From 9594022ce141965e672ce975bf4d71a5f0e46730 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Herm=C3=A8s=20B=C3=A9lusca-Ma=C3=AFto?=
Date: Mon, 25 Jun 2018 18:49:07 +0200
Subject: [PATCH] [NTOS:SE] Add a documentation note about SeTokenIsWriteRestricted() and SeTokenIsAdmin(), and update the one for NtDuplicateToken(). [XDK] Move TOKEN_HAS_ADMIN_GROUP where appropriate.

---
 ntoskrnl/se/token.c | 12 +++++++++---
 sdk/include/xdk/ntifs.template.h | 2 --
 sdk/include/xdk/setypes.h | 1 +
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/ntoskrnl/se/token.c b/ntoskrnl/se/token.c
index 75ab43d21e6..9523fbf8aa7 100644
--- a/ntoskrnl/se/token.c
+++ b/ntoskrnl/se/token.c
@@ -1549,7 +1549,9 @@ SeTokenIsAdmin(IN PACCESS_TOKEN Token)
 {
     PAGED_CODE();
 
-    return (((PTOKEN)Token)->TokenFlags & TOKEN_WRITE_RESTRICTED) != 0;
+    // NOTE: Win7+ instead really checks the list of groups in the token
+    // (since TOKEN_HAS_ADMIN_GROUP == TOKEN_WRITE_RESTRICTED ...)
+    return (((PTOKEN)Token)->TokenFlags & TOKEN_HAS_ADMIN_GROUP) != 0;
 }
 
 /*
@@ -1566,6 +1568,8 @@ SeTokenIsRestricted(IN PACCESS_TOKEN Token)
 
 /*
  * @implemented
+ * @note First introduced in NT 5.1 SP2 x86 (5.1.2600.2622), absent in NT 5.2,
+ * then finally re-introduced in Vista+.
  */
 BOOLEAN
 NTAPI
@@ -1573,7 +1577,9 @@ SeTokenIsWriteRestricted(IN PACCESS_TOKEN Token)
 {
     PAGED_CODE();
 
-    return (((PTOKEN)Token)->TokenFlags & TOKEN_HAS_RESTORE_PRIVILEGE) != 0;
+    // NOTE: NT 5.1 SP2 x86 checks the SE_BACKUP_PRIVILEGES_CHECKED flag
+    // while Vista+ checks the TOKEN_WRITE_RESTRICTED flag as one expects.
+    return (((PTOKEN)Token)->TokenFlags & SE_BACKUP_PRIVILEGES_CHECKED) != 0;
 }
 
 /* SYSTEM CALLS ***************************************************************/
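Review bot: SeTokenIsAdmin() in the first hunk still tests bit 0x0008 of TokenFlags, since the new TOKEN_HAS_ADMIN_GROUP name is only an alias of TOKEN_WRITE_RESTRICTED per the setypes.h hunk, so a write-restricted non-administrator token reads as administrative and any caller that gates an access decision on this result inherits that mismatch; the inline comment records it, but the function header should say so too. The SeTokenIsWriteRestricted() hunk has the same shape: the check is renamed to SE_BACKUP_PRIVILEGES_CHECKED (presumably the same value as the replaced TOKEN_HAS_RESTORE_PRIVILEGE, so behaviour appears unchanged) while the new @note says Vista+ tests TOKEN_WRITE_RESTRICTED, and nothing states which behaviour ReactOS intends to keep. I would add `// FIXME: flag-based approximation; a real check walks the token's group array for the Administrators SID (Win7+).` above the return in SeTokenIsAdmin(), `// FIXME: mirrors NT 5.1 SP2 x86; Vista+ semantics would be TokenFlags & TOKEN_WRITE_RESTRICTED.` above the return in SeTokenIsWriteRestricted(), and a trailing `/* same bit as TOKEN_WRITE_RESTRICTED, see SeTokenIsAdmin() */` on the alias line in the setypes.h hunk. Both function bodies are fully contained in their hunks.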
@@ -2552,7 +2558,7 @@ Cleanup:
  * is correct either. -Gunnar
  * This is true. EffectiveOnly overrides SQOS.EffectiveOnly. - IAI
  * NOTE for readers: http://hex.pp.ua/nt/NtDuplicateToken.php is therefore
- * wrong in that regard.
+ * wrong in that regard, while MSDN documentation is correct.
  */
 NTSTATUS NTAPI
 NtDuplicateToken(IN HANDLE ExistingTokenHandle,
diff --git a/sdk/include/xdk/ntifs.template.h b/sdk/include/xdk/ntifs.template.h
index 642193fe367..7ad62ca88df 100644
--- a/sdk/include/xdk/ntifs.template.h
+++ b/sdk/include/xdk/ntifs.template.h
@@ -1360,8 +1360,6 @@ typedef struct _QUERY_PATH_RESPONSE {
 
 /* end winnt.h */
 
-#define TOKEN_HAS_ADMIN_GROUP 0x08
-
 #if (VER_PRODUCTBUILD >= 1381)
 #define FSCTL_GET_HFS_INFORMATION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 31, METHOD_BUFFERED, FILE_ANY_ACCESS)
 #endif /* (VER_PRODUCTBUILD >= 1381) */
diff --git a/sdk/include/xdk/setypes.h b/sdk/include/xdk/setypes.h
index 5dbf75edf0a..699e71bd7de 100644
--- a/sdk/include/xdk/setypes.h
+++ b/sdk/include/xdk/setypes.h
@@ -1125,6 +1125,7 @@ typedef struct _TOKEN_ACCESS_INFORMATION {
 #define TOKEN_HAS_BACKUP_PRIVILEGE 0x0002
 #define TOKEN_HAS_RESTORE_PRIVILEGE 0x0004
 #define TOKEN_WRITE_RESTRICTED 0x0008
+#define TOKEN_HAS_ADMIN_GROUP TOKEN_WRITE_RESTRICTED
 #define TOKEN_IS_RESTRICTED 0x0010
 #define TOKEN_SESSION_NOT_REFERENCED 0x0020
 #define TOKEN_SANDBOX_INERT 0x0040
-- 
2.17.1