windows-server-2003/public/internal/ds/inc/winsaferp.h

#ifdef __cplusplus
extern "C" {
#endif
#define SAFER_SCOPEID_REGISTRY 3
#define SAFER_LEVEL_DELETE 2
#define SAFER_LEVEL_CREATE 4

//
// Private registry key locations.
//

#define SAFER_HKLM_REGBASE L"Software\\Policies\\Microsoft\\Windows\\Safer"
#define SAFER_HKCU_REGBASE L"Software\\Policies\\Microsoft\\Windows\\Safer"

//
// default winsafer executable file types as a multisz string 
//

#define  SAFER_DEFAULT_EXECUTABLE_FILE_TYPES L"ADE\0ADP\0BAS\0BAT\0CHM\0\
CMD\0COM\0CPL\0CRT\0EXE\0HLP\0HTA\0INF\0INS\0ISP\0LNK\0MDB\0MDE\0MSC\0\
MSI\0MSP\0MST\0OCX\0PCD\0PIF\0REG\0SCR\0SHS\0URL\0VB\0WSC\0"


//
// name of the objects sub-branch.
//

#define SAFER_OBJECTS_REGSUBKEY L"LevelObjects"

//
// names of the values under each of the object sub-branches.
//

#define SAFER_OBJFRIENDLYNAME_REGVALUEW L"FriendlyName"
#define SAFER_OBJDESCRIPTION_REGVALUEW  L"Description"
#define SAFER_OBJDISALLOW_REGVALUE      L"DisallowExecution"

//
// name of the code identifiers sub-branch
//

#define SAFER_CODEIDS_REGSUBKEY L"CodeIdentifiers"

//
// name of the value under the top level code identifier branch.
//

#define SAFER_DEFAULTOBJ_REGVALUE         L"DefaultLevel"
#define SAFER_TRANSPARENTENABLED_REGVALUE L"TransparentEnabled"
#define SAFER_HONORUSER_REGVALUE          L"HonorUserIdentities"
#define SAFER_EXETYPES_REGVALUE           L"ExecutableTypes"
#define SAFER_POLICY_SCOPE                L"PolicyScope"
#define SAFER_LOGFILE_NAME                L"LogFileName"
#define SAFER_HIDDEN_LEVELS               L"Levels"
#define SAFER_AUTHENTICODE_REGVALUE       L"AuthenticodeEnabled"

//
// names of the various subkeys under the code identifier sub-branches
//

#define SAFER_PATHS_REGSUBKEY     L"Paths"
#define SAFER_HASHMD5_REGSUBKEY   L"Hashes"
#define SAFER_SOURCEURL_REGSUBKEY L"UrlZones"

//
// names of the various values under each code identifiery sub-branch.
//

#define SAFER_IDS_LASTMODIFIED_REGVALUE L"LastModified"
#define SAFER_IDS_DESCRIPTION_REGVALUE  L"Description"
#define SAFER_IDS_ITEMSIZE_REGVALUE     L"ItemSize"
#define SAFER_IDS_ITEMDATA_REGVALUE     L"ItemData"
#define SAFER_IDS_SAFERFLAGS_REGVALUE   L"SaferFlags"
#define SAFER_IDS_FRIENDLYNAME_REGVALUE L"FriendlyName"
#define SAFER_IDS_HASHALG_REGVALUE      L"HashAlg"
#define SAFER_VALUE_NAME_DEFAULT_LEVEL  L"DefaultLevel"
#define SAFER_VALUE_NAME_HASH_SIZE      L"HashSize"

//
// registry values
//

#define SAFER_IDS_LEVEL_DESCRIPTION_FULLY_TRUSTED   L"DescriptionFullyTrusted"
#define SAFER_IDS_LEVEL_DESCRIPTION_NORMAL_USER     L"DescriptionNormalUser"
#define SAFER_IDS_LEVEL_DESCRIPTION_CONSTRAINED     L"DescriptionConstrained"
#define SAFER_IDS_LEVEL_DESCRIPTION_UNTRUSTED       L"DescriptionUntrusted"
#define SAFER_IDS_LEVEL_DESCRIPTION_DISALLOWED      L"DescriptionDisallowed"

//
// defines for OOB rules
//
//#define SAFER_DEFAULT_OLK_RULE_PATH L"%USERPROFILE%\\Local Settings\\Temporary Internet Files\\OLK\\"

#define SAFER_LEVEL_ZERO    L"0"
#define SAFER_REGKEY_SEPERATOR    L"\\"
#define SAFER_DEFAULT_RULE_GUID L"{dda3f824-d8cb-441b-834d-be2efd2c1a33}"



#define SAFERP_WINDOWS_GUID {0x191cd7fa, 0xf240, 0x4a17, 0x89, 0x86, 0x94, 0xd4, 0x80, 0xa6, 0xc8, 0xca}

#define SAFERP_WINDOWS_EXE_GUID {0x7272edfb, 0xaf9f, 0x4ddf, 0xb6, 0x5b, 0xe4, 0x28, 0x2f, 0x2d, 0xee, 0xfc}

#define SAFERP_SYSTEM_EXE_GUID {0x8868b733, 0x4b3a, 0x48f8, 0x91, 0x36, 0xaa, 0x6d, 0x05, 0xd4, 0xfc, 0x83}

#define SAFERP_PROGRAMFILES_GUID {0xd2c34ab2, 0x529a, 0x46b2, 0xb2, 0x93, 0xfc, 0x85, 0x3f, 0xce, 0x72, 0xea}


#define SAFER_GUID_RESULT_TRUSTED_CERT       \
      { 0xc59e7b5a,                         \
        0xaf71,                             \
        0x4595,                             \
        {0xb8, 0xdb, 0x46, 0xb4, 0x91, 0xe8, 0x90, 0x07} }

#define SAFER_GUID_RESULT_DEFAULT_LEVEL      \
      { 0x11015445,                         \
        0xd282,                             \
        0x4f86,                             \
        {0x96, 0xa2, 0x9e, 0x48, 0x5f, 0x59, 0x33, 0x02} }



// 
// The following is a private function that is exported
// for WinVerifyTrust to call to determine if a given hash has a
// WinSafer policy associated with it.
//

BOOL WINAPI
SaferiSearchMatchingHashRules(
    IN  ALG_ID HashAlgorithm       OPTIONAL,
    IN  PBYTE  pHashBytes,
    IN  DWORD  dwHashSize,
    IN  DWORD  dwOriginalImageSize OPTIONAL,
    OUT PDWORD pdwFoundLevel,
    OUT PDWORD pdwSaferFlags
    );

//
// The following is a private function exported to allow the current
// registry scope to be altered.  This has the effect of changing
// how AUTHZSCOPEID_REGISTRY is interepreted.
//

WINADVAPI
BOOL WINAPI
SaferiChangeRegistryScope(
    IN HKEY  hKeyCustomRoot OPTIONAL,
    IN DWORD dwKeyOptions
    );

//
// The following is a private function provided to try to empiracally
// determine if the two access token have been restricted with comparable
// WinSafer authorization Levels.  When TRUE is returned, the pdwResult
// output parameter will receive any of the following values:
//      -1 = Client's access token is more authorized than Server's.
//       0 = Client's access token is comparable level to Server's.
//       1 = Server's access token is more authorized than Clients's.
//

WINADVAPI
BOOL WINAPI
SaferiCompareTokenLevels (
    IN  HANDLE ClientAccessToken,
    IN  HANDLE ServerAccessToken,
    OUT PDWORD pdwResult
    );


//
// The following is a private function exported to allow population if defaults in 
// the registry.
//
BOOL WINAPI
SaferiPopulateDefaultsInRegistry(
        IN HKEY     hKeyBase,
        OUT BOOL *pbSetDefaults
        );


#ifdef __cplusplus
}
#endif