PureBasic Forums - English

http://www.purebasic.com
https://www.purebasic.fr/english/

Get File, Folder Permissions [Win_Func]

https://www.purebasic.fr/english/viewtopic.php?t=66443

Page 1 of 1

Get File, Folder Permissions [Win_Func]

Posted: Tue Aug 23, 2016 12:18 am
by Thunder93
The counterpart to my previous tips. :lol:

Code: Select all

#OWNER_SECURITY_INFORMATION            = $1
#GROUP_SECURITY_INFORMATION            = $2
#DACL_SECURITY_INFORMATION             = $4

Enumeration ;ACL_INFORMATION_CLASS
  #AclRevisionInformation = 1
  #AclSizeInformation
EndEnumeration

Procedure.b EnumFileFolderPermissions(Value$)
  Protected *pSecDesc.SECURITY_DESCRIPTOR = #Null, *pDacl.ACL, *pAce.ACCESS_ALLOWED_ACE, aclSize.ACL_SIZE_INFORMATION
  Protected.i retfunc, acl_ACECount, dwAccountNameSize, dwDomainNameSize, SID_NAME_USE
  Protected.s szAccountName, szDomainName
  Protected.b IsFile = Bool(GetExtensionPart(Value$))  
  
  Debug "GetFileSecurity( "+Value$+" )"
  Debug ""
  
  retfunc = GetFileSecurity_(@Value$, #DACL_SECURITY_INFORMATION|#OWNER_SECURITY_INFORMATION, #Null, 0, @lpnLengthNeeded.l)
  
  If Not retfunc
    If GetLastError_() = #ERROR_INSUFFICIENT_BUFFER
      *pSecDesc = AllocateMemory(lpnLengthNeeded)
      If Not *pSecDesc : Debug "*pSecDesc memory allocation failed." : ProcedureReturn 0 : EndIf      
      retfunc = GetFileSecurity_(@Value$, #DACL_SECURITY_INFORMATION|#OWNER_SECURITY_INFORMATION, *pSecDesc, lpnLengthNeeded, @lpnLengthNeeded)
      If Not lpnLengthNeeded : retfunc = 0 : EndIf
    EndIf
    If Not retfunc : Debug "GetFileSecurity API failed." : ProcedureReturn 0 : EndIf
  EndIf
  
  If retfunc    
    Protected pOwner.i, lpbOwnerDef.l
    
    bRetFunc = GetSecurityDescriptorOwner_(*pSecDesc, @pOwner, @lpbOwnerDef)
    
    If bRetFunc
      bRtnBool = LookupAccountSid_(#Null, pOwner, 0, @dwAccountNameSize, 0, @dwDomainNameSize, @SID_NAME_USE)
      
      szAccountName = Space(dwAccountNameSize)
      szDomainName = Space(dwDomainNameSize)
      If LookupAccountSid_(#Null, pOwner, @szAccountName, @dwAccountNameSize, @szDomainName, @dwDomainNameSize, @SID_NAME_USE)
        Debug "Object Ownership:"
        Debug "   Account = " + szAccountName + ", Domain = " + szDomainName
        Debug ""
      EndIf
      
      dwDomainNameSize = 0
    EndIf
    
    If *pSecDesc
      GetSecurityDescriptorDacl_(*pSecDesc, @bDaclPresent.l, @*pDacl, @bDaclDefault.l)
      
      If bDaclPresent = 0
        Debug "No DACL" : ProcedureReturn 0        
      Else
        
        GetAclInformation_(*pDacl, @aclSize, SizeOf(aclSize), #AclSizeInformation)
        
        acl_ACECount = aclSize\AceCount - 1        
        
        Repeat
          GetAce_(*pDacl, acl_ACECount, @*pAce)              
          
          bRtnBool = LookupAccountSid_(#Null, @*pAce\SidStart, 0, @dwAccountNameSize, 0, @dwDomainNameSize, @SID_NAME_USE)
          szAccountName = Space(dwAccountNameSize)
          szDomainName = Space(dwDomainNameSize)
          If LookupAccountSid_(#Null, @*pAce\SidStart, @szAccountName, @dwAccountNameSize, @szDomainName, @dwDomainNameSize, @SID_NAME_USE)
            
            If  *pAce\Mask = #FILE_ALL_ACCESS
              AccessMask$ = "( Full Control ) - "
            ElseIf *pAce\Mask = 268435456
              AccessMask$ = "( Full Control (Sub Only) ) - "
            EndIf          
            
            
            ;Standard Access Rights
            If *pAce\Mask & #STANDARD_RIGHTS_ALL = #STANDARD_RIGHTS_ALL
              StandardAccess$ + "( STANDARD_RIGHTS_ALL ) | "
            EndIf    
            If *pAce\Mask & #DELETE
              StandardAccess$ + "DELETE - "
            EndIf            
            If *pAce\Mask & #READ_CONTROL
              StandardAccess$ + "READ_CONTROL - "
            EndIf            
            If *pAce\Mask & #SYNCHRONIZE
              StandardAccess$ + "SYNCHRONIZE - "
            EndIf            
            If *pAce\Mask & #WRITE_OWNER
              StandardAccess$ + "WRITE_OWNER - "
            EndIf
            
            StandardAccess$ = RemoveString(StandardAccess$, " - ", #PB_String_NoCase, Len(StandardAccess$) - 3, 1)
            
            
            If *pAce\Mask & #FILE_ALL_ACCESS = #FILE_ALL_ACCESS
              GenericAccess$ + " (Full Access) | "
            EndIf
            If *pAce\Mask & #FILE_GENERIC_READ = #FILE_GENERIC_READ
              GenericAccess$ + "FILE_GENERIC_READ - "
            EndIf
            If *pAce\Mask & #FILE_GENERIC_WRITE = #FILE_GENERIC_WRITE
              GenericAccess$ + "FILE_GENERIC_WRITE - "
            EndIf
            If *pAce\Mask & #FILE_GENERIC_EXECUTE = #FILE_GENERIC_EXECUTE
              GenericAccess$ + "FILE_GENERIC_EXECUTE - "
            EndIf
            
            GenericAccess$ = RemoveString(GenericAccess$, " - ", #PB_String_NoCase, Len(GenericAccess$) - 3, 1)
            
            
            ;Specific Access Rights
            If *pAce\Mask & #FILE_READ_DATA
              SpecificAccess$ + "READ / FILE_LIST_DIRECTORY - "
            EndIf
            If *pAce\Mask & #FILE_WRITE_DATA
              SpecificAccess$ + "WRITE / FILE_ADD_FILE - "
            EndIf
            If *pAce\Mask & #FILE_APPEND_DATA
              SpecificAccess$ + "FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY / FILE_CREATE_PIPE_INSTANCE - "
            EndIf
            If *pAce\Mask & #FILE_READ_EA
              SpecificAccess$ + "FILE_READ_EA - "
            EndIf
            If *pAce\Mask & #FILE_WRITE_EA
              SpecificAccess$ + "FILE_WRITE_EA - "
            EndIf
            If *pAce\Mask & #FILE_READ_ATTRIBUTES
              SpecificAccess$ + "FILE_READ_ATTRIBUTES - "
            EndIf
            If *pAce\Mask & #FILE_WRITE_ATTRIBUTES
              SpecificAccess$ + "FILE_WRITE_ATTRIBUTES - "
            EndIf
            If *pAce\Mask & #FILE_EXECUTE
              SpecificAccess$ + "FILE_EXECUTE / FILE_TRAVERSE - "
            EndIf
            If *pAce\Mask & #FILE_DELETE_CHILD
              SpecificAccess$ + "FILE_DELETE_CHILD - "
            EndIf
            
            If *pAce\Mask & #SPECIFIC_RIGHTS_ALL = #SPECIFIC_RIGHTS_ALL
              SpecificAccess$ + "SPECIFIC_RIGHTS_ALL | "
            EndIf
            
            SpecificAccess$ = RemoveString(SpecificAccess$, " - ", #PB_String_NoCase, Len(SpecificAccess$) - 3, 1)
            
            Select *pAce\Header\AceType
              Case #ACCESS_ALLOWED_ACE_TYPE
                AceType$ = "ACCESS_ALLOWED_ACE_TYPE"
                ;Break
              Case #ACCESS_DENIED_ACE_TYPE
                AceType$ = "ACCESS_DENIED_ACE_TYPE"
                ;Break
              Case #SYSTEM_AUDIT_ACE_TYPE
                AceType$ = "SYSTEM_AUDIT_ACE_TYPE"
                ;Break
              Default
                AceType$ = "Unknown ACE type"
                ;Break
            EndSelect
            
            
            Debug "Account = " + szAccountName + ", Domain = " + szDomainName + " Generic Access Rights = " + GenericAccess$
            Debug "Account = " + szAccountName + ", Domain = " + szDomainName + " Standard Access Rights = " + StandardAccess$
            Debug "Account = " + szAccountName + ", Domain = " + szDomainName + " Specific Access Rights = " + AccessMask$ + SpecificAccess$
            Debug "Account = " + szAccountName + ", Domain = " + szDomainName + " ACE Type = " + AceType$ 
            Debug ""
            
            
            GenericAccess$=""
            StandardAccess$=""
            SpecificAccess$=""
            AccessMask$=""
          EndIf
          dwDomainNameSize = 0
          
          If IsFile
            acl_ACECount - 1
          Else            
            acl_ACECount - 2
          EndIf
          
        Until acl_ACECount < 0
        
      EndIf
      FreeMemory(*pSecDesc)
    EndIf
  EndIf 
  
EndProcedure


FileName$="C:\Program Files\Windows Mail"
EnumFileFolderPermissions(FileName$)

Debug "-"
FileName$="C:\Program Files\Windows Mail\wab.exe"
EnumFileFolderPermissions(FileName$)

When compiled, you'll see the following;

Code: Select all

GetFileSecurity( C:\Program Files\Windows Mail )

Object Ownership:
   Account = TrustedInstaller, Domain = NT SERVICE

Account = ALL RESTRICTED APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Generic Access Rights = 
Account = ALL RESTRICTED APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Standard Access Rights = 
Account = ALL RESTRICTED APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Specific Access Rights = 
Account = ALL RESTRICTED APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = ALL APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Generic Access Rights = 
Account = ALL APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Standard Access Rights = 
Account = ALL APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Specific Access Rights = 
Account = ALL APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = CREATOR OWNER, Domain =  Generic Access Rights = 
Account = CREATOR OWNER, Domain =  Standard Access Rights = 
Account = CREATOR OWNER, Domain =  Specific Access Rights = ( Full Control (Sub Only) ) - 
Account = CREATOR OWNER, Domain =  ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = Users, Domain = BUILTIN Generic Access Rights = FILE_GENERIC_READ - FILE_GENERIC_EXECUTE
Account = Users, Domain = BUILTIN Standard Access Rights = READ_CONTROL - SYNCHRONIZE
Account = Users, Domain = BUILTIN Specific Access Rights = READ / FILE_LIST_DIRECTORY - FILE_READ_EA - FILE_READ_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE
Account = Users, Domain = BUILTIN ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = Administrators, Domain = BUILTIN Generic Access Rights = FILE_GENERIC_READ - FILE_GENERIC_WRITE - FILE_GENERIC_EXECUTE
Account = Administrators, Domain = BUILTIN Standard Access Rights = DELETE - READ_CONTROL - SYNCHRONIZE
Account = Administrators, Domain = BUILTIN Specific Access Rights = READ / FILE_LIST_DIRECTORY - WRITE / FILE_ADD_FILE - FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY / FILE_CREATE_PIPE_INSTANCE - FILE_READ_EA - FILE_WRITE_EA - FILE_READ_ATTRIBUTES - FILE_WRITE_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE
Account = Administrators, Domain = BUILTIN ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = SYSTEM, Domain = NT AUTHORITY Generic Access Rights = FILE_GENERIC_READ - FILE_GENERIC_WRITE - FILE_GENERIC_EXECUTE
Account = SYSTEM, Domain = NT AUTHORITY Standard Access Rights = DELETE - READ_CONTROL - SYNCHRONIZE
Account = SYSTEM, Domain = NT AUTHORITY Specific Access Rights = READ / FILE_LIST_DIRECTORY - WRITE / FILE_ADD_FILE - FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY / FILE_CREATE_PIPE_INSTANCE - FILE_READ_EA - FILE_WRITE_EA - FILE_READ_ATTRIBUTES - FILE_WRITE_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE
Account = SYSTEM, Domain = NT AUTHORITY ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = TrustedInstaller, Domain = NT SERVICE Generic Access Rights =  (Full Access) | FILE_GENERIC_READ - FILE_GENERIC_WRITE - FILE_GENERIC_EXECUTE
Account = TrustedInstaller, Domain = NT SERVICE Standard Access Rights = ( STANDARD_RIGHTS_ALL ) | DELETE - READ_CONTROL - SYNCHRONIZE - WRITE_OWNER
Account = TrustedInstaller, Domain = NT SERVICE Specific Access Rights = ( Full Control ) - READ / FILE_LIST_DIRECTORY - WRITE / FILE_ADD_FILE - FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY / FILE_CREATE_PIPE_INSTANCE - FILE_READ_EA - FILE_WRITE_EA - FILE_READ_ATTRIBUTES - FILE_WRITE_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE - FILE_DELETE_CHILD
Account = TrustedInstaller, Domain = NT SERVICE ACE Type = ACCESS_ALLOWED_ACE_TYPE

-
GetFileSecurity( C:\Program Files\Windows Mail\wab.exe )

Object Ownership:
   Account = TrustedInstaller, Domain = NT SERVICE

Account = ALL RESTRICTED APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Generic Access Rights = FILE_GENERIC_READ - FILE_GENERIC_EXECUTE
Account = ALL RESTRICTED APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Standard Access Rights = READ_CONTROL - SYNCHRONIZE
Account = ALL RESTRICTED APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Specific Access Rights = READ / FILE_LIST_DIRECTORY - FILE_READ_EA - FILE_READ_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE
Account = ALL RESTRICTED APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = ALL APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Generic Access Rights = FILE_GENERIC_READ - FILE_GENERIC_EXECUTE
Account = ALL APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Standard Access Rights = READ_CONTROL - SYNCHRONIZE
Account = ALL APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY Specific Access Rights = READ / FILE_LIST_DIRECTORY - FILE_READ_EA - FILE_READ_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE
Account = ALL APPLICATION PACKAGES, Domain = APPLICATION PACKAGE AUTHORITY ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = Users, Domain = BUILTIN Generic Access Rights = FILE_GENERIC_READ - FILE_GENERIC_EXECUTE
Account = Users, Domain = BUILTIN Standard Access Rights = READ_CONTROL - SYNCHRONIZE
Account = Users, Domain = BUILTIN Specific Access Rights = READ / FILE_LIST_DIRECTORY - FILE_READ_EA - FILE_READ_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE
Account = Users, Domain = BUILTIN ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = SYSTEM, Domain = NT AUTHORITY Generic Access Rights = FILE_GENERIC_READ - FILE_GENERIC_EXECUTE
Account = SYSTEM, Domain = NT AUTHORITY Standard Access Rights = READ_CONTROL - SYNCHRONIZE
Account = SYSTEM, Domain = NT AUTHORITY Specific Access Rights = READ / FILE_LIST_DIRECTORY - FILE_READ_EA - FILE_READ_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE
Account = SYSTEM, Domain = NT AUTHORITY ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = Administrators, Domain = BUILTIN Generic Access Rights = FILE_GENERIC_READ - FILE_GENERIC_EXECUTE
Account = Administrators, Domain = BUILTIN Standard Access Rights = READ_CONTROL - SYNCHRONIZE
Account = Administrators, Domain = BUILTIN Specific Access Rights = READ / FILE_LIST_DIRECTORY - FILE_READ_EA - FILE_READ_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE
Account = Administrators, Domain = BUILTIN ACE Type = ACCESS_ALLOWED_ACE_TYPE

Account = TrustedInstaller, Domain = NT SERVICE Generic Access Rights =  (Full Access) | FILE_GENERIC_READ - FILE_GENERIC_WRITE - FILE_GENERIC_EXECUTE
Account = TrustedInstaller, Domain = NT SERVICE Standard Access Rights = ( STANDARD_RIGHTS_ALL ) | DELETE - READ_CONTROL - SYNCHRONIZE - WRITE_OWNER
Account = TrustedInstaller, Domain = NT SERVICE Specific Access Rights = ( Full Control ) - READ / FILE_LIST_DIRECTORY - WRITE / FILE_ADD_FILE - FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY / FILE_CREATE_PIPE_INSTANCE - FILE_READ_EA - FILE_WRITE_EA - FILE_READ_ATTRIBUTES - FILE_WRITE_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE - FILE_DELETE_CHILD
Account = TrustedInstaller, Domain = NT SERVICE ACE Type = ACCESS_ALLOWED_ACE_TYPE

Re: Get File, Folder Permissions [Win_Func]

Posted: Tue Aug 23, 2016 11:06 am
by IdeasVacuum
That's a meaty piece of work Thunder93, thanks for sharing. 8)

Re: Get File, Folder Permissions [Win_Func]

Posted: Tue Aug 23, 2016 12:39 pm
by RSBasic
Very 8) , thanks for sharing.

Re: Get File, Folder Permissions [Win_Func]

Posted: Tue Aug 23, 2016 7:30 pm
by Thunder93
You fellas are welcome. I'm happy you like. :)

Re: Get File, Folder Permissions [Win_Func]

Posted: Tue Aug 23, 2016 7:34 pm
by Keya
Thunder93, i think a lot more people are more appreciative than you realise lol - Windows has all these security permissions and access tokens and all that, but as programmers it seems we tend to push them aside and intentionally forget about them, especially as they can be a bit confusing and different variations across systems, but thanks to examples like your recent demos a lot of the shroud of mystery has been peeled back!!! plus i have a feeling it'll help with future problems. (but i won't go as far as saying we have no excuse now not to correctly use permissions lol) thankyou :)

Re: Get File, Folder Permissions [Win_Func]

Posted: Tue Aug 23, 2016 7:56 pm
by Thunder93
That was a delightful read, Keya! Thank you :)

This stuff is interesting to me because It can aid with troubleshooting software issues. Installing, uninstalling and running of them. I'm always manually going into the registry and looking at files and folder permissions, to see if it's been corrupted and the culprit for reported issues. :wink:
All times are UTC+01:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited