NT_AssertPrivilege privilegeName

NT_AssertPrivilege is used to enable special privileges in the thread's access token. This allows you to enable privileges necessary for particular operations (e.g. setting the owner of a file). The privilege names are:

SeCreateTokenPrivilege

SeAssignPrimaryTokenPrivilege

SeLockMemoryPrivilege

SeIncreaseQuotaPrivilege

SeUnsolicitedInputPrivilege

SeMachineAccountPrivilege

SeTcbPrivilege

SeSecurityPrivilege

SeTakeOwnershipPrivilege

SeLoadDriverPrivilege

SeSystemProfilePrivilege

SeSystemtimePrivilege

SeProfileSingleProcessPrivilege

SeIncreaseBasePriorityPrivilege

SeCreatePagefilePrivilege

SeCreatePermanentPrivilege

SeBackupPrivilege

SeRestorePrivilege

SeShutdownPrivilege

SeDebugPrivilege

SeAuditPrivilege

SeSystemEnvironmentPrivilege

SeChangeNotifyPrivilege

SeRemoteShutdownPrivilege

There is currently no way to "turn off" privileges once enabled.

NT_GetSecurityDescriptorProperties securityDescriptorHandle

NT_GetSecurityDescriptorProperties returns a list of three items:

owner's username

group name

Discretionary ACL handle

NT_ListACL aclHandle

NT_CreateACL {aclType aclFlags accessTypes userName} [{aclType aclFlags accessTypes userName} ...]

NT_ListACL returns a list of all the ACEs in the ACL.

NT_CreateACL takes any number of lists of the form {aclType aclFlags accessTypes userName} and creates an ACL containing one ACE per list.

ACE type:

ACCESS_ALLOWED

ACCESS_DENIED

Inheritance flags:

OBJECT_INHERIT

CONTAINER_INHERIT

NO_PROPAGATE_INHERIT

INHERIT_ONLY

Access types:

SPECIFIC1

SPECIFIC2

SPECIFIC4

SPECIFIC8

SPECIFIC10

SPECIFIC20

SPECIFIC40

SPECIFIC80

SPECIFIC100

SPECIFIC200

SPECIFIC400

SPECIFIC800

SPECIFIC1000

SPECIFIC2000

SPECIFIC4000

SPECIFIC8000

DELETE

READ_CONTROL

WRITE_DAC

WRITE_OWNER

SYNCHRONIZE

ACCESS_SYSTEM_SECURITY

MAXIMUM_ALLOWED

GENERIC_READ

GENERIC_WRITE

GENERIC_EXECUTE

GENERIC_ALL

SPECIFIC_RIGHTS_ALL

STANDARD_RIGHTS_ALL

STANDARD_RIGHTS_REQUIRED

STANDARD_RIGHTS_READ

STANDARD_RIGHTS_WRITE

STANDARD_RIGHTS_EXECUTE

The ACE type can be either ACCESS_ALLOWED or ACCESS_DENIED. The inheritance flags and access types are flags that can be combined, separated by the vertical bar (this is like C syntax, using the bitwise OR operator to combine flags).

NT_CreateSecurityDescriptor ownerName groupName discretionaryAclHandle

NT_CreateSecurityDescriptor returns a security descriptor handle which can be passed to NT_SetFileSecurity. It takes the ownerName and groupName (used to set the owner and group fields) and a discretionary ACL handle, as returned by NT_CreateACL or NT_GetSecurityDescriptorProperties.

NT_GetFileSecurity pathName

NT_GetFileSecurity returns a security descriptor handle.

NT_SetFileSecurity securityDescriptorHandle flags pathName

NT_SetFileSecurity replaces the properties selected by flags in the security descriptor of pathName with the corresponding properties of the security descriptor referenced by securityDescriptorHandle. This handle can come from NT_GetFileSecurity or NT_CreateSecurityDescriptor. The flags are:

OWNER_SECURITY_INFORMATION

GROUP_SECURITY_INFORMATION

DACL_SECURITY_INFORMATION

SACL_SECURITY_INFORMATION

These flags are connected with the vertical bar (like C syntax: the bitwise or operator).
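The following Tcl script is an added example, not part of the original extension documentation, showing how the commands above fit together: it reads a file's descriptor, lists the ACEs, flags broad grants to catch-all groups, and replaces only the DACL with a minimal one. It assumes the extension is loaded, that each element returned by NT_ListACL has the same {aclType aclFlags accessTypes userName} shape that NT_CreateACL accepts, that an empty aclFlags element means no inheritance flags, that the account names Administrators and SYSTEM resolve on the machine, and that the file path is a constructed sample value.

```tcl
# Added example (not the extension's own code). Assumptions: NT_ListACL
# returns ACEs shaped like NT_CreateACL's input; an empty aclFlags element
# means no inheritance flags; Administrators and SYSTEM exist locally.
set path "C:/secure/config.ini"   ;# constructed sample path

# 1. Audit: read the descriptor and show owner, group and every ACE.
set sd [NT_GetFileSecurity $path]
lassign [NT_GetSecurityDescriptorProperties $sd] owner group dacl
puts "owner=$owner group=$group"
set aces [NT_ListACL $dacl]
foreach ace $aces {
    lassign $ace type flags access user
    puts [format "  %-14s %-24s %s" $type $user $access]
}

# An ACE is "broad" when it allows a write-class right to a catch-all group.
proc broad_grant {ace} {
    lassign $ace type flags access user
    if {$type ne "ACCESS_ALLOWED" || $user ni {Everyone Users}} {
        return 0
    }
    foreach right [split $access |] {
        if {$right in {GENERIC_ALL GENERIC_WRITE WRITE_DAC WRITE_OWNER}} {
            return 1
        }
    }
    return 0
}
set broad {}
foreach ace $aces {
    if {[broad_grant $ace]} { lappend broad $ace }
}

# 2. Remediate: write a minimal DACL. Only DACL_SECURITY_INFORMATION is
#    passed, so owner and group stay as they are and no privilege has to be
#    asserted (the caller's WRITE_DAC on the file is enough). Because the
#    extension cannot disable a privilege once enabled, NT_AssertPrivilege
#    is deliberately not called here.
if {[llength $broad] > 0} {
    puts "replacing [llength $broad] broad ACE(s) on $path"
    set newDacl [NT_CreateACL \
        [list ACCESS_ALLOWED {} GENERIC_ALL Administrators] \
        [list ACCESS_ALLOWED {} GENERIC_ALL SYSTEM] \
        [list ACCESS_ALLOWED {} GENERIC_READ|GENERIC_EXECUTE $owner]]
    set newSd [NT_CreateSecurityDescriptor $owner $group $newDacl]
    NT_SetFileSecurity $newSd DACL_SECURITY_INFORMATION $path
}
```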

NT_WriteSecurityDescriptor channel securityDescriptorHandle

NT_ReadSecurityDescriptor channel

NT_LookupAccountSid ?servername? username