1 /******************************************************************************
2 * Security Manager Types *
3 ******************************************************************************/
/* Opaque pointer to a security descriptor. Callers only see PVOID; the two
   concrete layouts (SECURITY_DESCRIPTOR and SECURITY_DESCRIPTOR_RELATIVE)
   are declared further down in this header. */
typedef PVOID PSECURITY_DESCRIPTOR;
/* Bit set naming which parts of a security descriptor an operation refers
   to; built from the *_SECURITY_INFORMATION flags declared below. */
typedef ULONG SECURITY_INFORMATION, *PSECURITY_INFORMATION;
/* 32-bit access-rights mask. The low 16 bits are object-specific rights
   (SPECIFIC_RIGHTS_ALL); the standard, system-security and generic rights
   occupy the upper bits (DELETE .. GENERIC_ALL below). */
typedef ULONG ACCESS_MASK, *PACCESS_MASK;
12 $
if (_WDMDDK_
|| _WINNT_
)
14 typedef PVOID PACCESS_TOKEN
;
17 $
endif (_WDMDDK_
|| _WINNT_
)
/* Standard rights: bits 16-20 of an ACCESS_MASK, common to every object type. */
#define DELETE 0x00010000L
#define READ_CONTROL 0x00020000L
#define WRITE_DAC 0x00040000L
#define WRITE_OWNER 0x00080000L
#define SYNCHRONIZE 0x00100000L
/* DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER, i.e. everything except SYNCHRONIZE. */
#define STANDARD_RIGHTS_REQUIRED 0x000F0000L
/* The read/write/execute standard-rights subsets all reduce to READ_CONTROL. */
#define STANDARD_RIGHTS_READ READ_CONTROL
#define STANDARD_RIGHTS_WRITE READ_CONTROL
#define STANDARD_RIGHTS_EXECUTE READ_CONTROL
/* STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE. */
#define STANDARD_RIGHTS_ALL 0x001F0000L
/* Object-type-specific rights live in the low 16 bits. */
#define SPECIFIC_RIGHTS_ALL 0x0000FFFFL
/* Bit 24 (conventionally the right needed to touch the SACL) and bit 25
   (ask for every right the DACL would grant) sit between the standard and
   the generic rights. */
#define ACCESS_SYSTEM_SECURITY 0x01000000L
#define MAXIMUM_ALLOWED 0x02000000L
/* Generic rights occupy the top four bits; a GENERIC_MAPPING (below)
   translates each of them into an object-specific mask. */
#define GENERIC_READ 0x80000000L
#define GENERIC_WRITE 0x40000000L
#define GENERIC_EXECUTE 0x20000000L
#define GENERIC_ALL 0x10000000L
/* Per-object-type translation table: the specific ACCESS_MASK that each of
   the four GENERIC_* rights expands to for that type of object. */
typedef struct _GENERIC_MAPPING {
  ACCESS_MASK GenericRead;    /* substituted for GENERIC_READ */
  ACCESS_MASK GenericWrite;   /* substituted for GENERIC_WRITE */
  ACCESS_MASK GenericExecute; /* substituted for GENERIC_EXECUTE */
  ACCESS_MASK GenericAll;     /* substituted for GENERIC_ALL */
} GENERIC_MAPPING, *PGENERIC_MAPPING;
/* ACL revision numbers. ACL_REVISION is the ordinary revision; ACL_REVISION_DS
   is the revision used for ACLs carrying object (directory-service) ACEs. */
#define ACL_REVISION 2
#define ACL_REVISION_DS 4
#define ACL_REVISION1 1
#define ACL_REVISION2 2
#define ACL_REVISION3 3
#define ACL_REVISION4 4
/* Accepted range; note that ACL_REVISION1 falls below MIN_ACL_REVISION. */
#define MIN_ACL_REVISION ACL_REVISION2
#define MAX_ACL_REVISION ACL_REVISION4
/* Current security descriptor revision value */
#define SECURITY_DESCRIPTOR_REVISION (1)
#define SECURITY_DESCRIPTOR_REVISION1 (1)
/* Privilege attributes (the Attributes half of a LUID_AND_ATTRIBUTES pair). */
#define SE_PRIVILEGE_ENABLED_BY_DEFAULT (0x00000001L)
#define SE_PRIVILEGE_ENABLED (0x00000002L)
/* Upper-case 0X is legal C; kept as written in the reference header. */
#define SE_PRIVILEGE_REMOVED (0X00000004L)
/* High bit, deliberately far from the three low-order state bits. */
#define SE_PRIVILEGE_USED_FOR_ACCESS (0x80000000L)
/* Union of every defined attribute bit; use it to reject unknown bits. */
#define SE_PRIVILEGE_VALID_ATTRIBUTES (SE_PRIVILEGE_ENABLED_BY_DEFAULT | \
                                       SE_PRIVILEGE_ENABLED | \
                                       SE_PRIVILEGE_REMOVED | \
                                       SE_PRIVILEGE_USED_FOR_ACCESS)
79 typedef struct _LUID_AND_ATTRIBUTES
{
82 } LUID_AND_ATTRIBUTES
, *PLUID_AND_ATTRIBUTES
;
/* Open-ended array of privilege/attribute pairs. ANYSIZE_ARRAY marks a
   trailing array whose real element count is carried separately by the
   enclosing structure (see PRIVILEGE_SET and TOKEN_PRIVILEGES). */
typedef LUID_AND_ATTRIBUTES LUID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY];
typedef LUID_AND_ATTRIBUTES_ARRAY *PLUID_AND_ATTRIBUTES_ARRAY;
/* PRIVILEGE_SET control flag (presumably its Control field): every listed
   privilege is required, not just any one of them. */
#define PRIVILEGE_SET_ALL_NECESSARY (1)
91 typedef struct _PRIVILEGE_SET
{
94 LUID_AND_ATTRIBUTES Privilege
[ANYSIZE_ARRAY
];
95 } PRIVILEGE_SET
,*PPRIVILEGE_SET
;
98 $
if(_WDMDDK_
|| _WINNT_
)
100 typedef enum _SECURITY_IMPERSONATION_LEVEL
{
102 SecurityIdentification
,
103 SecurityImpersonation
,
105 } SECURITY_IMPERSONATION_LEVEL
, * PSECURITY_IMPERSONATION_LEVEL
;
107 $
endif (_WDMDDK_
|| _WINNT_
)
/* Bounds of SECURITY_IMPERSONATION_LEVEL; SecurityAnonymous and
   SecurityDelegation are the first and last enumerators of that enum. */
#define SECURITY_MAX_IMPERSONATION_LEVEL SecurityDelegation
#define SECURITY_MIN_IMPERSONATION_LEVEL SecurityAnonymous
#define DEFAULT_IMPERSONATION_LEVEL SecurityImpersonation
/* Inclusive range check. The argument is fully parenthesised, so an
   expression can be passed safely. */
#define VALID_IMPERSONATION_LEVEL(Level) (((Level) >= SECURITY_MIN_IMPERSONATION_LEVEL) && ((Level) <= SECURITY_MAX_IMPERSONATION_LEVEL))
/* The two values of SECURITY_CONTEXT_TRACKING_MODE (a BOOLEAN, declared below). */
#define SECURITY_DYNAMIC_TRACKING (TRUE)
#define SECURITY_STATIC_TRACKING (FALSE)
119 $
if (_WDMDDK_
|| _WINNT_
)
121 typedef BOOLEAN SECURITY_CONTEXT_TRACKING_MODE
, *PSECURITY_CONTEXT_TRACKING_MODE
;
123 typedef struct _SECURITY_QUALITY_OF_SERVICE
{
125 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
;
126 SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode
;
127 BOOLEAN EffectiveOnly
;
128 } SECURITY_QUALITY_OF_SERVICE
, *PSECURITY_QUALITY_OF_SERVICE
;
130 typedef struct _SE_IMPERSONATION_STATE
{
133 BOOLEAN EffectiveOnly
;
134 SECURITY_IMPERSONATION_LEVEL Level
;
135 } SE_IMPERSONATION_STATE
, *PSE_IMPERSONATION_STATE
;
137 $
endif (_WDMDDK_
|| _WINNT_
)
/* SECURITY_INFORMATION bits: which parts of a security descriptor are
   being queried or set. */
#define OWNER_SECURITY_INFORMATION (0x00000001L)
#define GROUP_SECURITY_INFORMATION (0x00000002L)
#define DACL_SECURITY_INFORMATION (0x00000004L)
#define SACL_SECURITY_INFORMATION (0x00000008L)
#define LABEL_SECURITY_INFORMATION (0x00000010L)
/* High-order modifiers for DACL/SACL updates; they correspond to the
   SE_DACL_PROTECTED / SE_SACL_PROTECTED control bits declared below. */
#define PROTECTED_DACL_SECURITY_INFORMATION (0x80000000L)
#define PROTECTED_SACL_SECURITY_INFORMATION (0x40000000L)
#define UNPROTECTED_DACL_SECURITY_INFORMATION (0x20000000L)
#define UNPROTECTED_SACL_SECURITY_INFORMATION (0x10000000L)
/* Which security-descriptor operation a caller is requesting. */
typedef enum _SECURITY_OPERATION_CODE {
  SetSecurityDescriptor,
  QuerySecurityDescriptor,
  DeleteSecurityDescriptor,
  AssignSecurityDescriptor
} SECURITY_OPERATION_CODE, *PSECURITY_OPERATION_CODE;
/* Fixed capacity of INITIAL_PRIVILEGE_SET.Privilege (embedded in ACCESS_STATE). */
#define INITIAL_PRIVILEGE_COUNT 3
160 typedef struct _INITIAL_PRIVILEGE_SET
{
161 ULONG PrivilegeCount
;
163 LUID_AND_ATTRIBUTES Privilege
[INITIAL_PRIVILEGE_COUNT
];
164 } INITIAL_PRIVILEGE_SET
, * PINITIAL_PRIVILEGE_SET
;
/* Well-known privilege values, contiguous from SE_MIN_WELL_KNOWN_PRIVILEGE (2)
   to SE_MAX_WELL_KNOWN_PRIVILEGE (35). SE_EXPORTS below carries the LUID for
   each of them. SE_UNSOLICITED_INPUT_PRIVILEGE, defined later in this header,
   reuses the value 6 of SE_MACHINE_ACCOUNT_PRIVILEGE. */
#define SE_MIN_WELL_KNOWN_PRIVILEGE 2
#define SE_CREATE_TOKEN_PRIVILEGE 2
#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE 3
#define SE_LOCK_MEMORY_PRIVILEGE 4
#define SE_INCREASE_QUOTA_PRIVILEGE 5
#define SE_MACHINE_ACCOUNT_PRIVILEGE 6
#define SE_TCB_PRIVILEGE 7
#define SE_SECURITY_PRIVILEGE 8
#define SE_TAKE_OWNERSHIP_PRIVILEGE 9
#define SE_LOAD_DRIVER_PRIVILEGE 10
#define SE_SYSTEM_PROFILE_PRIVILEGE 11
#define SE_SYSTEMTIME_PRIVILEGE 12
#define SE_PROF_SINGLE_PROCESS_PRIVILEGE 13
#define SE_INC_BASE_PRIORITY_PRIVILEGE 14
#define SE_CREATE_PAGEFILE_PRIVILEGE 15
#define SE_CREATE_PERMANENT_PRIVILEGE 16
#define SE_BACKUP_PRIVILEGE 17
#define SE_RESTORE_PRIVILEGE 18
#define SE_SHUTDOWN_PRIVILEGE 19
#define SE_DEBUG_PRIVILEGE 20
#define SE_AUDIT_PRIVILEGE 21
#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE 22
#define SE_CHANGE_NOTIFY_PRIVILEGE 23
#define SE_REMOTE_SHUTDOWN_PRIVILEGE 24
#define SE_UNDOCK_PRIVILEGE 25
#define SE_SYNC_AGENT_PRIVILEGE 26
#define SE_ENABLE_DELEGATION_PRIVILEGE 27
#define SE_MANAGE_VOLUME_PRIVILEGE 28
#define SE_IMPERSONATE_PRIVILEGE 29
#define SE_CREATE_GLOBAL_PRIVILEGE 30
#define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE 31
#define SE_RELABEL_PRIVILEGE 32
#define SE_INC_WORKING_SET_PRIVILEGE 33
#define SE_TIME_ZONE_PRIVILEGE 34
#define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE 35
/* Keep in step with the last entry above when a privilege is added. */
#define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_SYMBOLIC_LINK_PRIVILEGE
/* Captured security identity of the subject (the caller) of an access check;
   embedded in ACCESS_STATE below. */
typedef struct _SECURITY_SUBJECT_CONTEXT {
  PACCESS_TOKEN ClientToken;                       /* impersonation token; presumably NULL when not impersonating -- confirm against users */
  SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; /* level at which ClientToken may be used */
  PACCESS_TOKEN PrimaryToken;                      /* the process's own token */
  PVOID ProcessAuditId;                            /* opaque identifier used for auditing */
} SECURITY_SUBJECT_CONTEXT, *PSECURITY_SUBJECT_CONTEXT;
210 typedef struct _ACCESS_STATE
{
212 BOOLEAN SecurityEvaluated
;
213 BOOLEAN GenerateAudit
;
214 BOOLEAN GenerateOnClose
;
215 BOOLEAN PrivilegesAllocated
;
217 ACCESS_MASK RemainingDesiredAccess
;
218 ACCESS_MASK PreviouslyGrantedAccess
;
219 ACCESS_MASK OriginalDesiredAccess
;
220 SECURITY_SUBJECT_CONTEXT SubjectSecurityContext
;
221 PSECURITY_DESCRIPTOR SecurityDescriptor
;
224 INITIAL_PRIVILEGE_SET InitialPrivilegeSet
;
225 PRIVILEGE_SET PrivilegeSet
;
227 BOOLEAN AuditPrivileges
;
228 UNICODE_STRING ObjectName
;
229 UNICODE_STRING ObjectTypeName
;
230 } ACCESS_STATE
, *PACCESS_STATE
;
233 (NTAPI
*PNTFS_DEREF_EXPORTED_SECURITY_DESCRIPTOR
)(
235 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
);
239 #ifndef _NTLSA_AUDIT_
240 #define _NTLSA_AUDIT_
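/* Capacity of SE_ADT_PARAMETER_ARRAY.Parameters: 32 slots in total, of which
   at most 28 may be generic parameters. */
#define SE_MAX_AUDIT_PARAMETERS 32
#define SE_MAX_GENERIC_AUDIT_PARAMETERS 28
/* SE_ADT_OBJECT_TYPE flag. */
#define SE_ADT_OBJECT_ONLY 0x1
/* Flags for an audit parameter array (SE_ADT_PARAMETERS_*) and, presumably,
   for individual entries (SE_ADT_PARAMETER_*); the naming is the only hint. */
#define SE_ADT_PARAMETERS_SELF_RELATIVE 0x00000001
#define SE_ADT_PARAMETERS_SEND_TO_LSA 0x00000002
#define SE_ADT_PARAMETER_EXTENSIBLE_AUDIT 0x00000004
#define SE_ADT_PARAMETER_GENERIC_AUDIT 0x00000008
#define SE_ADT_PARAMETER_WRITE_SYNCHRONOUS 0x00000010
/* Bytes actually occupied by a SE_ADT_PARAMETER_ARRAY holding
   Parameters->ParameterCount entries: the whole structure minus the unused
   trailing Parameters[] slots. The macro argument is parenthesised so that an
   expression (a cast, an array element, ...) can be passed without changing
   operator precedence; a bare identifier expands exactly as before. */
#define LSAP_SE_ADT_PARAMETER_ARRAY_TRUE_SIZE(Parameters) \
  ( sizeof(SE_ADT_PARAMETER_ARRAY) - sizeof(SE_ADT_PARAMETER_ARRAY_ENTRY) * \
    (SE_MAX_AUDIT_PARAMETERS - (Parameters)->ParameterCount) )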
257 typedef enum _SE_ADT_PARAMETER_TYPE
{
258 SeAdtParmTypeNone
= 0,
260 SeAdtParmTypeFileSpec
,
263 SeAdtParmTypeLogonId
,
264 SeAdtParmTypeNoLogonId
,
265 SeAdtParmTypeAccessMask
,
267 SeAdtParmTypeObjectTypes
,
268 SeAdtParmTypeHexUlong
,
273 SeAdtParmTypeHexInt64
,
274 SeAdtParmTypeStringList
,
275 SeAdtParmTypeSidList
,
276 SeAdtParmTypeDuration
,
277 SeAdtParmTypeUserAccountControl
,
279 SeAdtParmTypeMessage
,
280 SeAdtParmTypeDateTime
,
281 SeAdtParmTypeSockAddr
,
283 SeAdtParmTypeLogonHours
,
284 SeAdtParmTypeLogonIdNoSid
,
285 SeAdtParmTypeUlongNoConv
,
286 SeAdtParmTypeSockAddrNoPort
,
287 SeAdtParmTypeAccessReason
288 } SE_ADT_PARAMETER_TYPE
, *PSE_ADT_PARAMETER_TYPE
;
290 typedef struct _SE_ADT_OBJECT_TYPE
{
294 ACCESS_MASK AccessMask
;
295 } SE_ADT_OBJECT_TYPE
, *PSE_ADT_OBJECT_TYPE
;
297 typedef struct _SE_ADT_PARAMETER_ARRAY_ENTRY
{
298 SE_ADT_PARAMETER_TYPE Type
;
302 } SE_ADT_PARAMETER_ARRAY_ENTRY
, *PSE_ADT_PARAMETER_ARRAY_ENTRY
;
304 typedef struct _SE_ADT_ACCESS_REASON
{
305 ACCESS_MASK AccessMask
;
306 ULONG AccessReasons
[32];
307 ULONG ObjectTypeIndex
;
309 PSECURITY_DESCRIPTOR SecurityDescriptor
;
310 } SE_ADT_ACCESS_REASON
, *PSE_ADT_ACCESS_REASON
;
312 typedef struct _SE_ADT_PARAMETER_ARRAY
{
315 ULONG ParameterCount
;
317 USHORT FlatSubCategoryId
;
320 SE_ADT_PARAMETER_ARRAY_ENTRY Parameters
[ SE_MAX_AUDIT_PARAMETERS
];
321 } SE_ADT_PARAMETER_ARRAY
, *PSE_ADT_PARAMETER_ARRAY
;
323 #endif /* !_NTLSA_AUDIT_ */
324 #endif /* !_NTLSA_IFS_ */
327 #define SE_UNSOLICITED_INPUT_PRIVILEGE 6
329 typedef enum _WELL_KNOWN_SID_TYPE
{
333 WinCreatorOwnerSid
= 3,
334 WinCreatorGroupSid
= 4,
335 WinCreatorOwnerServerSid
= 5,
336 WinCreatorGroupServerSid
= 6,
337 WinNtAuthoritySid
= 7,
341 WinInteractiveSid
= 11,
343 WinAnonymousSid
= 13,
345 WinEnterpriseControllersSid
= 15,
347 WinAuthenticatedUserSid
= 17,
348 WinRestrictedCodeSid
= 18,
349 WinTerminalServerSid
= 19,
350 WinRemoteLogonIdSid
= 20,
352 WinLocalSystemSid
= 22,
353 WinLocalServiceSid
= 23,
354 WinNetworkServiceSid
= 24,
355 WinBuiltinDomainSid
= 25,
356 WinBuiltinAdministratorsSid
= 26,
357 WinBuiltinUsersSid
= 27,
358 WinBuiltinGuestsSid
= 28,
359 WinBuiltinPowerUsersSid
= 29,
360 WinBuiltinAccountOperatorsSid
= 30,
361 WinBuiltinSystemOperatorsSid
= 31,
362 WinBuiltinPrintOperatorsSid
= 32,
363 WinBuiltinBackupOperatorsSid
= 33,
364 WinBuiltinReplicatorSid
= 34,
365 WinBuiltinPreWindows2000CompatibleAccessSid
= 35,
366 WinBuiltinRemoteDesktopUsersSid
= 36,
367 WinBuiltinNetworkConfigurationOperatorsSid
= 37,
368 WinAccountAdministratorSid
= 38,
369 WinAccountGuestSid
= 39,
370 WinAccountKrbtgtSid
= 40,
371 WinAccountDomainAdminsSid
= 41,
372 WinAccountDomainUsersSid
= 42,
373 WinAccountDomainGuestsSid
= 43,
374 WinAccountComputersSid
= 44,
375 WinAccountControllersSid
= 45,
376 WinAccountCertAdminsSid
= 46,
377 WinAccountSchemaAdminsSid
= 47,
378 WinAccountEnterpriseAdminsSid
= 48,
379 WinAccountPolicyAdminsSid
= 49,
380 WinAccountRasAndIasServersSid
= 50,
381 WinNTLMAuthenticationSid
= 51,
382 WinDigestAuthenticationSid
= 52,
383 WinSChannelAuthenticationSid
= 53,
384 WinThisOrganizationSid
= 54,
385 WinOtherOrganizationSid
= 55,
386 WinBuiltinIncomingForestTrustBuildersSid
= 56,
387 WinBuiltinPerfMonitoringUsersSid
= 57,
388 WinBuiltinPerfLoggingUsersSid
= 58,
389 WinBuiltinAuthorizationAccessSid
= 59,
390 WinBuiltinTerminalServerLicenseServersSid
= 60,
391 WinBuiltinDCOMUsersSid
= 61,
392 WinBuiltinIUsersSid
= 62,
394 WinBuiltinCryptoOperatorsSid
= 64,
395 WinUntrustedLabelSid
= 65,
397 WinMediumLabelSid
= 67,
398 WinHighLabelSid
= 68,
399 WinSystemLabelSid
= 69,
400 WinWriteRestrictedCodeSid
= 70,
401 WinCreatorOwnerRightsSid
= 71,
402 WinCacheablePrincipalsGroupSid
= 72,
403 WinNonCacheablePrincipalsGroupSid
= 73,
404 WinEnterpriseReadonlyControllersSid
= 74,
405 WinAccountReadonlyControllersSid
= 75,
406 WinBuiltinEventLogReadersGroup
= 76,
407 WinNewEnterpriseReadonlyControllersSid
= 77,
408 WinBuiltinCertSvcDComAccessGroup
= 78,
409 WinMediumPlusLabelSid
= 79,
410 WinLocalLogonSid
= 80,
411 WinConsoleLogonSid
= 81,
412 WinThisOrganizationCertificateSid
= 82,
413 } WELL_KNOWN_SID_TYPE
;
415 $
if (_NTIFS_
|| _WINNT_
)
417 #ifndef SID_IDENTIFIER_AUTHORITY_DEFINED
418 #define SID_IDENTIFIER_AUTHORITY_DEFINED
419 typedef struct _SID_IDENTIFIER_AUTHORITY
{
421 } SID_IDENTIFIER_AUTHORITY
,*PSID_IDENTIFIER_AUTHORITY
,*LPSID_IDENTIFIER_AUTHORITY
;
426 typedef struct _SID
{
428 $UCHAR SubAuthorityCount
;
429 SID_IDENTIFIER_AUTHORITY IdentifierAuthority
;
431 [size_is(SubAuthorityCount
)] $ULONG SubAuthority
[*];
433 $ULONG SubAuthority
[ANYSIZE_ARRAY
];
438 $
endif (_NTIFS_
|| _WINNT_
)
/* SID layout constants. A SID carries between one and SID_MAX_SUB_AUTHORITIES
   sub-authority values. */
#define SID_REVISION 1
#define SID_MAX_SUB_AUTHORITIES 15
#define SID_RECOMMENDED_SUB_AUTHORITIES 1
/* Largest possible SID: the fixed part of SID (minus its inline
   SubAuthority[ANYSIZE_ARRAY] slot) plus SID_MAX_SUB_AUTHORITIES ULONGs.
   Useful as a stack-buffer size when copying an untrusted SID. */
#define SECURITY_MAX_SID_SIZE (sizeof(SID) - sizeof(ULONG) + (SID_MAX_SUB_AUTHORITIES * sizeof(ULONG)))
449 typedef enum _SID_NAME_USE
{
454 SidTypeWellKnownGroup
,
455 SidTypeDeletedAccount
,
460 } SID_NAME_USE
, *PSID_NAME_USE
;
462 typedef struct _SID_AND_ATTRIBUTES
{
469 } SID_AND_ATTRIBUTES
, *PSID_AND_ATTRIBUTES
;
/* Open-ended array of SID/attribute pairs; the element count is carried by
   the enclosing structure (see TOKEN_GROUPS). */
typedef SID_AND_ATTRIBUTES SID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY];
typedef SID_AND_ATTRIBUTES_ARRAY *PSID_AND_ATTRIBUTES_ARRAY;
/* Number of slots in SID_AND_ATTRIBUTES_HASH.Hash. */
#define SID_HASH_SIZE 32
/* One pointer-sized hash slot. */
typedef ULONG_PTR SID_HASH_ENTRY, *PSID_HASH_ENTRY;
476 typedef struct _SID_AND_ATTRIBUTES_HASH
{
478 PSID_AND_ATTRIBUTES SidAttr
;
479 SID_HASH_ENTRY Hash
[SID_HASH_SIZE
];
480 } SID_AND_ATTRIBUTES_HASH
, *PSID_AND_ATTRIBUTES_HASH
;
/* Universal well-known SIDs */
/* Six-byte SID_IDENTIFIER_AUTHORITY initialisers; the last byte is the
   authority number that appears in the textual form (S-1-0, S-1-1, ...). */
#define SECURITY_NULL_SID_AUTHORITY {0,0,0,0,0,0}
#define SECURITY_WORLD_SID_AUTHORITY {0,0,0,0,0,1}
#define SECURITY_LOCAL_SID_AUTHORITY {0,0,0,0,0,2}
#define SECURITY_CREATOR_SID_AUTHORITY {0,0,0,0,0,3}
#define SECURITY_NON_UNIQUE_AUTHORITY {0,0,0,0,0,4}
#define SECURITY_RESOURCE_MANAGER_AUTHORITY {0,0,0,0,0,9}
/* Relative IDs under the NULL, WORLD and LOCAL authorities. */
#define SECURITY_NULL_RID (0x00000000L)
#define SECURITY_WORLD_RID (0x00000000L)
#define SECURITY_LOCAL_RID (0x00000000L)
#define SECURITY_LOCAL_LOGON_RID (0x00000001L)
/* Relative IDs under the CREATOR authority. */
#define SECURITY_CREATOR_OWNER_RID (0x00000000L)
#define SECURITY_CREATOR_GROUP_RID (0x00000001L)
#define SECURITY_CREATOR_OWNER_SERVER_RID (0x00000002L)
#define SECURITY_CREATOR_GROUP_SERVER_RID (0x00000003L)
#define SECURITY_CREATOR_OWNER_RIGHTS_RID (0x00000004L)
/* NT well-known SIDs */
/* The S-1-5 authority; every RID in this group is relative to it. */
#define SECURITY_NT_AUTHORITY {0,0,0,0,0,5}
#define SECURITY_DIALUP_RID (0x00000001L)
#define SECURITY_NETWORK_RID (0x00000002L)
#define SECURITY_BATCH_RID (0x00000003L)
#define SECURITY_INTERACTIVE_RID (0x00000004L)
/* Logon-session SIDs have this RID followed by two more sub-authorities,
   hence a sub-authority count of 3. */
#define SECURITY_LOGON_IDS_RID (0x00000005L)
#define SECURITY_LOGON_IDS_RID_COUNT (3L)
#define SECURITY_SERVICE_RID (0x00000006L)
#define SECURITY_ANONYMOUS_LOGON_RID (0x00000007L)
#define SECURITY_PROXY_RID (0x00000008L)
#define SECURITY_ENTERPRISE_CONTROLLERS_RID (0x00000009L)
/* Older name for the same RID. */
#define SECURITY_SERVER_LOGON_RID SECURITY_ENTERPRISE_CONTROLLERS_RID
#define SECURITY_PRINCIPAL_SELF_RID (0x0000000AL)
#define SECURITY_AUTHENTICATED_USER_RID (0x0000000BL)
#define SECURITY_RESTRICTED_CODE_RID (0x0000000CL)
#define SECURITY_TERMINAL_SERVER_RID (0x0000000DL)
#define SECURITY_REMOTE_LOGON_RID (0x0000000EL)
#define SECURITY_THIS_ORGANIZATION_RID (0x0000000FL)
#define SECURITY_IUSER_RID (0x00000011L)
#define SECURITY_LOCAL_SYSTEM_RID (0x00000012L)
#define SECURITY_LOCAL_SERVICE_RID (0x00000013L)
#define SECURITY_NETWORK_SERVICE_RID (0x00000014L)
/* Domain SIDs: S-1-5-21 followed by three sub-authorities. */
#define SECURITY_NT_NON_UNIQUE (0x00000015L)
#define SECURITY_NT_NON_UNIQUE_SUB_AUTH_COUNT (3L)
#define SECURITY_ENTERPRISE_READONLY_CONTROLLERS_RID (0x00000016L)
/* S-1-5-32: domain of the built-in aliases (DOMAIN_ALIAS_RID_* below). */
#define SECURITY_BUILTIN_DOMAIN_RID (0x00000020L)
#define SECURITY_WRITE_RESTRICTED_CODE_RID (0x00000021L)
/* Each *_BASE_RID introduces a family; the matching *_RID_COUNT gives the
   number of sub-authorities that follow the base. */
#define SECURITY_PACKAGE_BASE_RID (0x00000040L)
#define SECURITY_PACKAGE_RID_COUNT (2L)
#define SECURITY_PACKAGE_NTLM_RID (0x0000000AL)
#define SECURITY_PACKAGE_SCHANNEL_RID (0x0000000EL)
#define SECURITY_PACKAGE_DIGEST_RID (0x00000015L)
#define SECURITY_CRED_TYPE_BASE_RID (0x00000041L)
#define SECURITY_CRED_TYPE_RID_COUNT (2L)
#define SECURITY_CRED_TYPE_THIS_ORG_CERT_RID (0x00000001L)
#define SECURITY_MIN_BASE_RID (0x00000050L)
#define SECURITY_SERVICE_ID_BASE_RID (0x00000050L)
#define SECURITY_SERVICE_ID_RID_COUNT (6L)
#define SECURITY_RESERVED_ID_BASE_RID (0x00000051L)
#define SECURITY_APPPOOL_ID_BASE_RID (0x00000052L)
#define SECURITY_APPPOOL_ID_RID_COUNT (6L)
#define SECURITY_VIRTUALSERVER_ID_BASE_RID (0x00000053L)
#define SECURITY_VIRTUALSERVER_ID_RID_COUNT (6L)
#define SECURITY_USERMODEDRIVERHOST_ID_BASE_RID (0x00000054L)
#define SECURITY_USERMODEDRIVERHOST_ID_RID_COUNT (6L)
#define SECURITY_CLOUD_INFRASTRUCTURE_SERVICES_ID_BASE_RID (0x00000055L)
#define SECURITY_CLOUD_INFRASTRUCTURE_SERVICES_ID_RID_COUNT (6L)
#define SECURITY_WMIHOST_ID_BASE_RID (0x00000056L)
#define SECURITY_WMIHOST_ID_RID_COUNT (6L)
#define SECURITY_TASK_ID_BASE_RID (0x00000057L)
#define SECURITY_NFS_ID_BASE_RID (0x00000058L)
#define SECURITY_COM_ID_BASE_RID (0x00000059L)
#define SECURITY_VIRTUALACCOUNT_ID_RID_COUNT (6L)
#define SECURITY_MAX_BASE_RID (0x0000006FL)
/* 999 / 1000: the boundary between RIDs that are always filtered out of
   tokens and RIDs that never are. */
#define SECURITY_MAX_ALWAYS_FILTERED (0x000003E7L)
#define SECURITY_MIN_NEVER_FILTERED (0x000003E8L)
#define SECURITY_OTHER_ORGANIZATION_RID (0x000003E8L)
/* Defined above SECURITY_MAX_BASE_RID; outside the *_BASE_RID range. */
#define SECURITY_WINDOWSMOBILE_ID_BASE_RID (0x00000070L)
/* Well-known domain relative sub-authority values (RIDs) */
#define DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS (0x000001F2L)
/* 0x1F3 = 499: the last RID below the well-known users that start at 500. */
#define FOREST_USER_RID_MAX (0x000001F3L)
/* Well-known users */
#define DOMAIN_USER_RID_ADMIN (0x000001F4L)
#define DOMAIN_USER_RID_GUEST (0x000001F5L)
#define DOMAIN_USER_RID_KRBTGT (0x000001F6L)
/* 0x3E7 = 999, the same value as SECURITY_MAX_ALWAYS_FILTERED. */
#define DOMAIN_USER_RID_MAX (0x000003E7L)
/* Well-known groups */
#define DOMAIN_GROUP_RID_ADMINS (0x00000200L)
#define DOMAIN_GROUP_RID_USERS (0x00000201L)
#define DOMAIN_GROUP_RID_GUESTS (0x00000202L)
#define DOMAIN_GROUP_RID_COMPUTERS (0x00000203L)
#define DOMAIN_GROUP_RID_CONTROLLERS (0x00000204L)
#define DOMAIN_GROUP_RID_CERT_ADMINS (0x00000205L)
#define DOMAIN_GROUP_RID_SCHEMA_ADMINS (0x00000206L)
#define DOMAIN_GROUP_RID_ENTERPRISE_ADMINS (0x00000207L)
#define DOMAIN_GROUP_RID_POLICY_ADMINS (0x00000208L)
#define DOMAIN_GROUP_RID_READONLY_CONTROLLERS (0x00000209L)
/* Well-known aliases */
/* These are relative to SECURITY_BUILTIN_DOMAIN_RID (S-1-5-32-...). */
#define DOMAIN_ALIAS_RID_ADMINS (0x00000220L)
#define DOMAIN_ALIAS_RID_USERS (0x00000221L)
#define DOMAIN_ALIAS_RID_GUESTS (0x00000222L)
#define DOMAIN_ALIAS_RID_POWER_USERS (0x00000223L)
#define DOMAIN_ALIAS_RID_ACCOUNT_OPS (0x00000224L)
#define DOMAIN_ALIAS_RID_SYSTEM_OPS (0x00000225L)
#define DOMAIN_ALIAS_RID_PRINT_OPS (0x00000226L)
#define DOMAIN_ALIAS_RID_BACKUP_OPS (0x00000227L)
#define DOMAIN_ALIAS_RID_REPLICATOR (0x00000228L)
#define DOMAIN_ALIAS_RID_RAS_SERVERS (0x00000229L)
#define DOMAIN_ALIAS_RID_PREW2KCOMPACCESS (0x0000022AL)
#define DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS (0x0000022BL)
#define DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS (0x0000022CL)
#define DOMAIN_ALIAS_RID_INCOMING_FOREST_TRUST_BUILDERS (0x0000022DL)
#define DOMAIN_ALIAS_RID_MONITORING_USERS (0x0000022EL)
#define DOMAIN_ALIAS_RID_LOGGING_USERS (0x0000022FL)
#define DOMAIN_ALIAS_RID_AUTHORIZATIONACCESS (0x00000230L)
#define DOMAIN_ALIAS_RID_TS_LICENSE_SERVERS (0x00000231L)
#define DOMAIN_ALIAS_RID_DCOM_USERS (0x00000232L)
/* Note the gap 0x233-0x237 and 0x23A: those values are not defined here. */
#define DOMAIN_ALIAS_RID_IUSERS (0x00000238L)
#define DOMAIN_ALIAS_RID_CRYPTO_OPERATORS (0x00000239L)
#define DOMAIN_ALIAS_RID_CACHEABLE_PRINCIPALS_GROUP (0x0000023BL)
#define DOMAIN_ALIAS_RID_NON_CACHEABLE_PRINCIPALS_GROUP (0x0000023CL)
#define DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP (0x0000023DL)
#define DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP (0x0000023EL)
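/* Mandatory integrity label authority (S-1-16) and the RIDs of its levels,
   spaced 0x1000 apart so intermediate values can be used. */
#define SECURITY_MANDATORY_LABEL_AUTHORITY {0,0,0,0,0,16}
#define SECURITY_MANDATORY_UNTRUSTED_RID (0x00000000L)
#define SECURITY_MANDATORY_LOW_RID (0x00001000L)
#define SECURITY_MANDATORY_MEDIUM_RID (0x00002000L)
#define SECURITY_MANDATORY_HIGH_RID (0x00003000L)
#define SECURITY_MANDATORY_SYSTEM_RID (0x00004000L)
#define SECURITY_MANDATORY_PROTECTED_PROCESS_RID (0x00005000L)

/* SECURITY_MANDATORY_MAXIMUM_USER_RID is the highest RID that
   can be set by a usermode caller. */
#define SECURITY_MANDATORY_MAXIMUM_USER_RID SECURITY_MANDATORY_SYSTEM_RID

/* Converts a MANDATORY_LEVEL index into the corresponding label RID.
   The argument is parenthesised so that an expression such as (n + 1) is
   scaled as a whole; without the parentheses only its last term would be
   multiplied by 0x1000. A bare identifier expands exactly as before. */
#define MANDATORY_LEVEL_TO_MANDATORY_RID(IL) ((IL) * 0x1000)

/* Allocate the System Luid. The first 1000 LUIDs are reserved.
   Use #999 here (0x3e7 = 999) */
#define SYSTEM_LUID {0x3e7, 0x0}
#define ANONYMOUS_LOGON_LUID {0x3e6, 0x0}
#define LOCALSERVICE_LUID {0x3e5, 0x0}
#define NETWORKSERVICE_LUID {0x3e4, 0x0}
#define IUSER_LUID {0x3e3, 0x0}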
655 typedef struct _ACE_HEADER
{
659 } ACE_HEADER
, *PACE_HEADER
;
/* also in winnt.h */
/* ACE type codes. The ACCESS_MAX_MS_V*_ACE_TYPE markers record the highest
   type known to each ACL revision; object ACEs are 0x5-0x8, callback ACEs
   0x9-0x10, and the mandatory-label ACE 0x11. */
#define ACCESS_MIN_MS_ACE_TYPE (0x0)
#define ACCESS_ALLOWED_ACE_TYPE (0x0)
#define ACCESS_DENIED_ACE_TYPE (0x1)
#define SYSTEM_AUDIT_ACE_TYPE (0x2)
#define SYSTEM_ALARM_ACE_TYPE (0x3)
#define ACCESS_MAX_MS_V2_ACE_TYPE (0x3)
#define ACCESS_ALLOWED_COMPOUND_ACE_TYPE (0x4)
#define ACCESS_MAX_MS_V3_ACE_TYPE (0x4)
#define ACCESS_MIN_MS_OBJECT_ACE_TYPE (0x5)
#define ACCESS_ALLOWED_OBJECT_ACE_TYPE (0x5)
#define ACCESS_DENIED_OBJECT_ACE_TYPE (0x6)
#define SYSTEM_AUDIT_OBJECT_ACE_TYPE (0x7)
#define SYSTEM_ALARM_OBJECT_ACE_TYPE (0x8)
#define ACCESS_MAX_MS_OBJECT_ACE_TYPE (0x8)
#define ACCESS_MAX_MS_V4_ACE_TYPE (0x8)
#define ACCESS_MAX_MS_ACE_TYPE (0x8)
#define ACCESS_ALLOWED_CALLBACK_ACE_TYPE (0x9)
#define ACCESS_DENIED_CALLBACK_ACE_TYPE (0xA)
#define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE (0xB)
#define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE (0xC)
#define SYSTEM_AUDIT_CALLBACK_ACE_TYPE (0xD)
#define SYSTEM_ALARM_CALLBACK_ACE_TYPE (0xE)
#define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE (0xF)
#define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE (0x10)
/* Note: ACCESS_MAX_MS_ACE_TYPE above stays at 0x8, so code that validates
   an ACE type against it rejects the callback and label ACEs. */
#define ACCESS_MAX_MS_V5_ACE_TYPE (0x11)
#define SYSTEM_MANDATORY_LABEL_ACE_TYPE (0x11)
/* The following are the inherit flags that go into the AceFlags field
   of an ACE header. */
#define OBJECT_INHERIT_ACE (0x1)
#define CONTAINER_INHERIT_ACE (0x2)
#define NO_PROPAGATE_INHERIT_ACE (0x4)
#define INHERIT_ONLY_ACE (0x8)
#define INHERITED_ACE (0x10)
/* OR of the five inherit flags above. */
#define VALID_INHERIT_FLAGS (0x1F)
/* Audit ACE flags: which outcome of an access check generates a record. */
#define SUCCESSFUL_ACCESS_ACE_FLAG (0x40)
#define FAILED_ACCESS_ACE_FLAG (0x80)
702 typedef struct _ACCESS_ALLOWED_ACE
{
706 } ACCESS_ALLOWED_ACE
, *PACCESS_ALLOWED_ACE
;
708 typedef struct _ACCESS_DENIED_ACE
{
712 } ACCESS_DENIED_ACE
, *PACCESS_DENIED_ACE
;
714 typedef struct _SYSTEM_AUDIT_ACE
{
718 } SYSTEM_AUDIT_ACE
, *PSYSTEM_AUDIT_ACE
;
720 typedef struct _SYSTEM_ALARM_ACE
{
724 } SYSTEM_ALARM_ACE
, *PSYSTEM_ALARM_ACE
;
726 typedef struct _SYSTEM_MANDATORY_LABEL_ACE
{
730 } SYSTEM_MANDATORY_LABEL_ACE
, *PSYSTEM_MANDATORY_LABEL_ACE
;
/* Policy bits carried by a SYSTEM_MANDATORY_LABEL_ACE. */
#define SYSTEM_MANDATORY_LABEL_NO_WRITE_UP 0x1
#define SYSTEM_MANDATORY_LABEL_NO_READ_UP 0x2
#define SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP 0x4
/* Union of the three policy bits; anything outside it is not a valid mask. */
#define SYSTEM_MANDATORY_LABEL_VALID_MASK (SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | \
                                           SYSTEM_MANDATORY_LABEL_NO_READ_UP | \
                                           SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP)
/* Smallest valid security descriptor: the absolute-format header alone. */
#define SECURITY_DESCRIPTOR_MIN_LENGTH (sizeof(SECURITY_DESCRIPTOR))
/* Type of the Control field of SECURITY_DESCRIPTOR / SECURITY_DESCRIPTOR_RELATIVE;
   holds the SE_* bits below. */
typedef USHORT SECURITY_DESCRIPTOR_CONTROL,*PSECURITY_DESCRIPTOR_CONTROL;
/* *_DEFAULTED: the part was supplied by a default mechanism rather than the caller. */
#define SE_OWNER_DEFAULTED 0x0001
#define SE_GROUP_DEFAULTED 0x0002
/* *_PRESENT: the descriptor carries that ACL (a present but NULL DACL is
   distinct from an absent one, which is why the flag exists). */
#define SE_DACL_PRESENT 0x0004
#define SE_DACL_DEFAULTED 0x0008
#define SE_SACL_PRESENT 0x0010
#define SE_SACL_DEFAULTED 0x0020
#define SE_DACL_UNTRUSTED 0x0040
#define SE_SERVER_SECURITY 0x0080
/* Automatic-inheritance request/result bits. */
#define SE_DACL_AUTO_INHERIT_REQ 0x0100
#define SE_SACL_AUTO_INHERIT_REQ 0x0200
#define SE_DACL_AUTO_INHERITED 0x0400
#define SE_SACL_AUTO_INHERITED 0x0800
/* Block inheritance from the parent (cf. PROTECTED_*_SECURITY_INFORMATION). */
#define SE_DACL_PROTECTED 0x1000
#define SE_SACL_PROTECTED 0x2000
#define SE_RM_CONTROL_VALID 0x4000
/* Descriptor is in the SECURITY_DESCRIPTOR_RELATIVE layout. */
#define SE_SELF_RELATIVE 0x8000
760 typedef struct _SECURITY_DESCRIPTOR_RELATIVE
{
763 SECURITY_DESCRIPTOR_CONTROL Control
;
768 } SECURITY_DESCRIPTOR_RELATIVE
, *PISECURITY_DESCRIPTOR_RELATIVE
;
770 typedef struct _SECURITY_DESCRIPTOR
{
773 SECURITY_DESCRIPTOR_CONTROL Control
;
778 } SECURITY_DESCRIPTOR
, *PISECURITY_DESCRIPTOR
;
780 typedef struct _OBJECT_TYPE_LIST
{
784 } OBJECT_TYPE_LIST
, *POBJECT_TYPE_LIST
;
/* Nesting levels of an OBJECT_TYPE_LIST entry (presumably its Level field):
   object, property set, property. ACCESS_MAX_LEVEL bounds the hierarchy depth. */
#define ACCESS_OBJECT_GUID 0
#define ACCESS_PROPERTY_SET_GUID 1
#define ACCESS_PROPERTY_GUID 2
#define ACCESS_MAX_LEVEL 4
/* Category of an audit event: plain object access or directory-service access. */
typedef enum _AUDIT_EVENT_TYPE {
  AuditEventObjectAccess,
  AuditEventDirectoryServiceAccess
} AUDIT_EVENT_TYPE, *PAUDIT_EVENT_TYPE;
#define AUDIT_ALLOW_NO_PRIVILEGE 0x1
/* Fixed source / object-type names used in directory-service audit records,
   in both narrow (_A) and wide (_W) form. */
#define ACCESS_DS_SOURCE_A "DS"
#define ACCESS_DS_SOURCE_W L"DS"
#define ACCESS_DS_OBJECT_TYPE_NAME_A "Directory Service Object"
#define ACCESS_DS_OBJECT_TYPE_NAME_W L"Directory Service Object"
/* An ACCESS_REASON packs a reason type in its upper 16 bits and
   type-specific data (e.g. an ACE index) in the lower 16. */
#define ACCESS_REASON_TYPE_MASK 0xffff0000
#define ACCESS_REASON_DATA_MASK 0x0000ffff
/* Reason types; every value is a multiple of 0x10000 so it fits the TYPE mask. */
typedef enum _ACCESS_REASON_TYPE {
  AccessReasonNone = 0x00000000,
  AccessReasonAllowedAce = 0x00010000,
  AccessReasonDeniedAce = 0x00020000,
  AccessReasonAllowedParentAce = 0x00030000,
  AccessReasonDeniedParentAce = 0x00040000,
  AccessReasonMissingPrivilege = 0x00100000,
  AccessReasonFromPrivilege = 0x00200000,
  AccessReasonIntegrityLevel = 0x00300000,
  AccessReasonOwnership = 0x00400000,
  AccessReasonNullDacl = 0x00500000,
  AccessReasonEmptyDacl = 0x00600000,
  AccessReasonNoSD = 0x00700000,
  AccessReasonNoGrant = 0x00800000
} ACCESS_REASON_TYPE;
typedef ULONG ACCESS_REASON;
/* One reason per bit position of a 32-bit ACCESS_MASK (presumably why the
   array has exactly 32 slots -- confirm against the consumers). */
typedef struct _ACCESS_REASONS {
  ACCESS_REASON Data[32];
} ACCESS_REASONS, *PACCESS_REASONS;
/* SE_SECURITY_DESCRIPTOR flags and their union. */
#define SE_SECURITY_DESCRIPTOR_FLAG_NO_OWNER_ACE 0x00000001
#define SE_SECURITY_DESCRIPTOR_FLAG_NO_LABEL_ACE 0x00000002
#define SE_SECURITY_DESCRIPTOR_VALID_FLAGS 0x00000003
832 typedef struct _SE_SECURITY_DESCRIPTOR
{
835 PSECURITY_DESCRIPTOR SecurityDescriptor
;
836 } SE_SECURITY_DESCRIPTOR
, *PSE_SECURITY_DESCRIPTOR
;
838 typedef struct _SE_ACCESS_REQUEST
{
840 PSE_SECURITY_DESCRIPTOR SeSecurityDescriptor
;
841 ACCESS_MASK DesiredAccess
;
842 ACCESS_MASK PreviouslyGrantedAccess
;
843 PSID PrincipalSelfSid
;
844 PGENERIC_MAPPING GenericMapping
;
845 ULONG ObjectTypeListCount
;
846 POBJECT_TYPE_LIST ObjectTypeList
;
847 } SE_ACCESS_REQUEST
, *PSE_ACCESS_REQUEST
;
849 typedef struct _SE_ACCESS_REPLY
{
851 ULONG ResultListCount
;
852 PACCESS_MASK GrantedAccess
;
853 PNTSTATUS AccessStatus
;
854 PACCESS_REASONS AccessReason
;
855 PPRIVILEGE_SET
* Privileges
;
856 } SE_ACCESS_REPLY
, *PSE_ACCESS_REPLY
;
858 typedef enum _SE_AUDIT_OPERATION
{
859 AuditPrivilegeObject
,
860 AuditPrivilegeService
,
863 AuditOpenObjectWithTransaction
,
866 AuditOpenObjectForDelete
,
867 AuditOpenObjectForDeleteWithTransaction
,
870 AuditObjectReference
,
872 } SE_AUDIT_OPERATION
, *PSE_AUDIT_OPERATION
;
874 typedef struct _SE_AUDIT_INFO
{
876 AUDIT_EVENT_TYPE AuditType
;
877 SE_AUDIT_OPERATION AuditOperation
;
879 UNICODE_STRING SubsystemName
;
880 UNICODE_STRING ObjectTypeName
;
881 UNICODE_STRING ObjectName
;
885 BOOLEAN ObjectCreation
;
886 BOOLEAN GenerateOnClose
;
887 } SE_AUDIT_INFO
, *PSE_AUDIT_INFO
;
/* Token-specific access rights (the object-specific low 16 bits of an
   ACCESS_MASK for token objects). */
#define TOKEN_ASSIGN_PRIMARY (0x0001)
#define TOKEN_DUPLICATE (0x0002)
#define TOKEN_IMPERSONATE (0x0004)
#define TOKEN_QUERY (0x0008)
#define TOKEN_QUERY_SOURCE (0x0010)
#define TOKEN_ADJUST_PRIVILEGES (0x0020)
#define TOKEN_ADJUST_GROUPS (0x0040)
#define TOKEN_ADJUST_DEFAULT (0x0080)
#define TOKEN_ADJUST_SESSIONID (0x0100)
899 #define TOKEN_ALL_ACCESS_P (STANDARD_RIGHTS_REQUIRED |\
900 TOKEN_ASSIGN_PRIMARY |\
904 TOKEN_QUERY_SOURCE |\
905 TOKEN_ADJUST_PRIVILEGES |\
906 TOKEN_ADJUST_GROUPS |\
907 TOKEN_ADJUST_DEFAULT )
909 #if ((defined(_WIN32_WINNT) && (_WIN32_WINNT > 0x0400)) || (!defined(_WIN32_WINNT)))
910 #define TOKEN_ALL_ACCESS (TOKEN_ALL_ACCESS_P |\
911 TOKEN_ADJUST_SESSIONID )
913 #define TOKEN_ALL_ACCESS (TOKEN_ALL_ACCESS_P)
916 #define TOKEN_READ (STANDARD_RIGHTS_READ |\
/* Composite token rights. TOKEN_WRITE covers every ADJUST_* right except
   TOKEN_ADJUST_SESSIONID; TOKEN_EXECUTE is just the standard execute right. */
#define TOKEN_WRITE (STANDARD_RIGHTS_WRITE |\
                     TOKEN_ADJUST_PRIVILEGES |\
                     TOKEN_ADJUST_GROUPS |\
                     TOKEN_ADJUST_DEFAULT)
#define TOKEN_EXECUTE (STANDARD_RIGHTS_EXECUTE)
926 typedef enum _TOKEN_TYPE
{
929 } TOKEN_TYPE
,*PTOKEN_TYPE
;
931 typedef enum _TOKEN_INFORMATION_CLASS
{
940 TokenImpersonationLevel
,
944 TokenGroupsAndPrivileges
,
945 TokenSessionReference
,
952 TokenHasRestrictions
,
953 TokenAccessInformation
,
954 TokenVirtualizationAllowed
,
955 TokenVirtualizationEnabled
,
958 TokenMandatoryPolicy
,
961 } TOKEN_INFORMATION_CLASS
, *PTOKEN_INFORMATION_CLASS
;
/* The token's user SID and its attributes. */
typedef struct _TOKEN_USER {
  SID_AND_ATTRIBUTES User;
} TOKEN_USER, *PTOKEN_USER;
967 typedef struct _TOKEN_GROUPS
{
970 [size_is(GroupCount
)] SID_AND_ATTRIBUTES Groups
[*];
972 SID_AND_ATTRIBUTES Groups
[ANYSIZE_ARRAY
];
974 } TOKEN_GROUPS
,*PTOKEN_GROUPS
,*LPTOKEN_GROUPS
;
/* Counted, open-ended list of privileges. Privileges[] holds PrivilegeCount
   entries, so the structure must be allocated with room for all of them
   (the declared ANYSIZE_ARRAY length is only a placeholder). */
typedef struct _TOKEN_PRIVILEGES {
  ULONG PrivilegeCount;
  LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
} TOKEN_PRIVILEGES,*PTOKEN_PRIVILEGES,*LPTOKEN_PRIVILEGES;
981 typedef struct _TOKEN_OWNER
{
983 } TOKEN_OWNER
,*PTOKEN_OWNER
;
985 typedef struct _TOKEN_PRIMARY_GROUP
{
987 } TOKEN_PRIMARY_GROUP
,*PTOKEN_PRIMARY_GROUP
;
989 typedef struct _TOKEN_DEFAULT_DACL
{
991 } TOKEN_DEFAULT_DACL
,*PTOKEN_DEFAULT_DACL
;
993 typedef struct _TOKEN_GROUPS_AND_PRIVILEGES
{
996 PSID_AND_ATTRIBUTES Sids
;
997 ULONG RestrictedSidCount
;
998 ULONG RestrictedSidLength
;
999 PSID_AND_ATTRIBUTES RestrictedSids
;
1000 ULONG PrivilegeCount
;
1001 ULONG PrivilegeLength
;
1002 PLUID_AND_ATTRIBUTES Privileges
;
1003 LUID AuthenticationId
;
1004 } TOKEN_GROUPS_AND_PRIVILEGES
, *PTOKEN_GROUPS_AND_PRIVILEGES
;
1006 typedef struct _TOKEN_LINKED_TOKEN
{
1008 } TOKEN_LINKED_TOKEN
, *PTOKEN_LINKED_TOKEN
;
/* Non-zero when the token is elevated. */
typedef struct _TOKEN_ELEVATION {
  ULONG TokenIsElevated;
} TOKEN_ELEVATION, *PTOKEN_ELEVATION;
/* The token's integrity label: a SID under SECURITY_MANDATORY_LABEL_AUTHORITY
   plus attributes. */
typedef struct _TOKEN_MANDATORY_LABEL {
  SID_AND_ATTRIBUTES Label;
} TOKEN_MANDATORY_LABEL, *PTOKEN_MANDATORY_LABEL;
/* TOKEN_MANDATORY_POLICY bits and their union. */
#define TOKEN_MANDATORY_POLICY_OFF 0x0
#define TOKEN_MANDATORY_POLICY_NO_WRITE_UP 0x1
#define TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN 0x2
#define TOKEN_MANDATORY_POLICY_VALID_MASK (TOKEN_MANDATORY_POLICY_NO_WRITE_UP | \
                                           TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN)
1025 typedef struct _TOKEN_MANDATORY_POLICY
{
1027 } TOKEN_MANDATORY_POLICY
, *PTOKEN_MANDATORY_POLICY
;
1029 typedef struct _TOKEN_ACCESS_INFORMATION
{
1030 PSID_AND_ATTRIBUTES_HASH SidHash
;
1031 PSID_AND_ATTRIBUTES_HASH RestrictedSidHash
;
1032 PTOKEN_PRIVILEGES Privileges
;
1033 LUID AuthenticationId
;
1034 TOKEN_TYPE TokenType
;
1035 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
;
1036 TOKEN_MANDATORY_POLICY MandatoryPolicy
;
1038 } TOKEN_ACCESS_INFORMATION
, *PTOKEN_ACCESS_INFORMATION
;
#define POLICY_AUDIT_SUBCATEGORY_COUNT (53)
/* Per-user audit policy packed into (53 >> 1) + 1 = 27 bytes, i.e. two
   subcategories per byte (presumably a nibble each -- confirm against the
   code that reads it). */
typedef struct _TOKEN_AUDIT_POLICY {
  UCHAR PerUserPolicy[((POLICY_AUDIT_SUBCATEGORY_COUNT) >> 1) + 1];
} TOKEN_AUDIT_POLICY, *PTOKEN_AUDIT_POLICY;
#define TOKEN_SOURCE_LENGTH 8
/* Identifies the component that created a token. SourceName is a fixed
   8-byte field; nothing in this declaration guarantees a terminating NUL,
   so treat it as a bounded buffer rather than a C string. */
typedef struct _TOKEN_SOURCE {
  CHAR SourceName[TOKEN_SOURCE_LENGTH];
  LUID SourceIdentifier;
} TOKEN_SOURCE,*PTOKEN_SOURCE;
1053 typedef struct _TOKEN_STATISTICS
{
1055 LUID AuthenticationId
;
1056 LARGE_INTEGER ExpirationTime
;
1057 TOKEN_TYPE TokenType
;
1058 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
;
1059 ULONG DynamicCharged
;
1060 ULONG DynamicAvailable
;
1062 ULONG PrivilegeCount
;
1064 } TOKEN_STATISTICS
, *PTOKEN_STATISTICS
;
1066 typedef struct _TOKEN_CONTROL
{
1068 LUID AuthenticationId
;
1070 TOKEN_SOURCE TokenSource
;
1071 } TOKEN_CONTROL
,*PTOKEN_CONTROL
;
/* LUID of the logon session the token originates from. */
typedef struct _TOKEN_ORIGIN {
  LUID OriginatingLogonSession;
} TOKEN_ORIGIN, *PTOKEN_ORIGIN;
1077 typedef enum _MANDATORY_LEVEL
{
1078 MandatoryLevelUntrusted
= 0,
1080 MandatoryLevelMedium
,
1082 MandatoryLevelSystem
,
1083 MandatoryLevelSecureProcess
,
1085 } MANDATORY_LEVEL
, *PMANDATORY_LEVEL
;
/* Token flag bits (one 16-bit set). SE_BACKUP_PRIVILEGES_CHECKED belongs to
   this set despite its SE_ prefix. */
#define TOKEN_HAS_TRAVERSE_PRIVILEGE 0x0001
#define TOKEN_HAS_BACKUP_PRIVILEGE 0x0002
#define TOKEN_HAS_RESTORE_PRIVILEGE 0x0004
#define TOKEN_WRITE_RESTRICTED 0x0008
#define TOKEN_IS_RESTRICTED 0x0010
#define TOKEN_SESSION_NOT_REFERENCED 0x0020
#define TOKEN_SANDBOX_INERT 0x0040
#define TOKEN_HAS_IMPERSONATE_PRIVILEGE 0x0080
#define SE_BACKUP_PRIVILEGES_CHECKED 0x0100
#define TOKEN_VIRTUALIZE_ALLOWED 0x0200
#define TOKEN_VIRTUALIZE_ENABLED 0x0400
#define TOKEN_IS_FILTERED 0x0800
#define TOKEN_UIACCESS 0x1000
#define TOKEN_NOT_LOW 0x2000
1102 typedef struct _SE_EXPORTS
{
1103 LUID SeCreateTokenPrivilege
;
1104 LUID SeAssignPrimaryTokenPrivilege
;
1105 LUID SeLockMemoryPrivilege
;
1106 LUID SeIncreaseQuotaPrivilege
;
1107 LUID SeUnsolicitedInputPrivilege
;
1108 LUID SeTcbPrivilege
;
1109 LUID SeSecurityPrivilege
;
1110 LUID SeTakeOwnershipPrivilege
;
1111 LUID SeLoadDriverPrivilege
;
1112 LUID SeCreatePagefilePrivilege
;
1113 LUID SeIncreaseBasePriorityPrivilege
;
1114 LUID SeSystemProfilePrivilege
;
1115 LUID SeSystemtimePrivilege
;
1116 LUID SeProfileSingleProcessPrivilege
;
1117 LUID SeCreatePermanentPrivilege
;
1118 LUID SeBackupPrivilege
;
1119 LUID SeRestorePrivilege
;
1120 LUID SeShutdownPrivilege
;
1121 LUID SeDebugPrivilege
;
1122 LUID SeAuditPrivilege
;
1123 LUID SeSystemEnvironmentPrivilege
;
1124 LUID SeChangeNotifyPrivilege
;
1125 LUID SeRemoteShutdownPrivilege
;
1129 PSID SeCreatorOwnerSid
;
1130 PSID SeCreatorGroupSid
;
1131 PSID SeNtAuthoritySid
;
1135 PSID SeInteractiveSid
;
1136 PSID SeLocalSystemSid
;
1137 PSID SeAliasAdminsSid
;
1138 PSID SeAliasUsersSid
;
1139 PSID SeAliasGuestsSid
;
1140 PSID SeAliasPowerUsersSid
;
1141 PSID SeAliasAccountOpsSid
;
1142 PSID SeAliasSystemOpsSid
;
1143 PSID SeAliasPrintOpsSid
;
1144 PSID SeAliasBackupOpsSid
;
1145 PSID SeAuthenticatedUsersSid
;
1146 PSID SeRestrictedSid
;
1147 PSID SeAnonymousLogonSid
;
1148 LUID SeUndockPrivilege
;
1149 LUID SeSyncAgentPrivilege
;
1150 LUID SeEnableDelegationPrivilege
;
1151 PSID SeLocalServiceSid
;
1152 PSID SeNetworkServiceSid
;
1153 LUID SeManageVolumePrivilege
;
1154 LUID SeImpersonatePrivilege
;
1155 LUID SeCreateGlobalPrivilege
;
1156 LUID SeTrustedCredManAccessPrivilege
;
1157 LUID SeRelabelPrivilege
;
1158 LUID SeIncreaseWorkingSetPrivilege
;
1159 LUID SeTimeZonePrivilege
;
1160 LUID SeCreateSymbolicLinkPrivilege
;
1162 PSID SeUntrustedMandatorySid
;
1163 PSID SeLowMandatorySid
;
1164 PSID SeMediumMandatorySid
;
1165 PSID SeHighMandatorySid
;
1166 PSID SeSystemMandatorySid
;
1167 PSID SeOwnerRightsSid
;
1168 } SE_EXPORTS
, *PSE_EXPORTS
;
1171 (NTAPI
*PSE_LOGON_SESSION_TERMINATED_ROUTINE
)(
/* A client's security context as captured by a server for impersonation. */
typedef struct _SECURITY_CLIENT_CONTEXT {
  SECURITY_QUALITY_OF_SERVICE SecurityQos; /* impersonation level, tracking mode, effective-only */
  PACCESS_TOKEN ClientToken;               /* the token to impersonate */
  BOOLEAN DirectlyAccessClientToken;       /* presumably: ClientToken is the client's own token rather than a copy -- confirm */
  BOOLEAN DirectAccessEffectiveOnly;
  BOOLEAN ServerIsRemote;
  TOKEN_CONTROL ClientTokenControl;        /* snapshot used to detect later changes to the token */
} SECURITY_CLIENT_CONTEXT, *PSECURITY_CLIENT_CONTEXT;