/******************************************************************************
 *                          Security Manager Types                            *
 ******************************************************************************/
/* NOTE(review): the `$if`/`$endif` markers and `$ULONG`/`$UCHAR`/`$USHORT`
 * tokens are not C; they look like placeholders expanded by a header
 * generator into per-target (_WDMDDK_/_WINNT_/_NTDDK_/_NTIFS_) output and
 * plain integer types -- confirm against the generator before editing. */
$if (_WDMDDK_ || _WINNT_)

/* Simple types */
typedef PVOID PSECURITY_DESCRIPTOR;
typedef $ULONG SECURITY_INFORMATION, *PSECURITY_INFORMATION;
typedef $ULONG ACCESS_MASK, *PACCESS_MASK;

typedef PVOID PACCESS_TOKEN;
typedef PVOID PSID;

/* ACCESS_MASK bit layout, as fixed by the values below:
 *   bits  0-15  object-specific rights           (SPECIFIC_RIGHTS_ALL)
 *   bits 16-20  standard rights                  (STANDARD_RIGHTS_ALL)
 *   bit  24     SACL access                      (ACCESS_SYSTEM_SECURITY)
 *   bit  25     "give me whatever is allowed"    (MAXIMUM_ALLOWED)
 *   bits 28-31  generic rights, mapped through a GENERIC_MAPPING before
 *               an access check                  (GENERIC_*)
 * STANDARD_RIGHTS_REQUIRED is the standard set without SYNCHRONIZE. */
#define DELETE 0x00010000L
#define READ_CONTROL 0x00020000L
#define WRITE_DAC 0x00040000L
#define WRITE_OWNER 0x00080000L
#define SYNCHRONIZE 0x00100000L
#define STANDARD_RIGHTS_REQUIRED 0x000F0000L
#define STANDARD_RIGHTS_READ READ_CONTROL
#define STANDARD_RIGHTS_WRITE READ_CONTROL
#define STANDARD_RIGHTS_EXECUTE READ_CONTROL
#define STANDARD_RIGHTS_ALL 0x001F0000L
#define SPECIFIC_RIGHTS_ALL 0x0000FFFFL
#define ACCESS_SYSTEM_SECURITY 0x01000000L
#define MAXIMUM_ALLOWED 0x02000000L
#define GENERIC_READ 0x80000000L
#define GENERIC_WRITE 0x40000000L
#define GENERIC_EXECUTE 0x20000000L
#define GENERIC_ALL 0x10000000L

/* Per-object-type translation of the four GENERIC_* bits into
 * standard + specific rights. */
typedef struct _GENERIC_MAPPING {
  ACCESS_MASK GenericRead;
  ACCESS_MASK GenericWrite;
  ACCESS_MASK GenericExecute;
  ACCESS_MASK GenericAll;
} GENERIC_MAPPING, *PGENERIC_MAPPING;

#define ACL_REVISION 2
#define ACL_REVISION_DS 4

#define ACL_REVISION1 1
#define ACL_REVISION2 2
#define ACL_REVISION3 3
#define ACL_REVISION4 4
#define MIN_ACL_REVISION ACL_REVISION2
#define MAX_ACL_REVISION ACL_REVISION4

/* ACL header. Sbz1/Sbz2 are "should be zero" padding. AclSize and AceCount
 * are self-describing length fields; code that consumes an ACL from an
 * untrusted buffer must bound both against the buffer it was read from
 * before walking the ACEs. */
typedef struct _ACL {
  $UCHAR AclRevision;
  $UCHAR Sbz1;
  $USHORT AclSize;
  $USHORT AceCount;
  $USHORT Sbz2;
} ACL, *PACL;

/* Current security descriptor revision value */
#define SECURITY_DESCRIPTOR_REVISION (1)
#define SECURITY_DESCRIPTOR_REVISION1 (1)

/* Privilege attributes */
#define SE_PRIVILEGE_ENABLED_BY_DEFAULT (0x00000001L)
#define SE_PRIVILEGE_ENABLED (0x00000002L)
#define SE_PRIVILEGE_REMOVED (0x00000004L)
#define SE_PRIVILEGE_USED_FOR_ACCESS (0x80000000L)

#define SE_PRIVILEGE_VALID_ATTRIBUTES (SE_PRIVILEGE_ENABLED_BY_DEFAULT | \
                                       SE_PRIVILEGE_ENABLED | \
                                       SE_PRIVILEGE_REMOVED | \
                                       SE_PRIVILEGE_USED_FOR_ACCESS)

/* 4-byte packing: keeps the layout identical across targets. */
#include <pshpack4.h>
typedef struct _LUID_AND_ATTRIBUTES {
  LUID Luid;
  $ULONG Attributes;
} LUID_AND_ATTRIBUTES, *PLUID_AND_ATTRIBUTES;
#include <poppack.h>

typedef LUID_AND_ATTRIBUTES LUID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY];
typedef LUID_AND_ATTRIBUTES_ARRAY *PLUID_AND_ATTRIBUTES_ARRAY;

/* Privilege sets */
#define PRIVILEGE_SET_ALL_NECESSARY (1)

/* Variable-length: Privilege[] has PrivilegeCount entries. */
typedef struct _PRIVILEGE_SET {
  $ULONG PrivilegeCount;
  $ULONG Control;
  LUID_AND_ATTRIBUTES Privilege[ANYSIZE_ARRAY];
} PRIVILEGE_SET, *PPRIVILEGE_SET;

/* Ordered from least to most powerful; VALID_IMPERSONATION_LEVEL below
 * relies on this ordering. */
typedef enum _SECURITY_IMPERSONATION_LEVEL {
  SecurityAnonymous,
  SecurityIdentification,
  SecurityImpersonation,
  SecurityDelegation
} SECURITY_IMPERSONATION_LEVEL, * PSECURITY_IMPERSONATION_LEVEL;

#define SECURITY_MAX_IMPERSONATION_LEVEL SecurityDelegation
#define SECURITY_MIN_IMPERSONATION_LEVEL SecurityAnonymous
#define DEFAULT_IMPERSONATION_LEVEL SecurityImpersonation
/* Range check on the enum; note that Level is evaluated twice. */
#define VALID_IMPERSONATION_LEVEL(Level) (((Level) >= SECURITY_MIN_IMPERSONATION_LEVEL) && ((Level) <= SECURITY_MAX_IMPERSONATION_LEVEL))

#define SECURITY_DYNAMIC_TRACKING (TRUE)
#define SECURITY_STATIC_TRACKING (FALSE)

typedef BOOLEAN SECURITY_CONTEXT_TRACKING_MODE, *PSECURITY_CONTEXT_TRACKING_MODE;

/* Client-supplied limits on how a server may use its security context. */
typedef struct _SECURITY_QUALITY_OF_SERVICE {
  $ULONG Length;
  SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
  SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode;
  BOOLEAN EffectiveOnly;
} SECURITY_QUALITY_OF_SERVICE, *PSECURITY_QUALITY_OF_SERVICE;

/* Saved impersonation state (token plus the flags that describe it). */
typedef struct _SE_IMPERSONATION_STATE {
  PACCESS_TOKEN Token;
  BOOLEAN CopyOnOpen;
  BOOLEAN EffectiveOnly;
  SECURITY_IMPERSONATION_LEVEL Level;
} SE_IMPERSONATION_STATE, *PSE_IMPERSONATION_STATE;


/* SECURITY_INFORMATION bits: which parts of a security descriptor a query
 * or set operation refers to. */
#define OWNER_SECURITY_INFORMATION (0x00000001L)
#define GROUP_SECURITY_INFORMATION (0x00000002L)
#define DACL_SECURITY_INFORMATION (0x00000004L)
#define SACL_SECURITY_INFORMATION (0x00000008L)
#define LABEL_SECURITY_INFORMATION (0x00000010L)

#define PROTECTED_DACL_SECURITY_INFORMATION (0x80000000L)
#define PROTECTED_SACL_SECURITY_INFORMATION (0x40000000L)
#define UNPROTECTED_DACL_SECURITY_INFORMATION (0x20000000L)
#define UNPROTECTED_SACL_SECURITY_INFORMATION (0x10000000L)

$endif (_WDMDDK_ || _WINNT_)
$if (_WDMDDK_)

typedef enum _SECURITY_OPERATION_CODE {
  SetSecurityDescriptor,
  QuerySecurityDescriptor,
  DeleteSecurityDescriptor,
  AssignSecurityDescriptor
} SECURITY_OPERATION_CODE, *PSECURITY_OPERATION_CODE;

#define INITIAL_PRIVILEGE_COUNT 3

/* Fixed-size (INITIAL_PRIVILEGE_COUNT) variant of PRIVILEGE_SET, used
 * inline in ACCESS_STATE so the common case needs no allocation. */
typedef struct _INITIAL_PRIVILEGE_SET {
  ULONG PrivilegeCount;
  ULONG Control;
  LUID_AND_ATTRIBUTES Privilege[INITIAL_PRIVILEGE_COUNT];
} INITIAL_PRIVILEGE_SET, * PINITIAL_PRIVILEGE_SET;

/* Small-integer ids of the well-known privileges; the valid range is
 * [SE_MIN_WELL_KNOWN_PRIVILEGE, SE_MAX_WELL_KNOWN_PRIVILEGE]. */
#define SE_MIN_WELL_KNOWN_PRIVILEGE 2
#define SE_CREATE_TOKEN_PRIVILEGE 2
#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE 3
#define SE_LOCK_MEMORY_PRIVILEGE 4
#define SE_INCREASE_QUOTA_PRIVILEGE 5
#define SE_MACHINE_ACCOUNT_PRIVILEGE 6
#define SE_TCB_PRIVILEGE 7
#define SE_SECURITY_PRIVILEGE 8
#define SE_TAKE_OWNERSHIP_PRIVILEGE 9
#define SE_LOAD_DRIVER_PRIVILEGE 10
#define SE_SYSTEM_PROFILE_PRIVILEGE 11
#define SE_SYSTEMTIME_PRIVILEGE 12
#define SE_PROF_SINGLE_PROCESS_PRIVILEGE 13
#define SE_INC_BASE_PRIORITY_PRIVILEGE 14
#define SE_CREATE_PAGEFILE_PRIVILEGE 15
#define SE_CREATE_PERMANENT_PRIVILEGE 16
#define SE_BACKUP_PRIVILEGE 17
#define SE_RESTORE_PRIVILEGE 18
#define SE_SHUTDOWN_PRIVILEGE 19
#define SE_DEBUG_PRIVILEGE 20
#define SE_AUDIT_PRIVILEGE 21
#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE 22
#define SE_CHANGE_NOTIFY_PRIVILEGE 23
#define SE_REMOTE_SHUTDOWN_PRIVILEGE 24
#define SE_UNDOCK_PRIVILEGE 25
#define SE_SYNC_AGENT_PRIVILEGE 26
#define SE_ENABLE_DELEGATION_PRIVILEGE 27
#define SE_MANAGE_VOLUME_PRIVILEGE 28
#define SE_IMPERSONATE_PRIVILEGE 29
#define SE_CREATE_GLOBAL_PRIVILEGE 30
#define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE 31
#define SE_RELABEL_PRIVILEGE 32
#define SE_INC_WORKING_SET_PRIVILEGE 33
#define SE_TIME_ZONE_PRIVILEGE 34
#define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE 35
#define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_SYMBOLIC_LINK_PRIVILEGE

/* Captured identity of the caller for an access check: the impersonation
 * token (if any) plus the process primary token. */
typedef struct _SECURITY_SUBJECT_CONTEXT {
  PACCESS_TOKEN ClientToken;
  SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
  PACCESS_TOKEN PrimaryToken;
  PVOID ProcessAuditId;
} SECURITY_SUBJECT_CONTEXT, *PSECURITY_SUBJECT_CONTEXT;

/* Running state of one access check / object open. The Privileges union
 * starts as the inline INITIAL_PRIVILEGE_SET; PrivilegesAllocated
 * presumably records when a larger PRIVILEGE_SET was allocated instead. */
typedef struct _ACCESS_STATE {
  LUID OperationID;
  BOOLEAN SecurityEvaluated;
  BOOLEAN GenerateAudit;
  BOOLEAN GenerateOnClose;
  BOOLEAN PrivilegesAllocated;
  ULONG Flags;
  ACCESS_MASK RemainingDesiredAccess;
  ACCESS_MASK PreviouslyGrantedAccess;
  ACCESS_MASK OriginalDesiredAccess;
  SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
  PSECURITY_DESCRIPTOR SecurityDescriptor;
  PVOID AuxData;
  union {
    INITIAL_PRIVILEGE_SET InitialPrivilegeSet;
    PRIVILEGE_SET PrivilegeSet;
  } Privileges;
  BOOLEAN AuditPrivileges;
  UNICODE_STRING ObjectName;
  UNICODE_STRING ObjectTypeName;
} ACCESS_STATE, *PACCESS_STATE;

typedef VOID
(NTAPI *PNTFS_DEREF_EXPORTED_SECURITY_DESCRIPTOR)(
  _In_ PVOID Vcb,
  _In_ PSECURITY_DESCRIPTOR SecurityDescriptor);

#ifndef _NTLSA_IFS_

#ifndef _NTLSA_AUDIT_
#define _NTLSA_AUDIT_

#define SE_MAX_AUDIT_PARAMETERS 32
#define SE_MAX_GENERIC_AUDIT_PARAMETERS 28

#define SE_ADT_OBJECT_ONLY 0x1

#define SE_ADT_PARAMETERS_SELF_RELATIVE 0x00000001
#define SE_ADT_PARAMETERS_SEND_TO_LSA 0x00000002
#define SE_ADT_PARAMETER_EXTENSIBLE_AUDIT 0x00000004
#define SE_ADT_PARAMETER_GENERIC_AUDIT 0x00000008
#define SE_ADT_PARAMETER_WRITE_SYNCHRONOUS 0x00000010

/* Bytes actually used by a parameter array: the full struct minus the
 * unused tail entries. Parameters is not parenthesized, and the
 * subtraction wraps if ParameterCount > SE_MAX_AUDIT_PARAMETERS, so
 * callers must validate ParameterCount first. */
#define LSAP_SE_ADT_PARAMETER_ARRAY_TRUE_SIZE(Parameters) \
  ( sizeof(SE_ADT_PARAMETER_ARRAY) - sizeof(SE_ADT_PARAMETER_ARRAY_ENTRY) * \
    (SE_MAX_AUDIT_PARAMETERS - Parameters->ParameterCount) )

typedef enum _SE_ADT_PARAMETER_TYPE {
  SeAdtParmTypeNone = 0,
  SeAdtParmTypeString,
  SeAdtParmTypeFileSpec,
  SeAdtParmTypeUlong,
  SeAdtParmTypeSid,
  SeAdtParmTypeLogonId,
  SeAdtParmTypeNoLogonId,
  SeAdtParmTypeAccessMask,
  SeAdtParmTypePrivs,
  SeAdtParmTypeObjectTypes,
  SeAdtParmTypeHexUlong,
  SeAdtParmTypePtr,
  SeAdtParmTypeTime,
  SeAdtParmTypeGuid,
  SeAdtParmTypeLuid,
  SeAdtParmTypeHexInt64,
  SeAdtParmTypeStringList,
  SeAdtParmTypeSidList,
  SeAdtParmTypeDuration,
  SeAdtParmTypeUserAccountControl,
  SeAdtParmTypeNoUac,
  SeAdtParmTypeMessage,
  SeAdtParmTypeDateTime,
  SeAdtParmTypeSockAddr,
  SeAdtParmTypeSD,
  SeAdtParmTypeLogonHours,
  SeAdtParmTypeLogonIdNoSid,
  SeAdtParmTypeUlongNoConv,
  SeAdtParmTypeSockAddrNoPort,
  SeAdtParmTypeAccessReason
} SE_ADT_PARAMETER_TYPE, *PSE_ADT_PARAMETER_TYPE;

typedef struct _SE_ADT_OBJECT_TYPE {
  GUID ObjectType;
  USHORT Flags;
  USHORT Level;
  ACCESS_MASK AccessMask;
} SE_ADT_OBJECT_TYPE, *PSE_ADT_OBJECT_TYPE;

/* One audit parameter: a type tag, a length, two inline data words and
 * an optional pointer to out-of-line data. */
typedef struct _SE_ADT_PARAMETER_ARRAY_ENTRY {
  SE_ADT_PARAMETER_TYPE Type;
  ULONG Length;
  ULONG_PTR Data[2];
  PVOID Address;
} SE_ADT_PARAMETER_ARRAY_ENTRY, *PSE_ADT_PARAMETER_ARRAY_ENTRY;

/* AccessReasons has one slot per ACCESS_MASK bit (32). */
typedef struct _SE_ADT_ACCESS_REASON {
  ACCESS_MASK AccessMask;
  ULONG AccessReasons[32];
  ULONG ObjectTypeIndex;
  ULONG AccessGranted;
  PSECURITY_DESCRIPTOR SecurityDescriptor;
} SE_ADT_ACCESS_REASON, *PSE_ADT_ACCESS_REASON;

/* Fixed-capacity parameter block; only the first ParameterCount entries
 * of Parameters are meaningful (see LSAP_SE_ADT_PARAMETER_ARRAY_TRUE_SIZE). */
typedef struct _SE_ADT_PARAMETER_ARRAY {
  ULONG CategoryId;
  ULONG AuditId;
  ULONG ParameterCount;
  ULONG Length;
  USHORT FlatSubCategoryId;
  USHORT Type;
  ULONG Flags;
  SE_ADT_PARAMETER_ARRAY_ENTRY Parameters[ SE_MAX_AUDIT_PARAMETERS ];
} SE_ADT_PARAMETER_ARRAY, *PSE_ADT_PARAMETER_ARRAY;

#endif /* !_NTLSA_AUDIT_ */
#endif /* !_NTLSA_IFS_ */
$endif (_WDMDDK_)
$if (_NTDDK_)
/* Same numeric id as SE_MACHINE_ACCOUNT_PRIVILEGE (6) above. */
#define SE_UNSOLICITED_INPUT_PRIVILEGE 6

$endif (_NTDDK_)
$if (_NTDDK_ || _WINNT_)

/* Selector values for the well-known SIDs; numbering is dense 0..107. */
typedef enum _WELL_KNOWN_SID_TYPE {
  WinNullSid = 0,
  WinWorldSid = 1,
  WinLocalSid = 2,
  WinCreatorOwnerSid = 3,
  WinCreatorGroupSid = 4,
  WinCreatorOwnerServerSid = 5,
  WinCreatorGroupServerSid = 6,
  WinNtAuthoritySid = 7,
  WinDialupSid = 8,
  WinNetworkSid = 9,
  WinBatchSid = 10,
  WinInteractiveSid = 11,
  WinServiceSid = 12,
  WinAnonymousSid = 13,
  WinProxySid = 14,
  WinEnterpriseControllersSid = 15,
  WinSelfSid = 16,
  WinAuthenticatedUserSid = 17,
  WinRestrictedCodeSid = 18,
  WinTerminalServerSid = 19,
  WinRemoteLogonIdSid = 20,
  WinLogonIdsSid = 21,
  WinLocalSystemSid = 22,
  WinLocalServiceSid = 23,
  WinNetworkServiceSid = 24,
  WinBuiltinDomainSid = 25,
  WinBuiltinAdministratorsSid = 26,
  WinBuiltinUsersSid = 27,
  WinBuiltinGuestsSid = 28,
  WinBuiltinPowerUsersSid = 29,
  WinBuiltinAccountOperatorsSid = 30,
  WinBuiltinSystemOperatorsSid = 31,
  WinBuiltinPrintOperatorsSid = 32,
  WinBuiltinBackupOperatorsSid = 33,
  WinBuiltinReplicatorSid = 34,
  WinBuiltinPreWindows2000CompatibleAccessSid = 35,
  WinBuiltinRemoteDesktopUsersSid = 36,
  WinBuiltinNetworkConfigurationOperatorsSid = 37,
  WinAccountAdministratorSid = 38,
  WinAccountGuestSid = 39,
  WinAccountKrbtgtSid = 40,
  WinAccountDomainAdminsSid = 41,
  WinAccountDomainUsersSid = 42,
  WinAccountDomainGuestsSid = 43,
  WinAccountComputersSid = 44,
  WinAccountControllersSid = 45,
  WinAccountCertAdminsSid = 46,
  WinAccountSchemaAdminsSid = 47,
  WinAccountEnterpriseAdminsSid = 48,
  WinAccountPolicyAdminsSid = 49,
  WinAccountRasAndIasServersSid = 50,
  WinNTLMAuthenticationSid = 51,
  WinDigestAuthenticationSid = 52,
  WinSChannelAuthenticationSid = 53,
  WinThisOrganizationSid = 54,
  WinOtherOrganizationSid = 55,
  WinBuiltinIncomingForestTrustBuildersSid = 56,
  WinBuiltinPerfMonitoringUsersSid = 57,
  WinBuiltinPerfLoggingUsersSid = 58,
  WinBuiltinAuthorizationAccessSid = 59,
  WinBuiltinTerminalServerLicenseServersSid = 60,
  WinBuiltinDCOMUsersSid = 61,
  WinBuiltinIUsersSid = 62,
  WinIUserSid = 63,
  WinBuiltinCryptoOperatorsSid = 64,
  WinUntrustedLabelSid = 65,
  WinLowLabelSid = 66,
  WinMediumLabelSid = 67,
  WinHighLabelSid = 68,
  WinSystemLabelSid = 69,
  WinWriteRestrictedCodeSid = 70,
  WinCreatorOwnerRightsSid = 71,
  WinCacheablePrincipalsGroupSid = 72,
  WinNonCacheablePrincipalsGroupSid = 73,
  WinEnterpriseReadonlyControllersSid = 74,
  WinAccountReadonlyControllersSid = 75,
  WinBuiltinEventLogReadersGroup = 76,
  WinNewEnterpriseReadonlyControllersSid = 77,
  WinBuiltinCertSvcDComAccessGroup = 78,
  WinMediumPlusLabelSid = 79,
  WinLocalLogonSid = 80,
  WinConsoleLogonSid = 81,
  WinThisOrganizationCertificateSid = 82,
  WinApplicationPackageAuthoritySid = 83,
  WinBuiltinAnyPackageSid = 84,
  WinCapabilityInternetClientSid = 85,
  WinCapabilityInternetClientServerSid = 86,
  WinCapabilityPrivateNetworkClientServerSid = 87,
  WinCapabilityPicturesLibrarySid = 88,
  WinCapabilityVideosLibrarySid = 89,
  WinCapabilityMusicLibrarySid = 90,
  WinCapabilityDocumentsLibrarySid = 91,
  WinCapabilitySharedUserCertificatesSid = 92,
  WinCapabilityEnterpriseAuthenticationSid = 93,
  WinCapabilityRemovableStorageSid = 94,
  WinBuiltinRDSRemoteAccessServersSid = 95,
  WinBuiltinRDSEndpointServersSid = 96,
  WinBuiltinRDSManagementServersSid = 97,
  WinUserModeDriversSid = 98,
  WinBuiltinHyperVAdminsSid = 99,
  WinAccountCloneableControllersSid = 100,
  WinBuiltinAccessControlAssistanceOperatorsSid = 101,
  WinBuiltinRemoteManagementUsersSid = 102,
  WinAuthenticationAuthorityAssertedSid = 103,
  WinAuthenticationServiceAssertedSid = 104,
  WinLocalAccountSid = 105,
  WinLocalAccountAndAdministratorSid = 106,
  WinAccountProtectedUsersSid = 107,
} WELL_KNOWN_SID_TYPE;

$endif (_NTDDK_ || _WINNT_)
$if (_NTIFS_ || _WINNT_)

/* The 48-bit identifier authority of a SID (the "5" in S-1-5-...). */
#ifndef SID_IDENTIFIER_AUTHORITY_DEFINED
#define SID_IDENTIFIER_AUTHORITY_DEFINED
typedef struct _SID_IDENTIFIER_AUTHORITY {
  $UCHAR Value[6];
} SID_IDENTIFIER_AUTHORITY,*PSID_IDENTIFIER_AUTHORITY,*LPSID_IDENTIFIER_AUTHORITY;
#endif

/* Variable-length SID: SubAuthority[] holds SubAuthorityCount entries.
 * Code that parses a SID from an untrusted buffer must check
 * Revision == SID_REVISION and SubAuthorityCount <= SID_MAX_SUB_AUTHORITIES
 * before computing its length from SubAuthorityCount. */
#ifndef SID_DEFINED
#define SID_DEFINED
typedef struct _SID {
  $UCHAR Revision;
  $UCHAR SubAuthorityCount;
  SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
#ifdef MIDL_PASS
  [size_is(SubAuthorityCount)] $ULONG SubAuthority[*];
#else
  $ULONG SubAuthority[ANYSIZE_ARRAY];
#endif
} SID, *PISID;
#endif

#define SID_REVISION 1
#define SID_MAX_SUB_AUTHORITIES 15
#define SID_RECOMMENDED_SUB_AUTHORITIES 1

/* Largest possible SID: the header plus SID_MAX_SUB_AUTHORITIES
 * sub-authorities (the one ANYSIZE_ARRAY slot is subtracted first). */
#ifndef MIDL_PASS
#define SECURITY_MAX_SID_SIZE (sizeof(SID) - sizeof($ULONG) + (SID_MAX_SUB_AUTHORITIES * sizeof($ULONG)))
#endif

typedef enum _SID_NAME_USE {
  SidTypeUser = 1,
  SidTypeGroup,
  SidTypeDomain,
  SidTypeAlias,
  SidTypeWellKnownGroup,
  SidTypeDeletedAccount,
  SidTypeInvalid,
  SidTypeUnknown,
  SidTypeComputer,
  SidTypeLabel
} SID_NAME_USE, *PSID_NAME_USE;

typedef struct _SID_AND_ATTRIBUTES {
#ifdef MIDL_PASS
  PISID Sid;
#else
  PSID Sid;
#endif
  $ULONG Attributes;
} SID_AND_ATTRIBUTES, *PSID_AND_ATTRIBUTES;
typedef SID_AND_ATTRIBUTES SID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY];
typedef SID_AND_ATTRIBUTES_ARRAY *PSID_AND_ATTRIBUTES_ARRAY;

#define SID_HASH_SIZE 32
typedef ULONG_PTR SID_HASH_ENTRY, *PSID_HASH_ENTRY;

/* SID array plus a SID_HASH_SIZE-entry hash for faster membership lookup. */
typedef struct _SID_AND_ATTRIBUTES_HASH {
  $ULONG SidCount;
  PSID_AND_ATTRIBUTES SidAttr;
  SID_HASH_ENTRY Hash[SID_HASH_SIZE];
} SID_AND_ATTRIBUTES_HASH, *PSID_AND_ATTRIBUTES_HASH;

/* Universal well-known SIDs */

/* Each *_AUTHORITY initializer is a SID_IDENTIFIER_AUTHORITY (6 bytes,
 * big-endian); S-1-N has N in the last byte. */
#define SECURITY_NULL_SID_AUTHORITY {0,0,0,0,0,0}

/* S-1-1 */
#define SECURITY_WORLD_SID_AUTHORITY {0,0,0,0,0,1}

/* S-1-2 */
#define SECURITY_LOCAL_SID_AUTHORITY {0,0,0,0,0,2}

/* S-1-3 */
#define SECURITY_CREATOR_SID_AUTHORITY {0,0,0,0,0,3}

/* S-1-4 */
#define SECURITY_NON_UNIQUE_AUTHORITY {0,0,0,0,0,4}

/* S-1-9 */
#define SECURITY_RESOURCE_MANAGER_AUTHORITY {0,0,0,0,0,9}

#define SECURITY_NULL_RID (0x00000000L)
#define SECURITY_WORLD_RID (0x00000000L)
#define SECURITY_LOCAL_RID (0x00000000L)
#define SECURITY_LOCAL_LOGON_RID (0x00000001L)

#define SECURITY_CREATOR_OWNER_RID (0x00000000L)
#define SECURITY_CREATOR_GROUP_RID (0x00000001L)
#define SECURITY_CREATOR_OWNER_SERVER_RID (0x00000002L)
#define SECURITY_CREATOR_GROUP_SERVER_RID (0x00000003L)
#define SECURITY_CREATOR_OWNER_RIGHTS_RID (0x00000004L)

/* NT well-known SIDs */

/* S-1-5 */
#define SECURITY_NT_AUTHORITY {0,0,0,0,0,5}

/* First sub-authority under S-1-5. */
#define SECURITY_DIALUP_RID (0x00000001L)
#define SECURITY_NETWORK_RID (0x00000002L)
#define SECURITY_BATCH_RID (0x00000003L)
#define SECURITY_INTERACTIVE_RID (0x00000004L)
#define SECURITY_LOGON_IDS_RID (0x00000005L)
#define SECURITY_LOGON_IDS_RID_COUNT (3L)
#define SECURITY_SERVICE_RID (0x00000006L)
#define SECURITY_ANONYMOUS_LOGON_RID (0x00000007L)
#define SECURITY_PROXY_RID (0x00000008L)
#define SECURITY_ENTERPRISE_CONTROLLERS_RID (0x00000009L)
#define SECURITY_SERVER_LOGON_RID SECURITY_ENTERPRISE_CONTROLLERS_RID
#define SECURITY_PRINCIPAL_SELF_RID (0x0000000AL)
#define SECURITY_AUTHENTICATED_USER_RID (0x0000000BL)
#define SECURITY_RESTRICTED_CODE_RID (0x0000000CL)
#define SECURITY_TERMINAL_SERVER_RID (0x0000000DL)
#define SECURITY_REMOTE_LOGON_RID (0x0000000EL)
#define SECURITY_THIS_ORGANIZATION_RID (0x0000000FL)
#define SECURITY_IUSER_RID (0x00000011L)
#define SECURITY_LOCAL_SYSTEM_RID (0x00000012L)
#define SECURITY_LOCAL_SERVICE_RID (0x00000013L)
#define SECURITY_NETWORK_SERVICE_RID (0x00000014L)
/* S-1-5-21-...: domain/machine SIDs carry SECURITY_NT_NON_UNIQUE_SUB_AUTH_COUNT
 * further sub-authorities after this one. */
#define SECURITY_NT_NON_UNIQUE (0x00000015L)
#define SECURITY_NT_NON_UNIQUE_SUB_AUTH_COUNT (3L)
#define SECURITY_ENTERPRISE_READONLY_CONTROLLERS_RID (0x00000016L)

#define SECURITY_BUILTIN_DOMAIN_RID (0x00000020L)
#define SECURITY_WRITE_RESTRICTED_CODE_RID (0x00000021L)


/* The *_BASE_RID / *_RID_COUNT pairs describe SID families: the base
 * sub-authority followed by that many further sub-authorities. */
#define SECURITY_PACKAGE_BASE_RID (0x00000040L)
#define SECURITY_PACKAGE_RID_COUNT (2L)
#define SECURITY_PACKAGE_NTLM_RID (0x0000000AL)
#define SECURITY_PACKAGE_SCHANNEL_RID (0x0000000EL)
#define SECURITY_PACKAGE_DIGEST_RID (0x00000015L)

#define SECURITY_CRED_TYPE_BASE_RID (0x00000041L)
#define SECURITY_CRED_TYPE_RID_COUNT (2L)
#define SECURITY_CRED_TYPE_THIS_ORG_CERT_RID (0x00000001L)

#define SECURITY_MIN_BASE_RID (0x00000050L)
#define SECURITY_SERVICE_ID_BASE_RID (0x00000050L)
#define SECURITY_SERVICE_ID_RID_COUNT (6L)
#define SECURITY_RESERVED_ID_BASE_RID (0x00000051L)
#define SECURITY_APPPOOL_ID_BASE_RID (0x00000052L)
#define SECURITY_APPPOOL_ID_RID_COUNT (6L)
#define SECURITY_VIRTUALSERVER_ID_BASE_RID (0x00000053L)
#define SECURITY_VIRTUALSERVER_ID_RID_COUNT (6L)
#define SECURITY_USERMODEDRIVERHOST_ID_BASE_RID (0x00000054L)
#define SECURITY_USERMODEDRIVERHOST_ID_RID_COUNT (6L)
#define SECURITY_CLOUD_INFRASTRUCTURE_SERVICES_ID_BASE_RID (0x00000055L)
#define SECURITY_CLOUD_INFRASTRUCTURE_SERVICES_ID_RID_COUNT (6L)
#define SECURITY_WMIHOST_ID_BASE_RID (0x00000056L)
#define SECURITY_WMIHOST_ID_RID_COUNT (6L)
#define SECURITY_TASK_ID_BASE_RID (0x00000057L)
#define SECURITY_NFS_ID_BASE_RID (0x00000058L)
#define SECURITY_COM_ID_BASE_RID (0x00000059L)
#define SECURITY_VIRTUALACCOUNT_ID_RID_COUNT (6L)

#define SECURITY_MAX_BASE_RID (0x0000006FL)

#define SECURITY_MAX_ALWAYS_FILTERED (0x000003E7L)
#define SECURITY_MIN_NEVER_FILTERED (0x000003E8L)

#define SECURITY_OTHER_ORGANIZATION_RID (0x000003E8L)

#define SECURITY_WINDOWSMOBILE_ID_BASE_RID (0x00000070L)

/* Well-known domain relative sub-authority values (RIDs) */

#define DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS (0x000001F2L)

#define FOREST_USER_RID_MAX (0x000001F3L)

/* Well-known users */

#define DOMAIN_USER_RID_ADMIN (0x000001F4L)
#define DOMAIN_USER_RID_GUEST (0x000001F5L)
#define DOMAIN_USER_RID_KRBTGT (0x000001F6L)

#define DOMAIN_USER_RID_MAX (0x000003E7L)

/* Well-known groups */

#define DOMAIN_GROUP_RID_ADMINS (0x00000200L)
#define DOMAIN_GROUP_RID_USERS (0x00000201L)
#define DOMAIN_GROUP_RID_GUESTS (0x00000202L)
#define DOMAIN_GROUP_RID_COMPUTERS (0x00000203L)
#define DOMAIN_GROUP_RID_CONTROLLERS (0x00000204L)
#define DOMAIN_GROUP_RID_CERT_ADMINS (0x00000205L)
#define DOMAIN_GROUP_RID_SCHEMA_ADMINS (0x00000206L)
#define DOMAIN_GROUP_RID_ENTERPRISE_ADMINS (0x00000207L)
#define DOMAIN_GROUP_RID_POLICY_ADMINS (0x00000208L)
#define DOMAIN_GROUP_RID_READONLY_CONTROLLERS (0x00000209L)

/* Well-known aliases */

/* RIDs under S-1-5-32 (SECURITY_BUILTIN_DOMAIN_RID). */
#define DOMAIN_ALIAS_RID_ADMINS (0x00000220L)
#define DOMAIN_ALIAS_RID_USERS (0x00000221L)
#define DOMAIN_ALIAS_RID_GUESTS (0x00000222L)
#define DOMAIN_ALIAS_RID_POWER_USERS (0x00000223L)

#define DOMAIN_ALIAS_RID_ACCOUNT_OPS (0x00000224L)
#define DOMAIN_ALIAS_RID_SYSTEM_OPS (0x00000225L)
#define DOMAIN_ALIAS_RID_PRINT_OPS (0x00000226L)
#define DOMAIN_ALIAS_RID_BACKUP_OPS (0x00000227L)

#define DOMAIN_ALIAS_RID_REPLICATOR (0x00000228L)
#define DOMAIN_ALIAS_RID_RAS_SERVERS (0x00000229L)
#define DOMAIN_ALIAS_RID_PREW2KCOMPACCESS (0x0000022AL)
#define DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS (0x0000022BL)
#define DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS (0x0000022CL)
#define DOMAIN_ALIAS_RID_INCOMING_FOREST_TRUST_BUILDERS (0x0000022DL)

#define DOMAIN_ALIAS_RID_MONITORING_USERS (0x0000022EL)
#define DOMAIN_ALIAS_RID_LOGGING_USERS (0x0000022FL)
#define DOMAIN_ALIAS_RID_AUTHORIZATIONACCESS (0x00000230L)
#define DOMAIN_ALIAS_RID_TS_LICENSE_SERVERS (0x00000231L)
#define DOMAIN_ALIAS_RID_DCOM_USERS (0x00000232L)

#define DOMAIN_ALIAS_RID_IUSERS (0x00000238L)
#define DOMAIN_ALIAS_RID_CRYPTO_OPERATORS (0x00000239L)
#define DOMAIN_ALIAS_RID_CACHEABLE_PRINCIPALS_GROUP (0x0000023BL)
#define DOMAIN_ALIAS_RID_NON_CACHEABLE_PRINCIPALS_GROUP (0x0000023CL)
#define DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP (0x0000023DL)
#define DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP (0x0000023EL)

/* S-1-16: integrity levels. The RID is the level number times 0x1000,
 * so levels compare as plain unsigned integers. */
#define SECURITY_MANDATORY_LABEL_AUTHORITY {0,0,0,0,0,16}
#define SECURITY_MANDATORY_UNTRUSTED_RID (0x00000000L)
#define SECURITY_MANDATORY_LOW_RID (0x00001000L)
#define SECURITY_MANDATORY_MEDIUM_RID (0x00002000L)
#define SECURITY_MANDATORY_HIGH_RID (0x00003000L)
#define SECURITY_MANDATORY_SYSTEM_RID (0x00004000L)
#define SECURITY_MANDATORY_PROTECTED_PROCESS_RID (0x00005000L)

/* SECURITY_MANDATORY_MAXIMUM_USER_RID is the highest RID that
   can be set by a usermode caller.*/

#define SECURITY_MANDATORY_MAXIMUM_USER_RID SECURITY_MANDATORY_SYSTEM_RID

/* IL is not parenthesized: pass a plain identifier or literal, not an
 * expression such as a + b. */
#define MANDATORY_LEVEL_TO_MANDATORY_RID(IL) (IL * 0x1000)

/* Allocate the System Luid. The first 1000 LUIDs are reserved.
   Use #999 here (0x3e7 = 999) */

#define SYSTEM_LUID {0x3e7, 0x0}
#define ANONYMOUS_LOGON_LUID {0x3e6, 0x0}
#define LOCALSERVICE_LUID {0x3e5, 0x0}
#define NETWORKSERVICE_LUID {0x3e4, 0x0}
#define IUSER_LUID {0x3e3, 0x0}

/* Common prefix of every ACE. AceSize is the total size of the ACE
 * including this header; when walking an untrusted ACL, check that
 * AceSize >= sizeof(ACE_HEADER) and that it stays within AclSize. */
typedef struct _ACE_HEADER {
  $UCHAR AceType;
  $UCHAR AceFlags;
  $USHORT AceSize;
} ACE_HEADER, *PACE_HEADER;

/* AceType values. The ACCESS_MIN/MAX_MS_* bounds mark which types each
 * ACL revision knows about. */
#define ACCESS_MIN_MS_ACE_TYPE (0x0)
#define ACCESS_ALLOWED_ACE_TYPE (0x0)
#define ACCESS_DENIED_ACE_TYPE (0x1)
#define SYSTEM_AUDIT_ACE_TYPE (0x2)
#define SYSTEM_ALARM_ACE_TYPE (0x3)
#define ACCESS_MAX_MS_V2_ACE_TYPE (0x3)
#define ACCESS_ALLOWED_COMPOUND_ACE_TYPE (0x4)
#define ACCESS_MAX_MS_V3_ACE_TYPE (0x4)
#define ACCESS_MIN_MS_OBJECT_ACE_TYPE (0x5)
#define ACCESS_ALLOWED_OBJECT_ACE_TYPE (0x5)
#define ACCESS_DENIED_OBJECT_ACE_TYPE (0x6)
#define SYSTEM_AUDIT_OBJECT_ACE_TYPE (0x7)
#define SYSTEM_ALARM_OBJECT_ACE_TYPE (0x8)
#define ACCESS_MAX_MS_OBJECT_ACE_TYPE (0x8)
#define ACCESS_MAX_MS_V4_ACE_TYPE (0x8)
#define ACCESS_MAX_MS_ACE_TYPE (0x8)
#define ACCESS_ALLOWED_CALLBACK_ACE_TYPE (0x9)
#define ACCESS_DENIED_CALLBACK_ACE_TYPE (0xA)
#define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE (0xB)
#define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE (0xC)
#define SYSTEM_AUDIT_CALLBACK_ACE_TYPE (0xD)
#define SYSTEM_ALARM_CALLBACK_ACE_TYPE (0xE)
#define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE (0xF)
#define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE (0x10)
#define ACCESS_MAX_MS_V5_ACE_TYPE (0x11)
#define SYSTEM_MANDATORY_LABEL_ACE_TYPE (0x11)

/* The following are the inherit flags that go into the AceFlags field
   of an Ace header. */

#define OBJECT_INHERIT_ACE (0x1)
#define CONTAINER_INHERIT_ACE (0x2)
#define NO_PROPAGATE_INHERIT_ACE (0x4)
#define INHERIT_ONLY_ACE (0x8)
#define INHERITED_ACE (0x10)
#define VALID_INHERIT_FLAGS (0x1F)

/* AceFlags bits specific to audit/alarm ACEs. */
#define SUCCESSFUL_ACCESS_ACE_FLAG (0x40)
#define FAILED_ACCESS_ACE_FLAG (0x80)

/* The five ACE bodies below share one layout: header, access mask, then
 * SidStart -- presumably the first DWORD of the variable-length SID that
 * follows inline (the SID's real length must be derived from its own
 * SubAuthorityCount and bounded by Header.AceSize). */
typedef struct _ACCESS_ALLOWED_ACE {
  ACE_HEADER Header;
  ACCESS_MASK Mask;
  $ULONG SidStart;
} ACCESS_ALLOWED_ACE, *PACCESS_ALLOWED_ACE;

typedef struct _ACCESS_DENIED_ACE {
  ACE_HEADER Header;
  ACCESS_MASK Mask;
  $ULONG SidStart;
} ACCESS_DENIED_ACE, *PACCESS_DENIED_ACE;

typedef struct _SYSTEM_AUDIT_ACE {
  ACE_HEADER Header;
  ACCESS_MASK Mask;
  $ULONG SidStart;
} SYSTEM_AUDIT_ACE, *PSYSTEM_AUDIT_ACE;

typedef struct _SYSTEM_ALARM_ACE {
  ACE_HEADER Header;
  ACCESS_MASK Mask;
  $ULONG SidStart;
} SYSTEM_ALARM_ACE, *PSYSTEM_ALARM_ACE;

/* For this ACE type Mask holds the SYSTEM_MANDATORY_LABEL_* policy bits
 * rather than access rights. */
typedef struct _SYSTEM_MANDATORY_LABEL_ACE {
  ACE_HEADER Header;
  ACCESS_MASK Mask;
  $ULONG SidStart;
} SYSTEM_MANDATORY_LABEL_ACE, *PSYSTEM_MANDATORY_LABEL_ACE;

#define SYSTEM_MANDATORY_LABEL_NO_WRITE_UP 0x1
#define SYSTEM_MANDATORY_LABEL_NO_READ_UP 0x2
#define SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP 0x4
#define SYSTEM_MANDATORY_LABEL_VALID_MASK (SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | \
                                           SYSTEM_MANDATORY_LABEL_NO_READ_UP | \
                                           SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP)

/* Expands lazily, so it is fine that SECURITY_DESCRIPTOR is declared below. */
#define SECURITY_DESCRIPTOR_MIN_LENGTH (sizeof(SECURITY_DESCRIPTOR))

typedef $USHORT SECURITY_DESCRIPTOR_CONTROL, *PSECURITY_DESCRIPTOR_CONTROL;

/* SECURITY_DESCRIPTOR_CONTROL bits. SE_SELF_RELATIVE selects between the
 * two layouts declared below (offsets vs. pointers). */
#define SE_OWNER_DEFAULTED 0x0001
#define SE_GROUP_DEFAULTED 0x0002
#define SE_DACL_PRESENT 0x0004
#define SE_DACL_DEFAULTED 0x0008
#define SE_SACL_PRESENT 0x0010
#define SE_SACL_DEFAULTED 0x0020
#define SE_DACL_UNTRUSTED 0x0040
#define SE_SERVER_SECURITY 0x0080
#define SE_DACL_AUTO_INHERIT_REQ 0x0100
#define SE_SACL_AUTO_INHERIT_REQ 0x0200
#define SE_DACL_AUTO_INHERITED 0x0400
#define SE_SACL_AUTO_INHERITED 0x0800
#define SE_DACL_PROTECTED 0x1000
#define SE_SACL_PROTECTED 0x2000
#define SE_RM_CONTROL_VALID 0x4000
#define SE_SELF_RELATIVE 0x8000

/* Self-relative form: Owner/Group/Sacl/Dacl are offsets from the start of
 * the descriptor. Every offset read from an untrusted descriptor must be
 * bounds-checked against the descriptor's total length before use. */
typedef struct _SECURITY_DESCRIPTOR_RELATIVE {
  $UCHAR Revision;
  $UCHAR Sbz1;
  SECURITY_DESCRIPTOR_CONTROL Control;
  $ULONG Owner;
  $ULONG Group;
  $ULONG Sacl;
  $ULONG Dacl;
} SECURITY_DESCRIPTOR_RELATIVE, *PISECURITY_DESCRIPTOR_RELATIVE;

/* Absolute form: the same four fields are pointers. */
typedef struct _SECURITY_DESCRIPTOR {
  $UCHAR Revision;
  $UCHAR Sbz1;
  SECURITY_DESCRIPTOR_CONTROL Control;
  PSID Owner;
  PSID Group;
  PACL Sacl;
  PACL Dacl;
} SECURITY_DESCRIPTOR, *PISECURITY_DESCRIPTOR;

/* One node of an object-type hierarchy for object ACE checks. */
typedef struct _OBJECT_TYPE_LIST {
  $USHORT Level;
  $USHORT Sbz;
  GUID *ObjectType;
} OBJECT_TYPE_LIST, *POBJECT_TYPE_LIST;

#define ACCESS_OBJECT_GUID 0
#define ACCESS_PROPERTY_SET_GUID 1
#define ACCESS_PROPERTY_GUID 2
#define ACCESS_MAX_LEVEL 4

typedef enum _AUDIT_EVENT_TYPE {
  AuditEventObjectAccess,
  AuditEventDirectoryServiceAccess
} AUDIT_EVENT_TYPE, *PAUDIT_EVENT_TYPE;

#define AUDIT_ALLOW_NO_PRIVILEGE 0x1

#define ACCESS_DS_SOURCE_A "DS"
#define ACCESS_DS_SOURCE_W L"DS"
#define ACCESS_DS_OBJECT_TYPE_NAME_A "Directory Service Object"
#define ACCESS_DS_OBJECT_TYPE_NAME_W L"Directory Service Object"

/* An ACCESS_REASON packs a reason type in the high 16 bits and
 * type-specific data (e.g. an ACE index) in the low 16 bits. */
#define ACCESS_REASON_TYPE_MASK 0xffff0000
#define ACCESS_REASON_DATA_MASK 0x0000ffff

typedef enum _ACCESS_REASON_TYPE {
  AccessReasonNone = 0x00000000,
  AccessReasonAllowedAce = 0x00010000,
  AccessReasonDeniedAce = 0x00020000,
  AccessReasonAllowedParentAce = 0x00030000,
  AccessReasonDeniedParentAce = 0x00040000,
  AccessReasonMissingPrivilege = 0x00100000,
  AccessReasonFromPrivilege = 0x00200000,
  AccessReasonIntegrityLevel = 0x00300000,
  AccessReasonOwnership = 0x00400000,
  AccessReasonNullDacl = 0x00500000,
  AccessReasonEmptyDacl = 0x00600000,
  AccessReasonNoSD = 0x00700000,
  AccessReasonNoGrant = 0x00800000
} ACCESS_REASON_TYPE;

typedef $ULONG ACCESS_REASON;

/* One reason per ACCESS_MASK bit. */
typedef struct _ACCESS_REASONS {
  ACCESS_REASON Data[32];
} ACCESS_REASONS, *PACCESS_REASONS;

#define SE_SECURITY_DESCRIPTOR_FLAG_NO_OWNER_ACE 0x00000001
#define SE_SECURITY_DESCRIPTOR_FLAG_NO_LABEL_ACE 0x00000002
#define SE_SECURITY_DESCRIPTOR_VALID_FLAGS 0x00000003

typedef struct _SE_SECURITY_DESCRIPTOR {
  $ULONG Size;
  $ULONG Flags;
  PSECURITY_DESCRIPTOR SecurityDescriptor;
} SE_SECURITY_DESCRIPTOR, *PSE_SECURITY_DESCRIPTOR;

/* Inputs to an access check, bundled. */
typedef struct _SE_ACCESS_REQUEST {
  $ULONG Size;
  PSE_SECURITY_DESCRIPTOR SeSecurityDescriptor;
  ACCESS_MASK DesiredAccess;
  ACCESS_MASK PreviouslyGrantedAccess;
  PSID PrincipalSelfSid;
  PGENERIC_MAPPING GenericMapping;
  $ULONG ObjectTypeListCount;
  POBJECT_TYPE_LIST ObjectTypeList;
} SE_ACCESS_REQUEST, *PSE_ACCESS_REQUEST;

/* Token object specific rights (low 16 bits of the ACCESS_MASK). */
#define TOKEN_ASSIGN_PRIMARY (0x0001)
#define TOKEN_DUPLICATE (0x0002)
#define TOKEN_IMPERSONATE (0x0004)
#define TOKEN_QUERY (0x0008)
#define TOKEN_QUERY_SOURCE (0x0010)
#define TOKEN_ADJUST_PRIVILEGES (0x0020)
#define TOKEN_ADJUST_GROUPS (0x0040)
#define TOKEN_ADJUST_DEFAULT (0x0080)
#define TOKEN_ADJUST_SESSIONID (0x0100)

#define TOKEN_ALL_ACCESS_P (STANDARD_RIGHTS_REQUIRED |\
                            TOKEN_ASSIGN_PRIMARY |\
                            TOKEN_DUPLICATE |\
                            TOKEN_IMPERSONATE |\
                            TOKEN_QUERY |\
                            TOKEN_QUERY_SOURCE |\
                            TOKEN_ADJUST_PRIVILEGES |\
                            TOKEN_ADJUST_GROUPS |\
                            TOKEN_ADJUST_DEFAULT)

/* TOKEN_ADJUST_SESSIONID is part of TOKEN_ALL_ACCESS only when targeting
 * a version newer than 0x0400 (or when no target version is declared). */
#if ((defined(_WIN32_WINNT) && (_WIN32_WINNT > 0x0400)) || (!defined(_WIN32_WINNT)))
#define TOKEN_ALL_ACCESS (TOKEN_ALL_ACCESS_P | TOKEN_ADJUST_SESSIONID)
#else
#define TOKEN_ALL_ACCESS (TOKEN_ALL_ACCESS_P)
#endif

#define TOKEN_READ (STANDARD_RIGHTS_READ | TOKEN_QUERY)

#define TOKEN_WRITE (STANDARD_RIGHTS_WRITE |\
                     TOKEN_ADJUST_PRIVILEGES |\
                     TOKEN_ADJUST_GROUPS |\
                     TOKEN_ADJUST_DEFAULT)

#define TOKEN_EXECUTE (STANDARD_RIGHTS_EXECUTE)

typedef enum _TOKEN_TYPE {
  TokenPrimary = 1,
  TokenImpersonation
} TOKEN_TYPE, *PTOKEN_TYPE;

/* Selector for token query/set operations; MaxTokenInfoClass is the
 * one-past-the-end sentinel, not a valid class. */
typedef enum _TOKEN_INFORMATION_CLASS {
  TokenUser = 1,
  TokenGroups,
  TokenPrivileges,
  TokenOwner,
  TokenPrimaryGroup,
  TokenDefaultDacl,
  TokenSource,
  TokenType,
  TokenImpersonationLevel,
  TokenStatistics,
  TokenRestrictedSids,
  TokenSessionId,
  TokenGroupsAndPrivileges,
  TokenSessionReference,
  TokenSandBoxInert,
  TokenAuditPolicy,
  TokenOrigin,
  TokenElevationType,
  TokenLinkedToken,
  TokenElevation,
  TokenHasRestrictions,
  TokenAccessInformation,
  TokenVirtualizationAllowed,
  TokenVirtualizationEnabled,
  TokenIntegrityLevel,
  TokenUIAccess,
  TokenMandatoryPolicy,
  TokenLogonSid,
  TokenIsAppContainer,
  TokenCapabilities,
  TokenAppContainerSid,
  TokenAppContainerNumber,
  TokenUserClaimAttributes,
  TokenDeviceClaimAttributes,
  TokenRestrictedUserClaimAttributes,
  TokenRestrictedDeviceClaimAttributes,
  TokenDeviceGroups,
  TokenRestrictedDeviceGroups,
  TokenSecurityAttributes,
  TokenIsRestricted,
  MaxTokenInfoClass
} TOKEN_INFORMATION_CLASS, *PTOKEN_INFORMATION_CLASS;

/* Result layouts for the TOKEN_INFORMATION_CLASS queries of the same name. */
typedef struct _TOKEN_USER {
  SID_AND_ATTRIBUTES User;
} TOKEN_USER, *PTOKEN_USER;

/* Variable-length: Groups[] has GroupCount entries. */
typedef struct _TOKEN_GROUPS {
  $ULONG GroupCount;
#ifdef MIDL_PASS
  [size_is(GroupCount)] SID_AND_ATTRIBUTES Groups[*];
#else
  SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY];
#endif
} TOKEN_GROUPS, *PTOKEN_GROUPS, *LPTOKEN_GROUPS;

/* Variable-length: Privileges[] has PrivilegeCount entries. */
typedef struct _TOKEN_PRIVILEGES {
  $ULONG PrivilegeCount;
  LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES, *LPTOKEN_PRIVILEGES;

typedef struct _TOKEN_OWNER {
  PSID Owner;
} TOKEN_OWNER, *PTOKEN_OWNER;

typedef struct _TOKEN_PRIMARY_GROUP {
  PSID PrimaryGroup;
} TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP;

typedef struct _TOKEN_DEFAULT_DACL {
  PACL DefaultDacl;
} TOKEN_DEFAULT_DACL, *PTOKEN_DEFAULT_DACL;

/* Each (Count, Length, pointer) triple describes one out-of-line array. */
typedef struct _TOKEN_GROUPS_AND_PRIVILEGES {
  $ULONG SidCount;
  $ULONG SidLength;
  PSID_AND_ATTRIBUTES Sids;
  $ULONG RestrictedSidCount;
  $ULONG RestrictedSidLength;
  PSID_AND_ATTRIBUTES RestrictedSids;
  $ULONG PrivilegeCount;
  $ULONG PrivilegeLength;
  PLUID_AND_ATTRIBUTES Privileges;
  LUID AuthenticationId;
} TOKEN_GROUPS_AND_PRIVILEGES, *PTOKEN_GROUPS_AND_PRIVILEGES;

typedef struct _TOKEN_LINKED_TOKEN {
  HANDLE LinkedToken;
} TOKEN_LINKED_TOKEN, *PTOKEN_LINKED_TOKEN;

typedef struct _TOKEN_ELEVATION {
  $ULONG TokenIsElevated;
} TOKEN_ELEVATION, *PTOKEN_ELEVATION;

typedef struct _TOKEN_MANDATORY_LABEL {
  SID_AND_ATTRIBUTES Label;
} TOKEN_MANDATORY_LABEL, *PTOKEN_MANDATORY_LABEL;

#define TOKEN_MANDATORY_POLICY_OFF 0x0
#define TOKEN_MANDATORY_POLICY_NO_WRITE_UP 0x1
#define TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN 0x2

#define TOKEN_MANDATORY_POLICY_VALID_MASK (TOKEN_MANDATORY_POLICY_NO_WRITE_UP | \
                                           TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN)

#define POLICY_AUDIT_SUBCATEGORY_COUNT (56)

/* (56 >> 1) + 1 = 29 bytes; presumably two subcategories per byte. */
typedef struct _TOKEN_AUDIT_POLICY {
  $UCHAR PerUserPolicy[((POLICY_AUDIT_SUBCATEGORY_COUNT) >> 1) + 1];
} TOKEN_AUDIT_POLICY, *PTOKEN_AUDIT_POLICY;

#define TOKEN_SOURCE_LENGTH 8

/* SourceName is a fixed 8-char field; do not assume it is NUL-terminated. */
typedef struct _TOKEN_SOURCE {
  CHAR SourceName[TOKEN_SOURCE_LENGTH];
  LUID SourceIdentifier;
} TOKEN_SOURCE, *PTOKEN_SOURCE;

#include <pshpack4.h>
typedef struct _TOKEN_STATISTICS {
  LUID TokenId;
  LUID AuthenticationId;
  LARGE_INTEGER ExpirationTime;
  TOKEN_TYPE TokenType;
  SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
1037 $ULONG DynamicCharged; 1038 $ULONG DynamicAvailable; 1039 $ULONG GroupCount; 1040 $ULONG PrivilegeCount; 1041 LUID ModifiedId; 1042 } TOKEN_STATISTICS, *PTOKEN_STATISTICS; 1043 #include <poppack.h> 1044 1045 typedef struct _TOKEN_CONTROL { 1046 LUID TokenId; 1047 LUID AuthenticationId; 1048 LUID ModifiedId; 1049 TOKEN_SOURCE TokenSource; 1050 } TOKEN_CONTROL, *PTOKEN_CONTROL; 1051 1052 typedef struct _TOKEN_ORIGIN { 1053 LUID OriginatingLogonSession; 1054 } TOKEN_ORIGIN, *PTOKEN_ORIGIN; 1055 1056 typedef enum _MANDATORY_LEVEL { 1057 MandatoryLevelUntrusted = 0, 1058 MandatoryLevelLow, 1059 MandatoryLevelMedium, 1060 MandatoryLevelHigh, 1061 MandatoryLevelSystem, 1062 MandatoryLevelSecureProcess, 1063 MandatoryLevelCount 1064 } MANDATORY_LEVEL, *PMANDATORY_LEVEL; 1065 1066 $endif(_NTIFS_ || _WINNT_) 1067 $if(_NTIFS_) 1068 1069 typedef struct _SE_ACCESS_REPLY { 1070 $ULONG Size; 1071 $ULONG ResultListCount; 1072 PACCESS_MASK GrantedAccess; 1073 PNTSTATUS AccessStatus; 1074 PACCESS_REASONS AccessReason; 1075 PPRIVILEGE_SET* Privileges; 1076 } SE_ACCESS_REPLY, *PSE_ACCESS_REPLY; 1077 1078 typedef enum _SE_AUDIT_OPERATION { 1079 AuditPrivilegeObject, 1080 AuditPrivilegeService, 1081 AuditAccessCheck, 1082 AuditOpenObject, 1083 AuditOpenObjectWithTransaction, 1084 AuditCloseObject, 1085 AuditDeleteObject, 1086 AuditOpenObjectForDelete, 1087 AuditOpenObjectForDeleteWithTransaction, 1088 AuditCloseNonObject, 1089 AuditOpenNonObject, 1090 AuditObjectReference, 1091 AuditHandleCreation, 1092 } SE_AUDIT_OPERATION, *PSE_AUDIT_OPERATION; 1093 1094 typedef struct _SE_AUDIT_INFO { 1095 ULONG Size; 1096 AUDIT_EVENT_TYPE AuditType; 1097 SE_AUDIT_OPERATION AuditOperation; 1098 ULONG AuditFlags; 1099 UNICODE_STRING SubsystemName; 1100 UNICODE_STRING ObjectTypeName; 1101 UNICODE_STRING ObjectName; 1102 PVOID HandleId; 1103 GUID* TransactionId; 1104 LUID* OperationId; 1105 BOOLEAN ObjectCreation; 1106 BOOLEAN GenerateOnClose; 1107 } SE_AUDIT_INFO, *PSE_AUDIT_INFO; 1108 1109 
/* Mandatory policy of a token; Policy holds TOKEN_MANDATORY_POLICY_* bits
 * and should never carry bits outside TOKEN_MANDATORY_POLICY_VALID_MASK. */
typedef struct _TOKEN_MANDATORY_POLICY {
  $ULONG Policy;
} TOKEN_MANDATORY_POLICY, *PTOKEN_MANDATORY_POLICY;

/* Pre-hashed view of a token used for access checks. Flags is a bitmask;
 * the TOKEN_* values defined directly below are the flags that appear to
 * belong here (confirm against the producer). SidHash/RestrictedSidHash
 * and Privileges are pointers into separately owned memory. */
typedef struct _TOKEN_ACCESS_INFORMATION {
  PSID_AND_ATTRIBUTES_HASH SidHash;
  PSID_AND_ATTRIBUTES_HASH RestrictedSidHash;
  PTOKEN_PRIVILEGES Privileges;
  LUID AuthenticationId;
  TOKEN_TYPE TokenType;
  SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
  TOKEN_MANDATORY_POLICY MandatoryPolicy;
  $ULONG Flags;
} TOKEN_ACCESS_INFORMATION, *PTOKEN_ACCESS_INFORMATION;

/* Token flag bits: each is a distinct power of two from 0x0001 to 0x2000,
 * so they may be OR-ed together. The *_HAS_*_PRIVILEGE bits cache the
 * presence of a privilege; they are not a substitute for the privilege
 * check itself. */
#define TOKEN_HAS_TRAVERSE_PRIVILEGE 0x0001
#define TOKEN_HAS_BACKUP_PRIVILEGE 0x0002
#define TOKEN_HAS_RESTORE_PRIVILEGE 0x0004
#define TOKEN_WRITE_RESTRICTED 0x0008
#define TOKEN_IS_RESTRICTED 0x0010
#define TOKEN_SESSION_NOT_REFERENCED 0x0020
#define TOKEN_SANDBOX_INERT 0x0040
#define TOKEN_HAS_IMPERSONATE_PRIVILEGE 0x0080
#define SE_BACKUP_PRIVILEGES_CHECKED 0x0100
#define TOKEN_VIRTUALIZE_ALLOWED 0x0200
#define TOKEN_VIRTUALIZE_ENABLED 0x0400
#define TOKEN_IS_FILTERED 0x0800
#define TOKEN_UIACCESS 0x1000
#define TOKEN_NOT_LOW 0x2000

/* Table of privilege LUIDs and well-known SIDs. The LUID and PSID members
 * are interleaved because later entries appear to have been appended to the
 * end of the existing table; the member order is therefore ABI and new
 * entries must only be appended, never inserted or reordered. The PSID
 * members point at SIDs owned elsewhere. */
typedef struct _SE_EXPORTS {
  LUID SeCreateTokenPrivilege;
  LUID SeAssignPrimaryTokenPrivilege;
  LUID SeLockMemoryPrivilege;
  LUID SeIncreaseQuotaPrivilege;
  LUID SeUnsolicitedInputPrivilege;
  LUID SeTcbPrivilege;
  LUID SeSecurityPrivilege;
  LUID SeTakeOwnershipPrivilege;
  LUID SeLoadDriverPrivilege;
  LUID SeCreatePagefilePrivilege;
  LUID SeIncreaseBasePriorityPrivilege;
  LUID SeSystemProfilePrivilege;
  LUID SeSystemtimePrivilege;
  LUID SeProfileSingleProcessPrivilege;
  LUID SeCreatePermanentPrivilege;
  LUID SeBackupPrivilege;
  LUID SeRestorePrivilege;
  LUID SeShutdownPrivilege;
  LUID SeDebugPrivilege;
  LUID SeAuditPrivilege;
  LUID SeSystemEnvironmentPrivilege;
  LUID SeChangeNotifyPrivilege;
  LUID SeRemoteShutdownPrivilege;
  PSID SeNullSid;
  PSID SeWorldSid;
  PSID SeLocalSid;
  PSID SeCreatorOwnerSid;
  PSID SeCreatorGroupSid;
  PSID SeNtAuthoritySid;
  PSID SeDialupSid;
  PSID SeNetworkSid;
  PSID SeBatchSid;
  PSID SeInteractiveSid;
  PSID SeLocalSystemSid;
  PSID SeAliasAdminsSid;
  PSID SeAliasUsersSid;
  PSID SeAliasGuestsSid;
  PSID SeAliasPowerUsersSid;
  PSID SeAliasAccountOpsSid;
  PSID SeAliasSystemOpsSid;
  PSID SeAliasPrintOpsSid;
  PSID SeAliasBackupOpsSid;
  PSID SeAuthenticatedUsersSid;
  PSID SeRestrictedSid;
  PSID SeAnonymousLogonSid;
  /* Members from here on were added after the original table. */
  LUID SeUndockPrivilege;
  LUID SeSyncAgentPrivilege;
  LUID SeEnableDelegationPrivilege;
  PSID SeLocalServiceSid;
  PSID SeNetworkServiceSid;
  LUID SeManageVolumePrivilege;
  LUID SeImpersonatePrivilege;
  LUID SeCreateGlobalPrivilege;
  LUID SeTrustedCredManAccessPrivilege;
  LUID SeRelabelPrivilege;
  LUID SeIncreaseWorkingSetPrivilege;
  LUID SeTimeZonePrivilege;
  LUID SeCreateSymbolicLinkPrivilege;
  PSID SeIUserSid;
  /* Integrity-level SIDs, in the same ascending order as MANDATORY_LEVEL. */
  PSID SeUntrustedMandatorySid;
  PSID SeLowMandatorySid;
  PSID SeMediumMandatorySid;
  PSID SeHighMandatorySid;
  PSID SeSystemMandatorySid;
  PSID SeOwnerRightsSid;
} SE_EXPORTS, *PSE_EXPORTS;

/* Callback invoked when a logon session ends; receives the session's LUID
 * and returns an NTSTATUS. */
typedef NTSTATUS
(NTAPI *PSE_LOGON_SESSION_TERMINATED_ROUTINE)(
  IN PLUID LogonId);

/* Security context captured from a client for impersonation.
 * ClientToken is a referenced PACCESS_TOKEN (opaque; do not dereference);
 * DirectlyAccessClientToken / DirectAccessEffectiveOnly / ServerIsRemote
 * qualify how that token may be used. ClientTokenControl holds the token's
 * identifying LUIDs and source -- NOTE(review): presumably so a later
 * modification of the client token can be detected; verify with the code
 * that consumes this structure. */
typedef struct _SECURITY_CLIENT_CONTEXT {
  SECURITY_QUALITY_OF_SERVICE SecurityQos;
  PACCESS_TOKEN ClientToken;
  BOOLEAN DirectlyAccessClientToken;
  BOOLEAN DirectAccessEffectiveOnly;
  BOOLEAN ServerIsRemote;
  TOKEN_CONTROL ClientTokenControl;
} SECURITY_CLIENT_CONTEXT, *PSECURITY_CLIENT_CONTEXT;

$endif (_NTIFS_)