

Retrieving NTFS Permissions with C++ : Page 4

There are plenty of handy things you can do if you have programmatic access to the permissions set in the NT File System. Learn to employ C++ and Win32 APIs to query the Access Control Lists that hold security settings for files or folders and use that information however you like.





The Output Method
Most of the work of interpreting the queried ACEs is done in the Output method. Each node of m_sAceList has a bAllowed field, which records whether the stored ACE allows or denies permissions. Recall that the ACE type is stored in the ACE's header, represented by the ACE_HEADER structure. Knowing the ACE type is not enough, because we also have to know exactly which permissions it allows or denies. This is where the AccessMask field comes in. This field is present in both the ACCESS_ALLOWED_ACE and ACCESS_DENIED_ACE structures. It is just a combination (bitwise OR) of permission flags. Each advanced permission (those that appear in Figure 3) has its own bit. Examine the AccessMask field to see which permissions an ACE allows or denies.

Visual C++ header files have predefined macros for advanced permission flags, such as FILE_READ_DATA, FILE_EXECUTE, etc. There are also macros that represent frequently used combinations of permission flags (FILE_GENERIC_READ, FILE_GENERIC_WRITE).

In the ACLInfo sample, I defined my own combinations for read, write, and execute permissions:


There are two different checks, one for allowed ACEs and one for denied ACEs. When I examine an allowed ACE, this code executes:

    // For Allowed aces
    if (pList->bAllowed)
    {
        // Read Permissions
        if ((maskPermissions & READ_PERMISSIONS) == READ_PERMISSIONS)
        {
            os << "R";
        }
        else
        {
            os << " ";
        }
        . . .

The above check ensures that an allowed ACE is reported as granting read only when all of the READ_PERMISSIONS flags are turned on.

In the case of a denied ACE, the check is the opposite; if at least one flag of READ_PERMISSIONS is turned on, I decide that the ACE denies reading:

    . . .
    else // Denied Ace permissions
    {
        // Read Permissions
        if ((maskPermissions & READ_PERMISSIONS) != 0)
        {
            os << "R";
        }
        else
        {
            os << " ";
        }
        . . .

I perform similar checks for write and execute permissions.
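The two checks above, folded into one function and run over constructed masks, as an added example that is not part of the ACLInfo sample. The kRead/kWrite/kExec combinations, the W and X letters, and the names Flag and SummarizeAce are assumptions; the flag values are copied from winnt.h so the code builds without <windows.h>.

```cpp
#include <cstdint>
#include <iostream>
#include <string>

// Flag values copied from winnt.h (macro name in the trailing comment).
constexpr uint32_t kFileReadData        = 0x0001; // FILE_READ_DATA
constexpr uint32_t kFileWriteData       = 0x0002; // FILE_WRITE_DATA
constexpr uint32_t kFileAppendData      = 0x0004; // FILE_APPEND_DATA
constexpr uint32_t kFileReadEa          = 0x0008; // FILE_READ_EA
constexpr uint32_t kFileWriteEa         = 0x0010; // FILE_WRITE_EA
constexpr uint32_t kFileExecute         = 0x0020; // FILE_EXECUTE
constexpr uint32_t kFileReadAttributes  = 0x0080; // FILE_READ_ATTRIBUTES
constexpr uint32_t kFileWriteAttributes = 0x0100; // FILE_WRITE_ATTRIBUTES

// Assumed combinations (the sample's own definitions are not shown on the page).
// READ_CONTROL and SYNCHRONIZE are left out on purpose: every FILE_GENERIC_*
// mask carries them, so the "any bit" deny test would match on them alone.
constexpr uint32_t kRead  = kFileReadData | kFileReadEa | kFileReadAttributes;
constexpr uint32_t kWrite = kFileWriteData | kFileAppendData |
                            kFileWriteEa | kFileWriteAttributes;
constexpr uint32_t kExec  = kFileExecute;

// One column: an allowed ACE needs every bit of combo, a denied ACE any one bit.
static char Flag(bool allowed, uint32_t mask, uint32_t combo, char letter) {
    bool hit = allowed ? (mask & combo) == combo : (mask & combo) != 0;
    return hit ? letter : ' ';
}

// Hypothetical helper: the three-column summary for one ACE.
std::string SummarizeAce(bool allowed, uint32_t mask) {
    return std::string{Flag(allowed, mask, kRead, 'R'),
                       Flag(allowed, mask, kWrite, 'W'),
                       Flag(allowed, mask, kExec, 'X')};
}

int main() {
    // Constructed masks: FILE_GENERIC_EXECUTE (0x1200A0) and a lone FILE_READ_DATA.
    std::cout << "allow 0x1200A0: [" << SummarizeAce(true, 0x1200A0) << "]\n"
              << "deny  0x1200A0: [" << SummarizeAce(false, 0x1200A0) << "]\n"
              << "allow 0x000001: [" << SummarizeAce(true, kFileReadData) << "]\n"
              << "deny  0x000001: [" << SummarizeAce(false, kFileReadData) << "]\n";
}
```

FILE_GENERIC_EXECUTE includes FILE_READ_ATTRIBUTES, so the same mask is summarized as execute-only on an allow ACE but as read and execute on a deny ACE. The summary therefore under-reports grants and over-reports denials, and the raw mask is still needed when the exact bits matter.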
