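/******************************************************************************
 *                            Security Manager Types                          *
 ******************************************************************************/
$if (_WDMDDK_ || _WINNT_)

/* Simple types.
 * The $-prefixed tokens ($ULONG, $UCHAR, $USHORT, $if/$endif) are template
 * markers expanded by the header generator; they are not C. */
typedef PVOID PSECURITY_DESCRIPTOR;
typedef $ULONG SECURITY_INFORMATION, *PSECURITY_INFORMATION;
typedef $ULONG ACCESS_MASK, *PACCESS_MASK;

typedef PVOID PACCESS_TOKEN;
typedef PVOID PSID;

/* ACCESS_MASK bit layout, as the constants below define it:
 *   0x0000FFFF  object-specific rights          (SPECIFIC_RIGHTS_ALL)
 *   0x001F0000  standard rights                 (STANDARD_RIGHTS_ALL)
 *   0x01000000  ACCESS_SYSTEM_SECURITY (SACL access)
 *   0x02000000  MAXIMUM_ALLOWED
 *   0xF0000000  generic rights, mapped through GENERIC_MAPPING */
#define DELETE 0x00010000L
#define READ_CONTROL 0x00020000L
#define WRITE_DAC 0x00040000L
#define WRITE_OWNER 0x00080000L
#define SYNCHRONIZE 0x00100000L
#define STANDARD_RIGHTS_REQUIRED 0x000F0000L
/* Note: READ, WRITE and EXECUTE standard rights all expand to READ_CONTROL
 * only; WRITE_DAC / WRITE_OWNER are deliberately not part of
 * STANDARD_RIGHTS_WRITE. */
#define STANDARD_RIGHTS_READ READ_CONTROL
#define STANDARD_RIGHTS_WRITE READ_CONTROL
#define STANDARD_RIGHTS_EXECUTE READ_CONTROL
#define STANDARD_RIGHTS_ALL 0x001F0000L
#define SPECIFIC_RIGHTS_ALL 0x0000FFFFL
#define ACCESS_SYSTEM_SECURITY 0x01000000L
#define MAXIMUM_ALLOWED 0x02000000L
#define GENERIC_READ 0x80000000L
#define GENERIC_WRITE 0x40000000L
#define GENERIC_EXECUTE 0x20000000L
#define GENERIC_ALL 0x10000000L

/* Per-object-type table that translates the four GENERIC_* bits of an
 * ACCESS_MASK into concrete standard/specific rights. */
typedef struct _GENERIC_MAPPING {
  ACCESS_MASK GenericRead;
  ACCESS_MASK GenericWrite;
  ACCESS_MASK GenericExecute;
  ACCESS_MASK GenericAll;
} GENERIC_MAPPING, *PGENERIC_MAPPING;

#define ACL_REVISION 2
#define ACL_REVISION_DS 4

#define ACL_REVISION1 1
#define ACL_REVISION2 2
#define ACL_REVISION3 3
#define ACL_REVISION4 4
#define MIN_ACL_REVISION ACL_REVISION2
#define MAX_ACL_REVISION ACL_REVISION4

/* ACL header; the ACEs follow it inline. AclSize is a USHORT, so an ACL
 * (header + all ACEs) is bounded at 64 KiB. Sbz1/Sbz2 are reserved
 * ("should be zero") padding. */
typedef struct _ACL {
  $UCHAR AclRevision;
  $UCHAR Sbz1;
  $USHORT AclSize;
  $USHORT AceCount;
  $USHORT Sbz2;
} ACL, *PACL;

/* Current security descriptor revision value */
#define SECURITY_DESCRIPTOR_REVISION (1)
#define SECURITY_DESCRIPTOR_REVISION1 (1)

/* Privilege attributes */
#define SE_PRIVILEGE_ENABLED_BY_DEFAULT (0x00000001L)
#define SE_PRIVILEGE_ENABLED (0x00000002L)
#define SE_PRIVILEGE_REMOVED (0x00000004L)
#define SE_PRIVILEGE_USED_FOR_ACCESS (0x80000000L)

/* Mask of every attribute bit defined above; anything outside it is invalid. */
#define SE_PRIVILEGE_VALID_ATTRIBUTES (SE_PRIVILEGE_ENABLED_BY_DEFAULT | \
                                       SE_PRIVILEGE_ENABLED | \
                                       SE_PRIVILEGE_REMOVED | \
                                       SE_PRIVILEGE_USED_FOR_ACCESS)

/* 4-byte packing: this layout is shared with user mode and must not change. */
#include <pshpack4.h>
typedef struct _LUID_AND_ATTRIBUTES {
  LUID Luid;
  $ULONG Attributes;
} LUID_AND_ATTRIBUTES, *PLUID_AND_ATTRIBUTES;
#include <poppack.h>

/* ANYSIZE_ARRAY (defined elsewhere) marks a trailing variable-length array. */
typedef LUID_AND_ATTRIBUTES LUID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY];
typedef LUID_AND_ATTRIBUTES_ARRAY *PLUID_AND_ATTRIBUTES_ARRAY;

/* Privilege sets */
#define PRIVILEGE_SET_ALL_NECESSARY (1)

/* Variable-length: PrivilegeCount entries follow in Privilege[]. The
 * allocation size, not the declared array length, is the real bound. */
typedef struct _PRIVILEGE_SET {
  $ULONG PrivilegeCount;
  $ULONG Control;
  LUID_AND_ATTRIBUTES Privilege[ANYSIZE_ARRAY];
} PRIVILEGE_SET, *PPRIVILEGE_SET;

/* Ordered from least to most powerful; VALID_IMPERSONATION_LEVEL relies on
 * this ordering. */
typedef enum _SECURITY_IMPERSONATION_LEVEL {
  SecurityAnonymous,
  SecurityIdentification,
  SecurityImpersonation,
  SecurityDelegation
} SECURITY_IMPERSONATION_LEVEL, * PSECURITY_IMPERSONATION_LEVEL;

#define SECURITY_MAX_IMPERSONATION_LEVEL SecurityDelegation
#define SECURITY_MIN_IMPERSONATION_LEVEL SecurityAnonymous
#define DEFAULT_IMPERSONATION_LEVEL SecurityImpersonation
/* Range check for a caller-supplied level; Level is evaluated twice. */
#define VALID_IMPERSONATION_LEVEL(Level) (((Level) >= SECURITY_MIN_IMPERSONATION_LEVEL) && ((Level) <= SECURITY_MAX_IMPERSONATION_LEVEL))

#define SECURITY_DYNAMIC_TRACKING (TRUE)
#define SECURITY_STATIC_TRACKING (FALSE)

typedef BOOLEAN SECURITY_CONTEXT_TRACKING_MODE, *PSECURITY_CONTEXT_TRACKING_MODE;

/* Caller-supplied QoS; Length is the struct size and should be validated
 * before the remaining fields are trusted. */
typedef struct _SECURITY_QUALITY_OF_SERVICE {
  $ULONG Length;
  SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
  SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode;
  BOOLEAN EffectiveOnly;
} SECURITY_QUALITY_OF_SERVICE, *PSECURITY_QUALITY_OF_SERVICE;

/* Saved impersonation state of a thread (token plus the settings that
 * applied to it) so that it can be restored later. */
typedef struct _SE_IMPERSONATION_STATE {
  PACCESS_TOKEN Token;
  BOOLEAN CopyOnOpen;
  BOOLEAN EffectiveOnly;
  SECURITY_IMPERSONATION_LEVEL Level;
} SE_IMPERSONATION_STATE, *PSE_IMPERSONATION_STATE;


/* SECURITY_INFORMATION bits: which parts of a descriptor a query/set
 * operation refers to. */
#define OWNER_SECURITY_INFORMATION (0x00000001L)
#define GROUP_SECURITY_INFORMATION (0x00000002L)
#define DACL_SECURITY_INFORMATION (0x00000004L)
#define SACL_SECURITY_INFORMATION (0x00000008L)
#define LABEL_SECURITY_INFORMATION (0x00000010L)

/* High bits: request that inheritance be blocked (PROTECTED) or re-enabled
 * (UNPROTECTED) for the DACL / SACL. */
#define PROTECTED_DACL_SECURITY_INFORMATION (0x80000000L)
#define PROTECTED_SACL_SECURITY_INFORMATION (0x40000000L)
#define UNPROTECTED_DACL_SECURITY_INFORMATION (0x20000000L)
#define UNPROTECTED_SACL_SECURITY_INFORMATION (0x10000000L)

/* Auto inherit ACE flags */
#define SEF_DACL_AUTO_INHERIT 0x01
#define SEF_SACL_AUTO_INHERIT 0x02
#define SEF_DEFAULT_DESCRIPTOR_FOR_OBJECT 0x04
/* The two SEF_AVOID_* flags skip a privilege / owner check during descriptor
 * assignment; callers passing them are taking responsibility for that check. */
#define SEF_AVOID_PRIVILEGE_CHECK 0x08
#define SEF_AVOID_OWNER_CHECK 0x10
#define SEF_DEFAULT_OWNER_FROM_PARENT 0x20
#define SEF_DEFAULT_GROUP_FROM_PARENT 0x40
#define SEF_MACL_NO_WRITE_UP 0x100
#define SEF_MACL_NO_READ_UP 0x200
#define SEF_MACL_NO_EXECUTE_UP 0x400
#define SEF_AI_USE_EXTRA_PARAMS 0x800
#define SEF_AVOID_OWNER_RESTRICTION 0x1000
#define SEF_MACL_VALID_FLAGS (SEF_MACL_NO_WRITE_UP | SEF_MACL_NO_READ_UP | SEF_MACL_NO_EXECUTE_UP)

$endif (_WDMDDK_ || _WINNT_)

$if (_WINNT_)

/* Privilege token filtering flags */
#define DISABLE_MAX_PRIVILEGE 0x1
#define SANDBOX_INERT 0x2
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
#define LUA_TOKEN 0x4
#define WRITE_RESTRICTED 0x8
#endif

$endif (_WINNT_)

$if (_WDMDDK_)

typedef enum _SECURITY_OPERATION_CODE {
  SetSecurityDescriptor,
  QuerySecurityDescriptor,
  DeleteSecurityDescriptor,
  AssignSecurityDescriptor
} SECURITY_OPERATION_CODE, *PSECURITY_OPERATION_CODE;

#define INITIAL_PRIVILEGE_COUNT 3

/* Fixed-size counterpart of PRIVILEGE_SET (same leading fields) so that
 * ACCESS_STATE can hold a small set inline without allocating; see the
 * Privileges union in ACCESS_STATE. */
typedef struct _INITIAL_PRIVILEGE_SET {
  ULONG PrivilegeCount;
  ULONG Control;
  LUID_AND_ATTRIBUTES Privilege[INITIAL_PRIVILEGE_COUNT];
} INITIAL_PRIVILEGE_SET, * PINITIAL_PRIVILEGE_SET;

/* Well-known privilege LUID values (low part). Range is
 * [SE_MIN_WELL_KNOWN_PRIVILEGE, SE_MAX_WELL_KNOWN_PRIVILEGE]. */
#define SE_MIN_WELL_KNOWN_PRIVILEGE 2
#define SE_CREATE_TOKEN_PRIVILEGE 2
#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE 3
#define SE_LOCK_MEMORY_PRIVILEGE 4
#define SE_INCREASE_QUOTA_PRIVILEGE 5
#define SE_MACHINE_ACCOUNT_PRIVILEGE 6
#define SE_TCB_PRIVILEGE 7
#define SE_SECURITY_PRIVILEGE 8
#define SE_TAKE_OWNERSHIP_PRIVILEGE 9
#define SE_LOAD_DRIVER_PRIVILEGE 10
#define SE_SYSTEM_PROFILE_PRIVILEGE 11
#define SE_SYSTEMTIME_PRIVILEGE 12
#define SE_PROF_SINGLE_PROCESS_PRIVILEGE 13
#define SE_INC_BASE_PRIORITY_PRIVILEGE 14
#define SE_CREATE_PAGEFILE_PRIVILEGE 15
#define SE_CREATE_PERMANENT_PRIVILEGE 16
#define SE_BACKUP_PRIVILEGE 17
#define SE_RESTORE_PRIVILEGE 18
#define SE_SHUTDOWN_PRIVILEGE 19
#define SE_DEBUG_PRIVILEGE 20
#define SE_AUDIT_PRIVILEGE 21
#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE 22
#define SE_CHANGE_NOTIFY_PRIVILEGE 23
#define SE_REMOTE_SHUTDOWN_PRIVILEGE 24
#define SE_UNDOCK_PRIVILEGE 25
#define SE_SYNC_AGENT_PRIVILEGE 26
#define SE_ENABLE_DELEGATION_PRIVILEGE 27
#define SE_MANAGE_VOLUME_PRIVILEGE 28
#define SE_IMPERSONATE_PRIVILEGE 29
#define SE_CREATE_GLOBAL_PRIVILEGE 30
#define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE 31
#define SE_RELABEL_PRIVILEGE 32
#define SE_INC_WORKING_SET_PRIVILEGE 33
#define SE_TIME_ZONE_PRIVILEGE 34
#define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE 35
#define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_SYMBOLIC_LINK_PRIVILEGE

/* Captured identity of the subject being access-checked: the impersonation
 * (client) token, if any, plus the process primary token. */
typedef struct _SECURITY_SUBJECT_CONTEXT {
  PACCESS_TOKEN ClientToken;
  SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
  PACCESS_TOKEN PrimaryToken;
  PVOID ProcessAuditId;
} SECURITY_SUBJECT_CONTEXT, *PSECURITY_SUBJECT_CONTEXT;

/* Per-open access-check state carried through object creation/open. */
typedef struct _ACCESS_STATE {
  LUID OperationID;
  BOOLEAN SecurityEvaluated;
  BOOLEAN GenerateAudit;
  BOOLEAN GenerateOnClose;
  /* TRUE when Privileges.PrivilegeSet was allocated rather than the inline
   * InitialPrivilegeSet being used (inferred from the union below). */
  BOOLEAN PrivilegesAllocated;
  ULONG Flags;
  /* Desired access still to be granted / already granted / as originally
   * requested. */
  ACCESS_MASK RemainingDesiredAccess;
  ACCESS_MASK PreviouslyGrantedAccess;
  ACCESS_MASK OriginalDesiredAccess;
  SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
  PSECURITY_DESCRIPTOR SecurityDescriptor;
  PVOID AuxData;
  union {
    INITIAL_PRIVILEGE_SET InitialPrivilegeSet;
    PRIVILEGE_SET PrivilegeSet;
  } Privileges;
  BOOLEAN AuditPrivileges;
  UNICODE_STRING ObjectName;
  UNICODE_STRING ObjectTypeName;
} ACCESS_STATE, *PACCESS_STATE;

typedef VOID
(NTAPI *PNTFS_DEREF_EXPORTED_SECURITY_DESCRIPTOR)(
  _In_ PVOID Vcb,
  _In_ PSECURITY_DESCRIPTOR SecurityDescriptor);

#ifndef _NTLSA_IFS_

#ifndef _NTLSA_AUDIT_
#define _NTLSA_AUDIT_

#define SE_MAX_AUDIT_PARAMETERS 32
#define SE_MAX_GENERIC_AUDIT_PARAMETERS 28

#define SE_ADT_OBJECT_ONLY 0x1

#define SE_ADT_PARAMETERS_SELF_RELATIVE 0x00000001
#define SE_ADT_PARAMETERS_SEND_TO_LSA 0x00000002
#define SE_ADT_PARAMETER_EXTENSIBLE_AUDIT 0x00000004
#define SE_ADT_PARAMETER_GENERIC_AUDIT 0x00000008
#define SE_ADT_PARAMETER_WRITE_SYNCHRONOUS 0x00000010

/* Size of an SE_ADT_PARAMETER_ARRAY with only its ParameterCount used
 * entries, i.e. the full struct minus the unused tail of Parameters[].
 * Parameters is parenthesized so that a non-trivial pointer expression
 * (e.g. a cast or `p + i`) binds correctly before the `->`. ParameterCount
 * must not exceed SE_MAX_AUDIT_PARAMETERS or the result wraps. */
#define LSAP_SE_ADT_PARAMETER_ARRAY_TRUE_SIZE(Parameters) \
  ( sizeof(SE_ADT_PARAMETER_ARRAY) - sizeof(SE_ADT_PARAMETER_ARRAY_ENTRY) * \
  (SE_MAX_AUDIT_PARAMETERS - (Parameters)->ParameterCount) )

/* Type tag for each audit parameter entry (see SE_ADT_PARAMETER_ARRAY_ENTRY). */
typedef enum _SE_ADT_PARAMETER_TYPE {
  SeAdtParmTypeNone = 0,
  SeAdtParmTypeString,
  SeAdtParmTypeFileSpec,
  SeAdtParmTypeUlong,
  SeAdtParmTypeSid,
  SeAdtParmTypeLogonId,
  SeAdtParmTypeNoLogonId,
  SeAdtParmTypeAccessMask,
  SeAdtParmTypePrivs,
  SeAdtParmTypeObjectTypes,
  SeAdtParmTypeHexUlong,
  SeAdtParmTypePtr,
  SeAdtParmTypeTime,
  SeAdtParmTypeGuid,
  SeAdtParmTypeLuid,
  SeAdtParmTypeHexInt64,
  SeAdtParmTypeStringList,
  SeAdtParmTypeSidList,
  SeAdtParmTypeDuration,
  SeAdtParmTypeUserAccountControl,
  SeAdtParmTypeNoUac,
  SeAdtParmTypeMessage,
  SeAdtParmTypeDateTime,
  SeAdtParmTypeSockAddr,
  SeAdtParmTypeSD,
  SeAdtParmTypeLogonHours,
  SeAdtParmTypeLogonIdNoSid,
  SeAdtParmTypeUlongNoConv,
  SeAdtParmTypeSockAddrNoPort,
  SeAdtParmTypeAccessReason
} SE_ADT_PARAMETER_TYPE, *PSE_ADT_PARAMETER_TYPE;

typedef struct _SE_ADT_OBJECT_TYPE {
  GUID ObjectType;
  USHORT Flags;
  USHORT Level;
  ACCESS_MASK AccessMask;
} SE_ADT_OBJECT_TYPE, *PSE_ADT_OBJECT_TYPE;

/* One audit parameter: Type says how to interpret Data/Address, Length is
 * the byte length of the referenced data. */
typedef struct _SE_ADT_PARAMETER_ARRAY_ENTRY {
  SE_ADT_PARAMETER_TYPE Type;
  ULONG Length;
  ULONG_PTR Data[2];
  PVOID Address;
} SE_ADT_PARAMETER_ARRAY_ENTRY, *PSE_ADT_PARAMETER_ARRAY_ENTRY;

typedef struct _SE_ADT_ACCESS_REASON {
  ACCESS_MASK AccessMask;
  ULONG AccessReasons[32];
  ULONG ObjectTypeIndex;
  ULONG AccessGranted;
  PSECURITY_DESCRIPTOR SecurityDescriptor;
} SE_ADT_ACCESS_REASON, *PSE_ADT_ACCESS_REASON;

/* Audit record sent to the LSA. Parameters[] is sized for the maximum;
 * ParameterCount says how many entries are in use. */
typedef struct _SE_ADT_PARAMETER_ARRAY {
  ULONG CategoryId;
  ULONG AuditId;
  ULONG ParameterCount;
  ULONG Length;
  USHORT FlatSubCategoryId;
  USHORT Type;
  ULONG Flags;
  SE_ADT_PARAMETER_ARRAY_ENTRY Parameters[ SE_MAX_AUDIT_PARAMETERS ];
} SE_ADT_PARAMETER_ARRAY, *PSE_ADT_PARAMETER_ARRAY;

#endif /* !_NTLSA_AUDIT_ */
#endif /* !_NTLSA_IFS_ */
$endif (_WDMDDK_)
$if (_NTDDK_)
/* Shares the value 6 with SE_MACHINE_ACCOUNT_PRIVILEGE in the WDMDDK table. */
#define SE_UNSOLICITED_INPUT_PRIVILEGE 6

$endif (_NTDDK_)
$if (_NTDDK_ || _WINNT_)

/* Explicit values are part of the ABI; append only, never renumber. */
typedef enum _WELL_KNOWN_SID_TYPE {
  WinNullSid = 0,
  WinWorldSid = 1,
  WinLocalSid = 2,
  WinCreatorOwnerSid = 3,
  WinCreatorGroupSid = 4,
  WinCreatorOwnerServerSid = 5,
  WinCreatorGroupServerSid = 6,
  WinNtAuthoritySid = 7,
  WinDialupSid = 8,
  WinNetworkSid = 9,
  WinBatchSid = 10,
  WinInteractiveSid = 11,
  WinServiceSid = 12,
  WinAnonymousSid = 13,
  WinProxySid = 14,
  WinEnterpriseControllersSid = 15,
  WinSelfSid = 16,
  WinAuthenticatedUserSid = 17,
  WinRestrictedCodeSid = 18,
  WinTerminalServerSid = 19,
  WinRemoteLogonIdSid = 20,
  WinLogonIdsSid = 21,
  WinLocalSystemSid = 22,
  WinLocalServiceSid = 23,
  WinNetworkServiceSid = 24,
  WinBuiltinDomainSid = 25,
  WinBuiltinAdministratorsSid = 26,
  WinBuiltinUsersSid = 27,
  WinBuiltinGuestsSid = 28,
  WinBuiltinPowerUsersSid = 29,
  WinBuiltinAccountOperatorsSid = 30,
  WinBuiltinSystemOperatorsSid = 31,
  WinBuiltinPrintOperatorsSid = 32,
  WinBuiltinBackupOperatorsSid = 33,
  WinBuiltinReplicatorSid = 34,
  WinBuiltinPreWindows2000CompatibleAccessSid = 35,
  WinBuiltinRemoteDesktopUsersSid = 36,
  WinBuiltinNetworkConfigurationOperatorsSid = 37,
  WinAccountAdministratorSid = 38,
  WinAccountGuestSid = 39,
  WinAccountKrbtgtSid = 40,
  WinAccountDomainAdminsSid = 41,
  WinAccountDomainUsersSid = 42,
  WinAccountDomainGuestsSid = 43,
  WinAccountComputersSid = 44,
  WinAccountControllersSid = 45,
  WinAccountCertAdminsSid = 46,
  WinAccountSchemaAdminsSid = 47,
  WinAccountEnterpriseAdminsSid = 48,
  WinAccountPolicyAdminsSid = 49,
  WinAccountRasAndIasServersSid = 50,
  WinNTLMAuthenticationSid = 51,
  WinDigestAuthenticationSid = 52,
  WinSChannelAuthenticationSid = 53,
  WinThisOrganizationSid = 54,
  WinOtherOrganizationSid = 55,
  WinBuiltinIncomingForestTrustBuildersSid = 56,
  WinBuiltinPerfMonitoringUsersSid = 57,
  WinBuiltinPerfLoggingUsersSid = 58,
  WinBuiltinAuthorizationAccessSid = 59,
  WinBuiltinTerminalServerLicenseServersSid = 60,
  WinBuiltinDCOMUsersSid = 61,
  WinBuiltinIUsersSid = 62,
  WinIUserSid = 63,
  WinBuiltinCryptoOperatorsSid = 64,
  WinUntrustedLabelSid = 65,
  WinLowLabelSid = 66,
  WinMediumLabelSid = 67,
  WinHighLabelSid = 68,
  WinSystemLabelSid = 69,
  WinWriteRestrictedCodeSid = 70,
  WinCreatorOwnerRightsSid = 71,
  WinCacheablePrincipalsGroupSid = 72,
  WinNonCacheablePrincipalsGroupSid = 73,
  WinEnterpriseReadonlyControllersSid = 74,
  WinAccountReadonlyControllersSid = 75,
  WinBuiltinEventLogReadersGroup = 76,
  WinNewEnterpriseReadonlyControllersSid = 77,
  WinBuiltinCertSvcDComAccessGroup = 78,
  WinMediumPlusLabelSid = 79,
  WinLocalLogonSid = 80,
  WinConsoleLogonSid = 81,
  WinThisOrganizationCertificateSid = 82,
  WinApplicationPackageAuthoritySid = 83,
  WinBuiltinAnyPackageSid = 84,
  WinCapabilityInternetClientSid = 85,
  WinCapabilityInternetClientServerSid = 86,
  WinCapabilityPrivateNetworkClientServerSid = 87,
  WinCapabilityPicturesLibrarySid = 88,
  WinCapabilityVideosLibrarySid = 89,
  WinCapabilityMusicLibrarySid = 90,
  WinCapabilityDocumentsLibrarySid = 91,
  WinCapabilitySharedUserCertificatesSid = 92,
  WinCapabilityEnterpriseAuthenticationSid = 93,
  WinCapabilityRemovableStorageSid = 94,
  WinBuiltinRDSRemoteAccessServersSid = 95,
  WinBuiltinRDSEndpointServersSid = 96,
  WinBuiltinRDSManagementServersSid = 97,
  WinUserModeDriversSid = 98,
  WinBuiltinHyperVAdminsSid = 99,
  WinAccountCloneableControllersSid = 100,
  WinBuiltinAccessControlAssistanceOperatorsSid = 101,
  WinBuiltinRemoteManagementUsersSid = 102,
  WinAuthenticationAuthorityAssertedSid = 103,
  WinAuthenticationServiceAssertedSid = 104,
  WinLocalAccountSid = 105,
  WinLocalAccountAndAdministratorSid = 106,
  WinAccountProtectedUsersSid = 107,
} WELL_KNOWN_SID_TYPE;

$endif (_NTDDK_ || _WINNT_)
$if (_NTIFS_ || _WINNT_)

/* 48-bit identifier authority, big-endian in Value[]: the "1" in S-1-x-... */
#ifndef SID_IDENTIFIER_AUTHORITY_DEFINED
#define SID_IDENTIFIER_AUTHORITY_DEFINED
typedef struct _SID_IDENTIFIER_AUTHORITY {
  $UCHAR Value[6];
} SID_IDENTIFIER_AUTHORITY,*PSID_IDENTIFIER_AUTHORITY,*LPSID_IDENTIFIER_AUTHORITY;
#endif

/* Binary SID. SubAuthorityCount sub-authorities follow; since it is a single
 * byte but SID_MAX_SUB_AUTHORITIES is 15, code parsing untrusted SIDs must
 * check the count against SID_MAX_SUB_AUTHORITIES and the buffer size. */
#ifndef SID_DEFINED
#define SID_DEFINED
typedef struct _SID {
  $UCHAR Revision;
  $UCHAR SubAuthorityCount;
  SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
#ifdef MIDL_PASS
  [size_is(SubAuthorityCount)] $ULONG SubAuthority[*];
#else
  $ULONG SubAuthority[ANYSIZE_ARRAY];
#endif
} SID, *PISID;
#endif

#define SID_REVISION 1
#define SID_MAX_SUB_AUTHORITIES 15
#define SID_RECOMMENDED_SUB_AUTHORITIES 1

/* sizeof(SID) already includes one sub-authority; subtract it and add the
 * maximum count. Suitable as a stack buffer size for any valid SID. */
#ifndef MIDL_PASS
#define SECURITY_MAX_SID_SIZE (sizeof(SID) - sizeof($ULONG) + (SID_MAX_SUB_AUTHORITIES * sizeof($ULONG)))
#endif

typedef enum _SID_NAME_USE {
  SidTypeUser = 1,
  SidTypeGroup,
  SidTypeDomain,
  SidTypeAlias,
  SidTypeWellKnownGroup,
  SidTypeDeletedAccount,
  SidTypeInvalid,
  SidTypeUnknown,
  SidTypeComputer,
  SidTypeLabel
} SID_NAME_USE, *PSID_NAME_USE;

typedef struct _SID_AND_ATTRIBUTES {
#ifdef MIDL_PASS
  PISID Sid;
#else
  PSID Sid;
#endif
  $ULONG Attributes;
} SID_AND_ATTRIBUTES, *PSID_AND_ATTRIBUTES;
typedef SID_AND_ATTRIBUTES SID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY];
typedef SID_AND_ATTRIBUTES_ARRAY *PSID_AND_ATTRIBUTES_ARRAY;

#define SID_HASH_SIZE 32
typedef ULONG_PTR SID_HASH_ENTRY, *PSID_HASH_ENTRY;

/* SidAttr points at SidCount entries; Hash[] is a fixed 32-slot index over
 * them (hashing scheme not defined here). */
typedef struct _SID_AND_ATTRIBUTES_HASH {
  $ULONG SidCount;
  PSID_AND_ATTRIBUTES SidAttr;
  SID_HASH_ENTRY Hash[SID_HASH_SIZE];
} SID_AND_ATTRIBUTES_HASH, *PSID_AND_ATTRIBUTES_HASH;

/* Universal well-known SIDs */

/* S-1-0 */
#define SECURITY_NULL_SID_AUTHORITY {0,0,0,0,0,0}

/* S-1-1 */
#define SECURITY_WORLD_SID_AUTHORITY {0,0,0,0,0,1}

/* S-1-2 */
#define SECURITY_LOCAL_SID_AUTHORITY {0,0,0,0,0,2}

/* S-1-3 */
#define SECURITY_CREATOR_SID_AUTHORITY {0,0,0,0,0,3}

/* S-1-4 */
#define SECURITY_NON_UNIQUE_AUTHORITY {0,0,0,0,0,4}

/* S-1-9 */
#define SECURITY_RESOURCE_MANAGER_AUTHORITY {0,0,0,0,0,9}

/* RIDs under the authorities above (S-1-0-0, S-1-1-0 "Everyone", S-1-2-0,
 * S-1-2-1). */
#define SECURITY_NULL_RID (0x00000000L)
#define SECURITY_WORLD_RID (0x00000000L)
#define SECURITY_LOCAL_RID (0x00000000L)
#define SECURITY_LOCAL_LOGON_RID (0x00000001L)

/* S-1-3-x */
#define SECURITY_CREATOR_OWNER_RID (0x00000000L)
#define SECURITY_CREATOR_GROUP_RID (0x00000001L)
#define SECURITY_CREATOR_OWNER_SERVER_RID (0x00000002L)
#define SECURITY_CREATOR_GROUP_SERVER_RID (0x00000003L)
#define SECURITY_CREATOR_OWNER_RIGHTS_RID (0x00000004L)

/* NT well-known SIDs */

/* S-1-5 */
#define SECURITY_NT_AUTHORITY {0,0,0,0,0,5}

/* S-1-5-x single-RID SIDs. */
#define SECURITY_DIALUP_RID (0x00000001L)
#define SECURITY_NETWORK_RID (0x00000002L)
#define SECURITY_BATCH_RID (0x00000003L)
#define SECURITY_INTERACTIVE_RID (0x00000004L)
/* Logon-session SIDs are S-1-5-5-X-Y: three sub-authorities in total. */
#define SECURITY_LOGON_IDS_RID (0x00000005L)
#define SECURITY_LOGON_IDS_RID_COUNT (3L)
#define SECURITY_SERVICE_RID (0x00000006L)
#define SECURITY_ANONYMOUS_LOGON_RID (0x00000007L)
#define SECURITY_PROXY_RID (0x00000008L)
#define SECURITY_ENTERPRISE_CONTROLLERS_RID (0x00000009L)
#define SECURITY_SERVER_LOGON_RID SECURITY_ENTERPRISE_CONTROLLERS_RID
#define SECURITY_PRINCIPAL_SELF_RID (0x0000000AL)
#define SECURITY_AUTHENTICATED_USER_RID (0x0000000BL)
#define SECURITY_RESTRICTED_CODE_RID (0x0000000CL)
#define SECURITY_TERMINAL_SERVER_RID (0x0000000DL)
#define SECURITY_REMOTE_LOGON_RID (0x0000000EL)
#define SECURITY_THIS_ORGANIZATION_RID (0x0000000FL)
#define SECURITY_IUSER_RID (0x00000011L)
/* S-1-5-18 / 19 / 20: LocalSystem, LocalService, NetworkService. */
#define SECURITY_LOCAL_SYSTEM_RID (0x00000012L)
#define SECURITY_LOCAL_SERVICE_RID (0x00000013L)
#define SECURITY_NETWORK_SERVICE_RID (0x00000014L)
/* S-1-5-21-A-B-C: machine/domain SIDs carry three more sub-authorities. */
#define SECURITY_NT_NON_UNIQUE (0x00000015L)
#define SECURITY_NT_NON_UNIQUE_SUB_AUTH_COUNT (3L)
#define SECURITY_ENTERPRISE_READONLY_CONTROLLERS_RID (0x00000016L)

/* S-1-5-32: the BUILTIN domain, parent of the DOMAIN_ALIAS_RID_* values. */
#define SECURITY_BUILTIN_DOMAIN_RID (0x00000020L)
#define SECURITY_WRITE_RESTRICTED_CODE_RID (0x00000021L)


/* S-1-5-64-x: authentication package SIDs (two sub-authorities). */
#define SECURITY_PACKAGE_BASE_RID (0x00000040L)
#define SECURITY_PACKAGE_RID_COUNT (2L)
#define SECURITY_PACKAGE_NTLM_RID (0x0000000AL)
#define SECURITY_PACKAGE_SCHANNEL_RID (0x0000000EL)
#define SECURITY_PACKAGE_DIGEST_RID (0x00000015L)
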
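/* S-1-5-65-x: credential-type SIDs (two sub-authorities). */
#define SECURITY_CRED_TYPE_BASE_RID (0x00000041L)
#define SECURITY_CRED_TYPE_RID_COUNT (2L)
#define SECURITY_CRED_TYPE_THIS_ORG_CERT_RID (0x00000001L)

/* Per-service / per-app-pool / virtual-account SID families. Each
 * *_ID_BASE_RID is the second sub-authority of S-1-5-<base>-..., and the
 * matching *_RID_COUNT gives the number of additional sub-authorities. */
#define SECURITY_MIN_BASE_RID (0x00000050L)
#define SECURITY_SERVICE_ID_BASE_RID (0x00000050L)
#define SECURITY_SERVICE_ID_RID_COUNT (6L)
#define SECURITY_RESERVED_ID_BASE_RID (0x00000051L)
#define SECURITY_APPPOOL_ID_BASE_RID (0x00000052L)
#define SECURITY_APPPOOL_ID_RID_COUNT (6L)
#define SECURITY_VIRTUALSERVER_ID_BASE_RID (0x00000053L)
#define SECURITY_VIRTUALSERVER_ID_RID_COUNT (6L)
#define SECURITY_USERMODEDRIVERHOST_ID_BASE_RID (0x00000054L)
#define SECURITY_USERMODEDRIVERHOST_ID_RID_COUNT (6L)
#define SECURITY_CLOUD_INFRASTRUCTURE_SERVICES_ID_BASE_RID (0x00000055L)
#define SECURITY_CLOUD_INFRASTRUCTURE_SERVICES_ID_RID_COUNT (6L)
#define SECURITY_WMIHOST_ID_BASE_RID (0x00000056L)
#define SECURITY_WMIHOST_ID_RID_COUNT (6L)
#define SECURITY_TASK_ID_BASE_RID (0x00000057L)
#define SECURITY_NFS_ID_BASE_RID (0x00000058L)
#define SECURITY_COM_ID_BASE_RID (0x00000059L)
#define SECURITY_VIRTUALACCOUNT_ID_RID_COUNT (6L)

#define SECURITY_MAX_BASE_RID (0x0000006FL)

/* Boundary between RIDs that token filtering always removes (<= 0x3E7)
 * and those it never removes (>= 0x3E8). */
#define SECURITY_MAX_ALWAYS_FILTERED (0x000003E7L)
#define SECURITY_MIN_NEVER_FILTERED (0x000003E8L)

#define SECURITY_OTHER_ORGANIZATION_RID (0x000003E8L)

/* Note: 0x70 lies above SECURITY_MAX_BASE_RID (0x6F). */
#define SECURITY_WINDOWSMOBILE_ID_BASE_RID (0x00000070L)

/* Well-known domain relative sub-authority values (RIDs) */

#define DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS (0x000001F2L)

#define FOREST_USER_RID_MAX (0x000001F3L)

/* Well-known users */

/* RID 500 / 501 / 502 in any domain. These are fixed and well known, which is
 * why the built-in Administrator account cannot be hidden by renaming it. */
#define DOMAIN_USER_RID_ADMIN (0x000001F4L)
#define DOMAIN_USER_RID_GUEST (0x000001F5L)
#define DOMAIN_USER_RID_KRBTGT (0x000001F6L)

#define DOMAIN_USER_RID_MAX (0x000003E7L)

/* Well-known groups */

/* RID 512 and up. */
#define DOMAIN_GROUP_RID_ADMINS (0x00000200L)
#define DOMAIN_GROUP_RID_USERS (0x00000201L)
#define DOMAIN_GROUP_RID_GUESTS (0x00000202L)
#define DOMAIN_GROUP_RID_COMPUTERS (0x00000203L)
#define DOMAIN_GROUP_RID_CONTROLLERS (0x00000204L)
#define DOMAIN_GROUP_RID_CERT_ADMINS (0x00000205L)
#define DOMAIN_GROUP_RID_SCHEMA_ADMINS (0x00000206L)
#define DOMAIN_GROUP_RID_ENTERPRISE_ADMINS (0x00000207L)
#define DOMAIN_GROUP_RID_POLICY_ADMINS (0x00000208L)
#define DOMAIN_GROUP_RID_READONLY_CONTROLLERS (0x00000209L)

/* Well-known aliases */

/* RID 544 and up, relative to the BUILTIN domain (S-1-5-32-x). */
#define DOMAIN_ALIAS_RID_ADMINS (0x00000220L)
#define DOMAIN_ALIAS_RID_USERS (0x00000221L)
#define DOMAIN_ALIAS_RID_GUESTS (0x00000222L)
#define DOMAIN_ALIAS_RID_POWER_USERS (0x00000223L)

#define DOMAIN_ALIAS_RID_ACCOUNT_OPS (0x00000224L)
#define DOMAIN_ALIAS_RID_SYSTEM_OPS (0x00000225L)
#define DOMAIN_ALIAS_RID_PRINT_OPS (0x00000226L)
#define DOMAIN_ALIAS_RID_BACKUP_OPS (0x00000227L)

#define DOMAIN_ALIAS_RID_REPLICATOR (0x00000228L)
#define DOMAIN_ALIAS_RID_RAS_SERVERS (0x00000229L)
#define DOMAIN_ALIAS_RID_PREW2KCOMPACCESS (0x0000022AL)
#define DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS (0x0000022BL)
#define DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS (0x0000022CL)
#define DOMAIN_ALIAS_RID_INCOMING_FOREST_TRUST_BUILDERS (0x0000022DL)

#define DOMAIN_ALIAS_RID_MONITORING_USERS (0x0000022EL)
#define DOMAIN_ALIAS_RID_LOGGING_USERS (0x0000022FL)
#define DOMAIN_ALIAS_RID_AUTHORIZATIONACCESS (0x00000230L)
#define DOMAIN_ALIAS_RID_TS_LICENSE_SERVERS (0x00000231L)
#define DOMAIN_ALIAS_RID_DCOM_USERS (0x00000232L)

#define DOMAIN_ALIAS_RID_IUSERS (0x00000238L)
#define DOMAIN_ALIAS_RID_CRYPTO_OPERATORS (0x00000239L)
#define DOMAIN_ALIAS_RID_CACHEABLE_PRINCIPALS_GROUP (0x0000023BL)
#define DOMAIN_ALIAS_RID_NON_CACHEABLE_PRINCIPALS_GROUP (0x0000023CL)
#define DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP (0x0000023DL)
#define DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP (0x0000023EL)

/* S-1-16-x: mandatory integrity labels. RIDs are spaced 0x1000 apart so
 * that intermediate levels (e.g. "medium plus") fit between them. */
#define SECURITY_MANDATORY_LABEL_AUTHORITY {0,0,0,0,0,16}
#define SECURITY_MANDATORY_UNTRUSTED_RID (0x00000000L)
#define SECURITY_MANDATORY_LOW_RID (0x00001000L)
#define SECURITY_MANDATORY_MEDIUM_RID (0x00002000L)
#define SECURITY_MANDATORY_HIGH_RID (0x00003000L)
#define SECURITY_MANDATORY_SYSTEM_RID (0x00004000L)
#define SECURITY_MANDATORY_PROTECTED_PROCESS_RID (0x00005000L)

/* SECURITY_MANDATORY_MAXIMUM_USER_RID is the highest RID that
   can be set by a usermode caller.*/

#define SECURITY_MANDATORY_MAXIMUM_USER_RID SECURITY_MANDATORY_SYSTEM_RID

/* Maps a MANDATORY_LEVEL enum value to its label RID (Low=1 -> 0x1000,
 * Medium=2 -> 0x2000, ...). IL is parenthesized so that an expression
 * argument such as `level + 1` multiplies as a whole. */
#define MANDATORY_LEVEL_TO_MANDATORY_RID(IL) ((IL) * 0x1000)

/* Allocate the System Luid. The first 1000 LUIDs are reserved.
   Use #999 here (0x3e7 = 999) */

/* Fixed logon-session LUIDs {LowPart, HighPart}; 999 down to 995. */
#define SYSTEM_LUID {0x3e7, 0x0}
#define ANONYMOUS_LOGON_LUID {0x3e6, 0x0}
#define LOCALSERVICE_LUID {0x3e5, 0x0}
#define NETWORKSERVICE_LUID {0x3e4, 0x0}
#define IUSER_LUID {0x3e3, 0x0}

/* Logon session reference flags */

#define SEP_LOGON_SESSION_TERMINATION_NOTIFY 0x0001

/* Common prefix of every ACE. AceSize is the total size of the ACE
 * including this header; an ACL walker must use it to step to the next ACE
 * and must check it stays within the enclosing ACL's AclSize. */
typedef struct _ACE_HEADER {
  $UCHAR AceType;
  $UCHAR AceFlags;
  $USHORT AceSize;
} ACE_HEADER, *PACE_HEADER;

/* AceType values. The ACCESS_MIN/MAX_* pairs delimit the ranges known to a
 * given ACL revision (V2: 0..3, V3: ..4, V4/object ACEs: 5..8). */
#define ACCESS_MIN_MS_ACE_TYPE (0x0)
#define ACCESS_ALLOWED_ACE_TYPE (0x0)
#define ACCESS_DENIED_ACE_TYPE (0x1)
#define SYSTEM_AUDIT_ACE_TYPE (0x2)
#define SYSTEM_ALARM_ACE_TYPE (0x3)
#define ACCESS_MAX_MS_V2_ACE_TYPE (0x3)
#define ACCESS_ALLOWED_COMPOUND_ACE_TYPE (0x4)
#define ACCESS_MAX_MS_V3_ACE_TYPE (0x4)
#define ACCESS_MIN_MS_OBJECT_ACE_TYPE (0x5)
#define ACCESS_ALLOWED_OBJECT_ACE_TYPE (0x5)
#define ACCESS_DENIED_OBJECT_ACE_TYPE (0x6)
#define SYSTEM_AUDIT_OBJECT_ACE_TYPE (0x7)
#define SYSTEM_ALARM_OBJECT_ACE_TYPE (0x8)
#define ACCESS_MAX_MS_OBJECT_ACE_TYPE (0x8)
#define ACCESS_MAX_MS_V4_ACE_TYPE (0x8)
/* Note: ACCESS_MAX_MS_ACE_TYPE stops at 0x8 although callback, label and V5
 * types up to 0x11 are defined below; do not use it as "highest known type". */
#define ACCESS_MAX_MS_ACE_TYPE (0x8)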
/* Callback ACEs (0x9..0x10) carry extra conditional data after the SID;
 * 0x11 is the mandatory-label ACE. */
#define ACCESS_ALLOWED_CALLBACK_ACE_TYPE (0x9)
#define ACCESS_DENIED_CALLBACK_ACE_TYPE (0xA)
#define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE (0xB)
#define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE (0xC)
#define SYSTEM_AUDIT_CALLBACK_ACE_TYPE (0xD)
#define SYSTEM_ALARM_CALLBACK_ACE_TYPE (0xE)
#define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE (0xF)
#define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE (0x10)
#define ACCESS_MAX_MS_V5_ACE_TYPE (0x11)
#define SYSTEM_MANDATORY_LABEL_ACE_TYPE (0x11)

/* The following are the inherit flags that go into the AceFlags field
   of an Ace header. */

#define OBJECT_INHERIT_ACE (0x1)
#define CONTAINER_INHERIT_ACE (0x2)
#define NO_PROPAGATE_INHERIT_ACE (0x4)
#define INHERIT_ONLY_ACE (0x8)
#define INHERITED_ACE (0x10)
#define VALID_INHERIT_FLAGS (0x1F)

/* AceFlags bits meaningful only for SYSTEM_AUDIT / SYSTEM_ALARM ACEs. */
#define SUCCESSFUL_ACCESS_ACE_FLAG (0x40)
#define FAILED_ACCESS_ACE_FLAG (0x80)

/* Simple ACEs: header, access mask, then the SID stored inline. SidStart is
 * the first 4 bytes of that SID (hence the name); the SID's full length is
 * bounded by Header.AceSize, not by sizeof(*this). */
typedef struct _ACCESS_ALLOWED_ACE {
  ACE_HEADER Header;
  ACCESS_MASK Mask;
  $ULONG SidStart;
} ACCESS_ALLOWED_ACE, *PACCESS_ALLOWED_ACE;

typedef struct _ACCESS_DENIED_ACE {
  ACE_HEADER Header;
  ACCESS_MASK Mask;
  $ULONG SidStart;
} ACCESS_DENIED_ACE, *PACCESS_DENIED_ACE;

/* Object ACEs add Flags plus up to two GUIDs before the SID. The GUID fields
 * are only present when the corresponding ACE_*_OBJECT_TYPE_PRESENT bit is
 * set in Flags (see below), so the SID does not always start at SidStart. */
typedef struct _ACCESS_ALLOWED_OBJECT_ACE {
  ACE_HEADER Header;
  ACCESS_MASK Mask;
  $ULONG Flags;
  GUID ObjectType;
  GUID InheritedObjectType;
  $ULONG SidStart;
} ACCESS_ALLOWED_OBJECT_ACE, *PACCESS_ALLOWED_OBJECT_ACE;

typedef struct _ACCESS_DENIED_OBJECT_ACE {
  ACE_HEADER Header;
  ACCESS_MASK Mask;
  $ULONG Flags;
  GUID ObjectType;
  GUID InheritedObjectType;
  $ULONG SidStart;
} ACCESS_DENIED_OBJECT_ACE, *PACCESS_DENIED_OBJECT_ACE;

typedef struct _SYSTEM_AUDIT_ACE {
  ACE_HEADER Header;
  ACCESS_MASK Mask;
  $ULONG SidStart;
} SYSTEM_AUDIT_ACE, *PSYSTEM_AUDIT_ACE;

typedef struct _SYSTEM_ALARM_ACE {
  ACE_HEADER Header;
  ACCESS_MASK Mask;
  $ULONG SidStart;
} SYSTEM_ALARM_ACE, *PSYSTEM_ALARM_ACE;

/* Integrity-label ACE: Mask holds SYSTEM_MANDATORY_LABEL_* policy bits and
 * the inline SID is an S-1-16-x label SID. */
typedef struct _SYSTEM_MANDATORY_LABEL_ACE {
  ACE_HEADER Header;
  ACCESS_MASK Mask;
  $ULONG SidStart;
} SYSTEM_MANDATORY_LABEL_ACE, *PSYSTEM_MANDATORY_LABEL_ACE;

/* Object ACE flags */
#define ACE_OBJECT_TYPE_PRESENT 0x00000001
#define ACE_INHERITED_OBJECT_TYPE_PRESENT 0x00000002

/* Mask bits of a SYSTEM_MANDATORY_LABEL_ACE. */
#define SYSTEM_MANDATORY_LABEL_NO_WRITE_UP 0x1
#define SYSTEM_MANDATORY_LABEL_NO_READ_UP 0x2
#define SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP 0x4
#define SYSTEM_MANDATORY_LABEL_VALID_MASK (SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | \
                                           SYSTEM_MANDATORY_LABEL_NO_READ_UP | \
                                           SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP)

/* Refers to the absolute form (SECURITY_DESCRIPTOR) defined further below;
 * macros are expanded at use, so the forward reference is fine. */
#define SECURITY_DESCRIPTOR_MIN_LENGTH (sizeof(SECURITY_DESCRIPTOR))

typedef $USHORT SECURITY_DESCRIPTOR_CONTROL, *PSECURITY_DESCRIPTOR_CONTROL;

/* SECURITY_DESCRIPTOR_CONTROL bits. SE_SELF_RELATIVE selects the
 * SECURITY_DESCRIPTOR_RELATIVE layout (offsets) over the absolute one
 * (pointers); code must check it before interpreting Owner/Group/Sacl/Dacl.
 * NOTE(review): when SE_DACL_PRESENT is clear (or the DACL is NULL) the
 * descriptor is conventionally treated as granting all access — confirm
 * against the access-check code (cf. AccessReasonNullDacl below). */
#define SE_OWNER_DEFAULTED 0x0001
#define SE_GROUP_DEFAULTED 0x0002
#define SE_DACL_PRESENT 0x0004
#define SE_DACL_DEFAULTED 0x0008
#define SE_SACL_PRESENT 0x0010
#define SE_SACL_DEFAULTED 0x0020
#define SE_DACL_UNTRUSTED 0x0040
#define SE_SERVER_SECURITY 0x0080
#define SE_DACL_AUTO_INHERIT_REQ 0x0100
#define SE_SACL_AUTO_INHERIT_REQ 0x0200
#define SE_DACL_AUTO_INHERITED 0x0400
#define SE_SACL_AUTO_INHERITED 0x0800
#define SE_DACL_PROTECTED 0x1000
#define SE_SACL_PROTECTED 0x2000
#define SE_RM_CONTROL_VALID 0x4000
#define SE_SELF_RELATIVE 0x8000

/* Self-relative form: Owner/Group/Sacl/Dacl are byte offsets from the start
 * of this struct (0 = absent). This is the on-disk / over-the-wire layout,
 * so each offset must be range-checked against the buffer size before use. */
typedef struct _SECURITY_DESCRIPTOR_RELATIVE {
  $UCHAR Revision;
  $UCHAR Sbz1;
  SECURITY_DESCRIPTOR_CONTROL Control;
  $ULONG Owner;
  $ULONG Group;
  $ULONG Sacl;
  $ULONG Dacl;
} SECURITY_DESCRIPTOR_RELATIVE, *PISECURITY_DESCRIPTOR_RELATIVE;

/* Absolute form: same header, but the four components are pointers. Its
 * size therefore differs between 32- and 64-bit builds, unlike the
 * self-relative form. */
typedef struct _SECURITY_DESCRIPTOR {
  $UCHAR Revision;
  $UCHAR Sbz1;
  SECURITY_DESCRIPTOR_CONTROL Control;
  PSID Owner;
  PSID Group;
  PACL Sacl;
  PACL Dacl;
} SECURITY_DESCRIPTOR, *PISECURITY_DESCRIPTOR;

/* One entry of the object-type hierarchy passed to object access checks;
 * Level is one of the ACCESS_*_GUID depths below (max ACCESS_MAX_LEVEL). */
typedef struct _OBJECT_TYPE_LIST {
  $USHORT Level;
  $USHORT Sbz;
  GUID *ObjectType;
} OBJECT_TYPE_LIST, *POBJECT_TYPE_LIST;

#define ACCESS_OBJECT_GUID 0
#define ACCESS_PROPERTY_SET_GUID 1
#define ACCESS_PROPERTY_GUID 2
#define ACCESS_MAX_LEVEL 4

typedef enum _AUDIT_EVENT_TYPE {
  AuditEventObjectAccess,
  AuditEventDirectoryServiceAccess
} AUDIT_EVENT_TYPE, *PAUDIT_EVENT_TYPE;

#define AUDIT_ALLOW_NO_PRIVILEGE 0x1

#define ACCESS_DS_SOURCE_A "DS"
#define ACCESS_DS_SOURCE_W L"DS"
#define ACCESS_DS_OBJECT_TYPE_NAME_A "Directory Service Object"
#define ACCESS_DS_OBJECT_TYPE_NAME_W L"Directory Service Object"

/* An ACCESS_REASON packs a type (high 16 bits, ACCESS_REASON_TYPE) with
 * type-specific data (low 16 bits, e.g. an ACE index). */
#define ACCESS_REASON_TYPE_MASK 0xffff0000
#define ACCESS_REASON_DATA_MASK 0x0000ffff

typedef enum _ACCESS_REASON_TYPE {
  AccessReasonNone = 0x00000000,
  AccessReasonAllowedAce = 0x00010000,
  AccessReasonDeniedAce = 0x00020000,
  AccessReasonAllowedParentAce = 0x00030000,
  AccessReasonDeniedParentAce = 0x00040000,
  AccessReasonMissingPrivilege = 0x00100000,
  AccessReasonFromPrivilege = 0x00200000,
  AccessReasonIntegrityLevel = 0x00300000,
  AccessReasonOwnership = 0x00400000,
  AccessReasonNullDacl = 0x00500000,
  AccessReasonEmptyDacl = 0x00600000,
  AccessReasonNoSD = 0x00700000,
  AccessReasonNoGrant = 0x00800000
} ACCESS_REASON_TYPE;

typedef $ULONG ACCESS_REASON;

/* One reason slot per bit of an ACCESS_MASK. */
typedef struct _ACCESS_REASONS {
  ACCESS_REASON Data[32];
} ACCESS_REASONS, *PACCESS_REASONS;

#define SE_SECURITY_DESCRIPTOR_FLAG_NO_OWNER_ACE 0x00000001
#define SE_SECURITY_DESCRIPTOR_FLAG_NO_LABEL_ACE 0x00000002
#define SE_SECURITY_DESCRIPTOR_VALID_FLAGS 0x00000003

/* Descriptor plus evaluation flags; Size is the size of this struct. */
typedef struct _SE_SECURITY_DESCRIPTOR {
  $ULONG Size;
  $ULONG Flags;
  PSECURITY_DESCRIPTOR SecurityDescriptor;
} SE_SECURITY_DESCRIPTOR, *PSE_SECURITY_DESCRIPTOR;

/* Input to an extended access check. ObjectTypeListCount bounds
 * ObjectTypeList; GenericMapping is needed to resolve GENERIC_* bits in
 * DesiredAccess. */
typedef struct _SE_ACCESS_REQUEST {
  $ULONG Size;
  PSE_SECURITY_DESCRIPTOR SeSecurityDescriptor;
  ACCESS_MASK DesiredAccess;
  ACCESS_MASK PreviouslyGrantedAccess;
  PSID PrincipalSelfSid;
  PGENERIC_MAPPING GenericMapping;
  $ULONG ObjectTypeListCount;
  POBJECT_TYPE_LIST ObjectTypeList;
} SE_ACCESS_REQUEST, *PSE_ACCESS_REQUEST;

/* Token object specific rights (low 16 bits of an ACCESS_MASK).
 * TOKEN_ADJUST_PRIVILEGES / TOKEN_ADJUST_DEFAULT / TOKEN_ASSIGN_PRIMARY are
 * the sensitive ones: they allow changing what a token can do or attaching
 * it to a process. */
#define TOKEN_ASSIGN_PRIMARY (0x0001)
#define TOKEN_DUPLICATE (0x0002)
#define TOKEN_IMPERSONATE (0x0004)
#define TOKEN_QUERY (0x0008)
#define TOKEN_QUERY_SOURCE (0x0010)
#define TOKEN_ADJUST_PRIVILEGES (0x0020)
#define TOKEN_ADJUST_GROUPS (0x0040)
#define TOKEN_ADJUST_DEFAULT (0x0080)
#define TOKEN_ADJUST_SESSIONID (0x0100)

#define TOKEN_ALL_ACCESS_P (STANDARD_RIGHTS_REQUIRED |\
                            TOKEN_ASSIGN_PRIMARY |\
                            TOKEN_DUPLICATE |\
                            TOKEN_IMPERSONATE |\
                            TOKEN_QUERY |\
                            TOKEN_QUERY_SOURCE |\
                            TOKEN_ADJUST_PRIVILEGES |\
                            TOKEN_ADJUST_GROUPS |\
                            TOKEN_ADJUST_DEFAULT)

/* TOKEN_ADJUST_SESSIONID is part of TOKEN_ALL_ACCESS only when targeting a
 * platform newer than 0x0400 (or when _WIN32_WINNT is not set). */
#if ((defined(_WIN32_WINNT) && (_WIN32_WINNT > 0x0400)) || (!defined(_WIN32_WINNT)))
#define TOKEN_ALL_ACCESS (TOKEN_ALL_ACCESS_P | TOKEN_ADJUST_SESSIONID)
#else
#define TOKEN_ALL_ACCESS (TOKEN_ALL_ACCESS_P)
#endif

#define TOKEN_READ (STANDARD_RIGHTS_READ | TOKEN_QUERY)

#define TOKEN_WRITE (STANDARD_RIGHTS_WRITE |\
                     TOKEN_ADJUST_PRIVILEGES |\
                     TOKEN_ADJUST_GROUPS |\
                     TOKEN_ADJUST_DEFAULT)

#define TOKEN_EXECUTE (STANDARD_RIGHTS_EXECUTE)

typedef enum _TOKEN_TYPE {
  TokenPrimary = 1,
  TokenImpersonation
} TOKEN_TYPE, *PTOKEN_TYPE;

/* Selector for token query/set operations. Values are sequential from 1;
 * MaxTokenInfoClass is one past the last valid class. Append only. */
typedef enum _TOKEN_INFORMATION_CLASS {
  TokenUser = 1,
  TokenGroups,
  TokenPrivileges,
  TokenOwner,
  TokenPrimaryGroup,
  TokenDefaultDacl,
  TokenSource,
  TokenType,
  TokenImpersonationLevel,
  TokenStatistics,
  TokenRestrictedSids,
  TokenSessionId,
  TokenGroupsAndPrivileges,
  TokenSessionReference,
  TokenSandBoxInert,
  TokenAuditPolicy,
  TokenOrigin,
  TokenElevationType,
  TokenLinkedToken,
  TokenElevation,
  TokenHasRestrictions,
  TokenAccessInformation,
  TokenVirtualizationAllowed,
  TokenVirtualizationEnabled,
  TokenIntegrityLevel,
  TokenUIAccess,
  TokenMandatoryPolicy,
  TokenLogonSid,
  TokenIsAppContainer,
  TokenCapabilities,
  TokenAppContainerSid,
  TokenAppContainerNumber,
  TokenUserClaimAttributes,
  TokenDeviceClaimAttributes,
  TokenRestrictedUserClaimAttributes,
  TokenRestrictedDeviceClaimAttributes,
  TokenDeviceGroups,
  TokenRestrictedDeviceGroups,
  TokenSecurityAttributes,
  TokenIsRestricted,
  MaxTokenInfoClass
} TOKEN_INFORMATION_CLASS, *PTOKEN_INFORMATION_CLASS;

/* Result structures for the TOKEN_INFORMATION_CLASS values above. The
 * variable-length ones (Groups[], Privileges[]) are sized by their count
 * field; the declared array length is a placeholder. */
typedef struct _TOKEN_USER {
  SID_AND_ATTRIBUTES User;
} TOKEN_USER, *PTOKEN_USER;

typedef struct _TOKEN_GROUPS {
  $ULONG GroupCount;
#ifdef MIDL_PASS
  [size_is(GroupCount)] SID_AND_ATTRIBUTES Groups[*];
#else
  SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY];
#endif
} TOKEN_GROUPS, *PTOKEN_GROUPS, *LPTOKEN_GROUPS;

typedef struct _TOKEN_PRIVILEGES {
  $ULONG PrivilegeCount;
  LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES, *LPTOKEN_PRIVILEGES;

typedef struct _TOKEN_OWNER {
  PSID Owner;
} TOKEN_OWNER, *PTOKEN_OWNER;

typedef struct _TOKEN_PRIMARY_GROUP {
  PSID PrimaryGroup;
} TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP;

typedef struct _TOKEN_DEFAULT_DACL {
  PACL DefaultDacl;
} TOKEN_DEFAULT_DACL, *PTOKEN_DEFAULT_DACL;

/* Combined snapshot: each *Count/*Length pair describes the buffer the
 * matching pointer refers to. */
typedef struct _TOKEN_GROUPS_AND_PRIVILEGES {
  $ULONG SidCount;
  $ULONG SidLength;
  PSID_AND_ATTRIBUTES Sids;
  $ULONG RestrictedSidCount;
  $ULONG RestrictedSidLength;
  PSID_AND_ATTRIBUTES RestrictedSids;
  $ULONG PrivilegeCount;
  $ULONG PrivilegeLength;
  PLUID_AND_ATTRIBUTES Privileges;
  LUID AuthenticationId;
} TOKEN_GROUPS_AND_PRIVILEGES, *PTOKEN_GROUPS_AND_PRIVILEGES;

/* LinkedToken is a HANDLE owned by the caller once returned (presumably
 * must be closed by the caller — verify against the query implementation). */
typedef struct _TOKEN_LINKED_TOKEN {
  HANDLE LinkedToken;
} TOKEN_LINKED_TOKEN, *PTOKEN_LINKED_TOKEN;

typedef struct _TOKEN_ELEVATION {
  $ULONG TokenIsElevated;
} TOKEN_ELEVATION, *PTOKEN_ELEVATION;

typedef struct _TOKEN_MANDATORY_LABEL {
  SID_AND_ATTRIBUTES Label;
} TOKEN_MANDATORY_LABEL, *PTOKEN_MANDATORY_LABEL;

#define TOKEN_MANDATORY_POLICY_OFF 0x0
#define TOKEN_MANDATORY_POLICY_NO_WRITE_UP 0x1
#define TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN 0x2

#define TOKEN_MANDATORY_POLICY_VALID_MASK (TOKEN_MANDATORY_POLICY_NO_WRITE_UP | \
                                           TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN)

#define POLICY_AUDIT_SUBCATEGORY_COUNT (56)

/* (56 >> 1) + 1 == 29 bytes, i.e. two subcategories per byte plus one. */
typedef struct _TOKEN_AUDIT_POLICY {
  $UCHAR PerUserPolicy[((POLICY_AUDIT_SUBCATEGORY_COUNT) >> 1) + 1];
} TOKEN_AUDIT_POLICY, *PTOKEN_AUDIT_POLICY;

#define TOKEN_SOURCE_LENGTH 8

/* SourceName is a fixed 8-byte field and is NOT guaranteed to be
 * NUL-terminated; print it with a bounded width, never as a C string. */
typedef struct _TOKEN_SOURCE {
  CHAR SourceName[TOKEN_SOURCE_LENGTH];
  LUID SourceIdentifier;
} TOKEN_SOURCE, *PTOKEN_SOURCE;

/* 4-byte packing: layout shared with user mode, must stay stable. */
#include <pshpack4.h>
typedef struct _TOKEN_STATISTICS {
  LUID TokenId;
  LUID AuthenticationId;
  LARGE_INTEGER ExpirationTime;
  TOKEN_TYPE TokenType;
  SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
  $ULONG DynamicCharged;
  $ULONG DynamicAvailable;
  $ULONG GroupCount;
  $ULONG PrivilegeCount;
  LUID ModifiedId;
} TOKEN_STATISTICS, *PTOKEN_STATISTICS;
#include <poppack.h>

typedef struct _TOKEN_CONTROL {
  LUID TokenId;
  LUID AuthenticationId;
  LUID ModifiedId;
  TOKEN_SOURCE TokenSource;
} TOKEN_CONTROL, *PTOKEN_CONTROL;

typedef struct _TOKEN_ORIGIN {
  LUID OriginatingLogonSession;
} TOKEN_ORIGIN, *PTOKEN_ORIGIN;

/* Integrity levels; MANDATORY_LEVEL_TO_MANDATORY_RID maps these to the
 * SECURITY_MANDATORY_*_RID label values (Low -> 0x1000, etc.).
 * The enum continues past the end of this excerpt. */
typedef enum _MANDATORY_LEVEL {
  MandatoryLevelUntrusted = 0,
  MandatoryLevelLow,
  MandatoryLevelMedium,
  MandatoryLevelHigh,
MandatoryLevelSystem, 1116 MandatoryLevelSecureProcess, 1117 MandatoryLevelCount 1118 } MANDATORY_LEVEL, *PMANDATORY_LEVEL; 1119 1120 $endif(_NTIFS_ || _WINNT_) 1121 $if(_NTIFS_) 1122 1123 typedef struct _SE_ACCESS_REPLY { 1124 $ULONG Size; 1125 $ULONG ResultListCount; 1126 PACCESS_MASK GrantedAccess; 1127 PNTSTATUS AccessStatus; 1128 PACCESS_REASONS AccessReason; 1129 PPRIVILEGE_SET* Privileges; 1130 } SE_ACCESS_REPLY, *PSE_ACCESS_REPLY; 1131 1132 typedef enum _SE_AUDIT_OPERATION { 1133 AuditPrivilegeObject, 1134 AuditPrivilegeService, 1135 AuditAccessCheck, 1136 AuditOpenObject, 1137 AuditOpenObjectWithTransaction, 1138 AuditCloseObject, 1139 AuditDeleteObject, 1140 AuditOpenObjectForDelete, 1141 AuditOpenObjectForDeleteWithTransaction, 1142 AuditCloseNonObject, 1143 AuditOpenNonObject, 1144 AuditObjectReference, 1145 AuditHandleCreation, 1146 } SE_AUDIT_OPERATION, *PSE_AUDIT_OPERATION; 1147 1148 typedef struct _SE_AUDIT_INFO { 1149 ULONG Size; 1150 AUDIT_EVENT_TYPE AuditType; 1151 SE_AUDIT_OPERATION AuditOperation; 1152 ULONG AuditFlags; 1153 UNICODE_STRING SubsystemName; 1154 UNICODE_STRING ObjectTypeName; 1155 UNICODE_STRING ObjectName; 1156 PVOID HandleId; 1157 GUID* TransactionId; 1158 LUID* OperationId; 1159 BOOLEAN ObjectCreation; 1160 BOOLEAN GenerateOnClose; 1161 } SE_AUDIT_INFO, *PSE_AUDIT_INFO; 1162 1163 typedef struct _TOKEN_MANDATORY_POLICY { 1164 $ULONG Policy; 1165 } TOKEN_MANDATORY_POLICY, *PTOKEN_MANDATORY_POLICY; 1166 1167 typedef struct _TOKEN_ACCESS_INFORMATION { 1168 PSID_AND_ATTRIBUTES_HASH SidHash; 1169 PSID_AND_ATTRIBUTES_HASH RestrictedSidHash; 1170 PTOKEN_PRIVILEGES Privileges; 1171 LUID AuthenticationId; 1172 TOKEN_TYPE TokenType; 1173 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; 1174 TOKEN_MANDATORY_POLICY MandatoryPolicy; 1175 $ULONG Flags; 1176 } TOKEN_ACCESS_INFORMATION, *PTOKEN_ACCESS_INFORMATION; 1177 1178 #define TOKEN_HAS_TRAVERSE_PRIVILEGE 0x0001 1179 #define TOKEN_HAS_BACKUP_PRIVILEGE 0x0002 1180 #define 
TOKEN_HAS_RESTORE_PRIVILEGE 0x0004 1181 #define TOKEN_WRITE_RESTRICTED 0x0008 1182 #define TOKEN_HAS_ADMIN_GROUP TOKEN_WRITE_RESTRICTED 1183 #define TOKEN_IS_RESTRICTED 0x0010 1184 #define TOKEN_SESSION_NOT_REFERENCED 0x0020 1185 #define TOKEN_SANDBOX_INERT 0x0040 1186 #define TOKEN_HAS_IMPERSONATE_PRIVILEGE 0x0080 1187 #define SE_BACKUP_PRIVILEGES_CHECKED 0x0100 1188 #define TOKEN_VIRTUALIZE_ALLOWED 0x0200 1189 #define TOKEN_VIRTUALIZE_ENABLED 0x0400 1190 #define TOKEN_IS_FILTERED 0x0800 1191 #define TOKEN_UIACCESS 0x1000 1192 #define TOKEN_NOT_LOW 0x2000 1193 1194 typedef struct _SE_EXPORTS { 1195 LUID SeCreateTokenPrivilege; 1196 LUID SeAssignPrimaryTokenPrivilege; 1197 LUID SeLockMemoryPrivilege; 1198 LUID SeIncreaseQuotaPrivilege; 1199 LUID SeUnsolicitedInputPrivilege; 1200 LUID SeTcbPrivilege; 1201 LUID SeSecurityPrivilege; 1202 LUID SeTakeOwnershipPrivilege; 1203 LUID SeLoadDriverPrivilege; 1204 LUID SeCreatePagefilePrivilege; 1205 LUID SeIncreaseBasePriorityPrivilege; 1206 LUID SeSystemProfilePrivilege; 1207 LUID SeSystemtimePrivilege; 1208 LUID SeProfileSingleProcessPrivilege; 1209 LUID SeCreatePermanentPrivilege; 1210 LUID SeBackupPrivilege; 1211 LUID SeRestorePrivilege; 1212 LUID SeShutdownPrivilege; 1213 LUID SeDebugPrivilege; 1214 LUID SeAuditPrivilege; 1215 LUID SeSystemEnvironmentPrivilege; 1216 LUID SeChangeNotifyPrivilege; 1217 LUID SeRemoteShutdownPrivilege; 1218 PSID SeNullSid; 1219 PSID SeWorldSid; 1220 PSID SeLocalSid; 1221 PSID SeCreatorOwnerSid; 1222 PSID SeCreatorGroupSid; 1223 PSID SeNtAuthoritySid; 1224 PSID SeDialupSid; 1225 PSID SeNetworkSid; 1226 PSID SeBatchSid; 1227 PSID SeInteractiveSid; 1228 PSID SeLocalSystemSid; 1229 PSID SeAliasAdminsSid; 1230 PSID SeAliasUsersSid; 1231 PSID SeAliasGuestsSid; 1232 PSID SeAliasPowerUsersSid; 1233 PSID SeAliasAccountOpsSid; 1234 PSID SeAliasSystemOpsSid; 1235 PSID SeAliasPrintOpsSid; 1236 PSID SeAliasBackupOpsSid; 1237 PSID SeAuthenticatedUsersSid; 1238 PSID SeRestrictedSid; 1239 PSID 
SeAnonymousLogonSid; 1240 LUID SeUndockPrivilege; 1241 LUID SeSyncAgentPrivilege; 1242 LUID SeEnableDelegationPrivilege; 1243 PSID SeLocalServiceSid; 1244 PSID SeNetworkServiceSid; 1245 LUID SeManageVolumePrivilege; 1246 LUID SeImpersonatePrivilege; 1247 LUID SeCreateGlobalPrivilege; 1248 LUID SeTrustedCredManAccessPrivilege; 1249 LUID SeRelabelPrivilege; 1250 LUID SeIncreaseWorkingSetPrivilege; 1251 LUID SeTimeZonePrivilege; 1252 LUID SeCreateSymbolicLinkPrivilege; 1253 PSID SeIUserSid; 1254 PSID SeUntrustedMandatorySid; 1255 PSID SeLowMandatorySid; 1256 PSID SeMediumMandatorySid; 1257 PSID SeHighMandatorySid; 1258 PSID SeSystemMandatorySid; 1259 PSID SeOwnerRightsSid; 1260 } SE_EXPORTS, *PSE_EXPORTS; 1261 1262 typedef NTSTATUS 1263 (NTAPI *PSE_LOGON_SESSION_TERMINATED_ROUTINE)( 1264 IN PLUID LogonId); 1265 1266 typedef struct _SECURITY_CLIENT_CONTEXT { 1267 SECURITY_QUALITY_OF_SERVICE SecurityQos; 1268 PACCESS_TOKEN ClientToken; 1269 BOOLEAN DirectlyAccessClientToken; 1270 BOOLEAN DirectAccessEffectiveOnly; 1271 BOOLEAN ServerIsRemote; 1272 TOKEN_CONTROL ClientTokenControl; 1273 } SECURITY_CLIENT_CONTEXT, *PSECURITY_CLIENT_CONTEXT; 1274 1275 $endif (_NTIFS_) 1276