Get File, Folder Permissions [Win_Func]

Thunder93
Addict
Posts: 1788
Joined: Tue Mar 21, 2006 12:31 am
Location: Canada


Post by Thunder93 »

The counterpart to my previous tips. :lol:


; Security-information flags for GetFileSecurity() (WinNT.h)
#OWNER_SECURITY_INFORMATION            = $1
#GROUP_SECURITY_INFORMATION            = $2
#DACL_SECURITY_INFORMATION             = $4

; Defined here in case the PureBasic version in use does not ship these two constants.
CompilerIf Not Defined(GENERIC_ALL, #PB_Constant) : #GENERIC_ALL = $10000000 : CompilerEndIf
CompilerIf Not Defined(WRITE_DAC, #PB_Constant)   : #WRITE_DAC   = $40000    : CompilerEndIf

Enumeration ;ACL_INFORMATION_CLASS
  #AclRevisionInformation = 1
  #AclSizeInformation
EndEnumeration

; Reads the owner and the DACL of a file or directory and prints one block of Debug
; output per ACE. Returns 1 on success, 0 if the security descriptor could not be read.
Procedure.b EnumFileFolderPermissions(Value$)
  Protected *pSecDesc.SECURITY_DESCRIPTOR = #Null, *pDacl.ACL, *pAce.ACCESS_ALLOWED_ACE, aclSize.ACL_SIZE_INFORMATION
  Protected.i retfunc, acl_ACECount, dwAccountNameSize, dwDomainNameSize, SID_NAME_USE, pOwner
  Protected.l lpnLengthNeeded, lpbOwnerDef, bDaclPresent, bDaclDefault
  Protected.s szAccountName, szDomainName
  Protected AccessMask$, StandardAccess$, GenericAccess$, SpecificAccess$, AceType$
  ; FileSize() returns -2 for a directory, which is more reliable than testing for a
  ; file extension. Directories are expected to carry ACE pairs (see the loop below).
  Protected.b IsFile = Bool(FileSize(Value$) <> -2)
  
  Debug "GetFileSecurity( "+Value$+" )"
  Debug ""
  
  ; First call with no buffer only reports the size of the security descriptor.
  retfunc = GetFileSecurity_(@Value$, #DACL_SECURITY_INFORMATION|#OWNER_SECURITY_INFORMATION, #Null, 0, @lpnLengthNeeded)
  If retfunc = 0 And GetLastError_() = #ERROR_INSUFFICIENT_BUFFER And lpnLengthNeeded > 0
    *pSecDesc = AllocateMemory(lpnLengthNeeded)
    If Not *pSecDesc : Debug "*pSecDesc memory allocation failed." : ProcedureReturn 0 : EndIf
    retfunc = GetFileSecurity_(@Value$, #DACL_SECURITY_INFORMATION|#OWNER_SECURITY_INFORMATION, *pSecDesc, lpnLengthNeeded, @lpnLengthNeeded)
  Else
    retfunc = 0
  EndIf
  If Not retfunc
    ; Typical causes: the path does not exist, or the caller lacks READ_CONTROL on it.
    Debug "GetFileSecurity API failed (error " + Str(GetLastError_()) + ")."
    If *pSecDesc : FreeMemory(*pSecDesc) : EndIf
    ProcedureReturn 0
  EndIf
  
  ; Owner. LookupAccountSid() is called twice: once to size the buffers, once to fill them.
  If GetSecurityDescriptorOwner_(*pSecDesc, @pOwner, @lpbOwnerDef) And pOwner
    LookupAccountSid_(#Null, pOwner, 0, @dwAccountNameSize, 0, @dwDomainNameSize, @SID_NAME_USE)
    szAccountName = Space(dwAccountNameSize)
    szDomainName = Space(dwDomainNameSize)
    If LookupAccountSid_(#Null, pOwner, @szAccountName, @dwAccountNameSize, @szDomainName, @dwDomainNameSize, @SID_NAME_USE)
      Debug "Object Ownership:"
      Debug "   Account = " + szAccountName + ", Domain = " + szDomainName
      Debug ""
    EndIf
    dwAccountNameSize = 0 : dwDomainNameSize = 0
  EndIf
  
  ; DACL. Three states need telling apart: no DACL, a NULL DACL (everyone gets
  ; full access) and an empty DACL (nobody gets any access).
  If Not GetSecurityDescriptorDacl_(*pSecDesc, @bDaclPresent, @*pDacl, @bDaclDefault)
    Debug "GetSecurityDescriptorDacl API failed." : FreeMemory(*pSecDesc) : ProcedureReturn 0
  EndIf
  If bDaclPresent = 0
    Debug "No DACL" : FreeMemory(*pSecDesc) : ProcedureReturn 0
  EndIf
  If *pDacl = #Null
    Debug "NULL DACL: no protection, every principal has full access." : FreeMemory(*pSecDesc) : ProcedureReturn 1
  EndIf
  GetAclInformation_(*pDacl, @aclSize, SizeOf(aclSize), #AclSizeInformation)
  If aclSize\AceCount = 0
    Debug "Empty DACL: access is denied to everyone." : FreeMemory(*pSecDesc) : ProcedureReturn 1
  EndIf
  
  ; Walk the ACL backwards. For directories the original steps two ACEs at a time,
  ; assuming each trustee has an explicit ACE plus an inherit-only twin ("(Sub Only)");
  ; ACLs that do not follow that pattern will have ACEs skipped.
  acl_ACECount = aclSize\AceCount - 1
  While acl_ACECount >= 0
    If GetAce_(*pDacl, acl_ACECount, @*pAce)
      LookupAccountSid_(#Null, @*pAce\SidStart, 0, @dwAccountNameSize, 0, @dwDomainNameSize, @SID_NAME_USE)
      szAccountName = Space(dwAccountNameSize)
      szDomainName = Space(dwDomainNameSize)
      If LookupAccountSid_(#Null, @*pAce\SidStart, @szAccountName, @dwAccountNameSize, @szDomainName, @dwDomainNameSize, @SID_NAME_USE)
        
        ; An ACE carrying exactly GENERIC_ALL is the inherit-only form of Full Control.
        If *pAce\Mask = #FILE_ALL_ACCESS
          AccessMask$ = "( Full Control ) - "
        ElseIf *pAce\Mask = #GENERIC_ALL
          AccessMask$ = "( Full Control (Sub Only) ) - "
        EndIf
        
        ;Standard Access Rights
        If *pAce\Mask & #STANDARD_RIGHTS_ALL = #STANDARD_RIGHTS_ALL
          StandardAccess$ + "( STANDARD_RIGHTS_ALL ) | "
        EndIf
        If *pAce\Mask & #DELETE
          StandardAccess$ + "DELETE - "
        EndIf
        If *pAce\Mask & #READ_CONTROL
          StandardAccess$ + "READ_CONTROL - "
        EndIf
        If *pAce\Mask & #SYNCHRONIZE
          StandardAccess$ + "SYNCHRONIZE - "
        EndIf
        If *pAce\Mask & #WRITE_OWNER
          StandardAccess$ + "WRITE_OWNER - "
        EndIf
        If *pAce\Mask & #WRITE_DAC   ; lets the holder rewrite this DACL, so it is worth listing
          StandardAccess$ + "WRITE_DAC - "
        EndIf
        If Right(StandardAccess$, 3) = " - " : StandardAccess$ = Left(StandardAccess$, Len(StandardAccess$) - 3) : EndIf
        
        ;Generic Access Rights (composite masks; each FILE_GENERIC_* includes READ_CONTROL and SYNCHRONIZE)
        If *pAce\Mask & #FILE_ALL_ACCESS = #FILE_ALL_ACCESS
          GenericAccess$ + " (Full Access) | "
        EndIf
        If *pAce\Mask & #FILE_GENERIC_READ = #FILE_GENERIC_READ
          GenericAccess$ + "FILE_GENERIC_READ - "
        EndIf
        If *pAce\Mask & #FILE_GENERIC_WRITE = #FILE_GENERIC_WRITE
          GenericAccess$ + "FILE_GENERIC_WRITE - "
        EndIf
        If *pAce\Mask & #FILE_GENERIC_EXECUTE = #FILE_GENERIC_EXECUTE
          GenericAccess$ + "FILE_GENERIC_EXECUTE - "
        EndIf
        If Right(GenericAccess$, 3) = " - " : GenericAccess$ = Left(GenericAccess$, Len(GenericAccess$) - 3) : EndIf
        
        ;Specific Access Rights (the low 16 bits; the same bit means a different thing on a directory)
        If *pAce\Mask & #FILE_READ_DATA
          SpecificAccess$ + "READ / FILE_LIST_DIRECTORY - "
        EndIf
        If *pAce\Mask & #FILE_WRITE_DATA
          SpecificAccess$ + "WRITE / FILE_ADD_FILE - "
        EndIf
        If *pAce\Mask & #FILE_APPEND_DATA
          SpecificAccess$ + "FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY / FILE_CREATE_PIPE_INSTANCE - "
        EndIf
        If *pAce\Mask & #FILE_READ_EA
          SpecificAccess$ + "FILE_READ_EA - "
        EndIf
        If *pAce\Mask & #FILE_WRITE_EA
          SpecificAccess$ + "FILE_WRITE_EA - "
        EndIf
        If *pAce\Mask & #FILE_READ_ATTRIBUTES
          SpecificAccess$ + "FILE_READ_ATTRIBUTES - "
        EndIf
        If *pAce\Mask & #FILE_WRITE_ATTRIBUTES
          SpecificAccess$ + "FILE_WRITE_ATTRIBUTES - "
        EndIf
        If *pAce\Mask & #FILE_EXECUTE
          SpecificAccess$ + "FILE_EXECUTE / FILE_TRAVERSE - "
        EndIf
        If *pAce\Mask & #FILE_DELETE_CHILD
          SpecificAccess$ + "FILE_DELETE_CHILD - "
        EndIf
        If *pAce\Mask & #SPECIFIC_RIGHTS_ALL = #SPECIFIC_RIGHTS_ALL
          SpecificAccess$ + "SPECIFIC_RIGHTS_ALL | "
        EndIf
        If Right(SpecificAccess$, 3) = " - " : SpecificAccess$ = Left(SpecificAccess$, Len(SpecificAccess$) - 3) : EndIf
        
        ; A DACL only holds allow/deny ACEs (audit ACEs live in the SACL). Deny ACEs
        ; normally precede allow ACEs and win over them, so watch the type column.
        Select *pAce\Header\AceType
          Case #ACCESS_ALLOWED_ACE_TYPE
            AceType$ = "ACCESS_ALLOWED_ACE_TYPE"
          Case #ACCESS_DENIED_ACE_TYPE
            AceType$ = "ACCESS_DENIED_ACE_TYPE"
          Case #SYSTEM_AUDIT_ACE_TYPE
            AceType$ = "SYSTEM_AUDIT_ACE_TYPE"
          Default
            AceType$ = "Unknown ACE type"
        EndSelect
        
        Debug "Account = " + szAccountName + ", Domain = " + szDomainName + " Generic Access Rights = " + GenericAccess$
        Debug "Account = " + szAccountName + ", Domain = " + szDomainName + " Standard Access Rights = " + StandardAccess$
        Debug "Account = " + szAccountName + ", Domain = " + szDomainName + " Specific Access Rights = " + AccessMask$ + SpecificAccess$
        Debug "Account = " + szAccountName + ", Domain = " + szDomainName + " ACE Type = " + AceType$ 
        Debug ""
        
        GenericAccess$ = ""
        StandardAccess$ = ""
        SpecificAccess$ = ""
        AccessMask$ = ""
      Else
        ; Orphaned SIDs (deleted accounts, foreign domains) cannot be resolved but still grant rights.
        Debug "ACE " + Str(acl_ACECount) + ": SID could not be resolved to an account name."
        Debug ""
      EndIf
      dwAccountNameSize = 0 : dwDomainNameSize = 0
    EndIf
    
    If IsFile
      acl_ACECount - 1
    Else            
      acl_ACECount - 2
    EndIf
  Wend
  
  FreeMemory(*pSecDesc)
  ProcedureReturn 1
EndProcedure


FileName$="C:\Program Files\Windows Mail"
EnumFileFolderPermissions(FileName$)

Debug "-"
FileName$="C:\Program Files\Windows Mail\wab.exe"
EnumFileFolderPermissions(FileName$)

When compiled, you'll see the following:


GetFileSecurity( C:\Program Files\Windows Mail )

Object Ownership:
   Account = TrustedInstaller, Domain = NT SERVICE

Account = ALL RESTRICTED APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Generic Access Rights = 
Account = ALL RESTRICTED APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Standard Access Rights = 
Account = ALL RESTRICTED APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Specific Access Rights = 
Account = ALL RESTRICTED APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = ALL APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Generic Access Rights = 
Account = ALL APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Standard Access Rights = 
Account = ALL APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Specific Access Rights = 
Account = ALL APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = CREATOR OWNER, Domain =  Generic Access Rights = 
Account = CREATOR OWNER, Domain =  Standard Access Rights = 
Account = CREATOR OWNER, Domain =  Specific Access Rights = ( Full Control (Sub Only) ) - 
Account = CREATOR OWNER, Domain =  ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = Users, Domain = BUILTIN Generic Access Rights = FILE_GENERIC_READ - FILE_GENERIC_EXECUTE
Account = Users, Domain = BUILTIN Standard Access Rights = READ_CONTROL - SYNCHRONIZE
Account = Users, Domain = BUILTIN Specific Access Rights = READ / FILE_LIST_DIRECTORY - FILE_READ_EA - FILE_READ_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE
Account = Users, Domain = BUILTIN ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = Administrators, Domain = BUILTIN Generic Access Rights = FILE_GENERIC_READ - FILE_GENERIC_WRITE - FILE_GENERIC_EXECUTE
Account = Administrators, Domain = BUILTIN Standard Access Rights = DELETE - READ_CONTROL - SYNCHRONIZE
Account = Administrators, Domain = BUILTIN Specific Access Rights = READ / FILE_LIST_DIRECTORY - WRITE / FILE_ADD_FILE - FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY / FILE_CREATE_PIPE_INSTANCE - FILE_READ_EA - FILE_WRITE_EA - FILE_READ_ATTRIBUTES - FILE_WRITE_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE
Account = Administrators, Domain = BUILTIN ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = SYSTEM, Domain = NT AUTHORITY Generic Access Rights = FILE_GENERIC_READ - FILE_GENERIC_WRITE - FILE_GENERIC_EXECUTE
Account = SYSTEM, Domain = NT AUTHORITY Standard Access Rights = DELETE - READ_CONTROL - SYNCHRONIZE
Account = SYSTEM, Domain = NT AUTHORITY Specific Access Rights = READ / FILE_LIST_DIRECTORY - WRITE / FILE_ADD_FILE - FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY / FILE_CREATE_PIPE_INSTANCE - FILE_READ_EA - FILE_WRITE_EA - FILE_READ_ATTRIBUTES - FILE_WRITE_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE
Account = SYSTEM, Domain = NT AUTHORITY ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = TrustedInstaller, Domain = NT SERVICE Generic Access Rights =  (Full Access) | FILE_GENERIC_READ - FILE_GENERIC_WRITE - FILE_GENERIC_EXECUTE
Account = TrustedInstaller, Domain = NT SERVICE Standard Access Rights = ( STANDARD_RIGHTS_ALL ) | DELETE - READ_CONTROL - SYNCHRONIZE - WRITE_OWNER
Account = TrustedInstaller, Domain = NT SERVICE Specific Access Rights = ( Full Control ) - READ / FILE_LIST_DIRECTORY - WRITE / FILE_ADD_FILE - FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY / FILE_CREATE_PIPE_INSTANCE - FILE_READ_EA - FILE_WRITE_EA - FILE_READ_ATTRIBUTES - FILE_WRITE_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE - FILE_DELETE_CHILD
Account = TrustedInstaller, Domain = NT SERVICE ACE Type = ACCESS_ALLOWED_ACE_TYPE

-
GetFileSecurity( C:\Program Files\Windows Mail\wab.exe )

Object Ownership:
   Account = TrustedInstaller, Domain = NT SERVICE

Account = ALL RESTRICTED APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Generic Access Rights = FILE_GENERIC_READ - FILE_GENERIC_EXECUTE
Account = ALL RESTRICTED APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Standard Access Rights = READ_CONTROL - SYNCHRONIZE
Account = ALL RESTRICTED APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Specific Access Rights = READ / FILE_LIST_DIRECTORY - FILE_READ_EA - FILE_READ_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE
Account = ALL RESTRICTED APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = ALL APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Generic Access Rights = FILE_GENERIC_READ - FILE_GENERIC_EXECUTE
Account = ALL APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Standard Access Rights = READ_CONTROL - SYNCHRONIZE
Account = ALL APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Specific Access Rights = READ / FILE_LIST_DIRECTORY - FILE_READ_EA - FILE_READ_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE
Account = ALL APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = Users, Domain = BUILTIN Generic Access Rights = FILE_GENERIC_READ - FILE_GENERIC_EXECUTE
Account = Users, Domain = BUILTIN Standard Access Rights = READ_CONTROL - SYNCHRONIZE
Account = Users, Domain = BUILTIN Specific Access Rights = READ / FILE_LIST_DIRECTORY - FILE_READ_EA - FILE_READ_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE
Account = Users, Domain = BUILTIN ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = SYSTEM, Domain = NT AUTHORITY Generic Access Rights = FILE_GENERIC_READ - FILE_GENERIC_EXECUTE
Account = SYSTEM, Domain = NT AUTHORITY Standard Access Rights = READ_CONTROL - SYNCHRONIZE
Account = SYSTEM, Domain = NT AUTHORITY Specific Access Rights = READ / FILE_LIST_DIRECTORY - FILE_READ_EA - FILE_READ_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE
Account = SYSTEM, Domain = NT AUTHORITY ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = Administrators, Domain = BUILTIN Generic Access Rights = FILE_GENERIC_READ - FILE_GENERIC_EXECUTE
Account = Administrators, Domain = BUILTIN Standard Access Rights = READ_CONTROL - SYNCHRONIZE
Account = Administrators, Domain = BUILTIN Specific Access Rights = READ / FILE_LIST_DIRECTORY - FILE_READ_EA - FILE_READ_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE
Account = Administrators, Domain = BUILTIN ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = TrustedInstaller, Domain = NT SERVICE Generic Access Rights =  (Full Access) | FILE_GENERIC_READ - FILE_GENERIC_WRITE - FILE_GENERIC_EXECUTE
Account = TrustedInstaller, Domain = NT SERVICE Standard Access Rights = ( STANDARD_RIGHTS_ALL ) | DELETE - READ_CONTROL - SYNCHRONIZE - WRITE_OWNER
Account = TrustedInstaller, Domain = NT SERVICE Specific Access Rights = ( Full Control ) - READ / FILE_LIST_DIRECTORY - WRITE / FILE_ADD_FILE - FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY / FILE_CREATE_PIPE_INSTANCE - FILE_READ_EA - FILE_WRITE_EA - FILE_READ_ATTRIBUTES - FILE_WRITE_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE - FILE_DELETE_CHILD
Account = TrustedInstaller, Domain = NT SERVICE ACE Type = ACCESS_ALLOWED_ACE_TYPE
“Success is almost totally dependent upon drive and persistence. The extra energy required to make another effort or try another approach is the secret of winning.” -- Dennis Waitley
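The same walk in portable form, as an added example that is not part of Thunder93's post or of PureBasic: the bytes GetFileSecurity() hands back are a self-relative SECURITY_DESCRIPTOR, and the Python below parses that layout directly (owner SID, ACL header, each ACE's header, mask and SID). It goes a little beyond the post in two ways: it decodes the AceFlags, which is where the "(Sub Only)" pairing on directories actually comes from, and it flags allow-ACEs that hand write-like rights to broad groups, the check a reviewer wants from a permission dump. The descriptor, the weak ACE in it and the WELL_KNOWN name table are constructed for the demo (the table stands in for LookupAccountSid()); constant values follow WinNT.h.

```python
"""Decode a self-relative Windows SECURITY_DESCRIPTOR (owner + DACL).
Added example, not code from the forum post: it parses the byte layout that
GetFileSecurity() returns and that GetSecurityDescriptorOwner()/Dacl() and GetAce()
walk in the PureBasic above, so it runs offline on a descriptor constructed below.
WELL_KNOWN is a constructed stand-in for LookupAccountSid(); layouts follow WinNT.h."""
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
# AceFlags. A directory usually carries two ACEs per trustee: one for the folder itself
# (flags 0) and an INHERIT_ONLY_ACE twin for its children, which is the "(Sub Only)"
# entry in the post's output and the reason its loop steps by two on directories.
ACE_FLAGS = [(0x01, "OBJECT_INHERIT_ACE"), (0x02, "CONTAINER_INHERIT_ACE"),
             (0x04, "NO_PROPAGATE_INHERIT_ACE"), (0x08, "INHERIT_ONLY_ACE"), (0x10, "INHERITED_ACE")]
# Access-mask bits: specific rights (low 16), standard (16-23), generic (28-31).
RIGHTS = [(0x1, "FILE_READ_DATA/FILE_LIST_DIRECTORY"), (0x2, "FILE_WRITE_DATA/FILE_ADD_FILE"),
          (0x4, "FILE_APPEND_DATA/FILE_ADD_SUBDIRECTORY"), (0x8, "FILE_READ_EA"), (0x10, "FILE_WRITE_EA"),
          (0x20, "FILE_EXECUTE/FILE_TRAVERSE"), (0x40, "FILE_DELETE_CHILD"), (0x80, "FILE_READ_ATTRIBUTES"),
          (0x100, "FILE_WRITE_ATTRIBUTES"), (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
          (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
          (0x10000000, "GENERIC_ALL"), (0x20000000, "GENERIC_EXECUTE"),
          (0x40000000, "GENERIC_WRITE"), (0x80000000, "GENERIC_READ")]
GENERIC_SETS = [(0x001F01FF, "FILE_ALL_ACCESS"), (0x00120089, "FILE_GENERIC_READ"),
                (0x00120116, "FILE_GENERIC_WRITE"), (0x001200A0, "FILE_GENERIC_EXECUTE")]
# Rights that let the holder change the object or its protection.
WRITE_LIKE = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
BROAD_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}   # Everyone, Authenticated Users, Users
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-3-0": "CREATOR OWNER", "S-1-5-18": "NT AUTHORITY\\SYSTEM",
              "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
              "S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users"}

def sid_to_bytes(sid):  # 'S-1-5-32-544' -> revision, sub-count, 6-byte BE authority, LE sub-authorities
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def sid_from_bytes(buf, off):  # decode the binary SID at buf[off:] -> (text form, byte length)
    revision, count = struct.unpack_from("<BB", buf, off)
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    text = "S-%d-%d" % (revision, int.from_bytes(buf[off + 2:off + 8], "big"))
    return text + "".join("-%d" % s for s in subs), 8 + 4 * count

def build_ace(ace_type, flags, mask, sid):  # ACE_HEADER (type, flags, size) + Mask + SidStart
    body = sid_to_bytes(sid)
    return struct.pack("<BBHI", ace_type, flags, 8 + len(body), mask) + body

def build_self_relative_sd(owner_sid, aces):  # 20-byte header, then the owner SID, then the ACL
    owner, acl_body = sid_to_bytes(owner_sid), b"".join(aces)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(acl_body), len(aces), 0) + acl_body  # ACL header
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         20, 0, 0, 20 + len(owner))   # offsets: owner, group, SACL, DACL
    return header + owner + acl

def parse_security_descriptor(sd):
    """Return {'owner', 'dacl_present', 'null_dacl', 'aces': [{type, flags, mask, sid}]}."""
    _, _, control, o_owner, _, _, o_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("expected a self-relative descriptor")
    out = {"owner": sid_from_bytes(sd, o_owner)[0] if o_owner else None, "aces": [],
           "dacl_present": bool(control & SE_DACL_PRESENT), "null_dacl": False}
    if not out["dacl_present"]:       # bDaclPresent = FALSE in the post's code
        return out
    if o_dacl == 0:                   # present but NULL DACL: everyone gets full access
        out["null_dacl"] = True
        return out
    off = o_dacl + 8                  # past the ACL header; GetAce(i) is this pointer walk
    for _ in range(struct.unpack_from("<BBHHH", sd, o_dacl)[3]):   # AceCount
        ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        out["aces"].append({"type": ace_type, "flags": ace_flags, "mask": mask,
                            "sid": sid_from_bytes(sd, off + 8)[0]})
        off += ace_size
    return out

def decode_mask(mask):
    return [name for bit, name in RIGHTS if mask & bit]

def generic_rights(mask):  # composite rights fully contained in the mask ('Generic Access Rights')
    return [name for bits, name in GENERIC_SETS if mask & bits == bits]

def ace_flag_names(flags):
    return [name for bit, name in ACE_FLAGS if flags & bit]

def find_weak_aces(parsed):  # allow-ACEs granting write-like rights to broad groups
    return [a for a in parsed["aces"] if a["type"] == ACCESS_ALLOWED_ACE_TYPE
            and a["sid"] in BROAD_SIDS and a["mask"] & WRITE_LIKE]

def sample_descriptor():  # constructed Program-Files-style DACL plus one deliberately weak ACE
    ALL, RX, CHILD = 0x001F01FF, 0x001200A9, 0x0B    # FILE_ALL_ACCESS, read+execute, OI|CI|IO
    aces = [build_ace(0, 0, ALL, "S-1-5-18"), build_ace(0, CHILD, 0x10000000, "S-1-5-18"),
            build_ace(0, 0, ALL, "S-1-5-32-544"), build_ace(0, CHILD, 0x10000000, "S-1-5-32-544"),
            build_ace(0, 0, RX, "S-1-5-32-545"), build_ace(0, CHILD, 0xA0000000, "S-1-5-32-545"),
            build_ace(0, CHILD, 0x10000000, "S-1-3-0"),
            build_ace(0, 0x03, 0x001301BF, "S-1-5-11")]  # Modify for Authenticated Users, inheritable
    return build_self_relative_sd("S-1-5-32-544", aces)

if __name__ == "__main__":
    parsed = parse_security_descriptor(sample_descriptor())
    print("Owner:", WELL_KNOWN.get(parsed["owner"], parsed["owner"]))
    for a in parsed["aces"]:
        print("%-34s %-48s %s" % (WELL_KNOWN.get(a["sid"], a["sid"]), "|".join(ace_flag_names(a["flags"])) or "-",
                                  ", ".join(generic_rights(a["mask"]) or decode_mask(a["mask"]))))
    for a in find_weak_aces(parsed):
        print("WEAK: %s holds write-like rights (mask 0x%08X)" % (WELL_KNOWN.get(a["sid"], a["sid"]), a["mask"]))
```

On a live system the bytes come from GetFileSecurity() (the same two-call size-then-fill pattern as the PureBasic, reachable from Python through ctypes) and go straight into parse_security_descriptor(); the only Windows-specific piece left is resolving SIDs to names. Reading the flags rather than stepping by two keeps the walk correct on ACLs that do not come in neat pairs, and iterating forward keeps deny ACEs, which Windows places before allow ACEs, in their evaluation order.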
IdeasVacuum
Always Here
Posts: 6426
Joined: Fri Oct 23, 2009 2:33 am
Location: Wales, UK

Re: Get File, Folder Permissions [Win_Func]

Post by IdeasVacuum »

That's a meaty piece of work Thunder93, thanks for sharing. 8)
If it sounds simple, you have not grasped the complexity.
RSBasic
Moderator
Posts: 1228
Joined: Thu Dec 31, 2009 11:05 pm
Location: Gernsbach (Germany)

Re: Get File, Folder Permissions [Win_Func]

Post by RSBasic »

Very 8) , thanks for sharing.
Thunder93
Addict
Posts: 1788
Joined: Tue Mar 21, 2006 12:31 am
Location: Canada

Re: Get File, Folder Permissions [Win_Func]

Post by Thunder93 »

You fellas are welcome. I'm happy you like. :)
Keya
Addict
Posts: 1890
Joined: Thu Jun 04, 2015 7:10 am

Re: Get File, Folder Permissions [Win_Func]

Post by Keya »

Thunder93, I think a lot more people are more appreciative than you realise lol - Windows has all these security permissions and access tokens and all that, but as programmers it seems we tend to push them aside and intentionally forget about them, especially as they can be a bit confusing, with different variations across systems, but thanks to examples like your recent demos a lot of the shroud of mystery has been peeled back!!! Plus I have a feeling it'll help with future problems. (But I won't go as far as saying we have no excuse now not to correctly use permissions lol.) Thank you :)
Thunder93
Addict
Posts: 1788
Joined: Tue Mar 21, 2006 12:31 am
Location: Canada

Re: Get File, Folder Permissions [Win_Func]

Post by Thunder93 »

That was a delightful read, Keya! Thank you :)

This stuff is interesting to me because it can aid with troubleshooting software issues: installing, uninstalling and running them. I'm always manually going into the registry and looking at file and folder permissions, to see if they've been corrupted and are the culprit for reported issues. :wink: