returned descriptor.
Dispose with FreeObjectSecDesc() or mem_Free().
PISECURITY_DESCRIPTOR AllocAbsoluteSecDesc (size_t cbDesc = 0)
Allocate an absolute (partitioned) security descriptor.
Except for its revision level, the descriptor is empty; you add the DACL etc. yourself.
Dispose with mem_Free() when you're done.
See also MakeAbsoluteSecDesc().
PISECURITY_DESCRIPTOR MakeAbsoluteSecDesc (PSID Owner, PSID Group, PACL Sacl, PACL Dacl, SECURITY_DESCRIPTOR_CONTROL Control)
Allocate and initialize an absolute (partitioned) security descriptor.
Parameters:
    [in] Owner    [optional] Owner SID for the descriptor.
    [in] Group    [optional] Group SID for the descriptor.
    [in] Sacl     [optional] System access control list.
    [in] Dacl     [optional] Discretionary access control list.
    [in] Control  [optional] Descriptor control flags.
Dispose with mem_Free() when you're done.
Note: Don't forget to dispose of your Owner, Group, Sacl, and Dacl first; freeing the descriptor does not free them. See also AllocAbsoluteSecDesc().
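The GetObjectAcl(), FreeObjectSecDesc(), and MakeAbsoluteSecDesc() entries above all turn on the difference between a self-relative (packed) descriptor, whose SIDs and ACLs live inside one block addressed by offsets, and an absolute one, whose SIDs and ACLs are separate allocations reached by pointers. The following is an added example, not uLib code and not a Win32 API: it re-declares the public Win32 SID, ACL, ACE and self-relative descriptor layouts in portable C++ (assuming a little-endian host), packs a descriptor, applies the same self-relative check FreeObjectSecDesc() relies on, shows how to size cbExtra from the ACEs you intend to append, and walks the DACL with Windows semantics (absent or NULL DACL grants everything, empty DACL grants nothing, a matching deny ACE wins). Every name in namespace sd is this example's own.

```cpp
// Added example, not uLib code: portable re-declarations of the public Win32 SID, ACL, ACE and
// self-relative descriptor layouts (packed; little-endian host assumed), showing the self-relative vs
// absolute distinction behind FreeObjectSecDesc(), how to size cbExtra, and how a DACL is evaluated.
// Every name in namespace sd is this example's own, not a uLib API.
#include <cstdint>
#include <cstring>
#include <initializer_list>
#include <vector>

namespace sd {
constexpr uint16_t SE_DACL_PRESENT = 0x0004, SE_SELF_RELATIVE = 0x8000;
constexpr uint8_t ACCESS_ALLOWED_ACE_TYPE = 0, ACCESS_DENIED_ACE_TYPE = 1;
#pragma pack(push, 1)
struct SecDescRel { uint8_t Revision, Sbz1; uint16_t Control; uint32_t OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl; };
struct AclHdr { uint8_t AclRevision, Sbz1; uint16_t AclSize, AceCount, Sbz2; };
struct AceHdr { uint8_t AceType, AceFlags; uint16_t AceSize; };  // followed by ACCESS_MASK, then the SID
#pragma pack(pop)

// SID layout: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian) SubAuthority[n](4 each, LE).
// MakeSid(5, {32, 544}) is S-1-5-32-544, the BUILTIN\Administrators SID that GetAdminGroupSid() returns.
inline size_t SidLength(const uint8_t* sid) { return 8 + 4u * sid[1]; }

std::vector<uint8_t> MakeSid(uint64_t authority, std::initializer_list<uint32_t> subs) {
    std::vector<uint8_t> v(8 + 4 * subs.size(), 0);
    v[0] = 1;
    v[1] = static_cast<uint8_t>(subs.size());
    for (int i = 0; i < 6; ++i) v[2 + i] = static_cast<uint8_t>(authority >> (8 * (5 - i)));
    size_t off = 8;
    for (uint32_t s : subs) { std::memcpy(&v[off], &s, 4); off += 4; }
    return v;
}

inline bool SidEqual(const uint8_t* a, const uint8_t* b) {
    return SidLength(a) == SidLength(b) && std::memcmp(a, b, SidLength(a)) == 0;
}

struct AceSpec { uint8_t Type; uint32_t Mask; std::vector<uint8_t> Sid; };

// Bytes one ACCESS_ALLOWED/DENIED ACE occupies (header + mask + SID). Sum this over the ACEs you
// intend to append to choose cbExtra for GetObjectAcl().
inline size_t AceBytesNeeded(const std::vector<uint8_t>& sid) { return sizeof(AceHdr) + 4 + sid.size(); }

// Pack an owner SID and a DACL into one self-relative block. cbExtra bytes stay free at the end of
// the ACL and are counted in AclSize, which is what lets more ACEs be added in place later.
std::vector<uint8_t> BuildSelfRelative(const std::vector<uint8_t>& owner,
                                       const std::vector<AceSpec>& aces, size_t cbExtra = 0) {
    size_t aclSize = sizeof(AclHdr);
    for (const AceSpec& a : aces) aclSize += AceBytesNeeded(a.Sid);
    std::vector<uint8_t> buf(sizeof(SecDescRel) + owner.size() + aclSize + cbExtra, 0);
    SecDescRel hdr{1, 0, static_cast<uint16_t>(SE_SELF_RELATIVE | SE_DACL_PRESENT), 0, 0, 0, 0};
    hdr.OffsetOwner = static_cast<uint32_t>(sizeof(SecDescRel));
    hdr.OffsetDacl = static_cast<uint32_t>(hdr.OffsetOwner + owner.size());
    std::memcpy(buf.data(), &hdr, sizeof hdr);
    std::memcpy(&buf[hdr.OffsetOwner], owner.data(), owner.size());
    AclHdr acl{2, 0, static_cast<uint16_t>(aclSize + cbExtra), static_cast<uint16_t>(aces.size()), 0};
    std::memcpy(&buf[hdr.OffsetDacl], &acl, sizeof acl);
    size_t off = hdr.OffsetDacl + sizeof(AclHdr);
    for (const AceSpec& a : aces) {
        AceHdr ah{a.Type, 0, static_cast<uint16_t>(AceBytesNeeded(a.Sid))};
        std::memcpy(&buf[off], &ah, sizeof ah);             off += sizeof ah;
        std::memcpy(&buf[off], &a.Mask, 4);                 off += 4;
        std::memcpy(&buf[off], a.Sid.data(), a.Sid.size()); off += a.Sid.size();
    }
    return buf;
}

// The test FreeObjectSecDesc() applies: only a self-relative descriptor is one freeable block.
inline bool IsSelfRelative(const uint8_t* desc) {
    SecDescRel h; std::memcpy(&h, desc, sizeof h);
    return h.Revision == 1 && (h.Control & SE_SELF_RELATIVE) != 0;
}

// Turn the DACL into a NULL DACL (flag set, OffsetDacl 0): on Windows that object is unprotected.
inline void SetNullDacl(std::vector<uint8_t>& desc) { std::memset(&desc[16], 0, 4); }

// Single-SID DACL walk with Windows semantics: missing or NULL DACL grants everything, an empty DACL
// grants nothing, a matching deny ACE wins as soon as it overlaps the request, allow ACEs accumulate.
bool DaclGrants(const uint8_t* desc, const uint8_t* sid, uint32_t wanted) {
    SecDescRel h; std::memcpy(&h, desc, sizeof h);
    if (!(h.Control & SE_DACL_PRESENT) || h.OffsetDacl == 0) return true;
    const uint8_t* p = desc + h.OffsetDacl;
    AclHdr acl; std::memcpy(&acl, p, sizeof acl);
    p += sizeof acl;
    uint32_t granted = 0;
    for (uint16_t i = 0; i < acl.AceCount; ++i) {
        AceHdr ah; std::memcpy(&ah, p, sizeof ah);
        uint32_t mask; std::memcpy(&mask, p + sizeof ah, 4);
        if (ah.AceType <= ACCESS_DENIED_ACE_TYPE && SidEqual(p + sizeof ah + 4, sid)) {
            if (ah.AceType == ACCESS_DENIED_ACE_TYPE && (mask & wanted) != 0) return false;
            if (ah.AceType == ACCESS_ALLOWED_ACE_TYPE && ((granted |= mask) & wanted) == wanted) return true;
        }
        p += ah.AceSize;
    }
    return false;
}
}  // namespace sd
```

Two points worth noticing when using this against real descriptors: a real access check matches every SID in the caller's token (user plus all groups), so the single-SID walk here is the building block, not the whole algorithm; and AclSize including the unused tail is exactly why GetObjectAcl()'s cbExtra must be sized up front, since the ACL cannot be grown in place afterwards.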
bool GetAccountSystemAccess (LSA_HANDLE hPolicy, PSID AccountSid, ACCESS_MASK *Access)
Get the system access for the account represented by the SID.
Parameters:
    [in]  hPolicy     Handle of the local policy. See OpenLsaPolicy().
    [in]  AccountSid  SID of the account to query.
    [out] Access      Receives the system access flags.
If the function returns false, GetLastError() returns the reason.
bool SetAccountSystemAccess (LSA_HANDLE hPolicy, PSID AccountSid, ACCESS_MASK AccsType, bool Add)
SetAccountSystemAccess changes system access on the account represented by the supplied SID.
An example of such access is the SeLogonServiceRight, corresponding to POLICY_MODE_SERVICE.
Parameters:
    [in] hPolicy     Handle of the local policy. See OpenLsaPolicy().
    [in] AccountSid  SID of the account to modify.
    [in] AccsType    Access type to modify: POLICY_MODE_INTERACTIVE, POLICY_MODE_NETWORK, POLICY_MODE_BATCH, POLICY_MODE_SERVICE, POLICY_MODE_PROXY, or POLICY_MODE_REMOTE_INTERACTIVE.
    [in] Add         True to add the access, or false to remove it.
Note: If the account identified by the SID doesn't exist, it will be created.
If the function returns false, GetLastError() returns the reason.
bool AccountHasPrivilege (LSA_HANDLE hPolicy, PSID AccountSid, CSTR Privilege)
Return true if the account identified by the SID has the specified privilege.
Parameters:
    [in] hPolicy     Handle of the local policy. See OpenLsaPolicy().
    [in] AccountSid  SID of the account to query.
    [in] Privilege   Specifies the privilege to query.
If the function returns false, GetLastError() returns the reason.
bool SetAccountPrivilege (LSA_HANDLE hPolicy, PSID AccountSid, CSTR Privilege, bool Add)
Add or remove a privilege from the account identified by the SID.
Parameters:
    [in] hPolicy     Handle of the local policy. See OpenLsaPolicy().
    [in] AccountSid  SID of the account to modify.
    [in] Privilege   Specifies the privilege to modify.
    [in] Add         True to add the privilege, or false to remove it.
Note: If the account identified by the SID doesn't exist, it will be created.
If the function returns false, GetLastError() returns the reason.
HPRIVILEGE SetThreadPrivilegeEx (CSTR Privilege)
Enable the specified privilege for the current thread.
If the privilege is not present in the caller's account, it is added temporarily.
Parameters:
    [in] Privilege  Specifies the privilege to enable.
The function returns a handle to use when restoring the privilege state.
Restore the privilege state with RestoreThreadPrivilege() when you're done.
See also MSDN "Privilege Constants".
HPRIVILEGE SetThreadPrivilegesEx (UINT NrPriv, CSTR *Privileges)
HPRIVILEGE RestoreThreadPrivilege (HPRIVILEGE hPriv)
Restore the current thread's privilege state, set by SetThreadPrivilegeEx().
If the privilege was added temporarily to the caller's account, it is removed.
The function returns NULL on success, else hPriv.
HANDLE GetPrivilegeToken (HPRIVILEGE hPriv)