/*++ BUILD Version: 0003 // Increment this if a change has global effects Copyright (c) 1989-2000 Microsoft Corporation Module Name: ntseapi.h Abstract: This module contains the Security APIs and any public data structures needed to call these APIs. This module should be included by including "nt.h". Author: Gary Kimura (GaryKi) 06-Mar-1989 Revision History: --*/ #ifndef _NTSEAPI_ #define _NTSEAPI_ #if _MSC_VER > 1000 #pragma once #endif #ifdef __cplusplus extern "C" { #endif //////////////////////////////////////////////////////////////////////// // // // Pointers to Opaque data types // // // //////////////////////////////////////////////////////////////////////// // // Some of these data types may have related data types defined elsewhere // in this file. // // begin_ntddk begin_wdm begin_nthal begin_ntifs // // Define an access token from a programmer's viewpoint. The structure is // completely opaque and the programer is only allowed to have pointers // to tokens. // typedef PVOID PACCESS_TOKEN; // winnt // // Pointer to a SECURITY_DESCRIPTOR opaque data type. // typedef PVOID PSECURITY_DESCRIPTOR; // winnt // // Define a pointer to the Security ID data type (an opaque data type) // typedef PVOID PSID; // winnt // end_ntddk end_wdm end_nthal end_ntifs // begin_winnt //////////////////////////////////////////////////////////////////////// // // // ACCESS MASK // // // //////////////////////////////////////////////////////////////////////// // // Define the access mask as a longword sized structure divided up as // follows: // // 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 // 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 // +---------------+---------------+-------------------------------+ // |G|G|G|G|Res'd|A| StandardRights| SpecificRights | // |R|W|E|A| |S| | | // +-+-------------+---------------+-------------------------------+ // // typedef struct _ACCESS_MASK { // USHORT SpecificRights; // UCHAR StandardRights; // UCHAR AccessSystemAcl : 1; // UCHAR Reserved : 3; // UCHAR GenericAll : 1; // UCHAR GenericExecute : 1; // UCHAR GenericWrite : 1; // UCHAR GenericRead : 1; // } ACCESS_MASK; // typedef ACCESS_MASK *PACCESS_MASK; // // but to make life simple for programmer's we'll allow them to specify // a desired access mask by simply OR'ing together mulitple single rights // and treat an access mask as a ULONG. For example // // DesiredAccess = DELETE | READ_CONTROL // // So we'll declare ACCESS_MASK as ULONG // // begin_ntddk begin_wdm begin_nthal begin_ntifs typedef ULONG ACCESS_MASK; typedef ACCESS_MASK *PACCESS_MASK; // end_winnt // end_ntddk end_wdm end_nthal end_ntifs // begin_winnt //////////////////////////////////////////////////////////////////////// // // // ACCESS TYPES // // // //////////////////////////////////////////////////////////////////////// // begin_ntddk begin_wdm begin_nthal begin_ntifs // // The following are masks for the predefined standard access types // #define DELETE (0x00010000L) #define READ_CONTROL (0x00020000L) #define WRITE_DAC (0x00040000L) #define WRITE_OWNER (0x00080000L) #define SYNCHRONIZE (0x00100000L) #define STANDARD_RIGHTS_REQUIRED (0x000F0000L) #define STANDARD_RIGHTS_READ (READ_CONTROL) #define STANDARD_RIGHTS_WRITE (READ_CONTROL) #define STANDARD_RIGHTS_EXECUTE (READ_CONTROL) #define STANDARD_RIGHTS_ALL (0x001F0000L) #define SPECIFIC_RIGHTS_ALL (0x0000FFFFL) // // AccessSystemAcl access type // #define ACCESS_SYSTEM_SECURITY (0x01000000L) // // MaximumAllowed access type // #define MAXIMUM_ALLOWED (0x02000000L) // // These are the generic rights. // #define GENERIC_READ (0x80000000L) #define GENERIC_WRITE (0x40000000L) #define GENERIC_EXECUTE (0x20000000L) #define GENERIC_ALL (0x10000000L) // // Define the generic mapping array. This is used to denote the // mapping of each generic access right to a specific access mask. // typedef struct _GENERIC_MAPPING { ACCESS_MASK GenericRead; ACCESS_MASK GenericWrite; ACCESS_MASK GenericExecute; ACCESS_MASK GenericAll; } GENERIC_MAPPING; typedef GENERIC_MAPPING *PGENERIC_MAPPING; // end_winnt end_ntddk end_wdm end_nthal end_ntifs // begin_ntddk begin_wdm begin_winnt begin_nthal begin_ntifs //////////////////////////////////////////////////////////////////////// // // // LUID_AND_ATTRIBUTES // // // //////////////////////////////////////////////////////////////////////// // // #include typedef struct _LUID_AND_ATTRIBUTES { LUID Luid; ULONG Attributes; } LUID_AND_ATTRIBUTES, * PLUID_AND_ATTRIBUTES; typedef LUID_AND_ATTRIBUTES LUID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY]; typedef LUID_AND_ATTRIBUTES_ARRAY *PLUID_AND_ATTRIBUTES_ARRAY; #include // end_winnt end_wdm end_ntddk end_nthal end_ntifs // begin_winnt //////////////////////////////////////////////////////////////////////// // // // Security Id (SID) // // // //////////////////////////////////////////////////////////////////////// // // // Pictorially the structure of an SID is as follows: // // 1 1 1 1 1 1 // 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 // +---------------------------------------------------------------+ // | SubAuthorityCount |Reserved1 (SBZ)| Revision | // +---------------------------------------------------------------+ // | IdentifierAuthority[0] | // +---------------------------------------------------------------+ // | IdentifierAuthority[1] | // +---------------------------------------------------------------+ // | IdentifierAuthority[2] | // +---------------------------------------------------------------+ // | | // +- - - - - - - - SubAuthority[] - - - - - - - - -+ // | | // +---------------------------------------------------------------+ // // // begin_ntifs #ifndef SID_IDENTIFIER_AUTHORITY_DEFINED #define SID_IDENTIFIER_AUTHORITY_DEFINED typedef struct _SID_IDENTIFIER_AUTHORITY { UCHAR Value[6]; } SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY; #endif #ifndef SID_DEFINED #define SID_DEFINED typedef struct _SID { UCHAR Revision; UCHAR SubAuthorityCount; SID_IDENTIFIER_AUTHORITY IdentifierAuthority; #ifdef MIDL_PASS [size_is(SubAuthorityCount)] ULONG SubAuthority[*]; #else // MIDL_PASS ULONG SubAuthority[ANYSIZE_ARRAY]; #endif // MIDL_PASS } SID, *PISID; #endif #define SID_REVISION (1) // Current revision level #define SID_MAX_SUB_AUTHORITIES (15) #define SID_RECOMMENDED_SUB_AUTHORITIES (1) // Will change to around 6 // in a future release. #ifndef MIDL_PASS #define SECURITY_MAX_SID_SIZE \ (sizeof(SID) - sizeof(ULONG) + (SID_MAX_SUB_AUTHORITIES * sizeof(ULONG))) #endif // MIDL_PASS typedef enum _SID_NAME_USE { SidTypeUser = 1, SidTypeGroup, SidTypeDomain, SidTypeAlias, SidTypeWellKnownGroup, SidTypeDeletedAccount, SidTypeInvalid, SidTypeUnknown, SidTypeComputer } SID_NAME_USE, *PSID_NAME_USE; typedef struct _SID_AND_ATTRIBUTES { PSID Sid; ULONG Attributes; } SID_AND_ATTRIBUTES, * PSID_AND_ATTRIBUTES; typedef SID_AND_ATTRIBUTES SID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY]; typedef SID_AND_ATTRIBUTES_ARRAY *PSID_AND_ATTRIBUTES_ARRAY; ///////////////////////////////////////////////////////////////////////////// // // // Universal well-known SIDs // // // // Null SID S-1-0-0 // // World S-1-1-0 // // Local S-1-2-0 // // Creator Owner ID S-1-3-0 // // Creator Group ID S-1-3-1 // // Creator Owner Server ID S-1-3-2 // // Creator Group Server ID S-1-3-3 // // // // (Non-unique IDs) S-1-4 // // // ///////////////////////////////////////////////////////////////////////////// #define SECURITY_NULL_SID_AUTHORITY {0,0,0,0,0,0} #define SECURITY_WORLD_SID_AUTHORITY {0,0,0,0,0,1} #define SECURITY_LOCAL_SID_AUTHORITY {0,0,0,0,0,2} #define SECURITY_CREATOR_SID_AUTHORITY {0,0,0,0,0,3} #define SECURITY_NON_UNIQUE_AUTHORITY {0,0,0,0,0,4} #define SECURITY_RESOURCE_MANAGER_AUTHORITY {0,0,0,0,0,9} #define SECURITY_NULL_RID (0x00000000L) #define SECURITY_WORLD_RID (0x00000000L) #define SECURITY_LOCAL_RID (0x00000000L) #define SECURITY_CREATOR_OWNER_RID (0x00000000L) #define SECURITY_CREATOR_GROUP_RID (0x00000001L) #define SECURITY_CREATOR_OWNER_SERVER_RID (0x00000002L) #define SECURITY_CREATOR_GROUP_SERVER_RID (0x00000003L) /////////////////////////////////////////////////////////////////////////////// // // // NT well-known SIDs // // // // NT Authority S-1-5 // // Dialup S-1-5-1 // // // // Network S-1-5-2 // // Batch S-1-5-3 // // Interactive S-1-5-4 // // (Logon IDs) S-1-5-5-X-Y // // Service S-1-5-6 // // AnonymousLogon S-1-5-7 (aka null logon session) // // Proxy S-1-5-8 // // Enterprise DC (EDC) S-1-5-9 (aka domain controller account) // // Self S-1-5-10 (self RID) // // Authenticated User S-1-5-11 (Authenticated user somewhere) // // Restricted Code S-1-5-12 (Running restricted code) // // Terminal Server S-1-5-13 (Running on Terminal Server) // // Remote Logon S-1-5-14 (Remote Interactive Logon) // // This Organization S-1-5-15 // // // // Local System S-1-5-18 // // Local Service S-1-5-19 // // Network Service S-1-5-20 // // // // (NT non-unique IDs) S-1-5-0x15-... (NT Domain Sids) // // // // (Built-in domain) S-1-5-0x20 // // // // (Security Package IDs) S-1-5-0x40 // // NTLM Authentication S-1-5-0x40-10 // // SChannel Authentication S-1-5-0x40-14 // // Digest Authentication S-1-5-0x40-21 // // // // Other Organization S-1-5-1000 (>=1000 can not be filtered) // // // // // // NOTE: the relative identifier values (RIDs) determine which security // // boundaries the SID is allowed to cross. Before adding new RIDs, // // a determination needs to be made regarding which range they should // // be added to in order to ensure proper "SID filtering" // // // /////////////////////////////////////////////////////////////////////////////// #define SECURITY_NT_AUTHORITY {0,0,0,0,0,5} // ntifs #define SECURITY_DIALUP_RID (0x00000001L) #define SECURITY_NETWORK_RID (0x00000002L) #define SECURITY_BATCH_RID (0x00000003L) #define SECURITY_INTERACTIVE_RID (0x00000004L) #define SECURITY_LOGON_IDS_RID (0x00000005L) #define SECURITY_LOGON_IDS_RID_COUNT (3L) #define SECURITY_SERVICE_RID (0x00000006L) #define SECURITY_ANONYMOUS_LOGON_RID (0x00000007L) #define SECURITY_PROXY_RID (0x00000008L) #define SECURITY_ENTERPRISE_CONTROLLERS_RID (0x00000009L) #define SECURITY_SERVER_LOGON_RID SECURITY_ENTERPRISE_CONTROLLERS_RID #define SECURITY_PRINCIPAL_SELF_RID (0x0000000AL) #define SECURITY_AUTHENTICATED_USER_RID (0x0000000BL) #define SECURITY_RESTRICTED_CODE_RID (0x0000000CL) #define SECURITY_TERMINAL_SERVER_RID (0x0000000DL) #define SECURITY_REMOTE_LOGON_RID (0x0000000EL) #define SECURITY_THIS_ORGANIZATION_RID (0x0000000FL) #define SECURITY_LOCAL_SYSTEM_RID (0x00000012L) #define SECURITY_LOCAL_SERVICE_RID (0x00000013L) #define SECURITY_NETWORK_SERVICE_RID (0x00000014L) #define SECURITY_NT_NON_UNIQUE (0x00000015L) #define SECURITY_NT_NON_UNIQUE_SUB_AUTH_COUNT (3L) #define SECURITY_BUILTIN_DOMAIN_RID (0x00000020L) #define SECURITY_PACKAGE_BASE_RID (0x00000040L) #define SECURITY_PACKAGE_RID_COUNT (2L) #define SECURITY_PACKAGE_NTLM_RID (0x0000000AL) #define SECURITY_PACKAGE_SCHANNEL_RID (0x0000000EL) #define SECURITY_PACKAGE_DIGEST_RID (0x00000015L) #define SECURITY_MAX_ALWAYS_FILTERED (0x000003E7L) #define SECURITY_MIN_NEVER_FILTERED (0x000003E8L) #define SECURITY_OTHER_ORGANIZATION_RID (0x000003E8L) ///////////////////////////////////////////////////////////////////////////// // // // well-known domain relative sub-authority values (RIDs)... // // // ///////////////////////////////////////////////////////////////////////////// // Well-known users ... #define FOREST_USER_RID_MAX (0x000001F3L) #define DOMAIN_USER_RID_ADMIN (0x000001F4L) #define DOMAIN_USER_RID_GUEST (0x000001F5L) #define DOMAIN_USER_RID_KRBTGT (0x000001F6L) #define DOMAIN_USER_RID_MAX (0x000003E7L) // well-known groups ... #define DOMAIN_GROUP_RID_ADMINS (0x00000200L) #define DOMAIN_GROUP_RID_USERS (0x00000201L) #define DOMAIN_GROUP_RID_GUESTS (0x00000202L) #define DOMAIN_GROUP_RID_COMPUTERS (0x00000203L) #define DOMAIN_GROUP_RID_CONTROLLERS (0x00000204L) #define DOMAIN_GROUP_RID_CERT_ADMINS (0x00000205L) #define DOMAIN_GROUP_RID_SCHEMA_ADMINS (0x00000206L) #define DOMAIN_GROUP_RID_ENTERPRISE_ADMINS (0x00000207L) #define DOMAIN_GROUP_RID_POLICY_ADMINS (0x00000208L) // well-known aliases ... #define DOMAIN_ALIAS_RID_ADMINS (0x00000220L) #define DOMAIN_ALIAS_RID_USERS (0x00000221L) #define DOMAIN_ALIAS_RID_GUESTS (0x00000222L) #define DOMAIN_ALIAS_RID_POWER_USERS (0x00000223L) #define DOMAIN_ALIAS_RID_ACCOUNT_OPS (0x00000224L) #define DOMAIN_ALIAS_RID_SYSTEM_OPS (0x00000225L) #define DOMAIN_ALIAS_RID_PRINT_OPS (0x00000226L) #define DOMAIN_ALIAS_RID_BACKUP_OPS (0x00000227L) #define DOMAIN_ALIAS_RID_REPLICATOR (0x00000228L) #define DOMAIN_ALIAS_RID_RAS_SERVERS (0x00000229L) #define DOMAIN_ALIAS_RID_PREW2KCOMPACCESS (0x0000022AL) #define DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS (0x0000022BL) #define DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS (0x0000022CL) #define DOMAIN_ALIAS_RID_INCOMING_FOREST_TRUST_BUILDERS (0x0000022DL) #define DOMAIN_ALIAS_RID_MONITORING_USERS (0x0000022EL) #define DOMAIN_ALIAS_RID_LOGGING_USERS (0x0000022FL) #define DOMAIN_ALIAS_RID_AUTHORIZATIONACCESS (0x00000230L) #define DOMAIN_ALIAS_RID_TS_LICENSE_SERVERS (0x00000231L) // end_winnt end_ntifs ///////////////////////////////////////////////////////////////////////////// // // // Foreign Security Authorities // // // // SiteServer Authority S-1-6 // // Internet Site Authority S-1-7 // // Exchange Authority S-1-8 // // Resource Manager Authority S-1-9 // // Passport Authority S-1-10 // // // ///////////////////////////////////////////////////////////////////////////// #define SECURITY_SITESERVER_AUTHORITY {0,0,0,0,0,6} #define SECURITY_INTERNETSITE_AUTHORITY {0,0,0,0,0,7} #define SECURITY_EXCHANGE_AUTHORITY {0,0,0,0,0,8} #define SECURITY_PASSPORT_AUTHORITY {0,0,0,0,0,10} // // Well known SID definitions for lookup. // // begin_winnt begin_ntddk begin_ntifs typedef enum { WinNullSid = 0, WinWorldSid = 1, WinLocalSid = 2, WinCreatorOwnerSid = 3, WinCreatorGroupSid = 4, WinCreatorOwnerServerSid = 5, WinCreatorGroupServerSid = 6, WinNtAuthoritySid = 7, WinDialupSid = 8, WinNetworkSid = 9, WinBatchSid = 10, WinInteractiveSid = 11, WinServiceSid = 12, WinAnonymousSid = 13, WinProxySid = 14, WinEnterpriseControllersSid = 15, WinSelfSid = 16, WinAuthenticatedUserSid = 17, WinRestrictedCodeSid = 18, WinTerminalServerSid = 19, WinRemoteLogonIdSid = 20, WinLogonIdsSid = 21, WinLocalSystemSid = 22, WinLocalServiceSid = 23, WinNetworkServiceSid = 24, WinBuiltinDomainSid = 25, WinBuiltinAdministratorsSid = 26, WinBuiltinUsersSid = 27, WinBuiltinGuestsSid = 28, WinBuiltinPowerUsersSid = 29, WinBuiltinAccountOperatorsSid = 30, WinBuiltinSystemOperatorsSid = 31, WinBuiltinPrintOperatorsSid = 32, WinBuiltinBackupOperatorsSid = 33, WinBuiltinReplicatorSid = 34, WinBuiltinPreWindows2000CompatibleAccessSid = 35, WinBuiltinRemoteDesktopUsersSid = 36, WinBuiltinNetworkConfigurationOperatorsSid = 37, WinAccountAdministratorSid = 38, WinAccountGuestSid = 39, WinAccountKrbtgtSid = 40, WinAccountDomainAdminsSid = 41, WinAccountDomainUsersSid = 42, WinAccountDomainGuestsSid = 43, WinAccountComputersSid = 44, WinAccountControllersSid = 45, WinAccountCertAdminsSid = 46, WinAccountSchemaAdminsSid = 47, WinAccountEnterpriseAdminsSid = 48, WinAccountPolicyAdminsSid = 49, WinAccountRasAndIasServersSid = 50, WinNTLMAuthenticationSid = 51, WinDigestAuthenticationSid = 52, WinSChannelAuthenticationSid = 53, WinThisOrganizationSid = 54, WinOtherOrganizationSid = 55, WinBuiltinIncomingForestTrustBuildersSid = 56, WinBuiltinPerfMonitoringUsersSid = 57, WinBuiltinPerfLoggingUsersSid = 58, WinBuiltinAuthorizationAccessSid = 59, WinBuiltinTerminalServerLicenseServersSid = 60, } WELL_KNOWN_SID_TYPE; // end_winnt end_ntddk end_ntifs // begin_winnt begin_ntifs // // Allocate the System Luid. The first 1000 LUIDs are reserved. // Use #999 here (0x3E7 = 999) // #define SYSTEM_LUID { 0x3E7, 0x0 } #define ANONYMOUS_LOGON_LUID { 0x3e6, 0x0 } #define LOCALSERVICE_LUID { 0x3e5, 0x0 } #define NETWORKSERVICE_LUID { 0x3e4, 0x0 } // end_ntifs //////////////////////////////////////////////////////////////////////// // // // User and Group related SID attributes // // // //////////////////////////////////////////////////////////////////////// // // Group attributes // #define SE_GROUP_MANDATORY (0x00000001L) #define SE_GROUP_ENABLED_BY_DEFAULT (0x00000002L) #define SE_GROUP_ENABLED (0x00000004L) #define SE_GROUP_OWNER (0x00000008L) #define SE_GROUP_USE_FOR_DENY_ONLY (0x00000010L) #define SE_GROUP_LOGON_ID (0xC0000000L) #define SE_GROUP_RESOURCE (0x20000000L) // // User attributes // // (None yet defined.) //////////////////////////////////////////////////////////////////////// // // // ACL and ACE // // // //////////////////////////////////////////////////////////////////////// // // Define an ACL and the ACE format. The structure of an ACL header // followed by one or more ACEs. Pictorally the structure of an ACL header // is as follows: // // 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 // 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 // +-------------------------------+---------------+---------------+ // | AclSize | Sbz1 | AclRevision | // +-------------------------------+---------------+---------------+ // | Sbz2 | AceCount | // +-------------------------------+-------------------------------+ // // The current AclRevision is defined to be ACL_REVISION. // // AclSize is the size, in bytes, allocated for the ACL. This includes // the ACL header, ACES, and remaining free space in the buffer. // // AceCount is the number of ACES in the ACL. // // begin_ntddk begin_wdm begin_ntifs // This is the *current* ACL revision #define ACL_REVISION (2) #define ACL_REVISION_DS (4) // This is the history of ACL revisions. Add a new one whenever // ACL_REVISION is updated #define ACL_REVISION1 (1) #define MIN_ACL_REVISION ACL_REVISION2 #define ACL_REVISION2 (2) #define ACL_REVISION3 (3) #define ACL_REVISION4 (4) #define MAX_ACL_REVISION ACL_REVISION4 typedef struct _ACL { UCHAR AclRevision; UCHAR Sbz1; USHORT AclSize; USHORT AceCount; USHORT Sbz2; } ACL; typedef ACL *PACL; // end_ntddk end_wdm // // The structure of an ACE is a common ace header followed by ace type // specific data. Pictorally the structure of the common ace header is // as follows: // // 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 // 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 // +---------------+-------+-------+---------------+---------------+ // | AceSize | AceFlags | AceType | // +---------------+-------+-------+---------------+---------------+ // // AceType denotes the type of the ace, there are some predefined ace // types // // AceSize is the size, in bytes, of ace. // // AceFlags are the Ace flags for audit and inheritance, defined shortly. typedef struct _ACE_HEADER { UCHAR AceType; UCHAR AceFlags; USHORT AceSize; } ACE_HEADER; typedef ACE_HEADER *PACE_HEADER; // // The following are the predefined ace types that go into the AceType // field of an Ace header. // #define ACCESS_MIN_MS_ACE_TYPE (0x0) #define ACCESS_ALLOWED_ACE_TYPE (0x0) #define ACCESS_DENIED_ACE_TYPE (0x1) #define SYSTEM_AUDIT_ACE_TYPE (0x2) #define SYSTEM_ALARM_ACE_TYPE (0x3) #define ACCESS_MAX_MS_V2_ACE_TYPE (0x3) #define ACCESS_ALLOWED_COMPOUND_ACE_TYPE (0x4) #define ACCESS_MAX_MS_V3_ACE_TYPE (0x4) #define ACCESS_MIN_MS_OBJECT_ACE_TYPE (0x5) #define ACCESS_ALLOWED_OBJECT_ACE_TYPE (0x5) #define ACCESS_DENIED_OBJECT_ACE_TYPE (0x6) #define SYSTEM_AUDIT_OBJECT_ACE_TYPE (0x7) #define SYSTEM_ALARM_OBJECT_ACE_TYPE (0x8) #define ACCESS_MAX_MS_OBJECT_ACE_TYPE (0x8) #define ACCESS_MAX_MS_V4_ACE_TYPE (0x8) #define ACCESS_MAX_MS_ACE_TYPE (0x8) #define ACCESS_ALLOWED_CALLBACK_ACE_TYPE (0x9) #define ACCESS_DENIED_CALLBACK_ACE_TYPE (0xA) #define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE (0xB) #define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE (0xC) #define SYSTEM_AUDIT_CALLBACK_ACE_TYPE (0xD) #define SYSTEM_ALARM_CALLBACK_ACE_TYPE (0xE) #define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE (0xF) #define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE (0x10) #define ACCESS_MAX_MS_V5_ACE_TYPE (0x10) // end_winnt // begin_winnt // // The following are the inherit flags that go into the AceFlags field // of an Ace header. // #define OBJECT_INHERIT_ACE (0x1) #define CONTAINER_INHERIT_ACE (0x2) #define NO_PROPAGATE_INHERIT_ACE (0x4) #define INHERIT_ONLY_ACE (0x8) #define INHERITED_ACE (0x10) #define VALID_INHERIT_FLAGS (0x1F) // The following are the currently defined ACE flags that go into the // AceFlags field of an ACE header. Each ACE type has its own set of // AceFlags. // // SUCCESSFUL_ACCESS_ACE_FLAG - used only with system audit and alarm ACE // types to indicate that a message is generated for successful accesses. // // FAILED_ACCESS_ACE_FLAG - used only with system audit and alarm ACE types // to indicate that a message is generated for failed accesses. // // // SYSTEM_AUDIT and SYSTEM_ALARM AceFlags // // These control the signaling of audit and alarms for success or failure. // #define SUCCESSFUL_ACCESS_ACE_FLAG (0x40) #define FAILED_ACCESS_ACE_FLAG (0x80) // // We'll define the structure of the predefined ACE types. Pictorally // the structure of the predefined ACE's is as follows: // // 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 // 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 // +---------------+-------+-------+---------------+---------------+ // | AceFlags | Resd |Inherit| AceSize | AceType | // +---------------+-------+-------+---------------+---------------+ // | Mask | // +---------------------------------------------------------------+ // | | // + + // | | // + Sid + // | | // + + // | | // +---------------------------------------------------------------+ // // Mask is the access mask associated with the ACE. This is either the // access allowed, access denied, audit, or alarm mask. // // Sid is the Sid associated with the ACE. // // The following are the four predefined ACE types. // Examine the AceType field in the Header to determine // which structure is appropriate to use for casting. typedef struct _ACCESS_ALLOWED_ACE { ACE_HEADER Header; ACCESS_MASK Mask; ULONG SidStart; } ACCESS_ALLOWED_ACE; typedef ACCESS_ALLOWED_ACE *PACCESS_ALLOWED_ACE; typedef struct _ACCESS_DENIED_ACE { ACE_HEADER Header; ACCESS_MASK Mask; ULONG SidStart; } ACCESS_DENIED_ACE; typedef ACCESS_DENIED_ACE *PACCESS_DENIED_ACE; typedef struct _SYSTEM_AUDIT_ACE { ACE_HEADER Header; ACCESS_MASK Mask; ULONG SidStart; } SYSTEM_AUDIT_ACE; typedef SYSTEM_AUDIT_ACE *PSYSTEM_AUDIT_ACE; typedef struct _SYSTEM_ALARM_ACE { ACE_HEADER Header; ACCESS_MASK Mask; ULONG SidStart; } SYSTEM_ALARM_ACE; typedef SYSTEM_ALARM_ACE *PSYSTEM_ALARM_ACE; // end_ntifs // end_winnt // // COMPOUND ACE // // 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 // 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 // +---------------+-------+-------+---------------+---------------+ // | AceFlags | Resd |Inherit| AceSize | AceType | // +---------------+-------+-------+---------------+---------------+ // | Mask | // +-------------------------------+-------------------------------+ // | Compound ACE Type | Reserved (SBZ) | // +-------------------------------+-------------------------------+ // | | // + + // | | // + Sid + // | | // + + // | | // +---------------------------------------------------------------+ // typedef struct _COMPOUND_ACCESS_ALLOWED_ACE { ACE_HEADER Header; ACCESS_MASK Mask; USHORT CompoundAceType; USHORT Reserved; ULONG SidStart; } COMPOUND_ACCESS_ALLOWED_ACE; typedef COMPOUND_ACCESS_ALLOWED_ACE *PCOMPOUND_ACCESS_ALLOWED_ACE; // // Currently defined Compound ACE types // #define COMPOUND_ACE_IMPERSONATION 1 // begin_winnt typedef struct _ACCESS_ALLOWED_OBJECT_ACE { ACE_HEADER Header; ACCESS_MASK Mask; ULONG Flags; GUID ObjectType; GUID InheritedObjectType; ULONG SidStart; } ACCESS_ALLOWED_OBJECT_ACE, *PACCESS_ALLOWED_OBJECT_ACE; typedef struct _ACCESS_DENIED_OBJECT_ACE { ACE_HEADER Header; ACCESS_MASK Mask; ULONG Flags; GUID ObjectType; GUID InheritedObjectType; ULONG SidStart; } ACCESS_DENIED_OBJECT_ACE, *PACCESS_DENIED_OBJECT_ACE; typedef struct _SYSTEM_AUDIT_OBJECT_ACE { ACE_HEADER Header; ACCESS_MASK Mask; ULONG Flags; GUID ObjectType; GUID InheritedObjectType; ULONG SidStart; } SYSTEM_AUDIT_OBJECT_ACE, *PSYSTEM_AUDIT_OBJECT_ACE; typedef struct _SYSTEM_ALARM_OBJECT_ACE { ACE_HEADER Header; ACCESS_MASK Mask; ULONG Flags; GUID ObjectType; GUID InheritedObjectType; ULONG SidStart; } SYSTEM_ALARM_OBJECT_ACE, *PSYSTEM_ALARM_OBJECT_ACE; // // Callback ace support in post Win2000. // Resource managers can put their own data after Sidstart + Length of the sid // typedef struct _ACCESS_ALLOWED_CALLBACK_ACE { ACE_HEADER Header; ACCESS_MASK Mask; ULONG SidStart; // Opaque resouce manager specific data } ACCESS_ALLOWED_CALLBACK_ACE, *PACCESS_ALLOWED_CALLBACK_ACE; typedef struct _ACCESS_DENIED_CALLBACK_ACE { ACE_HEADER Header; ACCESS_MASK Mask; ULONG SidStart; // Opaque resouce manager specific data } ACCESS_DENIED_CALLBACK_ACE, *PACCESS_DENIED_CALLBACK_ACE; typedef struct _SYSTEM_AUDIT_CALLBACK_ACE { ACE_HEADER Header; ACCESS_MASK Mask; ULONG SidStart; // Opaque resouce manager specific data } SYSTEM_AUDIT_CALLBACK_ACE, *PSYSTEM_AUDIT_CALLBACK_ACE; typedef struct _SYSTEM_ALARM_CALLBACK_ACE { ACE_HEADER Header; ACCESS_MASK Mask; ULONG SidStart; // Opaque resouce manager specific data } SYSTEM_ALARM_CALLBACK_ACE, *PSYSTEM_ALARM_CALLBACK_ACE; typedef struct _ACCESS_ALLOWED_CALLBACK_OBJECT_ACE { ACE_HEADER Header; ACCESS_MASK Mask; ULONG Flags; GUID ObjectType; GUID InheritedObjectType; ULONG SidStart; // Opaque resouce manager specific data } ACCESS_ALLOWED_CALLBACK_OBJECT_ACE, *PACCESS_ALLOWED_CALLBACK_OBJECT_ACE; typedef struct _ACCESS_DENIED_CALLBACK_OBJECT_ACE { ACE_HEADER Header; ACCESS_MASK Mask; ULONG Flags; GUID ObjectType; GUID InheritedObjectType; ULONG SidStart; // Opaque resouce manager specific data } ACCESS_DENIED_CALLBACK_OBJECT_ACE, *PACCESS_DENIED_CALLBACK_OBJECT_ACE; typedef struct _SYSTEM_AUDIT_CALLBACK_OBJECT_ACE { ACE_HEADER Header; ACCESS_MASK Mask; ULONG Flags; GUID ObjectType; GUID InheritedObjectType; ULONG SidStart; // Opaque resouce manager specific data } SYSTEM_AUDIT_CALLBACK_OBJECT_ACE, *PSYSTEM_AUDIT_CALLBACK_OBJECT_ACE; typedef struct _SYSTEM_ALARM_CALLBACK_OBJECT_ACE { ACE_HEADER Header; ACCESS_MASK Mask; ULONG Flags; GUID ObjectType; GUID InheritedObjectType; ULONG SidStart; // Opaque resouce manager specific data } SYSTEM_ALARM_CALLBACK_OBJECT_ACE, *PSYSTEM_ALARM_CALLBACK_OBJECT_ACE; // // Currently define Flags for "OBJECT" ACE types. // #define ACE_OBJECT_TYPE_PRESENT 0x1 #define ACE_INHERITED_OBJECT_TYPE_PRESENT 0x2 // // The following declarations are used for setting and querying information // about and ACL. First are the various information classes available to // the user. // typedef enum _ACL_INFORMATION_CLASS { AclRevisionInformation = 1, AclSizeInformation } ACL_INFORMATION_CLASS; // // This record is returned/sent if the user is requesting/setting the // AclRevisionInformation // typedef struct _ACL_REVISION_INFORMATION { ULONG AclRevision; } ACL_REVISION_INFORMATION; typedef ACL_REVISION_INFORMATION *PACL_REVISION_INFORMATION; // // This record is returned if the user is requesting AclSizeInformation // typedef struct _ACL_SIZE_INFORMATION { ULONG AceCount; ULONG AclBytesInUse; ULONG AclBytesFree; } ACL_SIZE_INFORMATION; typedef ACL_SIZE_INFORMATION *PACL_SIZE_INFORMATION; // end_winnt // begin_winnt //////////////////////////////////////////////////////////////////////// // // // SECURITY_DESCRIPTOR // // // //////////////////////////////////////////////////////////////////////// // // Define the Security Descriptor and related data types. // This is an opaque data structure. // // begin_wdm begin_ntddk begin_ntifs // // Current security descriptor revision value // #define SECURITY_DESCRIPTOR_REVISION (1) #define SECURITY_DESCRIPTOR_REVISION1 (1) // end_wdm end_ntddk #define SECURITY_DESCRIPTOR_MIN_LENGTH (sizeof(SECURITY_DESCRIPTOR)) typedef USHORT SECURITY_DESCRIPTOR_CONTROL, *PSECURITY_DESCRIPTOR_CONTROL; #define SE_OWNER_DEFAULTED (0x0001) #define SE_GROUP_DEFAULTED (0x0002) #define SE_DACL_PRESENT (0x0004) #define SE_DACL_DEFAULTED (0x0008) #define SE_SACL_PRESENT (0x0010) #define SE_SACL_DEFAULTED (0x0020) // end_winnt #define SE_DACL_UNTRUSTED (0x0040) #define SE_SERVER_SECURITY (0x0080) // begin_winnt #define SE_DACL_AUTO_INHERIT_REQ (0x0100) #define SE_SACL_AUTO_INHERIT_REQ (0x0200) #define SE_DACL_AUTO_INHERITED (0x0400) #define SE_SACL_AUTO_INHERITED (0x0800) #define SE_DACL_PROTECTED (0x1000) #define SE_SACL_PROTECTED (0x2000) #define SE_RM_CONTROL_VALID (0x4000) #define SE_SELF_RELATIVE (0x8000) // // Where: // // SE_OWNER_DEFAULTED - This boolean flag, when set, indicates that the // SID pointed to by the Owner field was provided by a // defaulting mechanism rather than explicitly provided by the // original provider of the security descriptor. This may // affect the treatment of the SID with respect to inheritence // of an owner. // // SE_GROUP_DEFAULTED - This boolean flag, when set, indicates that the // SID in the Group field was provided by a defaulting mechanism // rather than explicitly provided by the original provider of // the security descriptor. This may affect the treatment of // the SID with respect to inheritence of a primary group. // // SE_DACL_PRESENT - This boolean flag, when set, indicates that the // security descriptor contains a discretionary ACL. If this // flag is set and the Dacl field of the SECURITY_DESCRIPTOR is // null, then a null ACL is explicitly being specified. // // SE_DACL_DEFAULTED - This boolean flag, when set, indicates that the // ACL pointed to by the Dacl field was provided by a defaulting // mechanism rather than explicitly provided by the original // provider of the security descriptor. This may affect the // treatment of the ACL with respect to inheritence of an ACL. // This flag is ignored if the DaclPresent flag is not set. // // SE_SACL_PRESENT - This boolean flag, when set, indicates that the // security descriptor contains a system ACL pointed to by the // Sacl field. If this flag is set and the Sacl field of the // SECURITY_DESCRIPTOR is null, then an empty (but present) // ACL is being specified. // // SE_SACL_DEFAULTED - This boolean flag, when set, indicates that the // ACL pointed to by the Sacl field was provided by a defaulting // mechanism rather than explicitly provided by the original // provider of the security descriptor. This may affect the // treatment of the ACL with respect to inheritence of an ACL. // This flag is ignored if the SaclPresent flag is not set. // // end_winnt // SE_DACL_TRUSTED - This boolean flag, when set, indicates that the // ACL pointed to by the Dacl field was provided by a trusted source // and does not require any editing of compound ACEs. If this flag // is not set and a compound ACE is encountered, the system will // substitute known valid SIDs for the server SIDs in the ACEs. // // SE_SERVER_SECURITY - This boolean flag, when set, indicates that the // caller wishes the system to create a Server ACL based on the // input ACL, regardess of its source (explicit or defaulting. // This is done by replacing all of the GRANT ACEs with compound // ACEs granting the current server. This flag is only // meaningful if the subject is impersonating. // // begin_winnt // SE_SELF_RELATIVE - This boolean flag, when set, indicates that the // security descriptor is in self-relative form. In this form, // all fields of the security descriptor are contiguous in memory // and all pointer fields are expressed as offsets from the // beginning of the security descriptor. This form is useful // for treating security descriptors as opaque data structures // for transmission in communication protocol or for storage on // secondary media. // // // // Pictorially the structure of a security descriptor is as follows: // // 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 // 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 // +---------------------------------------------------------------+ // | Control |Reserved1 (SBZ)| Revision | // +---------------------------------------------------------------+ // | Owner | // +---------------------------------------------------------------+ // | Group | // +---------------------------------------------------------------+ // | Sacl | // +---------------------------------------------------------------+ // | Dacl | // +---------------------------------------------------------------+ // // In general, this data structure should be treated opaquely to ensure future // compatibility. // // typedef struct _SECURITY_DESCRIPTOR_RELATIVE { UCHAR Revision; UCHAR Sbz1; SECURITY_DESCRIPTOR_CONTROL Control; ULONG Owner; ULONG Group; ULONG Sacl; ULONG Dacl; } SECURITY_DESCRIPTOR_RELATIVE, *PISECURITY_DESCRIPTOR_RELATIVE; typedef struct _SECURITY_DESCRIPTOR { UCHAR Revision; UCHAR Sbz1; SECURITY_DESCRIPTOR_CONTROL Control; PSID Owner; PSID Group; PACL Sacl; PACL Dacl; } SECURITY_DESCRIPTOR, *PISECURITY_DESCRIPTOR; // end_ntifs // Where: // // Revision - Contains the revision level of the security // descriptor. This allows this structure to be passed between // systems or stored on disk even though it is expected to // change in the future. // // Control - A set of flags which qualify the meaning of the // security descriptor or individual fields of the security // descriptor. // // Owner - is a pointer to an SID representing an object's owner. // If this field is null, then no owner SID is present in the // security descriptor. If the security descriptor is in // self-relative form, then this field contains an offset to // the SID, rather than a pointer. // // Group - is a pointer to an SID representing an object's primary // group. If this field is null, then no primary group SID is // present in the security descriptor. If the security descriptor // is in self-relative form, then this field contains an offset to // the SID, rather than a pointer. // // Sacl - is a pointer to a system ACL. This field value is only // valid if the DaclPresent control flag is set. If the // SaclPresent flag is set and this field is null, then a null // ACL is specified. If the security descriptor is in // self-relative form, then this field contains an offset to // the ACL, rather than a pointer. // // Dacl - is a pointer to a discretionary ACL. This field value is // only valid if the DaclPresent control flag is set. If the // DaclPresent flag is set and this field is null, then a null // ACL (unconditionally granting access) is specified. If the // security descriptor is in self-relative form, then this field // contains an offset to the ACL, rather than a pointer. // // end_winnt // begin_winnt begin_ntifs //////////////////////////////////////////////////////////////////////// // // // Object Type list for AccessCheckByType // // // //////////////////////////////////////////////////////////////////////// typedef struct _OBJECT_TYPE_LIST { USHORT Level; USHORT Sbz; GUID *ObjectType; } OBJECT_TYPE_LIST, *POBJECT_TYPE_LIST; // // DS values for Level // #define ACCESS_OBJECT_GUID 0 #define ACCESS_PROPERTY_SET_GUID 1 #define ACCESS_PROPERTY_GUID 2 #define ACCESS_MAX_LEVEL 4 // // Parameters to NtAccessCheckByTypeAndAditAlarm // typedef enum _AUDIT_EVENT_TYPE { AuditEventObjectAccess, AuditEventDirectoryServiceAccess } AUDIT_EVENT_TYPE, *PAUDIT_EVENT_TYPE; #define AUDIT_ALLOW_NO_PRIVILEGE 0x1 // // DS values for Source and ObjectTypeName // #define ACCESS_DS_SOURCE_A "DS" #define ACCESS_DS_SOURCE_W L"DS" #define ACCESS_DS_OBJECT_TYPE_NAME_A "Directory Service Object" #define ACCESS_DS_OBJECT_TYPE_NAME_W L"Directory Service Object" //////////////////////////////////////////////////////////////////////// // // // Privilege Related Data Structures // // // //////////////////////////////////////////////////////////////////////// // begin_wdm begin_ntddk begin_nthal // // Privilege attributes // #define SE_PRIVILEGE_ENABLED_BY_DEFAULT (0x00000001L) #define SE_PRIVILEGE_ENABLED (0x00000002L) #define SE_PRIVILEGE_REMOVED (0X00000004L) #define SE_PRIVILEGE_USED_FOR_ACCESS (0x80000000L) // // Privilege Set Control flags // #define PRIVILEGE_SET_ALL_NECESSARY (1) // // Privilege Set - This is defined for a privilege set of one. // If more than one privilege is needed, then this structure // will need to be allocated with more space. // // Note: don't change this structure without fixing the INITIAL_PRIVILEGE_SET // structure (defined in se.h) // typedef struct _PRIVILEGE_SET { ULONG PrivilegeCount; ULONG Control; LUID_AND_ATTRIBUTES Privilege[ANYSIZE_ARRAY]; } PRIVILEGE_SET, * PPRIVILEGE_SET; // end_winnt end_wdm end_ntddk end_nthal end_ntifs // begin_winnt //////////////////////////////////////////////////////////////////////// // // // NT Defined Privileges // // // //////////////////////////////////////////////////////////////////////// // end_winnt // // ** ** ** ** ** ** ** ** ** ** NOTE ** ** ** ** ** ** ** ** ** ** ** ** ** // // Any additions or deletions to the following list // of privileges must have corresponding changes made // in the following files: // - ntos\se\seglobal.c // - ds\security\base\lsa\msprivs\msprivs.rc // - ds\security\base\lsa\server\dspolicy\dbpriv.c // // ** ** ** ** ** ** ** ** ** ** NOTE ** ** ** ** ** ** ** ** ** ** ** ** ** // // begin_winnt #define SE_CREATE_TOKEN_NAME TEXT("SeCreateTokenPrivilege") #define SE_ASSIGNPRIMARYTOKEN_NAME TEXT("SeAssignPrimaryTokenPrivilege") #define SE_LOCK_MEMORY_NAME TEXT("SeLockMemoryPrivilege") #define SE_INCREASE_QUOTA_NAME TEXT("SeIncreaseQuotaPrivilege") #define SE_UNSOLICITED_INPUT_NAME TEXT("SeUnsolicitedInputPrivilege") #define SE_MACHINE_ACCOUNT_NAME TEXT("SeMachineAccountPrivilege") #define SE_TCB_NAME TEXT("SeTcbPrivilege") #define SE_SECURITY_NAME TEXT("SeSecurityPrivilege") #define SE_TAKE_OWNERSHIP_NAME TEXT("SeTakeOwnershipPrivilege") #define SE_LOAD_DRIVER_NAME TEXT("SeLoadDriverPrivilege") #define SE_SYSTEM_PROFILE_NAME TEXT("SeSystemProfilePrivilege") #define SE_SYSTEMTIME_NAME TEXT("SeSystemtimePrivilege") #define SE_PROF_SINGLE_PROCESS_NAME TEXT("SeProfileSingleProcessPrivilege") #define SE_INC_BASE_PRIORITY_NAME TEXT("SeIncreaseBasePriorityPrivilege") #define SE_CREATE_PAGEFILE_NAME TEXT("SeCreatePagefilePrivilege") #define SE_CREATE_PERMANENT_NAME TEXT("SeCreatePermanentPrivilege") #define SE_BACKUP_NAME TEXT("SeBackupPrivilege") #define SE_RESTORE_NAME TEXT("SeRestorePrivilege") #define SE_SHUTDOWN_NAME TEXT("SeShutdownPrivilege") #define SE_DEBUG_NAME TEXT("SeDebugPrivilege") #define SE_AUDIT_NAME TEXT("SeAuditPrivilege") #define SE_SYSTEM_ENVIRONMENT_NAME TEXT("SeSystemEnvironmentPrivilege") #define SE_CHANGE_NOTIFY_NAME TEXT("SeChangeNotifyPrivilege") #define SE_REMOTE_SHUTDOWN_NAME TEXT("SeRemoteShutdownPrivilege") #define SE_UNDOCK_NAME TEXT("SeUndockPrivilege") #define SE_SYNC_AGENT_NAME TEXT("SeSyncAgentPrivilege") #define SE_ENABLE_DELEGATION_NAME TEXT("SeEnableDelegationPrivilege") #define SE_MANAGE_VOLUME_NAME TEXT("SeManageVolumePrivilege") #define SE_IMPERSONATE_NAME TEXT("SeImpersonatePrivilege") #define SE_CREATE_GLOBAL_NAME TEXT("SeCreateGlobalPrivilege") // end_winnt // begin_wdm begin_ntddk begin_ntifs // // These must be converted to LUIDs before use. // #define SE_MIN_WELL_KNOWN_PRIVILEGE (2L) #define SE_CREATE_TOKEN_PRIVILEGE (2L) #define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L) #define SE_LOCK_MEMORY_PRIVILEGE (4L) #define SE_INCREASE_QUOTA_PRIVILEGE (5L) // end_wdm // // Unsolicited Input is obsolete and unused. // #define SE_UNSOLICITED_INPUT_PRIVILEGE (6L) // begin_wdm #define SE_MACHINE_ACCOUNT_PRIVILEGE (6L) #define SE_TCB_PRIVILEGE (7L) #define SE_SECURITY_PRIVILEGE (8L) #define SE_TAKE_OWNERSHIP_PRIVILEGE (9L) #define SE_LOAD_DRIVER_PRIVILEGE (10L) #define SE_SYSTEM_PROFILE_PRIVILEGE (11L) #define SE_SYSTEMTIME_PRIVILEGE (12L) #define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L) #define SE_INC_BASE_PRIORITY_PRIVILEGE (14L) #define SE_CREATE_PAGEFILE_PRIVILEGE (15L) #define SE_CREATE_PERMANENT_PRIVILEGE (16L) #define SE_BACKUP_PRIVILEGE (17L) #define SE_RESTORE_PRIVILEGE (18L) #define SE_SHUTDOWN_PRIVILEGE (19L) #define SE_DEBUG_PRIVILEGE (20L) #define SE_AUDIT_PRIVILEGE (21L) #define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L) #define SE_CHANGE_NOTIFY_PRIVILEGE (23L) #define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L) #define SE_UNDOCK_PRIVILEGE (25L) #define SE_SYNC_AGENT_PRIVILEGE (26L) #define SE_ENABLE_DELEGATION_PRIVILEGE (27L) #define SE_MANAGE_VOLUME_PRIVILEGE (28L) #define SE_IMPERSONATE_PRIVILEGE (29L) #define SE_CREATE_GLOBAL_PRIVILEGE (30L) #define SE_MAX_WELL_KNOWN_PRIVILEGE (SE_CREATE_GLOBAL_PRIVILEGE) // end_wdm end_ntddk end_ntifs // begin_winnt //////////////////////////////////////////////////////////////////// // // // Security Quality Of Service // // // // // //////////////////////////////////////////////////////////////////// // begin_wdm begin_ntddk begin_nthal begin_ntifs // // Impersonation Level // // Impersonation level is represented by a pair of bits in Windows. // If a new impersonation level is added or lowest value is changed from // 0 to something else, fix the Windows CreateFile call. // typedef enum _SECURITY_IMPERSONATION_LEVEL { SecurityAnonymous, SecurityIdentification, SecurityImpersonation, SecurityDelegation } SECURITY_IMPERSONATION_LEVEL, * PSECURITY_IMPERSONATION_LEVEL; #define SECURITY_MAX_IMPERSONATION_LEVEL SecurityDelegation #define SECURITY_MIN_IMPERSONATION_LEVEL SecurityAnonymous #define DEFAULT_IMPERSONATION_LEVEL SecurityImpersonation #define VALID_IMPERSONATION_LEVEL(L) (((L) >= SECURITY_MIN_IMPERSONATION_LEVEL) && ((L) <= SECURITY_MAX_IMPERSONATION_LEVEL)) // end_nthal end_wdm end_ntddk end_ntifs end_winnt // // begin_winnt begin_ntifs //////////////////////////////////////////////////////////////////// // // // Token Object Definitions // // // // // //////////////////////////////////////////////////////////////////// // // Token Specific Access Rights. // #define TOKEN_ASSIGN_PRIMARY (0x0001) #define TOKEN_DUPLICATE (0x0002) #define TOKEN_IMPERSONATE (0x0004) #define TOKEN_QUERY (0x0008) #define TOKEN_QUERY_SOURCE (0x0010) #define TOKEN_ADJUST_PRIVILEGES (0x0020) #define TOKEN_ADJUST_GROUPS (0x0040) #define TOKEN_ADJUST_DEFAULT (0x0080) #define TOKEN_ADJUST_SESSIONID (0x0100) #define TOKEN_ALL_ACCESS_P (STANDARD_RIGHTS_REQUIRED |\ TOKEN_ASSIGN_PRIMARY |\ TOKEN_DUPLICATE |\ TOKEN_IMPERSONATE |\ TOKEN_QUERY |\ TOKEN_QUERY_SOURCE |\ TOKEN_ADJUST_PRIVILEGES |\ TOKEN_ADJUST_GROUPS |\ TOKEN_ADJUST_DEFAULT ) #if ((defined(_WIN32_WINNT) && (_WIN32_WINNT > 0x0400)) || (!defined(_WIN32_WINNT))) #define TOKEN_ALL_ACCESS (TOKEN_ALL_ACCESS_P |\ TOKEN_ADJUST_SESSIONID ) #else #define TOKEN_ALL_ACCESS (TOKEN_ALL_ACCESS_P) #endif #define TOKEN_READ (STANDARD_RIGHTS_READ |\ TOKEN_QUERY) #define TOKEN_WRITE (STANDARD_RIGHTS_WRITE |\ TOKEN_ADJUST_PRIVILEGES |\ TOKEN_ADJUST_GROUPS |\ TOKEN_ADJUST_DEFAULT) #define TOKEN_EXECUTE (STANDARD_RIGHTS_EXECUTE) // // // Token Types // typedef enum _TOKEN_TYPE { TokenPrimary = 1, TokenImpersonation } TOKEN_TYPE; typedef TOKEN_TYPE *PTOKEN_TYPE; // // Token Information Classes. // typedef enum _TOKEN_INFORMATION_CLASS { TokenUser = 1, TokenGroups, TokenPrivileges, TokenOwner, TokenPrimaryGroup, TokenDefaultDacl, TokenSource, TokenType, TokenImpersonationLevel, TokenStatistics, TokenRestrictedSids, TokenSessionId, TokenGroupsAndPrivileges, TokenSessionReference, TokenSandBoxInert, TokenAuditPolicy, TokenOrigin, MaxTokenInfoClass // MaxTokenInfoClass should always be the last enum } TOKEN_INFORMATION_CLASS, *PTOKEN_INFORMATION_CLASS; // // Token information class structures // typedef struct _TOKEN_USER { SID_AND_ATTRIBUTES User; } TOKEN_USER, *PTOKEN_USER; typedef struct _TOKEN_GROUPS { ULONG GroupCount; SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY]; } TOKEN_GROUPS, *PTOKEN_GROUPS; typedef struct _TOKEN_PRIVILEGES { ULONG PrivilegeCount; LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY]; } TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES; typedef struct _TOKEN_OWNER { PSID Owner; } TOKEN_OWNER, *PTOKEN_OWNER; typedef struct _TOKEN_PRIMARY_GROUP { PSID PrimaryGroup; } TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP; typedef struct _TOKEN_DEFAULT_DACL { PACL DefaultDacl; } TOKEN_DEFAULT_DACL, *PTOKEN_DEFAULT_DACL; typedef struct _TOKEN_GROUPS_AND_PRIVILEGES { ULONG SidCount; ULONG SidLength; PSID_AND_ATTRIBUTES Sids; ULONG RestrictedSidCount; ULONG RestrictedSidLength; PSID_AND_ATTRIBUTES RestrictedSids; ULONG PrivilegeCount; ULONG PrivilegeLength; PLUID_AND_ATTRIBUTES Privileges; LUID AuthenticationId; } TOKEN_GROUPS_AND_PRIVILEGES, *PTOKEN_GROUPS_AND_PRIVILEGES; // // Valid bits for each TOKEN_AUDIT_POLICY policy mask field. // #define TOKEN_AUDIT_SUCCESS_INCLUDE 0x1 #define TOKEN_AUDIT_SUCCESS_EXCLUDE 0x2 #define TOKEN_AUDIT_FAILURE_INCLUDE 0x4 #define TOKEN_AUDIT_FAILURE_EXCLUDE 0x8 #define VALID_AUDIT_POLICY_BITS (TOKEN_AUDIT_SUCCESS_INCLUDE | \ TOKEN_AUDIT_SUCCESS_EXCLUDE | \ TOKEN_AUDIT_FAILURE_INCLUDE | \ TOKEN_AUDIT_FAILURE_EXCLUDE) #define VALID_TOKEN_AUDIT_POLICY_ELEMENT(P) ((((P).PolicyMask & ~VALID_AUDIT_POLICY_BITS) == 0) && \ ((P).Category <= AuditEventMaxType)) typedef struct _TOKEN_AUDIT_POLICY_ELEMENT { ULONG Category; ULONG PolicyMask; } TOKEN_AUDIT_POLICY_ELEMENT, *PTOKEN_AUDIT_POLICY_ELEMENT; typedef struct _TOKEN_AUDIT_POLICY { ULONG PolicyCount; TOKEN_AUDIT_POLICY_ELEMENT Policy[ANYSIZE_ARRAY]; } TOKEN_AUDIT_POLICY, *PTOKEN_AUDIT_POLICY; #define PER_USER_AUDITING_POLICY_SIZE(p) \ ( sizeof(TOKEN_AUDIT_POLICY) + (((p)->PolicyCount > ANYSIZE_ARRAY) ? (sizeof(TOKEN_AUDIT_POLICY_ELEMENT) * ((p)->PolicyCount - ANYSIZE_ARRAY)) : 0) ) #define PER_USER_AUDITING_POLICY_SIZE_BY_COUNT(C) \ ( sizeof(TOKEN_AUDIT_POLICY) + (((C) > ANYSIZE_ARRAY) ? (sizeof(TOKEN_AUDIT_POLICY_ELEMENT) * ((C) - ANYSIZE_ARRAY)) : 0) ) // end_winnt end_ntifs typedef enum _PROXY_CLASS { ProxyFull, ProxyService, ProxyTree, ProxyDirectory } PROXY_CLASS, * PPROXY_CLASS; typedef struct _SECURITY_TOKEN_PROXY_DATA { ULONG Length; PROXY_CLASS ProxyClass; UNICODE_STRING PathInfo; ACCESS_MASK ContainerMask; ACCESS_MASK ObjectMask; } SECURITY_TOKEN_PROXY_DATA, *PSECURITY_TOKEN_PROXY_DATA; typedef struct _SECURITY_TOKEN_AUDIT_DATA { ULONG Length; ACCESS_MASK GrantMask; ACCESS_MASK DenyMask; } SECURITY_TOKEN_AUDIT_DATA, *PSECURITY_TOKEN_AUDIT_DATA; // begin_ntifs begin_winnt #define TOKEN_SOURCE_LENGTH 8 typedef struct _TOKEN_SOURCE { CHAR SourceName[TOKEN_SOURCE_LENGTH]; LUID SourceIdentifier; } TOKEN_SOURCE, *PTOKEN_SOURCE; typedef struct _TOKEN_STATISTICS { LUID TokenId; LUID AuthenticationId; LARGE_INTEGER ExpirationTime; TOKEN_TYPE TokenType; SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; ULONG DynamicCharged; ULONG DynamicAvailable; ULONG GroupCount; ULONG PrivilegeCount; LUID ModifiedId; } TOKEN_STATISTICS, *PTOKEN_STATISTICS; typedef struct _TOKEN_CONTROL { LUID TokenId; LUID AuthenticationId; LUID ModifiedId; TOKEN_SOURCE TokenSource; } TOKEN_CONTROL, *PTOKEN_CONTROL; typedef struct _TOKEN_ORIGIN { LUID OriginatingLogonSession ; } TOKEN_ORIGIN, * PTOKEN_ORIGIN ; // end_winnt // end_ntifs // begin_wdm begin_ntddk begin_ntifs begin_winnt // // Security Tracking Mode // #define SECURITY_DYNAMIC_TRACKING (TRUE) #define SECURITY_STATIC_TRACKING (FALSE) typedef BOOLEAN SECURITY_CONTEXT_TRACKING_MODE, * PSECURITY_CONTEXT_TRACKING_MODE; // // Quality Of Service // typedef struct _SECURITY_QUALITY_OF_SERVICE { ULONG Length; SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode; BOOLEAN EffectiveOnly; } SECURITY_QUALITY_OF_SERVICE, * PSECURITY_QUALITY_OF_SERVICE; // end_winnt end_wdm end_ntddk end_ntifs // // Advanced Quality of Service // typedef struct _SECURITY_ADVANCED_QUALITY_OF_SERVICE { ULONG Length; SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode; BOOLEAN EffectiveOnly; PSECURITY_TOKEN_PROXY_DATA ProxyData; PSECURITY_TOKEN_AUDIT_DATA AuditData; } SECURITY_ADVANCED_QUALITY_OF_SERVICE, *PSECURITY_ADVANCED_QUALITY_OF_SERVICE; // begin_wdm begin_ntddk begin_ntifs begin_winnt // // Used to represent information related to a thread impersonation // typedef struct _SE_IMPERSONATION_STATE { PACCESS_TOKEN Token; BOOLEAN CopyOnOpen; BOOLEAN EffectiveOnly; SECURITY_IMPERSONATION_LEVEL Level; } SE_IMPERSONATION_STATE, *PSE_IMPERSONATION_STATE; // end_winnt end_wdm end_ntddk end_ntifs //////////////////////////////////////////////////////////////////////// // // // Flags for NtFilerToken // // // //////////////////////////////////////////////////////////////////////// #define DISABLE_MAX_PRIVILEGE 0x1 // winnt #define SANDBOX_INERT 0x2 // winnt //////////////////////////////////////////////////////////////////////// // // // General Security definitions // // // //////////////////////////////////////////////////////////////////////// // // Security information associated with objects. // Used for query operations. // // This will be extended in the future to include mandatory access control. // // begin_winnt begin_wdm begin_ntddk begin_nthal begin_ntifs typedef ULONG SECURITY_INFORMATION, *PSECURITY_INFORMATION; #define OWNER_SECURITY_INFORMATION (0x00000001L) #define GROUP_SECURITY_INFORMATION (0x00000002L) #define DACL_SECURITY_INFORMATION (0x00000004L) #define SACL_SECURITY_INFORMATION (0x00000008L) #define PROTECTED_DACL_SECURITY_INFORMATION (0x80000000L) #define PROTECTED_SACL_SECURITY_INFORMATION (0x40000000L) #define UNPROTECTED_DACL_SECURITY_INFORMATION (0x20000000L) #define UNPROTECTED_SACL_SECURITY_INFORMATION (0x10000000L) // end_winnt end_wdm end_ntddk end_nthal end_ntifs // // used for password manipulations // typedef struct _SECURITY_SEED_AND_LENGTH { UCHAR Length; UCHAR Seed; } SECURITY_SEED_AND_LENGTH, *PSECURITY_SEED_AND_LENGTH; //////////////////////////////////////////////////////////////////////// // // // Security System Service Defnitions // // // //////////////////////////////////////////////////////////////////////// // // Security check system services // NTSYSCALLAPI NTSTATUS NTAPI NtAccessCheck ( IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN HANDLE ClientToken, IN ACCESS_MASK DesiredAccess, IN PGENERIC_MAPPING GenericMapping, OUT PPRIVILEGE_SET PrivilegeSet, IN OUT PULONG PrivilegeSetLength, OUT PACCESS_MASK GrantedAccess, OUT PNTSTATUS AccessStatus ); NTSYSCALLAPI NTSTATUS NTAPI NtAccessCheckByType ( IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID PrincipalSelfSid, IN HANDLE ClientToken, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE_LIST ObjectTypeList, IN ULONG ObjectTypeListLength, IN PGENERIC_MAPPING GenericMapping, OUT PPRIVILEGE_SET PrivilegeSet, IN OUT PULONG PrivilegeSetLength, OUT PACCESS_MASK GrantedAccess, OUT PNTSTATUS AccessStatus ); NTSYSCALLAPI NTSTATUS NTAPI NtAccessCheckByTypeResultList ( IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID PrincipalSelfSid, IN HANDLE ClientToken, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE_LIST ObjectTypeList, IN ULONG ObjectTypeListLength, IN PGENERIC_MAPPING GenericMapping, OUT PPRIVILEGE_SET PrivilegeSet, IN OUT PULONG PrivilegeSetLength, OUT PACCESS_MASK GrantedAccess, OUT PNTSTATUS AccessStatus ); /////////////////////////////////////////////////////////////////////// // // // Token Object System Services // // // /////////////////////////////////////////////////////////////////////// NTSYSCALLAPI NTSTATUS NTAPI NtCreateToken( OUT PHANDLE TokenHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN TOKEN_TYPE TokenType, IN PLUID AuthenticationId, IN PLARGE_INTEGER ExpirationTime, IN PTOKEN_USER User, IN PTOKEN_GROUPS Groups, IN PTOKEN_PRIVILEGES Privileges, IN PTOKEN_OWNER Owner OPTIONAL, IN PTOKEN_PRIMARY_GROUP PrimaryGroup, IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL, IN PTOKEN_SOURCE TokenSource ); NTSYSCALLAPI NTSTATUS NTAPI NtCompareTokens( IN HANDLE FirstTokenHandle, IN HANDLE SecondTokenHandle, OUT PBOOLEAN Equal ); // begin_ntifs NTSYSCALLAPI NTSTATUS NTAPI NtOpenThreadToken( IN HANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN BOOLEAN OpenAsSelf, OUT PHANDLE TokenHandle ); NTSYSCALLAPI NTSTATUS NTAPI NtOpenThreadTokenEx( IN HANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN BOOLEAN OpenAsSelf, IN ULONG HandleAttributes, OUT PHANDLE TokenHandle ); NTSYSCALLAPI NTSTATUS NTAPI NtOpenProcessToken( IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, OUT PHANDLE TokenHandle ); NTSYSCALLAPI NTSTATUS NTAPI NtOpenProcessTokenEx( IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN ULONG HandleAttributes, OUT PHANDLE TokenHandle ); NTSYSAPI NTSTATUS NTAPI NtOpenJobObjectToken( IN HANDLE JobHandle, IN ACCESS_MASK DesiredAccess, OUT PHANDLE TokenHandle ); NTSYSCALLAPI NTSTATUS NTAPI NtDuplicateToken( IN HANDLE ExistingTokenHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN BOOLEAN EffectiveOnly, IN TOKEN_TYPE TokenType, OUT PHANDLE NewTokenHandle ); NTSYSCALLAPI NTSTATUS NTAPI NtFilterToken ( IN HANDLE ExistingTokenHandle, IN ULONG Flags, IN PTOKEN_GROUPS SidsToDisable OPTIONAL, IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL, IN PTOKEN_GROUPS RestrictedSids OPTIONAL, OUT PHANDLE NewTokenHandle ); NTSYSCALLAPI NTSTATUS NTAPI NtImpersonateAnonymousToken( IN HANDLE ThreadHandle ); NTSYSCALLAPI NTSTATUS NTAPI NtQueryInformationToken ( IN HANDLE TokenHandle, IN TOKEN_INFORMATION_CLASS TokenInformationClass, OUT PVOID TokenInformation, IN ULONG TokenInformationLength, OUT PULONG ReturnLength ); NTSYSCALLAPI NTSTATUS NTAPI NtSetInformationToken ( IN HANDLE TokenHandle, IN TOKEN_INFORMATION_CLASS TokenInformationClass, IN PVOID TokenInformation, IN ULONG TokenInformationLength ); NTSYSCALLAPI NTSTATUS NTAPI NtAdjustPrivilegesToken ( IN HANDLE TokenHandle, IN BOOLEAN DisableAllPrivileges, IN PTOKEN_PRIVILEGES NewState OPTIONAL, IN ULONG BufferLength OPTIONAL, OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL, OUT PULONG ReturnLength ); NTSYSCALLAPI NTSTATUS NTAPI NtAdjustGroupsToken ( IN HANDLE TokenHandle, IN BOOLEAN ResetToDefault, IN PTOKEN_GROUPS NewState OPTIONAL, IN ULONG BufferLength OPTIONAL, OUT PTOKEN_GROUPS PreviousState OPTIONAL, OUT PULONG ReturnLength ); NTSYSCALLAPI NTSTATUS NTAPI NtPrivilegeCheck ( IN HANDLE ClientToken, IN OUT PPRIVILEGE_SET RequiredPrivileges, OUT PBOOLEAN Result ); NTSYSCALLAPI NTSTATUS NTAPI NtAccessCheckAndAuditAlarm ( IN PUNICODE_STRING SubsystemName, IN PVOID HandleId, IN PUNICODE_STRING ObjectTypeName, IN PUNICODE_STRING ObjectName, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN ACCESS_MASK DesiredAccess, IN PGENERIC_MAPPING GenericMapping, IN BOOLEAN ObjectCreation, OUT PACCESS_MASK GrantedAccess, OUT PNTSTATUS AccessStatus, OUT PBOOLEAN GenerateOnClose ); NTSYSCALLAPI NTSTATUS NTAPI NtAccessCheckByTypeAndAuditAlarm ( IN PUNICODE_STRING SubsystemName, IN PVOID HandleId, IN PUNICODE_STRING ObjectTypeName, IN PUNICODE_STRING ObjectName, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID PrincipalSelfSid, IN ACCESS_MASK DesiredAccess, IN AUDIT_EVENT_TYPE AuditType, IN ULONG Flags, IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, IN ULONG ObjectTypeListLength, IN PGENERIC_MAPPING GenericMapping, IN BOOLEAN ObjectCreation, OUT PACCESS_MASK GrantedAccess, OUT PNTSTATUS AccessStatus, OUT PBOOLEAN GenerateOnClose ); NTSYSCALLAPI NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarm ( IN PUNICODE_STRING SubsystemName, IN PVOID HandleId, IN PUNICODE_STRING ObjectTypeName, IN PUNICODE_STRING ObjectName, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID PrincipalSelfSid, IN ACCESS_MASK DesiredAccess, IN AUDIT_EVENT_TYPE AuditType, IN ULONG Flags, IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, IN ULONG ObjectTypeListLength, IN PGENERIC_MAPPING GenericMapping, IN BOOLEAN ObjectCreation, OUT PACCESS_MASK GrantedAccess, OUT PNTSTATUS AccessStatus, OUT PBOOLEAN GenerateOnClose ); NTSYSCALLAPI NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarmByHandle ( IN PUNICODE_STRING SubsystemName, IN PVOID HandleId, IN HANDLE ClientToken, IN PUNICODE_STRING ObjectTypeName, IN PUNICODE_STRING ObjectName, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID PrincipalSelfSid, IN ACCESS_MASK DesiredAccess, IN AUDIT_EVENT_TYPE AuditType, IN ULONG Flags, IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, IN ULONG ObjectTypeListLength, IN PGENERIC_MAPPING GenericMapping, IN BOOLEAN ObjectCreation, OUT PACCESS_MASK GrantedAccess, OUT PNTSTATUS AccessStatus, OUT PBOOLEAN GenerateOnClose ); NTSYSCALLAPI NTSTATUS NTAPI NtOpenObjectAuditAlarm ( IN PUNICODE_STRING SubsystemName, IN PVOID HandleId OPTIONAL, IN PUNICODE_STRING ObjectTypeName, IN PUNICODE_STRING ObjectName, IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, IN HANDLE ClientToken, IN ACCESS_MASK DesiredAccess, IN ACCESS_MASK GrantedAccess, IN PPRIVILEGE_SET Privileges OPTIONAL, IN BOOLEAN ObjectCreation, IN BOOLEAN AccessGranted, OUT PBOOLEAN GenerateOnClose ); NTSYSCALLAPI NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm ( IN PUNICODE_STRING SubsystemName, IN PVOID HandleId, IN HANDLE ClientToken, IN ACCESS_MASK DesiredAccess, IN PPRIVILEGE_SET Privileges, IN BOOLEAN AccessGranted ); NTSYSCALLAPI NTSTATUS NTAPI NtCloseObjectAuditAlarm ( IN PUNICODE_STRING SubsystemName, IN PVOID HandleId, IN BOOLEAN GenerateOnClose ); NTSYSCALLAPI NTSTATUS NTAPI NtDeleteObjectAuditAlarm ( IN PUNICODE_STRING SubsystemName, IN PVOID HandleId, IN BOOLEAN GenerateOnClose ); NTSYSCALLAPI NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm ( IN PUNICODE_STRING SubsystemName, IN PUNICODE_STRING ServiceName, IN HANDLE ClientToken, IN PPRIVILEGE_SET Privileges, IN BOOLEAN AccessGranted ); // end_ntifs #ifdef __cplusplus } #endif #endif // _NTSEAPI_