Handling NTFS Permissions Part -1 (handling kernel object permissions) [ All Languages » VB »  Security] Total Hit ( 7984) Rate this article:     Poor     Excellent   Submit Your Question/Comment about this article Rating Click here to download the attached file

The Win32 Application Programming Interface (API) provides two sets of APIs for working with security descriptors and access control lists (ACLs): low-level and high-level. This series of articles provide a complete set of Microsoft Visual Basic code samples that use low-level access control APIs to create, as well as modify, an existing discretionary ACL (DACL) on a kernel object, user object, shared resource (such as a shared folder or shared printer), registry key, or printer. In this article we will learn how to use Visual Basic to handle kernel object security using APIs Other articles in this series are Handling NTFS Permissions Part-2 (handling user object permissions) Handling NTFS Permissions Part-3 (handling shared resource permissions) Handling NTFS Permissions Part-4 (handling registry key permissions) Handling NTFS Permissions Part-5 (handling printer permissions) This example uses the following generic structure to represent the permissions for a user or group account Click here to copy the following block Public Type AccountPerm   AccountName As String   AccessMask As Long   AceFlags As Byte   AceType As Byte   pSid As Long   SidPassedByCaller As Boolean End Type where AccountName is any user or group account name, and AccessMask is any of the generic or object-specific access masks. All the access mask constants for any securable object are defined in the sample code. AceFlags and AceType structure members have the same values as documented in the ACE_HEADER data structure in the Microsoft Platform SDK. As demonstrated in some of the code samples available through the preceding link, the caller can specify an array of AccountPerm structures to either construct a new security descriptor or add to an existing security descriptor of any securable object. If the caller wants to pass a well known SID, the caller can allocate the SID by using the AllocateAndInitializeSid() function and then specify it in the pSid structure member, with SidPassedByCaller set to True. Step-By-Step Example - First step to test this example is create 3 User accounts (User1, User2 and User3) as shown below - Create a test folder lets say c:\temp\test - Create a standard exe project - Add a module to the project - Place one textbox and one command button on the form1 - Place the following code in form1 code window Form1.frm Click here to copy the following block Private Sub Command1_Click()   Dim success As Boolean   success = UpdatePermissionsOfFolder(Text1)   If success = False Then     MsgBox "Error in UpdatePermissionsOfFolder", vbCritical   Else     MsgBox "Permissions Applied Successfully", vbInformation   End If   '//Create Mutex demo   'call CreateObjectSecurityDescriptor End Sub Private Sub Form_Load() '//make sure that this path exist on your system   Text1.Text = "C:\temp\test"   Command1.Caption = "<< Apply Permissions" End Sub - Place the following code in Module1 Module1.bas Click here to copy the following block Option Explicit ' Constants used within our API calls. Refer to the MSDN for more ' information on how/what these constants are used for. ' Memory constants used by various memory API calls. Private Const LMEM_FIXED = &H0 Private Const LMEM_ZEROINIT = &H40 Private Const LPTR = (LMEM_FIXED + LMEM_ZEROINIT) 'Generic Access Rights Public Const GENERIC_ALL = &H10000000 Public Const GENERIC_READ = &H80000000 Public Const GENERIC_EXECUTE = &H20000000 Public Const GENERIC_WRITE = &H40000000 'Standard Access Rights Public Const DELETE = &H10000 Public Const READ_CONTROL = &H20000 Public Const WRITE_DAC = &H40000 Public Const WRITE_OWNER = &H80000 Public Const SYNCHRONIZE = &H100000 Public Const STANDARD_RIGHTS_REQUIRED = &HF0000 Public Const STANDARD_RIGHTS_READ = READ_CONTROL Public Const STANDARD_RIGHTS_WRITE = READ_CONTROL Public Const STANDARD_RIGHTS_EXECUTE = READ_CONTROL Public Const STANDARD_RIGHTS_ALL = &H1F0000 Public Const SPECIFIC_RIGHTS_ALL = &HFFFF& Public Const ACCESS_SYSTEM_SECURITY = &H1000000 Public Const MAXIMUM_ALLOWED = &H2000000 ' Constants to be used in API calls. Refer to the MSDN for more ' information on how/what these constants are used for. Private Const DACL_SECURITY_INFORMATION = &H4 Private Const SECURITY_DESCRIPTOR_REVISION = 1 Private Const SECURITY_DESCRIPTOR_MIN_LENGTH = 20 Private Const SD_SIZE = (65536 + SECURITY_DESCRIPTOR_MIN_LENGTH) Private Const ACL_REVISION2 = 2 Private Const ACL_REVISION = 2 Private Const MAXDWORD = &HFFFFFFFF Private Const SidTypeUser = 1 Private Const AclSizeInformation = 2 ' The following are the inherit flags that go into the AceFlags ' field of an Ace header. Public Const OBJECT_INHERIT_ACE = &H1 Public Const CONTAINER_INHERIT_ACE = &H2 Public Const NO_PROPAGATE_INHERIT_ACE = &H4 Public Const INHERIT_ONLY_ACE = &H8 Public Const INHERITED_ACE = &H10 Public Const VALID_INHERIT_FLAGS = &H1F ' The following are the security descriptor flags. Private Const SE_DACL_AUTO_INHERIT_REQ = &H100 Private Const SE_SACL_AUTO_INHERIT_REQ = &H200 Private Const SE_DACL_AUTO_INHERITED = &H400 Private Const SE_SACL_AUTO_INHERITED = &H800 Private Const SE_DACL_PROTECTED = &H1000 Private Const SE_SACL_PROTECTED = &H2000 ' Type of ACE being added. Public Const ACCESS_ALLOWED_ACE_TYPE = 0 Public Const ACCESS_DENIED_ACE_TYPE = 1 ' ' Constants from WINNT.H for the various well-known SIDs, users and groups ' Public Const SECURITY_WORLD_SID_AUTHORITY = &H1 Public Const SECURITY_NT_AUTHORITY = &H5 Public Const SECURITY_BUILTIN_DOMAIN_RID = &H20& Public Const DOMAIN_ALIAS_RID_ADMINS = &H220& Public Const DOMAIN_ALIAS_RID_USERS = &H221& Public Const SECURITY_LOCAL_SYSTEM_RID = &H12 Public Const SECURITY_WORLD_RID = &H0 Public Const DOMAIN_USER_RID_ADMIN = &H1F4 Public Const DOMAIN_USER_RID_GUEST = &H1F5 Public Const DOMAIN_GROUP_RID_ADMINS = &H200 Public Const INVALID_HANDLE_VALUE = -1 Public Const OPEN_EXISTING = 3 Public Const FILE_FLAG_BACKUP_SEMANTICS = &H2000000 'Folder Specific Access Rights Public Const FILE_LIST_DIRECTORY = &H1&  ' directory Public Const FILE_ADD_FILE = &H2&  ' directory Public Const FILE_ADD_SUBDIRECTORY = &H4&  ' directory Public Const FILE_TRAVERSE = &H20&  ' directory Public Const FILE_DELETE_CHILD = &H40&  ' directory Public Const FILE_READ_DATA = &H1&  ' file Public Const FILE_WRITE_DATA = &H2&  ' file Public Const FILE_APPEND_DATA = &H4&  ' file Public Const FILE_EXECUTE = &H20&  ' file Public Const FILE_READ_EA = &H8&  ' file & directory Public Const FILE_WRITE_EA = &H10&  ' file & directory Public Const FILE_READ_ATTRIBUTES = &H80&  ' all Public Const FILE_WRITE_ATTRIBUTES = &H100&  ' all ' Generic access masks for files Public Const FILE_ALL_ACCESS As Long = _     STANDARD_RIGHTS_REQUIRED Or _     SYNCHRONIZE Or _     511 Public Const FILE_GENERIC_READ As Long = _     STANDARD_RIGHTS_READ Or _     FILE_READ_DATA Or _     FILE_READ_ATTRIBUTES Or _     FILE_READ_EA Or _     SYNCHRONIZE Public Const FILE_GENERIC_WRITE As Long = _     STANDARD_RIGHTS_WRITE Or _     FILE_WRITE_DATA Or _     FILE_WRITE_ATTRIBUTES Or _     FILE_WRITE_EA Or _     FILE_APPEND_DATA Or _     SYNCHRONIZE Public Const FILE_GENERIC_EXECUTE As Long = _     STANDARD_RIGHTS_EXECUTE Or _     FILE_READ_ATTRIBUTES Or _     FILE_EXECUTE Or _     SYNCHRONIZE ' Other constants Public Const ERROR_SUCCESS = 0& Public Const NERR_Success = 0& ' Version Information constant Private Const VER_PLATFORM_WIN32_NT = &H2 ' Types needed for ACL manipulation. Refer to MSDN for more info Private Type ACL   AclRevision As Byte   Sbz1 As Byte   AclSize As Integer   AceCount As Integer   Sbz2 As Integer End Type Private Type ACL_SIZE_INFORMATION   AceCount As Long   AclBytesInUse As Long   AclBytesFree As Long End Type Private Type ACE_HEADER   AceType As Byte   AceFlags As Byte   AceSize As Integer End Type Private Type ACE   Header As ACE_HEADER   Mask As Long   SidStart As Long End Type Private Type SECURITY_ATTRIBUTES   Length As Long   SecurityDescriptor As Long   InheritHandle As Long End Type Private Type SID_IDENTIFIER_AUTHORITY   Value(6) As Byte End Type Private Type OSVERSIONINFO   dwOSVersionInfoSize As Long   dwMajorVersion As Long   dwMinorVersion As Long   dwBuildNumber As Long   dwPlatformId As Long   szCSDVersion As String * 128 End Type ' Application Types Public Type AccountPerm   AccountName As String   AccessMask As Long   AceFlags As Byte   AceType As Byte   pSid As Long   SidPassedByCaller As Boolean End Type Private Type SDMemInfo   pSD As Long   pAcl As Long End Type Private Declare Function LocalAlloc Lib "kernel32.dll" _     (ByVal wFlags As Long, ByVal wBytes As Long) As Long Private Declare Function LocalFree Lib "kernel32.dll" _     (ByVal hMem As Long) As Long Private Declare Sub CopyMemory Lib "kernel32.dll" Alias "RtlMoveMemory" _     (hpvDest As Any, ByVal hpvSource As Long, _     ByVal cbCopy As Long) Private Declare Function InitializeSecurityDescriptor Lib "advapi32.dll" _     (ByVal pSecurityDescriptor As Long, _     ByVal dwRevision As Long) As Long Private Declare Function LookupAccountName Lib "advapi32.dll" Alias _     "LookupAccountNameA" (ByVal lpSystemName As Long, _     ByVal lpAccountName As String, _     ByVal Sid As Long, _     cbSid As Long, _     ByVal ReferencedDomainName As String, _     cbReferencedDomainName As Long, _     peUse As Long) As Long Private Declare Function GetLengthSid Lib "advapi32.dll" _     (ByVal pSid As Long) As Long Private Declare Function InitializeAcl Lib "advapi32.dll" _     (ByVal pAcl As Long, ByVal nAclLength As Long, _     ByVal dwAclRevision As Long) As Long Private Declare Function SetSecurityDescriptorDacl Lib "advapi32.dll" _     (ByVal pSecurityDescriptor As Long, ByVal bDaclPresent As Long, _     ByVal pDacl As Long, ByVal bDaclDefaulted As Long) As Long Private Declare Function GetAce Lib "advapi32.dll" _     (ByVal pAcl As Long, ByVal dwAceIndex As Long, pACE As Long) As Long Private Declare Function GetSecurityDescriptorDacl Lib "advapi32.dll" _     (ByVal pSecurityDescriptor As Long, lpbDaclPresent As Long, _     pDacl As Long, lpbDaclDefaulted As Long) As Long Private Declare Function GetAclInformation Lib "advapi32.dll" _     (ByVal pAcl As Long, pAclInformation As Any, _     ByVal nAclInformationLength As Long, _     ByVal dwAclInformationClass As Long) As Long Private Declare Function GetSecurityDescriptorControl Lib "advapi32.dll" _     (ByVal pSecurityDescriptor As Long, _     pControl As Long, lpdwRevision As Long) As Long Private Declare Function SetSecurityDescriptorControl Lib "advapi32.dll" _     (ByVal pSecurityDescriptor As Long, _     ByVal controlBitsOfInterest As Long, _     ByVal controlBitsToSet As Long) As Long Private Declare Function EqualSid Lib "advapi32.dll" _     (ByVal pSid1 As Long, ByVal pSid2 As Long) As Long Private Declare Function AddAce Lib "advapi32.dll" (ByVal pAcl As Long, _     ByVal dwAceRevision As Long, ByVal dwStartingAceIndex As Long, _     ByVal pAceList As Long, ByVal nAceListLength As Long) As Long Private Declare Function AllocateAndInitializeSid Lib "advapi32.dll" _     (pIdentifierAuthority As SID_IDENTIFIER_AUTHORITY, _     ByVal nSubAuthorityCount As Byte, ByVal nSubAuthority0 As Long, _     ByVal nSubAuthority1 As Long, ByVal nSubAuthority2 As Long, _     ByVal nSubAuthority3 As Long, ByVal nSubAuthority4 As Long, _     ByVal nSubAuthority5 As Long, ByVal nSubAuthority6 As Long, _     ByVal nSubAuthority7 As Long, lpPSid As Long) As Long Private Declare Sub FreeSid Lib "advapi32.dll" (ByVal pSid As Long) ' APIs for modifying DACL of a kernel object Private Declare Function GetKernelObjectSecurity Lib "advapi32.dll" _     (ByVal hObject As Long, _     ByVal RequestedInformation As Long, _     ByVal pSecurityDescriptor As Long, _     ByVal nLength As Long, _     lpnLengthNeeded As Long) As Long Private Declare Function SetKernelObjectSecurity Lib "advapi32.dll" _     (ByVal hObject As Long, _     ByVal SecurityInformation As Long, _     ByVal pSecurityDescriptor As Long) As Long Private Declare Function CreateMutex Lib "kernel32.dll" _     Alias "CreateMutexA" ( _     lpMutexAttributes As SECURITY_ATTRIBUTES, _     bInitialOwner As Long, _     ByVal lpName As String) As Long Private Declare Function CloseHandle Lib "kernel32.dll" _     (ByVal hObject As Long) As Long Private Declare Function CreateFile Lib "kernel32.dll" _     Alias "CreateFileA" (ByVal lpFileName As String, _     ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, _     ByVal lpSecurityAttributes As Long, _     ByVal dwCreationDisposition As Long, _     ByVal dwFlagsAndAttributes As Long, _     ByVal hTemplateFile As Long) As Long ' Version Checking APIs Private Declare Function GetVersionExA Lib "kernel32.dll" _     (lpVersionInformation As OSVERSIONINFO) As Integer Private Function IsEqual(Accounts() As AccountPerm, pSid As Long) As Boolean   Dim nEntries As Long   Dim nIndex As Long   ' Check if the supplied SID pSid matches with one of the   ' new SIDs specified in Accounts()   nEntries = UBound(Accounts)   For nIndex = 0 To nEntries     If (EqualSid(Accounts(nIndex).pSid, pSid)) Then       IsEqual = True       Exit Function     End If   Next   IsEqual = False End Function Private Function ConstructAndAddAce( _     ByVal pNewACL As Long, _     ByVal AceType As Byte, _     ByVal AceFlags As Byte, _     ByVal AccessMask As Long, _     ByVal pSid As Long) As Long   Dim fResult As Long   Dim dwNewACESize As Long   Dim dwSidLen As Long   Dim tempAce As ACE   Dim pACE As Long   fResult = 0   On Error GoTo Label1   ' Find the length of SID and size of new ACE to be added   dwSidLen = GetLengthSid(pSid)   dwNewACESize = Len(tempAce) + dwSidLen - 4   ' Allocate memory for the new ACE   pACE = LocalAlloc(LPTR, dwNewACESize)   If pACE = 0 Then Err.Raise 0   ' Set up the ACE structure in VB variable   tempAce.Header.AceType = AceType   tempAce.Header.AceFlags = AceFlags   tempAce.Header.AceSize = dwNewACESize   tempAce.Mask = AccessMask   ' Copy the VB variable contents and the SID to the   ' the ACE allocated   CopyMemory ByVal pACE, VarPtr(tempAce), LenB(tempAce)   CopyMemory ByVal pACE + 8, pSid, dwSidLen   ' Add the new ACE to the new ACL   fResult = AddAce(pNewACL, ACL_REVISION, _       MAXDWORD, _       pACE, _       dwNewACESize)   LocalFree pACE Label1:   ConstructAndAddAce = fResult End Function Private Function AddSecurityDescriptor(ByVal pOldSD As Long, _                     Accounts() As AccountPerm, _                     sdInfo As SDMemInfo) As Long   Dim pNewACL As Long   Dim dwNewACLSize As Long   Dim dwTotalDACLSize As Long   Dim szDomainName As String   Dim cbDomainName As Long   Dim nSidSize As Long   Dim I As Long, n As Long   Dim eUse As Long   Dim fReturn As Long   Dim fResult As Long   Dim tempACL As ACL   Dim tempAce As ACE   Dim Ptr As Long   Dim dwNumOfAccounts As Long   Dim pSD As Long   Dim AceIndex As Long   Dim lDaclPresent As Long   Dim lDaclDefaulted As Long   Dim sACLInfo As ACL_SIZE_INFORMATION   Dim pAcl As Long   Dim osinfo As OSVERSIONINFO   Dim w2kOrAbove As Boolean   On Error GoTo ExitLabel   ' Determine if system is Windows 2000 or above   osinfo.dwOSVersionInfoSize = Len(osinfo)   osinfo.szCSDVersion = Space$(128)   GetVersionExA osinfo   w2kOrAbove = _       (osinfo.dwPlatformId = VER_PLATFORM_WIN32_NT And _       osinfo.dwMajorVersion >= 5)   ' Intialize some of the variables   fReturn = 0   sdInfo.pAcl = 0   sdInfo.pSD = 0   dwNumOfAccounts = UBound(Accounts)   ' Allocate memory for a new Security Descriptor   pSD = LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH)   If pSD = 0 Then Err.Raise 0   sdInfo.pSD = pSD   ' Initialize the new Security Descriptor   fResult = InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION)   If fResult = 0 Then Err.Raise 0   ' Get the existing ACL size   lDaclPresent = 0   pAcl = 0   If (pOldSD) Then     fResult = GetSecurityDescriptorDacl(pOldSD, lDaclPresent, _         pAcl, lDaclDefaulted)     If fResult = 0 Then Err.Raise 0     If (lDaclPresent <> 0 And pAcl <> 0) Then       fResult = GetAclInformation(pAcl, sACLInfo, Len(sACLInfo), 2&)       If fResult = 0 Then Err.Raise 0       dwTotalDACLSize = sACLInfo.AclBytesInUse     Else       dwTotalDACLSize = Len(tempACL)     End If   Else     dwTotalDACLSize = Len(tempACL)   End If   ' Find the SIDs for each userName supplied in Accounts() array   ' and compute the new ACL size needed.   ' Call LookupAccountName only for the entries where the   ' SID is not supplied by the caller.   szDomainName = Space(256)   For n = 0 To dwNumOfAccounts     If (Accounts(n).pSid = 0) Then       nSidSize = 0       cbDomainName = 256       ' Lookup the SID for this user       ' First call is to find the buffer size required for SID       fResult = LookupAccountName(0, Accounts(n).AccountName, 0, _           nSidSize, szDomainName, _           cbDomainName, eUse)       Accounts(n).pSid = LocalAlloc(LPTR, nSidSize)       If Accounts(n).pSid = 0 Then Err.Raise 0       ' Get the Actual SID value in this second call       fResult = LookupAccountName(0, Accounts(n).AccountName, _           Accounts(n).pSid, _           nSidSize, szDomainName, _           cbDomainName, eUse)       If fResult = 0 Then Err.Raise 0     End If     ' sizeof(DWORD) = 4     dwNewACLSize = Len(tempAce) + GetLengthSid(Accounts(n).pSid) - 4     dwTotalDACLSize = dwTotalDACLSize + dwNewACLSize   Next   ' Allocate memory for the new ACL   pNewACL = LocalAlloc(LPTR, dwTotalDACLSize)   If pNewACL = 0 Then Err.Raise 0   sdInfo.pAcl = pNewACL   ' Initialize the new ACL   fResult = InitializeAcl(pNewACL, dwTotalDACLSize, ACL_REVISION)   If fResult = 0 Then Err.Raise 0   AceIndex = 0   ' Add the new ACCESS DENIED ACEs first to the DACL   For n = 0 To dwNumOfAccounts     If (Accounts(n).AceType = ACCESS_DENIED_ACE_TYPE) Then       fResult = ConstructAndAddAce(pNewACL, _           Accounts(n).AceType, _           Accounts(n).AceFlags, _           Accounts(n).AccessMask, _           Accounts(n).pSid)       If fResult = 0 Then Err.Raise 0       AceIndex = AceIndex + 1     End If   Next   ' Copy all non-inherited ACEs from the existing DACL   If (lDaclPresent <> 0 And pAcl <> 0 And sACLInfo.AceCount > 0) Then     ' Get each ACE from the old DACL and add them into the new DACL.     For I = 0 To (sACLInfo.AceCount - 1)       ' Attempt to get the next ACE.       fResult = GetAce(pAcl, I, Ptr)       If (fResult = 0) Then Err.Raise 0       CopyMemory tempAce, Ptr, LenB(tempAce)       ' Exit this for loop, once the first INHERITED_ACE is found       If ((tempAce.Header.AceFlags And INHERITED_ACE) = INHERITED_ACE) Then         Exit For       End If       'Add the ACE to the new DACL if the SID is not in Accounts()       If Not (IsEqual(Accounts(), Ptr + 8)) Then         ' Now that you have the ACE, add it to the new ACL.         fResult = AddAce(pNewACL, ACL_REVISION, _             MAXDWORD, Ptr, _             tempAce.Header.AceSize)         If fResult = 0 Then Err.Raise 0         AceIndex = AceIndex + 1       End If     Next I   End If   ' Add the new ACCESS ALLOWED ACEs next to the DACL   For n = 0 To dwNumOfAccounts     If (Accounts(n).AceType = ACCESS_ALLOWED_ACE_TYPE) Then       fResult = ConstructAndAddAce(pNewACL, _           Accounts(n).AceType, _           Accounts(n).AceFlags, _           Accounts(n).AccessMask, _           Accounts(n).pSid)       If fResult = 0 Then Err.Raise 0       AceIndex = AceIndex + 1     End If   Next   ' Copy now all inherited ACEs from the existing DACL, so that the   ' new DACL will be in the Windows 2000 preferred order   If (lDaclPresent <> 0 And pAcl <> 0 And sACLInfo.AceCount > 0) Then     ' Get each INHERITED_ACE from the old ACL and     ' add them into the new ACL.     For I = I To (sACLInfo.AceCount - 1)       ' Attempt to get the next ACE.       fResult = GetAce(pAcl, I, Ptr)       If (fResult = 0) Then Err.Raise 0       CopyMemory tempAce, Ptr, LenB(tempAce)       ' Add it to the new ACL.       fResult = AddAce(pNewACL, ACL_REVISION, _           MAXDWORD, Ptr, _           tempAce.Header.AceSize)       If fResult = 0 Then Err.Raise 0       AceIndex = AceIndex + 1     Next I   End If   If w2kOrAbove And pOldSD <> 0 Then     Dim controlFlag As Long     Dim dwRevision As Long     Dim controlBitsOfInterest As Long     Dim controlBitsToSet As Long     fResult = GetSecurityDescriptorControl(pOldSD, _         controlFlag, dwRevision)     If (fResult <> 0) Then       controlBitsOfInterest = 0       controlBitsToSet = 0       If ((controlFlag And SE_DACL_AUTO_INHERITED) = _           SE_DACL_AUTO_INHERITED) Then         controlBitsOfInterest = _             SE_DACL_AUTO_INHERIT_REQ Or _             SE_DACL_AUTO_INHERITED         controlBitsToSet = controlBitsOfInterest       ElseIf ((controlFlag And SE_DACL_PROTECTED) = _           SE_DACL_PROTECTED) Then         controlBitsOfInterest = _             SE_DACL_PROTECTED         controlBitsToSet = controlBitsOfInterest       End If       If controlBitsToSet <> 0 Then         fResult = SetSecurityDescriptorControl(pSD, _             controlBitsOfInterest, _             controlBitsToSet)         If fResult = 0 Then Err.Raise 0       End If     End If   End If   ' Add the new DACL to the new Security Descriptor   fResult = SetSecurityDescriptorDacl(pSD, 1, pNewACL, 0)   If fResult = 0 Then Err.Raise 0   fReturn = 1 ExitLabel:   ' Make sure we clean up   For n = 0 To dwNumOfAccounts     ' Free only the SIDs that has been allocated in this function     If Accounts(n).pSid <> 0 And _         Not (Accounts(n).SidPassedByCaller) Then       LocalFree (Accounts(n).pSid)       Accounts(n).pSid = 0     End If   Next   ' If any of the functions failed, free new SD, and new ACL   If fReturn = 0 Then     If (sdInfo.pSD <> 0) Then LocalFree sdInfo.pSD     sdInfo.pSD = 0     If (sdInfo.pAcl <> 0) Then LocalFree sdInfo.pAcl     sdInfo.pAcl = 0   End If   AddSecurityDescriptor = fReturn End Function Public Function UpdatePermissionsOfKernelObject( _   ByVal hObject As Long, Accounts() As AccountPerm) As Boolean   Dim fResult As Long   Dim sdInfo As SDMemInfo   Dim oldSD As Long   Dim nLengthNeeded As Long   Dim bStatus As Boolean   bStatus = False   On Error GoTo Cleanup   sdInfo.pAcl = 0   sdInfo.pSD = 0   nLengthNeeded = 0   fResult = GetKernelObjectSecurity(hObject, _       DACL_SECURITY_INFORMATION, 0, _       nLengthNeeded, nLengthNeeded)   ' This call will fail. On Return nLengthNeeded will be updated.   ' Check for that below   If nLengthNeeded = 0 Then     MsgBox "GetKernelObjectSecurity failed with error code : " _         & Err.LastDllError     Err.Raise 0   End If   oldSD = LocalAlloc(LPTR, nLengthNeeded)   If oldSD = 0 Then     MsgBox "LocalAlloc failed with error code : " _         & Err.LastDllError     Err.Raise 0   End If   fResult = GetKernelObjectSecurity(hObject, _       DACL_SECURITY_INFORMATION, oldSD, _       nLengthNeeded, nLengthNeeded)   If fResult = 0 Then     MsgBox "GetKernelObjectSecurity failed with error code : " _         & Err.LastDllError     Err.Raise 0   End If   fResult = AddSecurityDescriptor(oldSD, Accounts(), sdInfo)   If fResult = 0 Then     MsgBox "Unable to create Security Descriptor"     Err.Raise 0   End If   fResult = SetKernelObjectSecurity(hObject, _       DACL_SECURITY_INFORMATION, sdInfo.pSD)   If fResult = 0 Then     MsgBox "SetKernelObjectSecurity failed with error code : " _         & Err.LastDllError     Err.Raise 0   End If   bStatus = True Cleanup:   'Free the memory allocated   If (oldSD <> 0) Then LocalFree oldSD   oldSD = 0   If (sdInfo.pSD <> 0) Then LocalFree sdInfo.pSD   sdInfo.pSD = 0   If (sdInfo.pAcl <> 0) Then LocalFree sdInfo.pAcl   sdInfo.pAcl = 0   UpdatePermissionsOfKernelObject = bStatus End Function Public Function UpdatePermissionsOfFolder(FolderName) As Boolean   Dim success As Boolean   Dim hFile As Long   Dim Accounts(0 To 3) As AccountPerm   Dim n As Long   Dim dwNumOfAccounts As Long   Dim siaNtAuthority As SID_IDENTIFIER_AUTHORITY   dwNumOfAccounts = UBound(Accounts)   ' Set up the account permissions that need to be created as an array   ' The following entry will allow permissions on the folder,   ' as well as future subfolders/files   Accounts(0).AccountName = ""   Accounts(0).AccessMask = GENERIC_READ   Accounts(0).AceFlags = CONTAINER_INHERIT_ACE Or OBJECT_INHERIT_ACE   Accounts(0).AceType = ACCESS_ALLOWED_ACE_TYPE   ' Construct SID for Everyone "Universal well-known SID"   siaNtAuthority.Value(5) = SECURITY_WORLD_SID_AUTHORITY   If AllocateAndInitializeSid(siaNtAuthority, 1, _       SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, _       Accounts(0).pSid) = 0 Then     MsgBox "AllocateAndInitializeSid failed with error code : " _         & Err.LastDllError     Exit Function   End If   'If the caller initializes SID, set SidPassedByCaller member to True   Accounts(0).SidPassedByCaller = True   ' The following entry will allow permissions on the folder   Accounts(1).AccountName = "User1"   Accounts(1).AccessMask = FILE_GENERIC_READ Or _       FILE_GENERIC_WRITE Or _       FILE_GENERIC_EXECUTE   Accounts(1).AceFlags = 0   Accounts(1).AceType = ACCESS_ALLOWED_ACE_TYPE   Accounts(1).pSid = 0   Accounts(1).SidPassedByCaller = False   ' The following entry will deny permissions on future files   Accounts(2).AccountName = "User2"   Accounts(2).AccessMask = FILE_ALL_ACCESS   Accounts(2).AceFlags = OBJECT_INHERIT_ACE Or INHERIT_ONLY_ACE   Accounts(2).AceType = ACCESS_DENIED_ACE_TYPE   Accounts(2).pSid = 0   Accounts(2).SidPassedByCaller = False   ' The following entry will allow permissions on future subfolders   Accounts(3).AccountName = "User3"   Accounts(3).AccessMask = FILE_GENERIC_READ Or FILE_GENERIC_EXECUTE   Accounts(3).AceFlags = CONTAINER_INHERIT_ACE Or INHERIT_ONLY_ACE   Accounts(3).AceType = ACCESS_ALLOWED_ACE_TYPE   Accounts(3).pSid = 0   Accounts(3).SidPassedByCaller = False   hFile = CreateFile(FolderName, _       READ_CONTROL Or WRITE_DAC, _       0, 0, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, 0)   If (hFile = INVALID_HANDLE_VALUE) Then     MsgBox "CreateFile failed with error code : " & Err.LastDllError   Else     success = UpdatePermissionsOfKernelObject(hFile, Accounts)     CloseHandle hFile     UpdatePermissionsOfFolder = success   End If   ' Make sure we clean up   For n = 0 To dwNumOfAccounts     If Accounts(n).pSid <> 0 And Accounts(n).SidPassedByCaller Then       FreeSid (Accounts(n).pSid)       Accounts(n).pSid = 0     End If   Next End Function '/////////////////////////////////////////////////////////////////////////// ' Sample Function to demonstrate how a NEW security desciptor can be created '/////////////////////////////////////////////////////////////////////////// Public Sub CreateObjectSecurityDescriptor()   Dim Accounts(0 To 1) As AccountPerm   Dim fResult As Long   Dim secAttr As SECURITY_ATTRIBUTES   Dim hMutex As Long   Dim sdInfo As SDMemInfo   On Error GoTo Cleanup   ' Set up the account permissions that need to be created as an array   Accounts(0).AccountName = "User1"   Accounts(0).AccessMask = GENERIC_ALL   Accounts(0).AceFlags = CONTAINER_INHERIT_ACE Or OBJECT_INHERIT_ACE   Accounts(0).AceType = ACCESS_DENIED_ACE_TYPE   Accounts(0).pSid = 0   Accounts(0).SidPassedByCaller = False   Accounts(1).AccountName = "Group1"   Accounts(1).AccessMask = GENERIC_ALL   Accounts(1).AceFlags = 0   Accounts(1).AceType = ACCESS_ALLOWED_ACE_TYPE   Accounts(1).pSid = 0   Accounts(1).SidPassedByCaller = False   fResult = AddSecurityDescriptor(0, Accounts(), sdInfo)   If fResult = 0 Then     MsgBox "Unable to create Security Descriptor"     Err.Raise 0   End If   ' Example of using the created security descriptor in a   ' kernel/user object creation   secAttr.Length = Len(secAttr)   secAttr.InheritHandle = 0   secAttr.SecurityDescriptor = sdInfo.pSD   'Call any function which uses SECURITY_ATTRIBUTES as a parameter   'Here we have used CreateMutex just for example purpose   hMutex = CreateMutex(secAttr, 0, "TestMutex")   If hMutex = 0 Then     MsgBox "Unable to create mutex"     Err.Raise 0   End If Cleanup:   If (hMutex <> 0) Then CloseHandle (hMutex)   'Free the memory allocated in CreateSecurityDescriptor   If (sdInfo.pSD <> 0) Then LocalFree sdInfo.pSD   sdInfo.pSD = 0   If (sdInfo.pAcl <> 0) Then LocalFree sdInfo.pAcl   sdInfo.pAcl = 0 End Sub - Now press F5 to run the demo - Default path for our example is c:\temp\test, if you dont want to use this folder path then you can enter a different path but make sure this path must exist on the system. - Now click on Apply Permissions button. - If you receive success message then goto the folder path which you have entered and check security of the folder (Properties->Security tab). Click on the Advanced button on security tab and you should see the entries for User1,User2 and User3 as shown below

Related Article(s)

GetFileOwner - Get the owner of an NTFS file

Determining Free Disk Space on a Fat32 (or NTFS) Drive

Programmatically Set NTFS File System Folder Permissions by Using Microsoft Visual Basic .NET

How to set NTFS permission programatically using Security APIs

Inside Disk Defragmenting

NTFSInfo - View NTFS Volume information

Check Access Rights to File/Directory on NTFS Volume

Handling NTFS Permissions Part-2 (handling user object permissions)

Handling NTFS Permissions Part-3 (handling shared resource permissions)

Handling NTFS Permissions Part-4 (handling registry key permissions)

Handling NTFS Permissions Part-5 (handling printer permissions)

Working with LZ (Lempel-Ziv) compression APIs

Working with file time APIs

Taking advantage of EFS (Encrypted File System) APIs in Win2K/XP

Taking advantage of NTFS inbuilt compression using APIs (Only for NTFS file system)

Submitted By : Nayan Patel  (Member Since : 5/26/2004 12:23:06 PM)
	Job Description : He is the moderator of this site and currently working as an independent consultant. He works with VB.net/ASP.net, SQL Server and other MS technologies. He is MCSD.net, MCDBA and MCSE. In his free time he likes to watch funny movies and doing oil painting.
View all (893) submissions by this author  (Birth Date : 7/14/1981 )