/*
 * Access masks used when this file builds DACLs for the default window
 * station and its desktops.  Each *_LIMITED mask is a strict subset of the
 * corresponding *_ALL mask; which principal (Winlogon, Administrators,
 * INTERACTIVE, NETWORK SERVICE, the logon user) receives which mask is
 * decided by the Create*Security()/Allow*AccessToUser() callers, not here.
 */

/*
 * Full desktop access: every DESKTOP_* object right plus
 * STANDARD_RIGHTS_REQUIRED (per the Win32 SDK: DELETE | READ_CONTROL |
 * WRITE_DAC | WRITE_OWNER).  Note that WRITE_DAC/WRITE_OWNER let the
 * grantee rewrite the desktop's DACL, so this mask is effectively
 * "owner" level access.
 */
#define DESKTOP_ALL (DESKTOP_READOBJECTS | DESKTOP_CREATEWINDOW | \
    DESKTOP_CREATEMENU | DESKTOP_HOOKCONTROL | DESKTOP_JOURNALRECORD | \
    DESKTOP_JOURNALPLAYBACK | DESKTOP_ENUMERATE | DESKTOP_WRITEOBJECTS | \
    DESKTOP_SWITCHDESKTOP | STANDARD_RIGHTS_REQUIRED)

/*
 * Reduced desktop rights: read/write objects, create windows and menus,
 * enumerate.  Deliberately omits DESKTOP_HOOKCONTROL, DESKTOP_JOURNALRECORD,
 * DESKTOP_JOURNALPLAYBACK, DESKTOP_SWITCHDESKTOP and all standard rights, so
 * the grantee can neither install hooks/journal input nor change the DACL.
 */
#define DESKTOP_ADMINS_LIMITED (DESKTOP_WRITEOBJECTS | DESKTOP_READOBJECTS | \
    DESKTOP_CREATEWINDOW | DESKTOP_CREATEMENU | DESKTOP_ENUMERATE)

/*
 * Read-mostly desktop rights: STANDARD_RIGHTS_READ plus enumerate, read
 * objects and create windows.  No DESKTOP_WRITEOBJECTS, no hook/journal
 * rights and no WRITE_DAC/WRITE_OWNER.
 */
#define DESKTOP_INTERACTIVE_LIMITED (STANDARD_RIGHTS_READ | DESKTOP_ENUMERATE | \
    DESKTOP_READOBJECTS | DESKTOP_CREATEWINDOW)

/*
 * Only DESKTOP_ENUMERATE among the object-specific rights, but combined with
 * STANDARD_RIGHTS_REQUIRED -- i.e. the grantee may still change the DACL and
 * owner of the desktop even though it cannot read or write its objects.
 */
#define DESKTOP_WINLOGON_ADMINS_LIMITED (STANDARD_RIGHTS_REQUIRED | DESKTOP_ENUMERATE)

/*
 * Full window station access: every WINSTA_* object right plus
 * STANDARD_RIGHTS_REQUIRED (see the DESKTOP_ALL note on WRITE_DAC/WRITE_OWNER).
 */
#define WINSTA_ALL (WINSTA_ENUMDESKTOPS | WINSTA_READATTRIBUTES | \
    WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP | \
    WINSTA_WRITEATTRIBUTES | WINSTA_ACCESSGLOBALATOMS | \
    WINSTA_EXITWINDOWS | WINSTA_ENUMERATE | WINSTA_READSCREEN | \
    STANDARD_RIGHTS_REQUIRED)

/*
 * Minimal window station rights: read attributes and enumerate only.  No
 * clipboard, global atom, screen-read, desktop-creation or standard rights.
 */
#define WINSTA_ADMINS_LIMITED (WINSTA_READATTRIBUTES | WINSTA_ENUMERATE)

/*
 * Union of all four generic rights.  NOTE(review): generic bits placed in an
 * ACE are resolved through the object type's generic mapping at access-check
 * time, so an ACE carrying this mask amounts to full access on the object;
 * confirm at each use site that this is the intended grant.
 */
#define GENERIC_ACCESS (GENERIC_READ | GENERIC_WRITE | \
    GENERIC_EXECUTE | GENERIC_ALL)
68 DWORD DescriptorLength = 0;
73 ERR(
"ConvertToSelfRelative(): Unexpected error code (error code %lu -- must be ERROR_INSUFFICIENT_BUFFER)\n",
GetLastError());
81 if (RelativeSd ==
NULL)
83 ERR(
"ConvertToSelfRelative(): Failed to allocate buffer for relative SD!\n");
90 ERR(
"ConvertToSelfRelative(): Failed to convert the security descriptor to a self relative format (error code %lu)\n",
GetLastError());
129 ERR(
"CreateWinstaSecurity(): Failed to create the Winlogon SID (error code %lu)\n",
GetLastError());
141 ERR(
"CreateWinstaSecurity(): Failed to create the admins SID (error code %lu)\n",
GetLastError());
152 ERR(
"CreateWinstaSecurity(): Failed to create the network service SID (error code %lu)\n",
GetLastError());
208 ERR(
"CreateWinstaSecurity(): Failed to allocate memory buffer for DACL!\n");
215 ERR(
"CreateWinstaSecurity(): Failed to initialize DACL (error code %lu)\n",
GetLastError());
226 ERR(
"CreateWinstaSecurity(): Failed to set ACE for Winlogon (error code %lu)\n",
GetLastError());
237 ERR(
"CreateWinstaSecurity(): Failed to set ACE for Winlogon (error code %lu)\n",
GetLastError());
248 ERR(
"CreateWinstaSecurity(): Failed to set ACE for admins (error code %lu)\n",
GetLastError());
259 ERR(
"CreateWinstaSecurity(): Failed to set ACE for admins (error code %lu)\n",
GetLastError());
270 ERR(
"CreateWinstaSecurity(): Failed to set ACE for network service (error code %lu)\n",
GetLastError());
281 ERR(
"CreateWinstaSecurity(): Failed to set ACE for network service (error code %lu)\n",
GetLastError());
288 ERR(
"CreateWinstaSecurity(): Failed to initialize absolute security descriptor (error code %lu)\n",
GetLastError());
295 ERR(
"CreateWinstaSecurity(): Failed to set up DACL to absolute security descriptor (error code %lu)\n",
GetLastError());
301 if (RelativeSd ==
NULL)
303 ERR(
"CreateWinstaSecurity(): Failed to convert security descriptor to self relative format!\n");
308 *WinstaSd = RelativeSd;
312 if (WinlogonSid !=
NULL)
317 if (AdminsSid !=
NULL)
336 if (RelativeSd !=
NULL)
376 ERR(
"CreateApplicationDesktopSecurity(): Failed to create the Winlogon SID (error code %lu)\n",
GetLastError());
388 ERR(
"CreateApplicationDesktopSecurity(): Failed to create the admins SID (error code %lu)\n",
GetLastError());
399 ERR(
"CreateApplicationDesktopSecurity(): Failed to create the network service SID (error code %lu)\n",
GetLastError());
420 ERR(
"CreateApplicationDesktopSecurity(): Failed to allocate memory buffer for DACL!\n");
427 ERR(
"CreateApplicationDesktopSecurity(): Failed to initialize DACL (error code %lu)\n",
GetLastError());
438 ERR(
"CreateApplicationDesktopSecurity(): Failed to set ACE for Winlogon (error code %lu)\n",
GetLastError());
449 ERR(
"CreateApplicationDesktopSecurity(): Failed to set ACE for admins (error code %lu)\n",
GetLastError());
460 ERR(
"CreateApplicationDesktopSecurity(): Failed to set ACE for network services (error code %lu)\n",
GetLastError());
467 ERR(
"CreateApplicationDesktopSecurity(): Failed to initialize absolute security descriptor (error code %lu)\n",
GetLastError());
474 ERR(
"CreateApplicationDesktopSecurity(): Failed to set up DACL to absolute security descriptor (error code %lu)\n",
GetLastError());
480 if (RelativeSd ==
NULL)
482 ERR(
"CreateApplicationDesktopSecurity(): Failed to convert security descriptor to self relative format!\n");
487 *ApplicationDesktopSd = RelativeSd;
491 if (WinlogonSid !=
NULL)
496 if (AdminsSid !=
NULL)
515 if (RelativeSd !=
NULL)
558 ERR(
"CreateWinlogonDesktopSecurity(): Failed to create the Winlogon SID (error code %lu)\n",
GetLastError());
570 ERR(
"CreateWinlogonDesktopSecurity(): Failed to create the admins SID (error code %lu)\n",
GetLastError());
590 ERR(
"CreateWinlogonDesktopSecurity(): Failed to allocate memory buffer for DACL!\n");
597 ERR(
"CreateWinlogonDesktopSecurity(): Failed to initialize DACL (error code %lu)\n",
GetLastError());
608 ERR(
"CreateWinlogonDesktopSecurity(): Failed to set ACE for Winlogon (error code %lu)\n",
GetLastError());
619 ERR(
"CreateWinlogonDesktopSecurity(): Failed to set ACE for admins (error code %lu)\n",
GetLastError());
626 ERR(
"CreateWinlogonDesktopSecurity(): Failed to initialize absolute security descriptor (error code %lu)\n",
GetLastError());
633 ERR(
"CreateWinlogonDesktopSecurity(): Failed to set up DACL to absolute security descriptor (error code %lu)\n",
GetLastError());
639 if (RelativeSd ==
NULL)
641 ERR(
"CreateWinlogonDesktopSecurity(): Failed to convert security descriptor to self relative format!\n");
646 *WinlogonDesktopSd = RelativeSd;
650 if (WinlogonSid !=
NULL)
655 if (AdminsSid !=
NULL)
667 if (RelativeSd !=
NULL)
707 ERR(
"CreateScreenSaverSecurity(): Failed to create the Winlogon SID (error code %lu)\n",
GetLastError());
719 ERR(
"CreateScreenSaverSecurity(): Failed to create the admins SID (error code %lu)\n",
GetLastError());
730 ERR(
"CreateScreenSaverSecurity(): Failed to create the interactive SID (error code %lu)\n",
GetLastError());
753 ERR(
"CreateScreenSaverSecurity(): Failed to allocate memory buffer for DACL!\n");
760 ERR(
"CreateScreenSaverSecurity(): Failed to initialize DACL (error code %lu)\n",
GetLastError());
771 ERR(
"CreateScreenSaverSecurity(): Failed to set ACE for Winlogon (error code %lu)\n",
GetLastError());
782 ERR(
"CreateScreenSaverSecurity(): Failed to set ACE for admins (error code %lu)\n",
GetLastError());
793 ERR(
"CreateScreenSaverSecurity(): Failed to set ACE for interactive SID (error code %lu)\n",
GetLastError());
800 ERR(
"CreateScreenSaverSecurity(): Failed to initialize absolute security descriptor (error code %lu)\n",
GetLastError());
807 ERR(
"CreateScreenSaverSecurity(): Failed to set up DACL to absolute security descriptor (error code %lu)\n",
GetLastError());
813 if (RelativeSd ==
NULL)
815 ERR(
"CreateScreenSaverSecurity(): Failed to convert security descriptor to self relative format!\n");
820 *ScreenSaverDesktopSd = RelativeSd;
824 if (WinlogonSid !=
NULL)
829 if (AdminsSid !=
NULL)
846 if (RelativeSd !=
NULL)
893 ERR(
"AllowWinstaAccessToUser(): Failed to create the Winlogon SID (error code %lu)\n",
GetLastError());
905 ERR(
"AllowWinstaAccessToUser(): Failed to create the admins SID (error code %lu)\n",
GetLastError());
916 ERR(
"AllowWinstaAccessToUser(): Failed to create the interactive SID (error code %lu)\n",
GetLastError());
927 ERR(
"AllowWinstaAccessToUser(): Failed to create the network service SID (error code %lu)\n",
GetLastError());
957 ERR(
"AllowWinstaAccessToUser(): Failed to allocate memory buffer for DACL!\n");
964 ERR(
"AllowWinstaAccessToUser(): Failed to initialize DACL (error code %lu)\n",
GetLastError());
975 ERR(
"AllowWinstaAccessToUser(): Failed to set ACE for Winlogon (error code %lu)\n",
GetLastError());
986 ERR(
"AllowWinstaAccessToUser(): Failed to set ACE for Winlogon (error code %lu)\n",
GetLastError());
997 ERR(
"AllowWinstaAccessToUser(): Failed to set ACE for admins (error code %lu)\n",
GetLastError());
1008 ERR(
"AllowWinstaAccessToUser(): Failed to set ACE for admins (error code %lu)\n",
GetLastError());
1019 ERR(
"AllowWinstaAccessToUser(): Failed to set ACE for interactive SID (error code %lu)\n",
GetLastError());
1030 ERR(
"AllowWinstaAccessToUser(): Failed to set ACE for interactive SID (error code %lu)\n",
GetLastError());
1041 ERR(
"AllowWinstaAccessToUser(): Failed to set ACE for logon user SID (error code %lu)\n",
GetLastError());
1052 ERR(
"AllowWinstaAccessToUser(): Failed to set ACE for logon user SID (error code %lu)\n",
GetLastError());
1063 ERR(
"AllowWinstaAccessToUser(): Failed to set ACE for logon network service SID (error code %lu)\n",
GetLastError());
1074 ERR(
"AllowWinstaAccessToUser(): Failed to set ACE for network service SID (error code %lu)\n",
GetLastError());
1081 ERR(
"AllowWinstaAccessToUser(): Failed to initialize absolute security descriptor (error code %lu)\n",
GetLastError());
1088 ERR(
"AllowWinstaAccessToUser(): Failed to set up DACL to absolute security descriptor (error code %lu)\n",
GetLastError());
1094 if (RelativeSd ==
NULL)
1096 ERR(
"AllowWinstaAccessToUser(): Failed to convert security descriptor to self relative format!\n");
1104 ERR(
"AllowWinstaAccessToUser(): Failed to set window station security descriptor (error code %lu)\n",
GetLastError());
1111 if (WinlogonSid !=
NULL)
1116 if (AdminsSid !=
NULL)
1138 if (RelativeSd !=
NULL)
1181 0, 0, 0, 0, 0, 0, 0,
1184 ERR(
"AllowDesktopAccessToUser(): Failed to create the Winlogon SID (error code %lu)\n",
GetLastError());
1196 ERR(
"AllowDesktopAccessToUser(): Failed to create the admins SID (error code %lu)\n",
GetLastError());
1204 0, 0, 0, 0, 0, 0, 0,
1207 ERR(
"AllowDesktopAccessToUser(): Failed to create the interactive SID (error code %lu)\n",
GetLastError());
1215 0, 0, 0, 0, 0, 0, 0,
1218 ERR(
"AllowDesktopAccessToUser(): Failed to create the network service SID (error code %lu)\n",
GetLastError());
1243 ERR(
"AllowDesktopAccessToUser(): Failed to allocate memory buffer for DACL!\n");
1250 ERR(
"AllowDesktopAccessToUser(): Failed to initialize DACL (error code %lu)\n",
GetLastError());
1261 ERR(
"AllowDesktopAccessToUser(): Failed to set ACE for Winlogon (error code %lu)\n",
GetLastError());
1272 ERR(
"AllowDesktopAccessToUser(): Failed to set ACE for admins (error code %lu)\n",
GetLastError());
1283 ERR(
"AllowDesktopAccessToUser(): Failed to set ACE for interactive SID (error code %lu)\n",
GetLastError());
1294 ERR(
"AllowDesktopAccessToUser(): Failed to set ACE for logon user SID (error code %lu)\n",
GetLastError());
1305 ERR(
"AllowDesktopAccessToUser(): Failed to set ACE for network service SID (error code %lu)\n",
GetLastError());
1312 ERR(
"AllowDesktopAccessToUser(): Failed to initialize absolute security descriptor (error code %lu)\n",
GetLastError());
1319 ERR(
"AllowDesktopAccessToUser(): Failed to set up DACL to absolute security descriptor (error code %lu)\n",
GetLastError());
1325 if (RelativeSd ==
NULL)
1327 ERR(
"AllowDesktopAccessToUser(): Failed to convert security descriptor to self relative format!\n");
1335 ERR(
"AllowDesktopAccessToUser(): Failed to set desktop security descriptor (error code %lu)\n",
GetLastError());
1342 if (WinlogonSid !=
NULL)
1347 if (AdminsSid !=
NULL)
1369 if (RelativeSd !=
NULL)
1408 ERR(
"AllowAccessOnSession(): Unexpected error code returned, must be ERROR_INSUFFICIENT_BUFFER (error code %lu)\n",
GetLastError());
1413 if (TokenGroup ==
NULL)
1415 ERR(
"AllowAccessOnSession(): Failed to allocate memory buffer for token group!\n");
1427 ERR(
"AllowAccessOnSession(): Failed to retrieve the token group information (error code %lu)\n",
GetLastError());
1445 ERR(
"AllowAccessOnSession(): Failed to allow winsta access to the logon user!\n");
1452 ERR(
"AllowAccessOnSession(): Failed to allow application desktop access to the logon user!\n");
1465 ERR(
"AllowAccessOnSession(): Failed to assign the window station to the logon user!\n");
1472 if (TokenGroup !=
NULL)
#define DESKTOP_WINLOGON_ADMINS_LIMITED
#define DESKTOP_ADMINS_LIMITED
BOOL AllowWinstaAccessToUser(_In_ HWINSTA WinSta, _In_ PSID LogonSid)
Assigns access to the specific logon user to the default window station. Such access is given to the ...
BOOL CreateApplicationDesktopSecurity(_Out_ PSECURITY_DESCRIPTOR *ApplicationDesktopSd)
Creates a security descriptor for the default application desktop upon its creation.
PSECURITY_DESCRIPTOR ConvertToSelfRelative(_In_ PSECURITY_DESCRIPTOR AbsoluteSd)
Converts an absolute security descriptor to a self-relative format.
#define WINSTA_ADMINS_LIMITED
BOOL CreateWinstaSecurity(_Out_ PSECURITY_DESCRIPTOR *WinstaSd)
Creates a security descriptor for the default window station upon its creation.
static SID_IDENTIFIER_AUTHORITY NtAuthority
BOOL AllowDesktopAccessToUser(_In_ HDESK Desktop, _In_ PSID LogonSid)
Assigns access to the specific logon user to the default desktop. Such access is given to the user wh...
BOOL CreateWinlogonDesktopSecurity(_Out_ PSECURITY_DESCRIPTOR *WinlogonDesktopSd)
Creates a security descriptor for the default Winlogon desktop. This descriptor serves as a security ...
BOOL AllowAccessOnSession(_In_ PWLSESSION Session)
Assigns both window station and desktop access to the specific session currently active on the system...
#define DESKTOP_INTERACTIVE_LIMITED
BOOL CreateScreenSaverSecurity(_Out_ PSECURITY_DESCRIPTOR *ScreenSaverDesktopSd)
Creates a security descriptor for the screen saver desktop.