uLib  User mode C/C++ extended API library for Win32 programmers.
Supplementary uLib APIs

Module Description

Supplements for working with the LSA.

Typedefs

typedef HANDLE HPRIVILEGE
 

Functions

PSID GetAdminGroupSid ()
 
bool GetAccountSid (CSTR Machine, CSTR Account, PSID *ppSid)
 
PSID FreeAccountSid (PSID pSid)
 
PSID GetCurrentUserSid ()
 
bool GetLogonSid (HANDLE hToken, PSID *ppSid)
 
PSID FreeLogonSid (PSID pSid)
 
PACL GetObjectAcl (HANDLE hObj, SECURITY_INFORMATION Type, size_t cbExtra, PSECURITY_DESCRIPTOR *ppSecDesc OPTOUT=NULL, PDWORD cbSecDesc OPTOUT=NULL)
 
PACL FreeObjectAcl (PACL pAcl)
 
PSECURITY_DESCRIPTOR FreeObjectSecDesc (PSECURITY_DESCRIPTOR pSecDesc)
 
PISECURITY_DESCRIPTOR_RELATIVE GetObjectSecDesc (HANDLE hObj, SECURITY_INFORMATION Type, PDWORD cbDesc)
 
PISECURITY_DESCRIPTOR AllocAbsoluteSecDesc (size_t cbDesc=0)
 
PISECURITY_DESCRIPTOR MakeAbsoluteSecDesc (PSID Owner, PSID Group, PACL Sacl, PACL Dacl, SECURITY_DESCRIPTOR_CONTROL Control)
 
bool GetAccountSystemAccess (LSA_HANDLE hPolicy, PSID AccountSid, ACCESS_MASK *Access)
 
bool SetAccountSystemAccess (LSA_HANDLE hPolicy, PSID AccountSid, ACCESS_MASK AccsType, bool Add)
 
bool AccountHasPrivilege (LSA_HANDLE hPolicy, PSID AccountSid, CSTR Privilege)
 
bool SetAccountPrivilege (LSA_HANDLE hPolicy, PSID AccountSid, CSTR Privilege, bool Add)
 
HPRIVILEGE SetThreadPrivilegeEx (CSTR Privilege)
 
HPRIVILEGE SetThreadPrivilegesEx (UINT NrPriv, CSTR *Privileges)
 
HPRIVILEGE RestoreThreadPrivilege (HPRIVILEGE hPriv)
 
HANDLE GetPrivilegeToken (HPRIVILEGE hPriv)
 

Typedef Documentation

◆ HPRIVILEGE

typedef HANDLE HPRIVILEGE

Handle of an extended privilege.
See SetThreadPrivilegeEx().

Definition at line 260 of file UmLsa.h.

Function Documentation

◆ GetAdminGroupSid()

PSID GetAdminGroupSid ( )

GetAdminGroupSid returns the SID of the BUILTIN\Administrators group.
Note: Dispose with FreeSid() or mem_Free() when you're done.

Definition at line 169 of file UmLsa.cpp.

◆ GetAccountSid()

bool GetAccountSid ( CSTR  Machine,
CSTR  Account,
PSID *  ppSid 
)

GetAccountSid can get User, Group, or BuiltIn SIDs.

Parameters
[in]  Machine   System name. Use NULL to begin at the local system.
[in]  Account   Account name. This may be partial, or qualified (domain\user).
[out] ppSid     Receives a pointer to the SID, or NULL on failure.

Free the SID with FreeAccountSid() or mem_Free().

Definition at line 197 of file UmLsa.cpp.

◆ FreeAccountSid()

PSID FreeAccountSid ( PSID  pSid)

Free a SID from GetAccountSid().

Definition at line 236 of file UmLsa.cpp.

◆ GetCurrentUserSid()

PSID GetCurrentUserSid ( )

Get the SID of the user associated with the current thread.
Free the SID with FreeAccountSid() or mem_Free().

Definition at line 241 of file UmLsa.cpp.

◆ GetLogonSid()

bool GetLogonSid ( HANDLE  hToken,
PSID *  ppSid 
)

GetLogonSid gets the SID of the logon session.

Parameters
[in]  hToken   The user token to query. Must have TOKEN_QUERY access.
[out] ppSid    Receives a pointer to the SID, or NULL on failure.

Free the SID with FreeLogonSid() or mem_Free().

Definition at line 261 of file UmLsa.cpp.

◆ FreeLogonSid()

PSID FreeLogonSid ( PSID  pSid)

Free a SID from GetLogonSid().

Definition at line 293 of file UmLsa.cpp.

◆ GetObjectAcl()

PACL GetObjectAcl ( HANDLE  hObj,
SECURITY_INFORMATION  Type,
size_t  cbExtra,
PSECURITY_DESCRIPTOR *ppSecDesc  OPTOUT = NULL,
PDWORD cbSecDesc  OPTOUT = NULL 
)

GetObjectAcl copies the DACL or SACL of a user object.

For DACL the hObj must have READ_CONTROL, and for SACL it must have ACCESS_SYSTEM_SECURITY.
The correct way to get SACL access is to enable the SE_SECURITY_NAME privilege in the caller's current token,
open the handle for ACCESS_SYSTEM_SECURITY access, and then disable the privilege when done.

Parameters
[in]  hObj        Handle of the object to query.
[in]  Type        One of DACL_SECURITY_INFORMATION or SACL_SECURITY_INFORMATION.
[in]  cbExtra     Specifies an overallocation size for the copied ACL, which you can use if you need to add ACEs to the returned ACL.
[out] ppSecDesc, cbSecDesc   [optional] If provided, ppSecDesc receives a pointer to the self-relative security descriptor of hObj from which the ACL was extracted, and cbSecDesc receives its size.
Returns
On success, the copied ACL; on failure, NULL.

Free the items with FreeObjectAcl() and FreeObjectSecDesc(), or mem_Free().

◆ FreeObjectAcl()

PACL FreeObjectAcl ( PACL  pAcl)

Free an ACL from GetObjectAcl().

Definition at line 463 of file UmLsa.cpp.

◆ FreeObjectSecDesc()

PSECURITY_DESCRIPTOR FreeObjectSecDesc ( PSECURITY_DESCRIPTOR  pSecDesc)

Free a self-relative (packed) security descriptor.

Parameters
[in]  pSecDesc   Pointer to the security descriptor.
Returns
Returns NULL on success, else pSecDesc.

Note: FreeObjectSecDesc will not try to free an absolute descriptor, since it doesn't know
where the Owner, Group, Dacl, and Sacl came from, and therefore cannot know how to dispose of them.
In that case it returns pSecDesc untouched and sets ERROR_INVALID_PARAMETER.

Definition at line 381 of file UmLsa.cpp.

◆ GetObjectSecDesc()

PISECURITY_DESCRIPTOR_RELATIVE GetObjectSecDesc ( HANDLE  hObj,
SECURITY_INFORMATION  Type,
PDWORD  cbDesc 
)

Allocate and retrieve a self-relative (packed) security descriptor from hObj.

Parameters
[in]  hObj     Handle of the object to query.
[in]  Type     Specifies which information to retrieve.
[out] cbDesc   Receives the size of the returned descriptor.
Returns
Returns a pointer to the descriptor, or NULL on failure.

Dispose with FreeObjectSecDesc() or mem_Free().

Definition at line 357 of file UmLsa.cpp.
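The packed layout that GetObjectSecDesc() returns, and that FreeObjectSecDesc() checks for before freeing, as an added example that is not part of uLib: it walks a constructed self-relative descriptor with hand-written readers, so it builds without Win32 headers. The SECURITY_DESCRIPTOR_RELATIVE, SID and ACL byte layouts and the control-flag values are assumed from the Windows documentation; the sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Layout assumed from MS-DTYP: a packed SD is a 20-byte header (Revision, Sbz1,
   Control, four 32-bit offsets) followed by the parts it points to by offset. */
#define SE_DACL_PRESENT  0x0004
#define SE_SELF_RELATIVE 0x8000
#define SD_HDR_SIZE      20
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* The test FreeObjectSecDesc() relies on: only a packed descriptor is one
   allocation; an absolute one holds pointers the descriptor does not own. */
int sd_is_self_relative(const uint8_t *sd, size_t cb) {
    return cb >= SD_HDR_SIZE && sd[0] == 1 && (rd16(sd + 2) & SE_SELF_RELATIVE) != 0;
}
/* Render the SID at byte offset off as "S-1-A-s1-...". Returns 1 on success. */
int sd_sid_at(const uint8_t *sd, size_t cb, uint32_t off, char *out, size_t cbOut) {
    if (off == 0 || off + 8 > cb) return 0;            /* absent or out of bounds */
    const uint8_t *sid = sd + off;
    unsigned n = sid[1];                               /* SubAuthorityCount */
    if (off + 8 + 4u * n > cb) return 0;               /* sub-authorities truncated */
    unsigned long long auth = 0;                       /* 6-byte big-endian authority */
    for (int i = 0; i < 6; i++) auth = (auth << 8) | sid[2 + i];
    int len = snprintf(out, cbOut, "S-%u-%llu", (unsigned)sid[0], auth);
    for (unsigned i = 0; i < n && len > 0 && (size_t)len < cbOut; i++)
        len += snprintf(out + len, cbOut - len, "-%u", (unsigned)rd32(sid + 8 + 4 * i));
    return len > 0 && (size_t)len < cbOut;
}
/* Owner SID: its offset is stored at byte 4 of the header. */
int sd_owner(const uint8_t *sd, size_t cb, char *out, size_t cbOut) {
    return sd_is_self_relative(sd, cb) && sd_sid_at(sd, cb, rd32(sd + 4), out, cbOut);
}
/* ACE count of the DACL (offset at byte 16), or -1 if absent or malformed. */
int sd_dacl_ace_count(const uint8_t *sd, size_t cb) {
    if (!sd_is_self_relative(sd, cb) || !(rd16(sd + 2) & SE_DACL_PRESENT)) return -1;
    uint32_t off = rd32(sd + 16);
    if (off == 0 || off + 8 > cb) return -1;           /* 8-byte ACL header must fit */
    return rd16(sd + off + 4);                         /* AceCount field */
}
/* Constructed sample: owner BUILTIN\Administrators (S-1-5-32-544), empty DACL present. */
const uint8_t kSampleSd[44] = {
    1, 0, 0x04, 0x80,  20, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  36, 0, 0, 0, /* header */
    1, 2, 0, 0, 0, 0, 0, 5,  32, 0, 0, 0,  0x20, 0x02, 0, 0,                /* SID    */
    2, 0, 8, 0, 0, 0, 0, 0                                                  /* ACL    */
};
```

A header whose Control lacks SE_SELF_RELATIVE is the absolute form that AllocAbsoluteSecDesc() and MakeAbsoluteSecDesc() build, and the same check that makes FreeObjectSecDesc() refuse it.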

◆ AllocAbsoluteSecDesc()

PISECURITY_DESCRIPTOR AllocAbsoluteSecDesc ( size_t  cbDesc = 0)

Allocate an absolute (partitioned) security descriptor.
Except for its revision level, the descriptor is empty; you add the DACL etc. yourself.

Dispose with mem_Free() when you're done.
See also MakeAbsoluteSecDesc().

Definition at line 326 of file UmLsa.cpp.

◆ MakeAbsoluteSecDesc()

PISECURITY_DESCRIPTOR MakeAbsoluteSecDesc ( PSID  Owner,
PSID  Group,
PACL  Sacl,
PACL  Dacl,
SECURITY_DESCRIPTOR_CONTROL  Control 
)

Allocate and initialize an absolute (partitioned) security descriptor.

Parameters
[in]  Owner     [optional] Owner SID for the descriptor.
[in]  Group     [optional] Group SID for the descriptor.
[in]  Sacl      [optional] System access control list.
[in]  Dacl      [optional] Discretionary access control list.
[in]  Control   [optional] Descriptor control flags.

Dispose with mem_Free() when you're done.
Note: Don't forget to dispose of your Owner, Group, Sacl, and Dacl first. See also AllocAbsoluteSecDesc().

Definition at line 338 of file UmLsa.cpp.

◆ GetAccountSystemAccess()

bool GetAccountSystemAccess ( LSA_HANDLE  hPolicy,
PSID  AccountSid,
ACCESS_MASK *  Access 
)

Get the system access for the account represented by the SID.

Parameters
[in]  hPolicy      Handle of the local policy. See OpenLsaPolicy().
[in]  AccountSid   SID of the account to query.
[out] Access       Receives the system access flags.

If the function returns false, GetLastError() returns the reason.

Definition at line 507 of file UmLsa.cpp.

◆ SetAccountSystemAccess()

bool SetAccountSystemAccess ( LSA_HANDLE  hPolicy,
PSID  AccountSid,
ACCESS_MASK  AccsType,
bool  Add 
)

SetAccountSystemAccess changes system access on the account represented by the supplied SID.
An example of such access is the SeLogonServiceRight, corresponding to POLICY_MODE_SERVICE.

Parameters
[in]  hPolicy      Handle of the local policy. See OpenLsaPolicy().
[in]  AccountSid   SID of the account to modify.
[in]  AccsType     Access type to modify:
                   POLICY_MODE_INTERACTIVE, POLICY_MODE_NETWORK, POLICY_MODE_BATCH, POLICY_MODE_SERVICE, POLICY_MODE_PROXY, or POLICY_MODE_REMOTE_INTERACTIVE.
[in]  Add          True to add the access, or false to remove it.

Note: If the account identified by the SID doesn't exist, it will be created.

If the function returns false, GetLastError() returns the reason.

Definition at line 470 of file UmLsa.cpp.

◆ AccountHasPrivilege()

bool AccountHasPrivilege ( LSA_HANDLE  hPolicy,
PSID  AccountSid,
CSTR  Privilege 
)

Return true if the account identified by the SID has the specified privilege.

Parameters
[in]  hPolicy      Handle of the local policy. See OpenLsaPolicy().
[in]  AccountSid   SID of the account to query.
[in]  Privilege    Specifies the privilege to query.

If the function returns false, GetLastError() returns the reason.

Definition at line 594 of file UmLsa.cpp.

◆ SetAccountPrivilege()

bool SetAccountPrivilege ( LSA_HANDLE  hPolicy,
PSID  AccountSid,
CSTR  Privilege,
bool  Add 
)

Add or remove a privilege from the account identified by the SID.

Parameters
[in]  hPolicy      Handle of the local policy. See OpenLsaPolicy().
[in]  AccountSid   SID of the account to modify.
[in]  Privilege    Specifies the privilege to modify.
[in]  Add          True to add the privilege, or false to remove it.

Note: If the account identified by the SID doesn't exist, it will be created.
If the function returns false, GetLastError() returns the reason.

Definition at line 528 of file UmLsa.cpp.

◆ SetThreadPrivilegeEx()

HPRIVILEGE SetThreadPrivilegeEx ( CSTR  Privilege)

Enable the specified privilege for the current thread.
If the privilege is not present in the caller's account, it is added temporarily.

Parameters
[in]  Privilege   Specifies the privilege to enable.

The function returns a handle to use when restoring the privilege state.
Restore the privilege state with RestoreThreadPrivilege() when you're done.

NT Defined Privileges
  • SE_CREATE_TOKEN_NAME : Create a token object.
  • SE_ASSIGNPRIMARYTOKEN_NAME : Replace a process level token.
  • SE_LOCK_MEMORY_NAME : Lock pages in memory.
  • SE_INCREASE_QUOTA_NAME : Adjust memory quotas for a process.
  • SE_UNSOLICITED_INPUT_NAME : A specified privilege does not exist.
  • SE_MACHINE_ACCOUNT_NAME : Add workstations to domain.
  • SE_TCB_NAME : Act as part of the operating system.
  • SE_SECURITY_NAME : Manage auditing and security log.
  • SE_TAKE_OWNERSHIP_NAME : Take ownership of files or other objects.
  • SE_LOAD_DRIVER_NAME : Load and unload device drivers.
  • SE_SYSTEM_PROFILE_NAME : Profile system performance.
  • SE_SYSTEMTIME_NAME : Change the system time.
  • SE_PROF_SINGLE_PROCESS_NAME : Profile single process.
  • SE_INC_BASE_PRIORITY_NAME : Increase scheduling priority.
  • SE_CREATE_PAGEFILE_NAME : Create a pagefile.
  • SE_CREATE_PERMANENT_NAME : Create permanent shared objects.
  • SE_BACKUP_NAME : Back up files and directories.
  • SE_RESTORE_NAME : Restore files and directories.
  • SE_SHUTDOWN_NAME : Shut down the system.
  • SE_DEBUG_NAME : Debug programs.
  • SE_AUDIT_NAME : Generate security audits.
  • SE_SYSTEM_ENVIRONMENT_NAME : Modify firmware environment values.
  • SE_CHANGE_NOTIFY_NAME : Bypass traverse checking.
  • SE_REMOTE_SHUTDOWN_NAME : Force shutdown from a remote system.
  • SE_UNDOCK_NAME : Remove computer from docking station.
  • SE_SYNC_AGENT_NAME : Synchronize directory service data.
  • SE_ENABLE_DELEGATION_NAME : Enable computer and user accounts to be trusted for delegation.
  • SE_MANAGE_VOLUME_NAME : Perform volume maintenance tasks.
  • SE_IMPERSONATE_NAME : Impersonate a client after authentication.
  • SE_CREATE_GLOBAL_NAME : Create global objects.
  • SE_TRUSTED_CREDMAN_ACCESS_NAME : Access Credential Manager as a trusted caller.
  • SE_RELABEL_NAME : Modify an object label.
  • SE_INC_WORKING_SET_NAME : Increase a process working set.
  • SE_TIME_ZONE_NAME : Change the time zone.
  • SE_CREATE_SYMBOLIC_LINK_NAME : Create symbolic links.

See also MSDN "Privilege Constants".

Definition at line 803 of file UmLsa.cpp.

◆ SetThreadPrivilegesEx()

HPRIVILEGE SetThreadPrivilegesEx ( UINT  NrPriv,
CSTR *  Privileges 
)

Enable the NrPriv privileges named in Privileges for the current thread, in one call; see SetThreadPrivilegeEx() for the single-privilege form and RestoreThreadPrivilege() for restoring the state.

◆ RestoreThreadPrivilege()

HPRIVILEGE RestoreThreadPrivilege ( HPRIVILEGE  hPriv)

Restore the current thread's privilege state, set by SetThreadPrivilegeEx().
If the privilege was added temporarily to the caller's account, it is removed.
The function returns NULL on success, else hPriv.

Definition at line 849 of file UmLsa.cpp.

◆ GetPrivilegeToken()

HANDLE GetPrivilegeToken ( HPRIVILEGE  hPriv)

Get the token HANDLE from an HPRIVILEGE.

Definition at line 797 of file UmLsa.cpp.