

Retrieving NTFS Permissions with C++ : Page 5

There are plenty of handy things you can do if you have programmatic access to the permissions set in the NT File System. Learn to employ C++ and Win32 APIs to query the Access Control Lists that hold security settings for files or folders and use that information however you like.





Extracting Names
It is sometimes useful to extract the user or group name from an ACE. The following code fragment retrieves the SID that is stored in the ACE (the two lines that assign pAceSid):

    pAce = pList->pAce;
    if (pList->bAllowed)
    {
        ACCESS_ALLOWED_ACE* pAllowed = (ACCESS_ALLOWED_ACE*)pAce;
        // The SID starts at the SidStart member of the ACE
        pAceSid = (SID*)(&(pAllowed->SidStart));
        maskPermissions = pAllowed->Mask;
    }
    else
    {
        ACCESS_DENIED_ACE* pDenied = (ACCESS_DENIED_ACE*)pAce;
        // Same layout for a denied ACE
        pAceSid = (SID*)(&(pDenied->SidStart));
        maskPermissions = pDenied->Mask;
    }

With the SID in hand, we can obtain the account information using the LookupAccountSid API call, as shown below:

    DWORD dwCbName = 0;
    DWORD dwCbDomainName = 0;
    SID_NAME_USE SidNameUse;
    TCHAR bufName[MAX_PATH];
    TCHAR bufDomain[MAX_PATH];
    // LookupAccountSid expects buffer sizes in TCHARs, not bytes;
    // plain sizeof() would overstate the size in a Unicode build
    dwCbName = sizeof(bufName) / sizeof(TCHAR);
    dwCbDomainName = sizeof(bufDomain) / sizeof(TCHAR);

    // Get account name for SID
    BOOL bSuccess = LookupAccountSid(NULL, pAceSid, bufName, &dwCbName,
                                     bufDomain, &dwCbDomainName, &SidNameUse);
    if (!bSuccess)
    {
        cout << "Failed to get account for SID";
        continue;
    }

LookupAccountSid stores the user or group name in bufName and the domain name in bufDomain. SidNameUse is populated with the type of security entity that the SID represents (user, group, well-known group, etc.).

In your programs, you may choose a different interpretation of the information stored in ACLs. Just remember that the account under which these programs run must itself have sufficient rights to read the permissions of the objects being queried.
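The fragment above skips an ACE whenever LookupAccountSid fails, so a SID that no longer maps to an account disappears from the listing. The following added example (not part of the original article's code) shows one way to keep such an entry visible by printing the SID in its S-R-I-S text form; on Windows ConvertSidToStringSid does this conversion, and the byte-level decoder here exists only so the example builds without <windows.h>. SidBytesToString and AceLabel are hypothetical names, and the sample SID bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Formats the raw SID bytes found at an ACE's SidStart as "S-R-I-S..." text.
// Returns an empty string if the buffer is too short or the header is invalid.
std::string SidBytesToString(const uint8_t* p, size_t len) {
    const size_t kHeader = 8;         // revision + count + 6-byte authority
    const unsigned kMaxSubAuth = 15;  // SID_MAX_SUB_AUTHORITIES
    if (p == nullptr || len < kHeader) return "";
    unsigned revision = p[0], count = p[1];
    if (revision != 1 || count > kMaxSubAuth) return "";
    if (len < kHeader + 4u * count) return "";  // truncated sub-authority list
    uint64_t authority = 0;                     // stored big-endian
    for (int i = 2; i < 8; ++i) authority = (authority << 8) | p[i];
    std::string out = "S-" + std::to_string(revision) + "-" + std::to_string(authority);
    for (unsigned i = 0; i < count; ++i) {      // each stored little-endian
        const uint8_t* s = p + kHeader + 4 * i;
        uint32_t sub = s[0] | (s[1] << 8) | (s[2] << 16) | (uint32_t(s[3]) << 24);
        out += "-" + std::to_string(sub);
    }
    return out;
}

// Label for one ACE: the resolved account name, or the SID text when the
// lookup failed, so the entry is reported instead of skipped.
std::string AceLabel(bool lookupOk, const std::string& account,
                     const std::vector<uint8_t>& sid) {
    if (lookupOk) return account;
    std::string text = SidBytesToString(sid.data(), sid.size());
    return text.empty() ? "<malformed SID>" : text + " (unresolved)";
}

int main() {
    // Constructed sample: the well-known SID of BUILTIN\Users, S-1-5-32-545.
    std::vector<uint8_t> users = {1, 2, 0, 0, 0, 0, 0, 5,
                                  32, 0, 0, 0, 0x21, 0x02, 0, 0};
    // Simulate a failed lookup to show the fallback label.
    std::cout << "Allowed to: " << AceLabel(false, "", users) << " [R X]\n";
    return 0;
}
```

In the article's loop, the equivalent change is to print the SID string in place of the account name when bSuccess is FALSE, rather than executing continue.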

The Sample Run
I ran the ACLInfo.exe program specifying the path to the file that resides on my NTFS partition (disk G) and obtained the following output:

    D:\Articles\DevX\NTFS\ACLInfo\VS_7\Debug>ACLInfo.exe "g:\my documents\specs.txt"
    Allowed to: BUILTIN\Users [R X]
    Allowed to: LOTUS\Yevgeny Menaker [RWX]
    Allowed to: NT AUTHORITY\SYSTEM [RWX]
    Allowed to: BUILTIN\Administrators [RWX]
    Denied from: LOTUS\Yevgeny Menaker [ X]
    Denied from: LOTUS\Rob [R X]

Note that paths containing spaces must be enclosed in double quotes on the command line.

You should now have a working knowledge of how to use Win32 APIs to query security information from NTFS objects (files and folders). You may expand the supplied code to fit your needs and hand the heavy task of managing user permissions over to NTFS. Many products, such as Microsoft IIS, already employ this technique. Now you can too.

Yevgeny Menaker is a software engineer for Vidius, where he is developing security technologies. He is the author of "Programming Perl in the .NET Environment" (Prentice Hall) and a Linux consultant. Reach him via e-mail.