
Roland Wind


Re: WinAPI Problem mit Rechten setzen in der Registry

  Alt 4. Mai 2007, 09:07
Hi Leute

Danke für den Tipp. Das SetEntriesInAcl funktioniert nun. Leider habe ich nun ein weiteres Problem.
Ich habe versucht, mit RegOpenKeyEx den Schlüssel "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib" zu öffnen. Leider hat die Funktion immer ACCESS_DENIED zurückgegeben.

Grund all meiner Versuche ist die Abfrage der aktuellen CPU-Auslastung und der Anzahl der Prozessoren unter Windows Vista. Unter allen anderen Betriebssystemen funktioniert es einwandfrei, aber unter Vista wurde der Zugriff auf
HKEY_PERFORMANCE_DATA eingeschränkt. Habe nun in der KnowledgeBase folgenden Artikel gefunden:

Code:
/*
 This sample illustrates how to regulate access to the performance data
 provided by the registry key HKEY_PERFORMANCE_DATA.

 The security on the following registry key dictates which users or groups
 can gain access to the performance data:

 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib

 This sample opens the registry key for WRITE_DAC access, which allows
 for a new Dacl to be applied to the registry key.

 A Dacl is then built, which grants the following users access:

 Administrators are granted full control to allow for future updates to the
 security on the key and to allow for querying performance data.

 Interactively logged on users, through the well-known Interactive Sid,
 are granted KEY_READ access, which allows for querying performance
 data.

 The new Dacl is then applied to the registry key using the
 RegSetKeySecurity() Win32 API.

 This sample relies on the import library Advapi32.lib.
 Note that not all errors will cause an information message to be
 displayed.

 */ 

#include <windows.h>
#include <stdio.h>

/* Process exit codes returned by main(). */
#define RTN_OK 0      /* returned after RegSetKeySecurity() succeeded */
#define RTN_USAGE 1   /* not referenced anywhere in this listing */
#define RTN_ERROR 13  /* returned on every failure path */

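/*
 * Replaces the DACL on
 *   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
 * with a DACL holding exactly two allow ACEs:
 *   - KEY_READ       for the well-known Interactive SID
 *   - KEY_ALL_ACCESS for the built-in Administrators group
 *
 * Returns RTN_OK once RegSetKeySecurity() has succeeded, RTN_ERROR on any
 * failure.  Only some failure paths print a message to stderr; the others
 * jump straight to cleanup.
 *
 * NOTE(review): RegSetKeySecurity() with DACL_SECURITY_INFORMATION sets the
 * key's DACL to the one built here; ACEs that were on the key before are
 * not merged in.  Read the current DACL first (RegGetKeySecurity) and check
 * which principals still need access before running this on a machine that
 * matters.
 *
 * NOTE(review): the Interactive SID covers every interactively logged-on
 * user.  If only specific accounts need performance data, a narrower
 * principal is the least-privilege choice.  Windows also has a built-in
 * "Performance Monitor Users" group; adding the account to it may avoid
 * editing this DACL at all -- verify on the target OS version.
 */
int
__cdecl
main(
    void
    )
{
    SID_IDENTIFIER_AUTHORITY sia = SECURITY_NT_AUTHORITY;
    PSID pInteractiveSid = NULL;
    PSID pAdministratorsSid = NULL;
    SECURITY_DESCRIPTOR sd;
    PACL pDacl = NULL;
    DWORD dwAclSize;
    HKEY hKey = NULL;
    LONG lRetCode;
    int rc = RTN_ERROR; /* assume failure until the DACL has been applied */

    /*
     * Open the performance key asking for WRITE_DAC only, the one right
     * needed to replace the DACL.
     * NOTE(review): the caller must already hold WRITE_DAC on the key.
     * An ACCESS_DENIED here on Vista is presumably a non-elevated (UAC
     * filtered) token -- confirm before loosening anything else.
     */
    lRetCode = RegOpenKeyEx(
        HKEY_LOCAL_MACHINE,
        TEXT("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib"),
        0,
        WRITE_DAC,
        &hKey
        );

    if (lRetCode != ERROR_SUCCESS) {
        /* lRetCode is a (signed) LONG, so print it with %ld */
        fprintf(stderr, "RegOpenKeyEx error! (rc=%ld)\n", lRetCode);
        return RTN_ERROR;
    }

    /* SID for any interactively logged-on user (one sub-authority) */
    if (!AllocateAndInitializeSid(
            &sia,
            1,
            SECURITY_INTERACTIVE_RID,
            0, 0, 0, 0, 0, 0, 0,
            &pInteractiveSid)) {
        goto cleanup;
    }

    /* SID for the built-in Administrators alias (two sub-authorities) */
    if (!AllocateAndInitializeSid(
            &sia,
            2,
            SECURITY_BUILTIN_DOMAIN_RID,
            DOMAIN_ALIAS_RID_ADMINS,
            0, 0, 0, 0, 0, 0,
            &pAdministratorsSid)) {
        goto cleanup;
    }

    /*
     * ACL header plus two ACCESS_ALLOWED_ACEs.  sizeof(DWORD) is subtracted
     * per ACE because the structure's SidStart member is the first DWORD of
     * the SID, whose full length is added separately.
     */
    dwAclSize = sizeof(ACL) +
        2 * (sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)) +
        GetLengthSid(pInteractiveSid) +
        GetLengthSid(pAdministratorsSid);

    pDacl = HeapAlloc(GetProcessHeap(), 0, dwAclSize);
    if (pDacl == NULL) {
        goto cleanup;
    }

    if (!InitializeAcl(pDacl, dwAclSize, ACL_REVISION)) {
        goto cleanup;
    }

    /* Interactive users: KEY_READ on the perf key */
    if (!AddAccessAllowedAce(
            pDacl,
            ACL_REVISION,
            KEY_READ,
            pInteractiveSid)) {
        goto cleanup;
    }

    /* Administrators: KEY_ALL_ACCESS on the perf key */
    if (!AddAccessAllowedAce(
            pDacl,
            ACL_REVISION,
            KEY_ALL_ACCESS,
            pAdministratorsSid)) {
        goto cleanup;
    }

    if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION)) {
        goto cleanup;
    }

    if (!SetSecurityDescriptorDacl(&sd, TRUE, pDacl, FALSE)) {
        fprintf(stderr, "SetSecurityDescriptorDacl error! (rc=%lu)\n",
            GetLastError());
        goto cleanup;
    }

    /* Apply the new DACL; only the DACL part of the descriptor is written */
    lRetCode = RegSetKeySecurity(
        hKey,
        (SECURITY_INFORMATION)DACL_SECURITY_INFORMATION,
        &sd
        );

    if (lRetCode != ERROR_SUCCESS) {
        fprintf(stderr, "RegSetKeySecurity error! (rc=%ld)\n", lRetCode);
        goto cleanup;
    }

    rc = RTN_OK;

cleanup:

    /*
     * Close only the handle this program opened.  HKEY_LOCAL_MACHINE is a
     * predefined key that was never opened here, so it is not closed.
     */
    RegCloseKey(hKey);

    if (pDacl != NULL) {
        HeapFree(GetProcessHeap(), 0, pDacl);
    }

    if (pInteractiveSid != NULL) {
        FreeSid(pInteractiveSid);
    }

    if (pAdministratorsSid != NULL) {
        FreeSid(pAdministratorsSid);
    }

    return rc;
}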
Den habe ich nun versucht, in Delphi zu übersetzen, um damit den Zugriff auch für Hauptbenutzer wieder freizugeben. Leider habe ich dabei ein paar Problemchen. Oder gibt es noch eine andere Möglichkeit (möglicherweise mit einem Manifest)?

Kann mir einer beim Übersetzen helfen ??