using System; using System.Diagnostics; using System.Linq; using System.Runtime.InteropServices; using System.Security.AccessControl; using System.Text; using Vanara.Extensions; using Vanara.InteropServices; using static Vanara.PInvoke.Kernel32; namespace Vanara.PInvoke { public static partial class AdvApi32 { ///

public const uint SECURITY_DESCRIPTOR_REVISION = 1; ///

public const uint SECURITY_DESCRIPTOR_REVISION1 = 1; ///

public const int SID_MAX_SUB_AUTHORITIES = 15; ///

public const int SID_RECOMMENDED_SUB_AUTHORITIES = 1; // Will change to around 6 ///

public const uint SID_REVISION = 1; // Current revision level private const int sizeofSID = 12; ///

The maximum size of a SID.

public static readonly int SECURITY_MAX_SID_SIZE = SECURITY_SID_SIZE(SID_MAX_SUB_AUTHORITIES); ///

Returns the number of bytes required for SID given the number of sub-authorities.

/// The sub authority count. /// The number of bytes required for ths SID. public static int SECURITY_SID_SIZE(int SubAuthorityCount) => sizeofSID + ((SubAuthorityCount - 1) * sizeof(uint)); // 2 (S-) // 4 (Rev(max: 255)-) // 15 ( // If (Auth < 2^32): Auth(max:4294967295)- // Else: 0xAuth(max:FFFFFFFFFFFF)- // ) // (11 * SID_MAX_SUB_AUTHORITIES) (SubN(max:4294967295)-) // 1 (NULL character) // = 187 (assuming SID_MAX_SUB_AUTHORITIES = 15) ///

The maximum characters in a string representation of a SID.

public const int SECURITY_MAX_SID_STRING_CHARACTERS = (2 + 4 + 15 + (11 * SID_MAX_SUB_AUTHORITIES) + 1); ///

Indicates whether the ObjectTypeName and InheritedObjectTypeName members contain strings.

[PInvokeData("winnt.h")] [Flags] public enum AceObjectPresence : uint { ///

The ObjectTypeName member contains a string.

ACE_OBJECT_TYPE_PRESENT = 0x1, ///

The InheritedObjectTypeName member contains a string.

ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2 } ///

Used by the function.

[PInvokeData("winnt.h")] public enum ACL_INFORMATION_CLASS : uint { ///

Indicates ACL revision information.

[CorrespondingType(typeof(ACL_REVISION_INFORMATION))] AclRevisionInformation = 1, ///

Indicates ACL size information.

[CorrespondingType(typeof(ACL_SIZE_INFORMATION))] AclSizeInformation } ///

/// The attribute flags that are a 32-bitmask. Bits 16 through 31 may be set to any value. Bits 0 through 15 must be zero or a /// combination of one or more of the following mask values. ///

[PInvokeData("winnt.h", MSDNShortId = "FDBB9B00-01C3-474A-81FF-97C5CBA3261B")] [Flags] public enum CLAIM_SECURITY_ATTRIBUTE_FLAG : uint { ///

This attribute is ignored by the operating system. This claim security attribute is not inherited across processes.

CLAIM_SECURITY_ATTRIBUTE_NON_INHERITABLE = 0x0001, ///

/// The value of the claim security attribute is case sensitive. This flag is valid for values that contain string types. ///

CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE = 0x0002, ///

The claim security attribute is considered only for deny access control entries (ACEs).

CLAIM_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY = 0x0004, ///

The claim security attribute is disabled by default.

CLAIM_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT = 0x0008, ///

The claim security attribute is disabled and will not be applied by the AccessCheck function.

CLAIM_SECURITY_ATTRIBUTE_DISABLED = 0x0010, ///

The claim security attribute is mandatory.

CLAIM_SECURITY_ATTRIBUTE_MANDATORY = 0x0020, } ///

A union tag value that indicates the type of information contained in the Values member.

[PInvokeData("winnt.h", MSDNShortId = "FDBB9B00-01C3-474A-81FF-97C5CBA3261B")] public enum CLAIM_SECURITY_ATTRIBUTE_TYPE : ushort { ///

The Values member refers to an array of LONG64 values.

CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64 = 0x0001, ///

The Values member refers to an array of ULONG64 values.

CLAIM_SECURITY_ATTRIBUTE_TYPE_UINT64 = 0x0002, ///

The Values member refers to an array of pointers to Unicode string values.

CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING = 0x0003, ///

The Values member refers to an array of CLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE values.

CLAIM_SECURITY_ATTRIBUTE_TYPE_FQBN = 0x0004, ///

/// The Values member refers to an array of CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE values where the pValue member of each /// CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE is a PSID. ///

CLAIM_SECURITY_ATTRIBUTE_TYPE_SID = 0x0005, ///

/// The Values member refers to an array of ULONG64 values where each element indicates a Boolean value. The value 1 indicates /// TRUE and the value 0 indicates FALSE. ///

CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN = 0x0006, ///

The Values member refers to an array of CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE values.

CLAIM_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING = 0x0010, } ///

Flags that affect the behavior of .

[PInvokeData("winnt.h")] [Flags] public enum CTMF : uint { ///

/// Allows app containers to pass the call as long as the other requirements of the token are met, such as the group specified is /// present and enabled. ///

CTMF_INCLUDE_APPCONTAINER = 0x00000001, ///

Undocumented.

CTMF_INCLUDE_LPAC = 0x00000002 } ///

The status of the event log.

[PInvokeData("Winnt.h", MSDNShortId = "bb309024")] [Flags] public enum ELF_FLAGS { ///

/// Indicates that records have been written to an event log, but the event log file has not been properly closed. For more /// information about this flag, see the Remarks section. ///

ELF_LOGFILE_HEADER_DIRTY = 0x0001, ///

Indicates that records in the event log have wrapped.

ELF_LOGFILE_HEADER_WRAP = 0x0002, ///

Indicates that the most recent write attempt failed due to insufficient space.

ELF_LOGFILE_LOGFULL_WRITTEN = 0x0004, ///

/// Indicates that the archive attribute has been set for the file. Normal file APIs can also be used to determine the value of /// this flag. ///

ELF_LOGFILE_ARCHIVE_SET = 0x0008, } ///

Indicate how to read the log file.

[PInvokeData("winnt.h", MSDNShortId = "53706f83-6bc9-45d6-981c-bd0680d7bc08")] [Flags] public enum EVENTLOG_READ { ///

The eventlog sequential read

EVENTLOG_SEQUENTIAL_READ = 0x0001, ///

/// Begin reading from the record specified in the dwRecordOffset parameter. This option may not work with large log files if the /// function cannot determine the log file's size. For details, see Knowledge Base article, 177199. ///

EVENTLOG_SEEK_READ = 0x0002, ///

The log is read in chronological order (oldest to newest).

EVENTLOG_FORWARDS_READ = 0x0004, ///

The log is read in reverse chronological order (newest to oldest).

EVENTLOG_BACKWARDS_READ = 0x0008, } ///

The type of event to be logged.

[PInvokeData("winnt.h", MSDNShortId = "e39273c3-9e42-41a1-9ec1-1cdff2ab7b55")] public enum EVENTLOG_TYPE : ushort { ///

Information event

EVENTLOG_SUCCESS = 0x0000, ///

Error event

EVENTLOG_ERROR_TYPE = 0x0001, ///

Warning event

EVENTLOG_WARNING_TYPE = 0x0002, ///

Information event

EVENTLOG_INFORMATION_TYPE = 0x0004, ///

Success Audit event

EVENTLOG_AUDIT_SUCCESS = 0x0008, ///

Failure Audit event

EVENTLOG_AUDIT_FAILURE = 0x0010, } ///

Group attributes.

[Flags] [PInvokeData("winnt.h")] public enum GroupAttributes : uint { ///

/// The SID cannot have the SE_GROUP_ENABLED attribute cleared by a call to the AdjustTokenGroups function. However, you can use /// the CreateRestrictedToken function to convert a mandatory SID to a deny-only SID. ///

SE_GROUP_MANDATORY = 0x00000001, ///

The SID is enabled by default.

SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002, ///

/// The SID is enabled for access checks. When the system performs an access check, it checks for access-allowed and /// access-denied access control entries (ACEs) that apply to the SID. A SID without this attribute is ignored during an access /// check unless the SE_GROUP_USE_FOR_DENY_ONLY attribute is set. ///

SE_GROUP_ENABLED = 0x00000004, ///

/// The SID identifies a group account for which the user of the token is the owner of the group, or the SID can be assigned as /// the owner of the token or objects. ///

SE_GROUP_OWNER = 0x00000008, ///

/// The SID is a deny-only SID in a restricted token. When the system performs an access check, it checks for access-denied ACEs /// that apply to the SID; it ignores access-allowed ACEs for the SID. If this attribute is set, SE_GROUP_ENABLED is not set, and /// the SID cannot be reenabled. ///

SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010, ///

The SID is a mandatory integrity SID.

SE_GROUP_INTEGRITY = 0x00000020, ///

The SID is enabled for mandatory integrity checks.

SE_GROUP_INTEGRITY_ENABLED = 0x00000040, ///

The SID is a logon SID that identifies the logon session associated with an access token.

SE_GROUP_LOGON_ID = 0xC0000000, ///

The SID identifies a domain-local group.

SE_GROUP_RESOURCE = 0x20000000 } ///

/// The capability SID constants define for applications well-known capabilities by using the AllocateAndInitializeSid function. ///

/// /// When constructing a capability SID, you need to include the package authority, SECURITY_APP_PACKAGE_AUTHORITY {0,0,0,0,0,15}, in /// the call to the AllocateAndInitializeSid function. Additionally, you need the base RID and RID count for the built-in /// capabilities, SECURITY_CAPABILITY_BASE_RID (0x00000003L) and SECURITY_BUILTIN_CAPABILITY_RID_COUNT (2L). /// public enum KnownSIDCapability { ///

An account has access to the Internet from a client computer.

SECURITY_CAPABILITY_INTERNET_CLIENT = 0x00000001, ///

An account has access to the Internet from the client and server computers.

SECURITY_CAPABILITY_INTERNET_CLIENT_SERVER = 0x00000002, ///

An account has access to the Internet from a private network.

SECURITY_CAPABILITY_PRIVATE_NETWORK_CLIENT_SERVER = 0x00000003, ///

An account has access to the pictures library.

SECURITY_CAPABILITY_PICTURES_LIBRARY = 0x00000004, ///

An account has access to the videos library.

SECURITY_CAPABILITY_VIDEOS_LIBRARY = 0x00000005, ///

An account has access to the music library.

SECURITY_CAPABILITY_MUSIC_LIBRARY = 0x00000006, ///

An account has access to the documentation library.

SECURITY_CAPABILITY_DOCUMENTS_LIBRARY = 0x00000007, ///

An account has access to the default Windows credentials.

SECURITY_CAPABILITY_ENTERPRISE_AUTHENTICATION = 0x00000008, ///

An account has access to the shared user certificates.

SECURITY_CAPABILITY_SHARED_USER_CERTIFICATES = 0x00000009, ///

An account has access to removable storage.

SECURITY_CAPABILITY_REMOVABLE_STORAGE = 0x0000000A, } ///

/// A set of bit flags that indicate whether the ObjectType and InheritedObjectType members are present in an object ACE. ///

[Flags] public enum ObjectAceFlags : uint { ///

/// ObjectType is present and contains a GUID. If this value is not specified, the InheritedObjectType member follows immediately /// after the Flags member. ///

ACE_OBJECT_TYPE_PRESENT = 0x1, ///

/// InheritedObjectType is present and contains a GUID. If this value is not specified, all types of child objects can inherit /// the ACE. ///

ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2 } ///

Privilege attributes.

[Flags] [PInvokeData("winnt.h")] public enum PrivilegeAttributes : uint { ///

The privilege is disabled.

SE_PRIVILEGE_DISABLED = 0x00000000, ///

The privilege is enabled by default.

SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001, ///

The privilege is enabled.

SE_PRIVILEGE_ENABLED = 0x00000002, ///

Used to remove a privilege. The other privileges in the list are reordered to remain contiguous.

SE_PRIVILEGE_REMOVED = 0x00000004, ///

/// The privilege was used to gain access to an object or service. This flag is used to identify the relevant privileges in a set /// passed by a client application that may contain unnecessary privileges. ///

SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000 } ///

Flags used by PRIVILEGE_SET.

[PInvokeData("winnt.h")] public enum PrivilegeSetControl { ///

The presence of any privileges in the user's access token grants the access.

None = 0, ///

Indicates that all of the specified privileges must be held by the process requesting access.

PRIVILEGE_SET_ALL_NECESSARY = 1 } ///

Additional privilege options for .

[PInvokeData("winnt.h")] public enum RestrictedPrivilegeOptions : uint { ///

/// Disables all privileges in the new token except the SeChangeNotifyPrivilege privilege. If this value is specified, the /// DeletePrivilegeCount and PrivilegesToDelete parameters are ignored. ///

DISABLE_MAX_PRIVILEGE = 0x1, ///

/// If this value is used, the system does not check AppLocker rules or apply Software Restriction Policies. For AppLocker, this /// flag disables checks for all four rule collections: Executable, Windows Installer, Script, and DLL. /// /// When creating a setup program that must run extracted DLLs during installation, use the flag SAFER_TOKEN_MAKE_INERT in the /// SaferComputeTokenFromLevel function. /// /// A token can be queried for existence of this flag by using GetTokenInformation. /// /// Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: On systems with /// KB2532445 installed, the caller must be running as LocalSystem or TrustedInstaller or the system ignores this flag. For more /// information, see "You can circumvent AppLocker rules by using an Office macro on a computer that is running Windows 7 or /// Windows Server 2008 R2" in the Help and Support Knowledge Base at http://support.microsoft.com/kb/2532445. /// /// /// Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: AppLocker is not supported. AppLocker was introduced /// in Windows 7 and Windows Server 2008 R2. /// ///

SANDBOX_INERT = 0x2, ///

/// The new token is a LUA token. /// Windows Server 2003 and Windows XP: This value is not supported. ///

LUA_TOKEN = 0x4, ///

/// The new token contains restricting SIDs that are considered only when evaluating write access. /// /// Windows XP with SP2 and later: The value of this constant is 0x4. For an application to be compatible with Windows XP with /// SP2 and later operating systems, the application should query the operating system by calling the GetVersionEx function to /// determine which value should be used. /// /// Windows Server 2003 and Windows XP with SP1 and earlier: This value is not supported. ///

WRITE_RESTRICTED = 0x8, } ///

/// A set of bit flags that qualify the meaning of a security descriptor or its components. Each security descriptor has a Control /// member that stores the SECURITY_DESCRIPTOR_CONTROL bits. ///

[Flags] public enum SECURITY_DESCRIPTOR_CONTROL : ushort { ///

/// Indicates a required security descriptor in which the discretionary access control list (DACL) is set up to support automatic /// propagation of inheritable access control entries (ACEs) to existing child objects. /// /// For access control lists (ACLs) that support auto inheritance, this bit is always set. Protected servers can call the /// ConvertToAutoInheritPrivateObjectSecurity function to convert a security descriptor and set this flag. /// ///

SE_DACL_AUTO_INHERIT_REQ = 0x0100, ///

/// Indicates a security descriptor in which the discretionary access control list (DACL) is set up to support automatic /// propagation of inheritable access control entries (ACEs) to existing child objects. /// /// For access control lists (ACLs) that support auto inheritance, this bit is always set. Protected servers can call the /// ConvertToAutoInheritPrivateObjectSecurity function to convert a security descriptor and set this flag. /// ///

SE_DACL_AUTO_INHERITED = 0x0400, ///

/// Indicates a security descriptor with a default DACL. For example, if the creator an object does not specify a DACL, the /// object receives the default DACL from the access token of the creator. This flag can affect how the system treats the DACL /// with respect to ACE inheritance. The system ignores this flag if the SE_DACL_PRESENT flag is not set. /// /// This flag is used to determine how the final DACL on the object is to be computed and is not stored physically in the /// security descriptor control of the securable object. /// /// To set this flag, use the SetSecurityDescriptorDacl function. ///

SE_DACL_DEFAULTED = 0x0008, ///

/// Indicates a security descriptor that has a DACL. If this flag is not set, or if this flag is set and the DACL is NULL, the /// security descriptor allows full access to everyone. /// /// This flag is used to hold the security information specified by a caller until the security descriptor is associated with a /// securable object. After the security descriptor is associated with a securable object, the SE_DACL_PRESENT flag is always set /// in the security descriptor control. /// /// To set this flag, use the SetSecurityDescriptorDacl function. ///

SE_DACL_PRESENT = 0x0004, ///

/// Prevents the DACL of the security descriptor from being modified by inheritable ACEs. To set this flag, use the /// SetSecurityDescriptorControl function. ///

SE_DACL_PROTECTED = 0x1000, ///

/// Indicates that the security identifier (SID) of the security descriptor group was provided by a default mechanism. This flag /// can be used by a resource manager to identify objects whose security descriptor group was set by a default mechanism. To set /// this flag, use the SetSecurityDescriptorGroup function. ///

SE_GROUP_DEFAULTED = 0x0002, ///

/// Indicates that the SID of the owner of the security descriptor was provided by a default mechanism. This flag can be used by /// a resource manager to identify objects whose owner was set by a default mechanism. To set this flag, use the /// SetSecurityDescriptorOwner function. ///

SE_OWNER_DEFAULTED = 0x0001, ///

Indicates that the resource manager control is valid.

SE_RM_CONTROL_VALID = 0x4000, ///

/// Indicates a required security descriptor in which the system access control list (SACL) is set up to support automatic /// propagation of inheritable ACEs to existing child objects. /// /// The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. /// To convert a security descriptor and set this flag, protected servers can call the ConvertToAutoInheritPrivateObjectSecurity function. /// ///

SE_SACL_AUTO_INHERIT_REQ = 0x0200, ///

/// Indicates a security descriptor in which the system access control list (SACL) is set up to support automatic propagation of /// inheritable ACEs to existing child objects. /// /// The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. /// To convert a security descriptor and set this flag, protected servers can call the ConvertToAutoInheritPrivateObjectSecurity function. /// ///

SE_SACL_AUTO_INHERITED = 0x0800, ///

/// A default mechanism, rather than the original provider of the security descriptor, provided the SACL. This flag can affect /// how the system treats the SACL, with respect to ACE inheritance. The system ignores this flag if the SE_SACL_PRESENT flag is /// not set. To set this flag, use the SetSecurityDescriptorSacl function. ///

SE_SACL_DEFAULTED = 0x0008, ///

Indicates a security descriptor that has a SACL. To set this flag, use the SetSecurityDescriptorSacl function.

SE_SACL_PRESENT = 0x0010, ///

/// Prevents the SACL of the security descriptor from being modified by inheritable ACEs. To set this flag, use the /// SetSecurityDescriptorControl function. ///

SE_SACL_PROTECTED = 0x2000, ///

/// Indicates a self-relative security descriptor. If this flag is not set, the security descriptor is in absolute format. For /// more information, see Absolute and Self-Relative Security Descriptors. ///

SE_SELF_RELATIVE = 0x8000 } ///

/// The SECURITY_IMPERSONATION_LEVEL enumeration contains values that specify security impersonation levels. Security impersonation /// levels govern the degree to which a server process can act on behalf of a client process. ///

[PInvokeData("winnt.h")] public enum SECURITY_IMPERSONATION_LEVEL { ///

/// The server process cannot obtain identification information about the client, and it cannot impersonate the client. It is /// defined with no value given, and thus, by ANSI C rules, defaults to a value of zero. ///

SecurityAnonymous, ///

/// The server process can obtain information about the client, such as security identifiers and privileges, but it cannot /// impersonate the client. This is useful for servers that export their own objects, for example, database products that export /// tables and views. Using the retrieved client-security information, the server can make access-validation decisions without /// being able to use other services that are using the client's security context. ///

SecurityIdentification, ///

/// The server process can impersonate the client's security context on its local system. The server cannot impersonate the /// client on remote systems. ///

SecurityImpersonation, ///

The server process can impersonate the client's security context on remote systems.

SecurityDelegation } ///

A set of bit flags that control how access control entries (ACEs) are inherited from ParentDescriptor.

[PInvokeData("winnt.h")] [Flags] public enum SEF : uint { ///

/// The new discretionary access control list (DACL) contains ACEs inherited from the DACL of ParentDescriptor, as well as any /// explicit ACEs specified in the DACL of CreatorDescriptor. If this flag is not set, the new DACL does not inherit ACEs. ///

SEF_DACL_AUTO_INHERIT = 0x01, ///

/// The new system access control list (SACL) contains ACEs inherited from the SACL of ParentDescriptor, as well as any explicit /// ACEs specified in the SACL of CreatorDescriptor. If this flag is not set, the new SACL does not inherit ACEs. ///

SEF_SACL_AUTO_INHERIT = 0x02, ///

/// CreatorDescriptor is the default descriptor for the types of objects specified by ObjectTypes. As such, CreatorDescriptor is /// ignored if ParentDescriptor has any object-specific ACEs for the types of objects specified by the ObjectTypes parameter. If /// no such ACEs are inherited, CreatorDescriptor is handled as though this flag were not specified. ///

SEF_DEFAULT_DESCRIPTOR_FOR_OBJECT = 0x04, ///

/// The function does not perform privilege checking. If the SEF_AVOID_OWNER_CHECK flag is also set, the Token parameter can be /// NULL. This flag is useful while implementing automatic inheritance to avoid checking privileges on each child updated. ///

SEF_AVOID_PRIVILEGE_CHECK = 0x08, ///

/// The function does not check the validity of the owner in the resultant NewDescriptor as described in the Remarks section. If /// the SEF_AVOID_PRIVILEGE_CHECK flag is also set, the Token parameter can be NULL. ///

SEF_AVOID_OWNER_CHECK = 0x10, ///

/// The owner of NewDescriptor defaults to the owner from ParentDescriptor. If not set, the owner of NewDescriptor defaults to /// the owner of the token specified by the Token parameter. The owner of the token is specified in the token itself. In either /// case, if the CreatorDescriptor parameter is not NULL, the NewDescriptor owner is set to the owner from CreatorDescriptor. ///

SEF_DEFAULT_OWNER_FROM_PARENT = 0x20, ///

/// The group of NewDescriptor defaults to the group from ParentDescriptor. If not set, the group of NewDescriptor defaults to /// the group of the token specified by the Token parameter. The group of the token is specified in the token itself. In either /// case, if the CreatorDescriptor parameter is not NULL, the NewDescriptor group is set to the group from CreatorDescriptor. ///

SEF_DEFAULT_GROUP_FROM_PARENT = 0x40, ///

A principal with a mandatory level lower than that of the object cannot write to the object.

SEF_MACL_NO_WRITE_UP = 0x100, ///

A principal with a mandatory level lower than that of the object cannot read the object.

SEF_MACL_NO_READ_UP = 0x200, ///

A principal with a mandatory level lower than that of the object cannot execute the object.

SEF_MACL_NO_EXECUTE_UP = 0x400, ///

Undocumented

SEF_AI_USE_EXTRA_PARAMS = 0x800, ///

/// Any restrictions specified by the ParentDescriptor parameter that would limit the caller's ability to specify a DACL in the /// CreatorDescriptor are ignored. ///

SEF_AVOID_OWNER_RESTRICTION = 0x1000, ///

Undocumented

SEF_FORCE_USER_MODE = 0x2000 } ///

The SID_NAME_USE enumeration contains values that specify the type of a security identifier (SID).

public enum SID_NAME_USE { ///

A user SID.

SidTypeUser = 1, ///

A group SID

SidTypeGroup, ///

A domain SID.

SidTypeDomain, ///

An alias SID.

SidTypeAlias, ///

A SID for a well-known group.

SidTypeWellKnownGroup, ///

A SID for a deleted account.

SidTypeDeletedAccount, ///

A SID that is not valid.

SidTypeInvalid, ///

A SID of unknown type/.

SidTypeUnknown, ///

A SID for a computer.

SidTypeComputer, ///

A mandatory integrity label SID.

SidTypeLabel, ///

SidTypeLogonSession } ///

/// The access policy for principals with a mandatory integrity level lower than the object associated with the SACL that contains /// this ACE. ///

[PInvokeData("winnt.h")] [Flags] public enum SYSTEM_MANDATORY_LABEL : uint { ///

A principal with a lower mandatory level than the object cannot write to the object.

SYSTEM_MANDATORY_LABEL_NO_WRITE_UP = 0x1, ///

A principal with a lower mandatory level than the object cannot read the object.

SYSTEM_MANDATORY_LABEL_NO_READ_UP = 0x2, ///

A principal with a lower mandatory level than the object cannot execute the object.

SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP = 0x4, } ///

/// The TOKEN_ELEVATION_TYPE enumeration indicates the elevation type of token being queried by the GetTokenInformation function. ///

[PInvokeData("winnt.h")] public enum TOKEN_ELEVATION_TYPE { ///

The token does not have a linked token.

TokenElevationTypeDefault = 1, ///

The token is an elevated token.

TokenElevationTypeFull, ///

The token is a limited token.

TokenElevationTypeLimited } ///

/// The TOKEN_INFORMATION_CLASS enumeration contains values that specify the type of information being assigned to or retrieved from /// an access token. /// The GetTokenInformation function uses these values to indicate the type of token information to retrieve. /// The SetTokenInformation function uses these values to set the token information. ///

[PInvokeData("winnt.h")] public enum TOKEN_INFORMATION_CLASS { ///

The buffer receives a TOKEN_USER structure that contains the user account of the token.

[CorrespondingType(typeof(TOKEN_USER), CorrespondingAction.Get)] TokenUser = 1, ///

The buffer receives a TOKEN_GROUPS structure that contains the group accounts associated with the token.

[CorrespondingType(typeof(TOKEN_GROUPS), CorrespondingAction.Get)] TokenGroups, ///

The buffer receives a TOKEN_PRIVILEGES structure that contains the privileges of the token.

[CorrespondingType(typeof(TOKEN_PRIVILEGES), CorrespondingAction.Get)] TokenPrivileges, ///

/// The buffer receives a TOKEN_OWNER structure that contains the default owner security identifier (SID) for newly created objects. ///

[CorrespondingType(typeof(TOKEN_OWNER), CorrespondingAction.GetSet)] TokenOwner, ///

/// The buffer receives a TOKEN_PRIMARY_GROUP structure that contains the default primary group SID for newly created objects. ///

[CorrespondingType(typeof(TOKEN_PRIMARY_GROUP), CorrespondingAction.GetSet)] TokenPrimaryGroup, ///

The buffer receives a TOKEN_DEFAULT_DACL structure that contains the default DACL for newly created objects.

[CorrespondingType(typeof(TOKEN_DEFAULT_DACL), CorrespondingAction.GetSet)] TokenDefaultDacl, ///

/// The buffer receives a TOKEN_SOURCE structure that contains the source of the token. TOKEN_QUERY_SOURCE access is needed to /// retrieve this information. ///

[CorrespondingType(typeof(TOKEN_SOURCE), CorrespondingAction.Get)] TokenSource, ///

The buffer receives a TOKEN_TYPE value that indicates whether the token is a primary or impersonation token.

[CorrespondingType(typeof(TOKEN_TYPE), CorrespondingAction.Get)] TokenType, ///

/// The buffer receives a SECURITY_IMPERSONATION_LEVEL value that indicates the impersonation level of the token. If the access /// token is not an impersonation token, the function fails. ///

[CorrespondingType(typeof(SECURITY_IMPERSONATION_LEVEL), CorrespondingAction.Get)] TokenImpersonationLevel, ///

The buffer receives a TOKEN_STATISTICS structure that contains various token statistics.

[CorrespondingType(typeof(TOKEN_STATISTICS), CorrespondingAction.Get)] TokenStatistics, ///

The buffer receives a TOKEN_GROUPS structure that contains the list of restricting SIDs in a restricted token.

[CorrespondingType(typeof(TOKEN_GROUPS), CorrespondingAction.Get)] TokenRestrictedSids, ///

/// The buffer receives a DWORD value that indicates the Terminal Services session identifier that is associated with the token. /// If the token is associated with the terminal server client session, the session identifier is nonzero. /// /// Windows Server 2003 and Windows XP: If the token is associated with the terminal server console session, the session /// identifier is zero. /// /// In a non-Terminal Services environment, the session identifier is zero. /// /// If TokenSessionId is set with SetTokenInformation, the application must have the Act As Part Of the Operating System /// privilege, and the application must be enabled to set the session ID in a token. /// ///

[CorrespondingType(typeof(uint), CorrespondingAction.GetSet)] TokenSessionId, ///

/// The buffer receives a TOKEN_GROUPS_AND_PRIVILEGES structure that contains the user SID, the group accounts, the restricted /// SIDs, and the authentication ID associated with the token. ///

[CorrespondingType(typeof(TOKEN_GROUPS_AND_PRIVILEGES), CorrespondingAction.Get)] TokenGroupsAndPrivileges, ///

Reserved.

[CorrespondingType(CorrespondingAction.Exception)] TokenSessionReference, ///

The buffer receives a DWORD value that is nonzero if the token includes the SANDBOX_INERT flag.

[CorrespondingType(typeof(uint), CorrespondingAction.Get)] TokenSandBoxInert, ///

Reserved.

[CorrespondingType(CorrespondingAction.Exception)] TokenAuditPolicy, ///

/// The buffer receives a TOKEN_ORIGIN value. /// /// If the token resulted from a logon that used explicit credentials, such as passing a name, domain, and password to the /// LogonUser function, then the TOKEN_ORIGIN structure will contain the ID of the logon session that created it. /// /// /// If the token resulted from network authentication, such as a call to AcceptSecurityContext or a call to LogonUser with /// dwLogonType set to LOGON32_LOGON_NETWORK or LOGON32_LOGON_NETWORK_CLEARTEXT, then this value will be zero. /// ///

[CorrespondingType(typeof(TOKEN_ORIGIN), CorrespondingAction.GetSet)] TokenOrigin, ///

The buffer receives a TOKEN_ELEVATION_TYPE value that specifies the elevation level of the token.

[CorrespondingType(typeof(TOKEN_ELEVATION_TYPE), CorrespondingAction.Get)] TokenElevationType, ///

/// The buffer receives a TOKEN_LINKED_TOKEN structure that contains a handle to another token that is linked to this token. ///

[CorrespondingType(typeof(TOKEN_LINKED_TOKEN), CorrespondingAction.GetSet)] TokenLinkedToken, ///

The buffer receives a TOKEN_ELEVATION structure that specifies whether the token is elevated.

[CorrespondingType(typeof(TOKEN_ELEVATION), CorrespondingAction.Get)] TokenElevation, ///

The buffer receives a DWORD value that is nonzero if the token has ever been filtered.

[CorrespondingType(typeof(uint), CorrespondingAction.Get)] TokenHasRestrictions, ///

/// The buffer receives a TOKEN_ACCESS_INFORMATION structure that specifies security information contained in the token. ///

[CorrespondingType(typeof(TOKEN_ACCESS_INFORMATION), CorrespondingAction.Get)] TokenAccessInformation, ///

The buffer receives a DWORD value that is nonzero if virtualization is allowed for the token.

[CorrespondingType(typeof(uint), CorrespondingAction.GetSet)] TokenVirtualizationAllowed, ///

The buffer receives a DWORD value that is nonzero if virtualization is enabled for the token.

[CorrespondingType(typeof(uint), CorrespondingAction.GetSet)] TokenVirtualizationEnabled, ///

The buffer receives a TOKEN_MANDATORY_LABEL structure that specifies the token's integrity level.

[CorrespondingType(typeof(TOKEN_MANDATORY_LABEL), CorrespondingAction.GetSet)] TokenIntegrityLevel, ///

The buffer receives a DWORD value that is nonzero if the token has the UIAccess flag set.

[CorrespondingType(typeof(uint), CorrespondingAction.GetSet)] TokenUIAccess, ///

The buffer receives a TOKEN_MANDATORY_POLICY structure that specifies the token's mandatory integrity policy.

[CorrespondingType(typeof(TOKEN_MANDATORY_POLICY), CorrespondingAction.GetSet)] TokenMandatoryPolicy, ///

The buffer receives a TOKEN_GROUPS structure that specifies the token's logon SID.

[CorrespondingType(typeof(TOKEN_GROUPS), CorrespondingAction.Get)] TokenLogonSid, ///

/// The buffer receives a DWORD value that is nonzero if the token is an application container token. Any callers who check the /// TokenIsAppContainer and have it return 0 should also verify that the caller token is not an identify level impersonation /// token. If the current token is not an application container but is an identity level token, you should return AccessDenied. ///

[CorrespondingType(typeof(uint), CorrespondingAction.Get)] TokenIsAppContainer, ///

The buffer receives a TOKEN_GROUPS structure that contains the capabilities associated with the token.

[CorrespondingType(typeof(TOKEN_GROUPS), CorrespondingAction.Get)] TokenCapabilities, ///

/// The buffer receives a TOKEN_APPCONTAINER_INFORMATION structure that contains the AppContainerSid associated with the token. /// If the token is not associated with an application container, the TokenAppContainer member of the /// TOKEN_APPCONTAINER_INFORMATION structure points to NULL. ///

[CorrespondingType(typeof(TOKEN_APPCONTAINER_INFORMATION), CorrespondingAction.Get)] TokenAppContainerSid, ///

/// The buffer receives a DWORD value that includes the application container number for the token. For tokens that are not /// application container tokens, this value is zero. ///

[CorrespondingType(typeof(uint), CorrespondingAction.Get)] TokenAppContainerNumber, ///

/// The buffer receives a CLAIM_SECURITY_ATTRIBUTES_INFORMATION structure that contains the user claims associated with the token. ///

[CorrespondingType(typeof(CLAIM_SECURITY_ATTRIBUTES_INFORMATION), CorrespondingAction.Get)] TokenUserClaimAttributes, ///

/// The buffer receives a CLAIM_SECURITY_ATTRIBUTES_INFORMATION structure that contains the device claims associated with the token. ///

[CorrespondingType(typeof(CLAIM_SECURITY_ATTRIBUTES_INFORMATION), CorrespondingAction.Get)] TokenDeviceClaimAttributes, ///

This value is reserved.

[CorrespondingType(CorrespondingAction.Exception)] TokenRestrictedUserClaimAttributes, ///

This value is reserved.

[CorrespondingType(CorrespondingAction.Exception)] TokenRestrictedDeviceClaimAttributes, ///

The buffer receives a TOKEN_GROUPS structure that contains the device groups that are associated with the token.

[CorrespondingType(typeof(TOKEN_GROUPS), CorrespondingAction.Get)] TokenDeviceGroups, ///

/// The buffer receives a TOKEN_GROUPS structure that contains the restricted device groups that are associated with the token. ///

[CorrespondingType(typeof(TOKEN_GROUPS), CorrespondingAction.Get)] TokenRestrictedDeviceGroups, ///

This value is reserved.

[CorrespondingType(CorrespondingAction.Exception)] TokenSecurityAttributes, ///

This value is reserved.

[CorrespondingType(CorrespondingAction.Exception)] TokenIsRestricted } ///

The TOKEN_TYPE enumeration contains values that differentiate between a primary token and an impersonation token.

[Serializable] [PInvokeData("winnt.h")] public enum TOKEN_TYPE { ///

Indicates a primary token.

TokenPrimary = 1, ///

Indicates an impersonation token.

TokenImpersonation = 2 } ///

Token access flags.

[Flags] [PInvokeData("winnt.h")] public enum TokenAccess : uint { ///

/// Required to attach a primary token to a process. The SE_ASSIGNPRIMARYTOKEN_NAME privilege is also required to accomplish this task. ///

TOKEN_ASSIGN_PRIMARY = 0x0001, ///

Required to duplicate an access token.

TOKEN_DUPLICATE = 0x0002, ///

Required to attach an impersonation access token to a process.

TOKEN_IMPERSONATE = 0x0004, ///

Required to query an access token.

TOKEN_QUERY = 0x0008, ///

Required to query the source of an access token.

TOKEN_QUERY_SOURCE = 0x0010, ///

Required to enable or disable the privileges in an access token.

TOKEN_ADJUST_PRIVILEGES = 0x0020, ///

Required to adjust the attributes of the groups in an access token.

TOKEN_ADJUST_GROUPS = 0x0040, ///

Required to change the default owner, primary group, or DACL of an access token.

TOKEN_ADJUST_DEFAULT = 0x0080, ///

Required to adjust the session ID of an access token. The SE_TCB_NAME privilege is required.

TOKEN_ADJUST_SESSIONID = 0x0100, ///

The token all access p

TOKEN_ALL_ACCESS_P = 0x000F00FF, ///

Combines all possible access rights for a token.

TOKEN_ALL_ACCESS = 0x000F01FF, ///

Combines STANDARD_RIGHTS_READ and TOKEN_QUERY.

TOKEN_READ = 0x00020008, ///

Combines STANDARD_RIGHTS_WRITE, TOKEN_ADJUST_PRIVILEGES, TOKEN_ADJUST_GROUPS, and TOKEN_ADJUST_DEFAULT.

TOKEN_WRITE = 0x000200E0, ///

Combines STANDARD_RIGHTS_EXECUTE and TOKEN_IMPERSONATE.

TOKEN_EXECUTE = 0x00020000 } ///

The mandatory integrity access policy for the associated token.

[PInvokeData("winnt.h", MSDNShortId = "f5fc438b-c4f0-46f6-a188-52ce660d13da")] public enum TokenMandatoryPolicy { ///

No mandatory integrity policy is enforced for the token.

TOKEN_MANDATORY_POLICY_OFF = 0x0, ///

A process associated with the token cannot write to objects that have a greater mandatory integrity level.

TOKEN_MANDATORY_POLICY_NO_WRITE_UP = 0x1, ///

/// A process created with the token has an integrity level that is the lesser of the parent-process integrity level and the /// executable-file integrity level. ///

TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN = 0x2, ///

A combination of TOKEN_MANDATORY_POLICY_NO_WRITE_UP and TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN.

TOKEN_MANDATORY_POLICY_VALID_MASK = 0x3, } ///

/// /// The WELL_KNOWN_SID_TYPE enumeration is a list of commonly used security identifiers (SIDs). Programs can pass these values /// to the CreateWellKnownSid function to create a SID from this list. /// ///

// https://docs.microsoft.com/en-us/windows/desktop/api/winnt/ne-winnt-well_known_sid_type [PInvokeData("winnt.h", MSDNShortId = "6f1fa59e-17c0-412b-937b-ddf746ed68bd")] public enum WELL_KNOWN_SID_TYPE { ///

Indicates a null SID.

WinNullSid, ///

Indicates a SID that matches everyone.

WinWorldSid, ///

Indicates a local SID.

WinLocalSid, ///

Indicates a SID that matches the owner or creator of an object.

WinCreatorOwnerSid, ///

Indicates a SID that matches the creator group of an object.

WinCreatorGroupSid, ///

Indicates a creator owner server SID.

WinCreatorOwnerServerSid, ///

Indicates a creator group server SID.

WinCreatorGroupServerSid, ///

Indicates a SID for the Windows NT authority account.

WinNtAuthoritySid, ///

Indicates a SID for a dial-up account.

WinDialupSid, ///

/// Indicates a SID for a network account. This SID is added to the process of a token when it logs on across a network. The /// corresponding logon type is LOGON32_LOGON_NETWORK. ///

WinNetworkSid, ///

/// Indicates a SID for a batch process. This SID is added to the process of a token when it logs on as a batch job. The /// corresponding logon type is LOGON32_LOGON_BATCH. ///

WinBatchSid, ///

/// Indicates a SID for an interactive account. This SID is added to the process of a token when it logs on interactively. The /// corresponding logon type is LOGON32_LOGON_INTERACTIVE. ///

WinInteractiveSid, ///

/// Indicates a SID for a service. This SID is added to the process of a token when it logs on as a service. The corresponding /// logon type is LOGON32_LOGON_SERVICE. ///

WinServiceSid, ///

Indicates a SID for the anonymous account.

WinAnonymousSid, ///

Indicates a proxy SID.

WinProxySid, ///

Indicates a SID for an enterprise controller.

WinEnterpriseControllersSid, ///

Indicates a SID for self.

WinSelfSid, ///

Indicates a SID that matches any authenticated user.

WinAuthenticatedUserSid, ///

Indicates a SID for restricted code.

WinRestrictedCodeSid, ///

Indicates a SID that matches a terminal server account.

WinTerminalServerSid, ///

Indicates a SID that matches remote logons.

WinRemoteLogonIdSid, ///

Indicates a SID that matches logon IDs.

WinLogonIdsSid, ///

Indicates a SID that matches the local system.

WinLocalSystemSid, ///

Indicates a SID that matches a local service.

WinLocalServiceSid, ///

Indicates a SID that matches a network service.

WinNetworkServiceSid, ///

Indicates a SID that matches the domain account.

WinBuiltinDomainSid, ///

Indicates a SID that matches the administrator group.

WinBuiltinAdministratorsSid, ///

Indicates a SID that matches built-in user accounts.

WinBuiltinUsersSid, ///

Indicates a SID that matches the guest account.

WinBuiltinGuestsSid, ///

Indicates a SID that matches the power users group.

WinBuiltinPowerUsersSid, ///

Indicates a SID that matches the account operators account.

WinBuiltinAccountOperatorsSid, ///

Indicates a SID that matches the system operators group.

WinBuiltinSystemOperatorsSid, ///

Indicates a SID that matches the print operators group.

WinBuiltinPrintOperatorsSid, ///

Indicates a SID that matches the backup operators group.

WinBuiltinBackupOperatorsSid, ///

Indicates a SID that matches the replicator account.

WinBuiltinReplicatorSid, ///

Indicates a SID that matches pre-Windows 2000 compatible accounts.

WinBuiltinPreWindows2000CompatibleAccessSid, ///

Indicates a SID that matches remote desktop users.

WinBuiltinRemoteDesktopUsersSid, ///

Indicates a SID that matches the network operators group.

WinBuiltinNetworkConfigurationOperatorsSid, ///

Indicates a SID that matches the account administrator's account.

WinAccountAdministratorSid, ///

Indicates a SID that matches the account guest group.

WinAccountGuestSid, ///

Indicates a SID that matches account Kerberos target group.

WinAccountKrbtgtSid, ///

Indicates a SID that matches the account domain administrator group.

WinAccountDomainAdminsSid, ///

Indicates a SID that matches the account domain users group.

WinAccountDomainUsersSid, ///

Indicates a SID that matches the account domain guests group.

WinAccountDomainGuestsSid, ///

Indicates a SID that matches the account computer group.

WinAccountComputersSid, ///

Indicates a SID that matches the account controller group.

WinAccountControllersSid, ///

Indicates a SID that matches the certificate administrators group.

WinAccountCertAdminsSid, ///

Indicates a SID that matches the schema administrators group.

WinAccountSchemaAdminsSid, ///

Indicates a SID that matches the enterprise administrators group.

WinAccountEnterpriseAdminsSid, ///

Indicates a SID that matches the policy administrators group.

WinAccountPolicyAdminsSid, ///

Indicates a SID that matches the RAS and IAS server account.

WinAccountRasAndIasServersSid, ///

Indicates a SID present when the Microsoft NTLM authentication package authenticated the client.

WinNTLMAuthenticationSid, ///

Indicates a SID present when the Microsoft Digest authentication package authenticated the client.

WinDigestAuthenticationSid, ///

Indicates a SID present when the Secure Channel (SSL/TLS) authentication package authenticated the client.

WinSChannelAuthenticationSid, ///

/// Indicates a SID present when the user authenticated from within the forest or across a trust that does not have the selective /// authentication option enabled. If this SID is present, then WinOtherOrganizationSid cannot be present. ///

WinThisOrganizationSid, ///

/// Indicates a SID present when the user authenticated across a forest with the selective authentication option enabled. If this /// SID is present, then WinThisOrganizationSid cannot be present. ///

WinOtherOrganizationSid, ///

/// Indicates a SID that allows a user to create incoming forest trusts. It is added to the token of users who are a member of /// the Incoming Forest Trust Builders built-in group in the root domain of the forest. ///

WinBuiltinIncomingForestTrustBuildersSid, ///

Indicates a SID that matches the performance monitor user group.

WinBuiltinPerfMonitoringUsersSid, ///

Indicates a SID that matches the performance log user group.

WinBuiltinPerfLoggingUsersSid, ///

Indicates a SID that matches the Windows Authorization Access group.

WinBuiltinAuthorizationAccessSid, ///

Indicates a SID is present in a server that can issue terminal server licenses.

WinBuiltinTerminalServerLicenseServersSid, ///

Indicates a SID that matches the distributed COM user group.

WinBuiltinDCOMUsersSid, ///

Indicates a SID that matches the Internet built-in user group.

WinBuiltinIUsersSid, ///

Indicates a SID that matches the Internet user group.

WinIUserSid, ///

/// Indicates a SID that allows a user to use cryptographic operations. It is added to the token of users who are a member of the /// CryptoOperators built-in group. ///

WinBuiltinCryptoOperatorsSid, ///

Indicates a SID that matches an untrusted label.

WinUntrustedLabelSid, ///

Indicates a SID that matches an low level of trust label.

WinLowLabelSid, ///

Indicates a SID that matches an medium level of trust label.

WinMediumLabelSid, ///

Indicates a SID that matches a high level of trust label.

WinHighLabelSid, ///

Indicates a SID that matches a system label.

WinSystemLabelSid, ///

Indicates a SID that matches a write restricted code group.

WinWriteRestrictedCodeSid, ///

Indicates a SID that matches a creator and owner rights group.

WinCreatorOwnerRightsSid, ///

Indicates a SID that matches a cacheable principals group.

WinCacheablePrincipalsGroupSid, ///

Indicates a SID that matches a non-cacheable principals group.

WinNonCacheablePrincipalsGroupSid, ///

Indicates a SID that matches an enterprise wide read-only controllers group.

WinEnterpriseReadonlyControllersSid, ///

Indicates a SID that matches an account read-only controllers group.

WinAccountReadonlyControllersSid, ///

Indicates a SID that matches an event log readers group.

WinBuiltinEventLogReadersGroup, ///

Indicates a SID that matches a read-only enterprise domain controller.

WinNewEnterpriseReadonlyControllersSid, ///

Indicates a SID that matches the built-in DCOM certification services access group.

WinBuiltinCertSvcDComAccessGroup, ///

/// Indicates a SID that matches the medium plus integrity label. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows /// Vista, Windows Server 2003 and Windows XP: This value is not available. ///

WinMediumPlusLabelSid, ///

/// Indicates a SID that matches a local logon group. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, /// Windows Server 2003 and Windows XP: This value is not available. ///

WinLocalLogonSid, ///

/// Indicates a SID that matches a console logon group. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, /// Windows Server 2003 and Windows XP: This value is not available. ///

WinConsoleLogonSid, ///

Undocumented

WinThisOrganizationCertificateSid, ///

/// Indicates a SID that matches the application package authority. Windows Server 2008 R2, Windows 7, Windows Server 2008, /// Windows Vista, Windows Server 2003 and Windows XP: This value is not available. ///

WinApplicationPackageAuthoritySid, ///

Undocumented

WinBuiltinAnyPackageSid, ///

/// Indicates a SID of Internet client capability for app containers. Windows Server 2008 R2, Windows 7, Windows Server 2008, /// Windows Vista, Windows Server 2003 and Windows XP: This value is not available. ///

WinCapabilityInternetClientSid, ///

Undocumented

WinCapabilityInternetClientServerSid, ///

/// Indicates a SID of private network client and server capability for app containers. Windows Server 2008 R2, Windows 7, /// Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value is not available. ///

WinCapabilityPrivateNetworkClientServerSid, ///

Undocumented

WinCapabilityPicturesLibrarySid, ///

/// Indicates a SID for videos library capability for app containers. Windows Server 2008 R2, Windows 7, Windows Server 2008, /// Windows Vista, Windows Server 2003 and Windows XP: This value is not available. ///

WinCapabilityVideosLibrarySid, ///

Undocumented

WinCapabilityMusicLibrarySid, ///

/// Indicates a SID for documents library capability for app containers. Windows Server 2008 R2, Windows 7, Windows Server 2008, /// Windows Vista, Windows Server 2003 and Windows XP: This value is not available. ///

WinCapabilityDocumentsLibrarySid, ///

Undocumented

WinCapabilitySharedUserCertificatesSid, ///

/// Indicates a SID for Windows credentials capability for app containers. Windows Server 2008 R2, Windows 7, Windows Server /// 2008, Windows Vista, Windows Server 2003 and Windows XP: This value is not available. ///

WinCapabilityEnterpriseAuthenticationSid, ///

Undocumented

WinCapabilityRemovableStorageSid, ///

WinBuiltinRDSRemoteAccessServersSid, ///

WinBuiltinRDSEndpointServersSid, ///

WinBuiltinRDSManagementServersSid, ///

WinUserModeDriversSid, ///

WinBuiltinHyperVAdminsSid, ///

WinAccountCloneableControllersSid, ///

WinBuiltinAccessControlAssistanceOperatorsSid, ///

WinBuiltinRemoteManagementUsersSid, ///

WinAuthenticationAuthorityAssertedSid, ///

WinAuthenticationServiceAssertedSid, ///

WinLocalAccountSid, ///

WinLocalAccountAndAdministratorSid, ///

WinAccountProtectedUsersSid, ///

WinCapabilityAppointmentsSid, ///

WinCapabilityContactsSid, ///

WinAccountDefaultSystemManagedSid, ///

WinBuiltinDefaultSystemManagedGroupSid, ///

WinBuiltinStorageReplicaAdminsSid, ///

WinAccountKeyAdminsSid, ///

WinAccountEnterpriseKeyAdminsSid, ///

WinAuthenticationKeyTrustSid, ///

WinAuthenticationKeyPropertyMFASid, ///

WinAuthenticationKeyPropertyAttestationSid, ///

WinAuthenticationFreshKeyAuthSid, ///

WinBuiltinDeviceOwnersSid, } ///

/// The ACCESS_ALLOWED_ACE structure defines an access control entry (ACE) for the discretionary access control list (DACL) /// that controls access to an object. An access-allowed ACE allows access to an object for a specific trustee identified by a /// security identifier (SID). ///

/// /// /// ACE structures must be aligned on DWORD boundaries. All Windows memory-management functions return DWORD-aligned /// handles to memory. /// /// /// The access rights specified by the Mask member are granted to any trustee that possesses an enabled SID that matches the /// SID stored in the SidStart member. /// /// /// An ACCESS_ALLOWED_ACE structure can be created in an access control list (ACL) by a call to the AddAccessAllowedAce or /// AddAccessAllowedAceEx function. When these functions are used, the correct amount of memory needed to accommodate the trustee's /// SID is allocated and the values of the Header.AceType and Header.AceSize members are set automatically. If the /// AddAccessAllowedAceEx function is used, the Header.AceFlags member is also set. When an ACCESS_ALLOWED_ACE /// structure is created outside an ACL, sufficient memory must be allocated to accommodate the complete SID of the trustee in the /// SidStart member and the contiguous memory following it, and the values of the Header.AceType, /// Header.AceFlags, and Header.AceSize members must be set explicitly by the application. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-access_allowed_ace typedef struct _ACCESS_ALLOWED_ACE { // ACE_HEADER Header; ACCESS_MASK Mask; DWORD SidStart; } ACCESS_ALLOWED_ACE; [PInvokeData("winnt.h", MSDNShortId = "002a3fa7-02a3-4832-948e-b048f5f5818f")] [StructLayout(LayoutKind.Sequential)] public struct ACCESS_ALLOWED_ACE { ///

/// ACE_HEADER structure that specifies the size and type of ACE. It also contains flags that control inheritance of the ACE by /// child objects. The AceType member of the ACE_HEADER structure should be set to ACCESS_ALLOWED_ACE_TYPE, and the AceSize /// member should be set to the total number of bytes allocated for the ACCESS_ALLOWED_ACE structure. ///

public ACE_HEADER Header; ///

Specifies an ACCESS_MASK structure that specifies the access rights granted by this ACE.

public ACCESS_MASK Mask; ///

/// The first DWORD of a trustee's SID. The remaining bytes of the SID are stored in contiguous memory after the SidStart member. /// This SID can be appended with application data. ///

public uint SidStart; } ///

/// /// The ACCESS_ALLOWED_CALLBACK_ACE structure defines an access control entry (ACE) for the discretionary access control list /// (DACL) that controls access to an object. An access-allowed ACE allows access to an object for a specific trustee identified by a /// security identifier (SID). /// /// /// When the AuthzAccessCheck function is called, each ACCESS_ALLOWED_CALLBACK_ACE structure contained in the DACL of a /// SECURITY_DESCRIPTOR structure passed through a pointer to the AuthzAccessCheck function invokes a call to the /// application-defined AuthzAccessCheckCallback function, in which a pointer to the ACCESS_ALLOWED_CALLBACK_ACE structure /// found is passed in the pAce parameter. /// ///

/// ACE_HEADER structure that specifies the size and type of ACE. It also contains flags that control inheritance of the ACE by /// child objects. The AceType member of the ACE_HEADER structure should be set to /// ACCESS_ALLOWED_CALLBACK_ACE_TYPE, and the AceSize member should be set to the total number of bytes allocated for the /// ACCESS_ALLOWED_CALLBACK_ACE structure. ///

public ACE_HEADER Header; ///

Specifies an ACCESS_MASK structure that specifies the access rights granted by this ACE.

public ACCESS_MASK Mask; ///

The first DWORD of a trustee's SID.

public uint SidStart; } ///

/// /// The ACCESS_ALLOWED_CALLBACK_OBJECT_ACE structure defines an access control entry (ACE) that controls allowed access to an /// object, property set, or property. The ACE contains a set of access rights, a GUID that identifies the type of object, and /// a security identifier (SID) that identifies the trustee to whom the system will grant access. The ACE also contains a GUID /// and a set of flags that control inheritance of the ACE by child objects. /// /// /// When the AuthzAccessCheck function is called, each ACCESS_ALLOWED_CALLBACK_OBJECT_ACE structure contained in the DACL of a /// SECURITY_DESCRIPTOR structure passed through a pointer to the AuthzAccessCheck function invokes a call to the /// application-defined AuthzAccessCheckCallback function, in which a pointer to the ACCESS_ALLOWED_CALLBACK_OBJECT_ACE /// structure found is passed in the pAce parameter. /// ///

/// /// /// If neither the ObjectType nor InheritedObjectTypeGUID is specified, the /// ACCESS_ALLOWED_CALLBACK_OBJECT_ACE structure has the same semantics as those used by the ACCESS_ALLOWED_CALLBACK_ACE /// structure. In that case, use the ACCESS_ALLOWED_CALLBACK_ACE structure because it is smaller and more efficient. /// /// /// An ACL that contains an ACCESS_ALLOWED_CALLBACK_OBJECT_ACE must specify the ACL_REVISION_DS revision number in its ACL header. /// /// /// The access rights specified by the Mask member are granted to any trustee that possesses an enabled SID that matches the /// SID stored in the SidStart member. /// /// /// When an ACCESS_ALLOWED_CALLBACK_OBJECT_ACE structure is created, sufficient memory must be allocated to accommodate the /// GUID structures in the ObjectType and InheritedObjectType members, if one or both of them exists, as well as to /// accommodate the complete SID of the trustee in the SidStart member and the contiguous memory that follows it. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-access_allowed_callback_object_ace typedef struct // _ACCESS_ALLOWED_CALLBACK_OBJECT_ACE { ACE_HEADER Header; ACCESS_MASK Mask; DWORD Flags; GUID ObjectType; GUID InheritedObjectType; // DWORD SidStart; } ACCESS_ALLOWED_CALLBACK_OBJECT_ACE, *PACCESS_ALLOWED_CALLBACK_OBJECT_ACE; [PInvokeData("winnt.h", MSDNShortId = "83b00ef3-f7b2-455e-8f3f-01b1da6024b7")] [StructLayout(LayoutKind.Sequential)] public struct ACCESS_ALLOWED_CALLBACK_OBJECT_ACE { ///

/// ACE_HEADER structure that specifies the size and type of ACE. It also contains flags that control inheritance of the ACE by /// child objects. The AceType member of the ACE_HEADER structure should be set to /// ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE, and the AceSize member should be set to the total number of bytes allocated /// for the ACCESS_ALLOWED_CALLBACK_OBJECT_ACE structure. ///

public ACE_HEADER Header; ///

An ACCESS_MASK that specifies the access rights the system will allow to the trustee.

public ACCESS_MASK Mask; ///

/// /// A set of bit flags that indicate whether the ObjectType and InheritedObjectType members are present. This /// parameter can be one or more of the following values. /// /// /// /// Value /// Meaning /// /// /// 0 /// Neither ObjectType nor InheritedObjectType are present. The SidStart member follows immediately after the Flags member. /// /// /// ACE_OBJECT_TYPE_PRESENT /// /// ObjectType is present and contains a GUID. If this value is not specified, the InheritedObjectType member follows immediately /// after the Flags member. /// /// /// /// ACE_INHERITED_OBJECT_TYPE_PRESENT /// /// InheritedObjectType is present and contains a GUID. If this value is not specified, all types of child objects can inherit /// the ACE. /// /// /// ///

public ObjectAceFlags Flags; ///

/// /// This member exists only if the ACE_OBJECT_TYPE_PRESENT bit is set in the Flags member. Otherwise, the /// InheritedObjectType member follows immediately after the Flags member. /// /// /// If this member exists, it is a GUID structure that identifies a property set, property, extended right, or type of child /// object. The purpose of this GUID depends on the access rights specified in the Mask member. /// /// /// /// Value /// Meaning /// /// /// ADS_RIGHT_DS_CONTROL_ACCESS /// The ObjectType GUID identifies an extended access right. /// /// /// ADS_RIGHT_DS_CREATE_CHILD /// /// The ObjectType GUID identifies a type of child object. The ACE controls the trustee's right to create this type of child object. /// /// /// /// ADS_RIGHT_DS_READ_PROP /// /// The ObjectType GUID identifies a property set or property of the object. The ACE controls the trustee's right to read the /// property or property set. /// /// /// /// ADS_RIGHT_DS_WRITE_PROP /// /// The ObjectType GUID identifies a property set or property of the object. The ACE controls the trustee's right to write the /// property or property set. /// /// /// /// ADS_RIGHT_DS_SELF /// The ObjectType GUID identifies a validated write. /// /// ///

public Guid ObjectType; ///

/// This member exists only if the ACE_INHERITED_OBJECT_TYPE_PRESENT bit is set in the Flags member. /// /// If this member exists, it is a GUID structure that identifies the type of child object that can inherit the ACE. Inheritance /// is also controlled by the inheritance flags in the ACE_HEADER, as well as by any protection against inheritance placed on the /// child objects. /// /// /// The offset of this member can vary. If the Flags member does not contain the ACE_OBJECT_TYPE_PRESENT flag, the /// InheritedObjectType member starts at the offset specified by the ObjectType member. /// ///

public Guid InheritedObjectType; ///

/// The first DWORD of a trustee's SID. The remaining bytes of the SID are stored in contiguous memory after the /// SidStart member. This SID can be appended with application data. ///

public uint SidStart; } ///

/// The ACCESS_ALLOWED_OBJECT_ACE structure defines an access control entry (ACE) that controls allowed access to an object, a /// property set, or property. The ACE contains a set of access rights, a GUID that identifies the type of object, and a /// security identifier (SID) that identifies the trustee to whom the system will grant access. The ACE also contains a GUID /// and a set of flags that control inheritance of the ACE by child objects. ///

/// /// /// If neither the ObjectType nor InheritedObjectType GUID is specified, the ACCESS_ALLOWED_OBJECT_ACE structure /// has the same semantics as those used by the ACCESS_ALLOWED_ACE structure. In that case, use the ACCESS_ALLOWED_ACE /// structure because it is smaller and more efficient. /// /// An ACL that contains an ACCESS_ALLOWED_OBJECT_ACE must specify the ACL_REVISION_DS revision number in its ACL header. /// /// The access rights specified by the Mask member are granted to any trustee that possesses an enabled SID that matches the /// SID stored in the SidStart member. /// /// /// An ACCESS_ALLOWED_OBJECT_ACE structure can be created in an access control list (ACL) by a call to the /// AddAccessAllowedObjectAce function. When this function is used, the correct amount of memory needed to accommodate the GUID /// structures in the ObjectType and InheritedObjectType members, if one or both of them exists, as well as to /// accommodate the trustee's SID is automatically allocated. In addition, the values of the Header.AceType and /// Header.AceSize members are set automatically. When an ACCESS_ALLOWED_OBJECT_ACE structure is created outside an /// ACL, sufficient memory must be allocated to accommodate the GUID structures in the ObjectType and /// InheritedObjectType members, if one or both of them exists, as well as to accommodate the complete SID of the trustee in /// the SidStart member and the contiguous memory following it. In addition, the values of the Header.AceType and /// Header.AceSize members must be set explicitly by the application. /// /// // https://docs.microsoft.com/en-us/windows/desktop/api/winnt/ns-winnt-_access_allowed_object_ace typedef struct // _ACCESS_ALLOWED_OBJECT_ACE { ACE_HEADER Header; ACCESS_MASK Mask; DWORD Flags; GUID ObjectType; GUID InheritedObjectType; DWORD // SidStart; } ACCESS_ALLOWED_OBJECT_ACE, *PACCESS_ALLOWED_OBJECT_ACE; [PInvokeData("winnt.h", MSDNShortId = "ee91ca50-e81b-4872-95eb-349c2d5be004")] [StructLayout(LayoutKind.Sequential)] public struct ACCESS_ALLOWED_OBJECT_ACE { ///

/// ACE_HEADER structure that specifies the size and type of ACE. It also contains flags that control inheritance of the ACE by /// child objects. The AceType member of the ACE_HEADER structure should be set to ACCESS_ALLOWED_OBJECT_ACE_TYPE, /// and the AceSize member should be set to the total number of bytes allocated for the ACCESS_ALLOWED_OBJECT_ACE structure. ///

public ACE_HEADER Header; ///

An ACCESS_MASK that specifies the access rights the system will allow to the trustee.

public ACCESS_MASK Mask; ///

public ObjectAceFlags Flags; ///

public Guid ObjectType; ///

public Guid InheritedObjectType; ///

/// /// Specifies the first DWORD of a SID that identifies the trustee to whom the access rights are granted. The remaining /// bytes of the SID are stored in contiguous memory after the SidStart member. This SID can be appended with application data. /// /// /// The offset of this member can vary. If the Flags member is zero, the SidStart member starts at the offset /// specified by the ObjectType member. If Flags contains only one flag (either ACE_OBJECT_TYPE_PRESENT or /// ACE_INHERITED_OBJECT_TYPE_PRESENT), the SidStart member starts at the offset specified by the /// InheritedObjectType member. /// ///

public uint SidStart; } ///

/// The ACCESS_DENIED_ACE structure defines an access control entry (ACE) for the discretionary access control list (DACL) /// that controls access to an object. An access-denied ACE denies access to an object for a specific trustee identified by a /// security identifier (SID). ///

/// /// /// ACE structures must be aligned on DWORD boundaries. All Windows memory-management functions return DWORD-aligned /// handles to memory. /// /// /// The access rights specified by the Mask member are denied to any trustee that possesses an enabled SID that matches the /// SID stored in the SidStart member. /// /// /// An ACCESS_DENIED_ACE structure can be created in an access control list (ACL) by a call to the AddAccessDeniedAce or /// AddAccessDeniedAceEx function. When these functions are used, the correct amount of memory needed to accommodate the trustee's /// SID is allocated and the values of the Header.AceType and Header.AceSize members are set automatically. If the /// AddAccessDeniedAceEx function is used, the Header.AceFlags member is also set. When an ACCESS_DENIED_ACE /// structure is created outside an ACL, sufficient memory must be allocated to accommodate the complete SID of the trustee in the /// SidStart member and the contiguous memory following it, and the values of the Header.AceType, /// Header.AceFlags, and Header.AceSize members must be set explicitly by the application. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-access_denied_ace typedef struct _ACCESS_DENIED_ACE { ACE_HEADER // Header; ACCESS_MASK Mask; DWORD SidStart; } ACCESS_DENIED_ACE; [PInvokeData("winnt.h", MSDNShortId = "d76a92d0-ccd0-4e73-98b6-43bcd661134d")] [StructLayout(LayoutKind.Sequential)] public struct ACCESS_DENIED_ACE { ///

/// An ACE_HEADER structure that specifies the size and type of ACE. It also contains flags that control inheritance of the ACE /// by child objects. The AceType member of the ACE_HEADER structure should be set to ACCESS_DENIED_ACE_TYPE, and /// the AceSize member should be set to the total number of bytes allocated for the ACCESS_DENIED_ACE structure. ///

public ACE_HEADER Header; ///

An ACCESS_MASK structure that specifies the access rights explicitly denied by this ACE.

public ACCESS_MASK Mask; ///

/// The first DWORD of a trustee's SID. The remaining bytes of the SID are stored in contiguous memory after the /// SidStart member. This SID can be appended with application data. ///

public uint SidStart; } ///

/// /// The ACCESS_DENIED_CALLBACK_ACE structure defines an access control entry (ACE) for the discretionary access control list /// (DACL) that controls access to an object. An access-denied ACE denies access to an object for a specific trustee identified by a /// security identifier (SID). /// /// /// When the AuthzAccessCheck function is called, each ACCESS_DENIED_CALLBACK_ACE structure contained in the DACL of a /// SECURITY_DESCRIPTOR structure passed through a pointer to the AuthzAccessCheck function invokes a call to the /// application–defined AuthzAccessCheckCallback function, in which a pointer to the ACCESS_DENIED_CALLBACK_ACE structure /// found is passed in the pAce parameter. /// ///

/// ACE_HEADER structure that specifies the size and type of ACE. It also contains flags that control inheritance of the ACE by /// child objects. The AceType member of the ACE_HEADER structure should be set to ACCESS_DENIED_CALLBACK_ACE_TYPE, /// and the AceSize member should be set to the total number of bytes allocated for the ACCESS_DENIED_CALLBACK_ACE structure. ///

public ACE_HEADER Header; ///

Specifies an ACCESS_MASK structure that specifies the access rights explicitly denied by this ACE.

public ACCESS_MASK Mask; ///

/// The first DWORD of a trustee's SID. The remaining bytes of the SID are stored in contiguous memory after the /// SidStart member. This SID can be appended with application data. ///

public uint SidStart; } ///

/// /// The ACCESS_DENIED_CALLBACK_OBJECT_ACE structure defines an access control entry (ACE) that controls denied access to an /// object, a property set, or property. The ACE contains a set of access rights, a GUID that identifies the type of object, /// and a security identifier (SID) that identifies the trustee to whom the system will deny access. The ACE also contains a /// GUID and a set of flags that control inheritance of the ACE by child objects. /// /// /// When the AuthzAccessCheck function is called, each ACCESS_DENIED_CALLBACK_OBJECT_ACE structure contained in the DACL of a /// SECURITY_DESCRIPTOR structure passed through a pointer to the AuthzAccessCheck function invokes a call to the /// application–defined AuthzAccessCheckCallback function, in which a pointer to the ACCESS_DENIED_CALLBACK_OBJECT_ACE /// structure found is passed in the pAce parameter. /// ///

/// /// /// If neither the ObjectType nor InheritedObjectTypeGUID is specified, the /// ACCESS_DENIED_CALLBACK_OBJECT_ACE structure has the same semantics as those used by the ACCESS_DENIED_CALLBACK_ACE /// structure. In that case, use the ACCESS_DENIED_CALLBACK_ACE structure because it is smaller and more efficient. /// /// /// An ACL that contains an ACCESS_DENIED_CALLBACK_OBJECT_ACE must specify the ACL_REVISION_DS revision number in its ACL header. /// /// /// The access rights specified by the Mask member are denied to any trustee that possesses an enabled SID that matches the /// SID stored in the SidStart member. /// /// /// When an ACCESS_DENIED_CALLBACK_OBJECT_ACE structure is created, sufficient memory must be allocated to accommodate the /// GUID structures in the ObjectType and InheritedObjectType members, if one or both of them exists, as well as to /// accommodate the complete SID of the trustee in the SidStart member and the contiguous memory that follows it. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-access_denied_callback_object_ace typedef struct // _ACCESS_DENIED_CALLBACK_OBJECT_ACE { ACE_HEADER Header; ACCESS_MASK Mask; DWORD Flags; GUID ObjectType; GUID InheritedObjectType; // DWORD SidStart; } ACCESS_DENIED_CALLBACK_OBJECT_ACE, *PACCESS_DENIED_CALLBACK_OBJECT_ACE; [PInvokeData("winnt.h", MSDNShortId = "945d9c3b-922f-481d-bb1d-3dca50fb9edb")] [StructLayout(LayoutKind.Sequential)] public struct ACCESS_DENIED_CALLBACK_OBJECT_ACE { ///

/// ACE_HEADER structure that specifies the size and type of ACE. It contains flags that control inheritance of the ACE by child /// objects. The AceType member of the ACE_HEADER structure should be set to ACCESS_DENIED_CALLBACK_ACE_TYPE, and /// the AceSize member should be set to the total number of bytes allocated for the /// ACCESS_DENIED_CALLBACK_OBJECT_ACE structure. ///

public ACE_HEADER Header; ///

An ACCESS_MASK that specifies the access rights the system will deny to the trustee.

public ACCESS_MASK Mask; ///

public ObjectAceFlags Flags; ///

public Guid ObjectType; ///

public Guid InheritedObjectType; ///

/// The first DWORD of a trustee's SID. The remaining bytes of the SID are stored in contiguous memory after the /// SidStart member. This SID can be appended with application data. ///

public uint SidStart; } ///

/// The ACCESS_DENIED_OBJECT_ACE structure defines an access control entry (ACE) that controls denied access to an object, a /// property set, or property. The ACE contains a set of access rights, a GUID that identifies the type of object, and a /// security identifier (SID) that identifies the trustee to whom the system will deny access. The ACE also contains a GUID /// and a set of flags that control inheritance of the ACE by child objects. ///

/// /// /// If neither the ObjectType nor InheritedObjectTypeGUID is specified, the ACCESS_DENIED_OBJECT_ACE /// structure has the same semantics as those used by the ACCESS_DENIED_ACE structure. In that case, use the ACCESS_DENIED_ACE /// structure because it is smaller and more efficient. /// /// An ACL that contains an ACCESS_DENIED_OBJECT_ACE must specify the ACL_REVISION_DS revision number in its ACL header. /// /// The access rights specified by the Mask member are denied to any trustee that possesses an enabled SID that matches the /// SID stored in the SidStart member. /// /// /// An ACCESS_DENIED_OBJECT_ACE structure can be created in an access control list (ACL) by a call to the /// AddAccessDeniedObjectAce function. When this function is used, the correct amount of memory needed to accommodate the GUID /// structures in the ObjectType and InheritedObjectType members, if one or both of them exists, as well as to /// accommodate the trustee's SID is automatically allocated. In addition, the values of the Header.AceType and /// Header.AceSize members are set automatically. When an ACCESS_DENIED_OBJECT_ACE structure is created outside an ACL, /// sufficient memory must be allocated to accommodate the GUID structures in the ObjectType and InheritedObjectType /// members, if one or both of them exists, as well as to accommodate the complete SID of the trustee in the SidStart member /// and the contiguous memory following it. In addition, the values of the Header.AceType and Header.AceSize members /// must be set explicitly by the application. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-access_denied_object_ace typedef struct // _ACCESS_DENIED_OBJECT_ACE { ACE_HEADER Header; ACCESS_MASK Mask; DWORD Flags; GUID ObjectType; GUID InheritedObjectType; DWORD // SidStart; } ACCESS_DENIED_OBJECT_ACE, *PACCESS_DENIED_OBJECT_ACE; [PInvokeData("winnt.h", MSDNShortId = "80e00c2b-7c31-428d-96c1-c4e3d22619f3")] [StructLayout(LayoutKind.Sequential)] public struct ACCESS_DENIED_OBJECT_ACE { ///

/// ACE_HEADER structure that specifies the size and type of ACE. It contains flags that control inheritance of the ACE by child /// objects. The AceType member of the ACE_HEADER structure should be set to ACCESS_DENIED_OBJECT_ACE_TYPE, and the /// AceSize member should be set to the total number of bytes allocated for the ACCESS_DENIED_OBJECT_ACE structure. ///

public ACE_HEADER Header; ///

An ACCESS_MASK that specifies the access rights the system will deny to the trustee.

public ACCESS_MASK Mask; ///

public ObjectAceFlags Flags; ///

public Guid ObjectType; ///

public Guid InheritedObjectType; ///

/// /// Specifies the first DWORD of a SID that identifies the trustee for whom the access rights are denied. The remaining /// bytes of the SID are stored in contiguous memory after the SidStart member. This SID can be appended with application data. /// /// /// The offset of this member can vary. If the Flags member is zero, the SidStart member starts at the offset /// specified by the ObjectType member. If Flags contains only one flag (either ACE_OBJECT_TYPE_PRESENT or /// ACE_INHERITED_OBJECT_TYPE_PRESENT), the SidStart member starts at the offset specified by the /// InheritedObjectType member. /// ///

public uint SidStart; } ///

The ACE_HEADER structure describes the type and size of an access-control entry (ACE).

/// /// The ACE_HEADER structure is the first member of the various types of ACE structures, such as ACCESS_ALLOWED_ACE. /// /// System-alarm ACEs are not currently supported. The AceType member cannot specify the SYSTEM_ALARM_ACE_TYPE. Do not use the /// SYSTEM_ALARM_ACE structure. /// /// // https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/ns-ntifs-_ace_header typedef struct _ACE_HEADER { // UCHAR AceType; UCHAR AceFlags; USHORT AceSize; } ACE_HEADER; [PInvokeData("ntifs.h", MSDNShortId = "f5f39310-8b15-4d6b-a985-3f25522a16b1")] [StructLayout(LayoutKind.Sequential)] public struct ACE_HEADER { ///

/// ACE type. This member can be one of the following values: /// /// /// Value /// Meaning /// /// /// ACCESS_ALLOWED_ACE_TYPE /// Access-allowed ACE that uses the ACCESS_ALLOWED_ACE structure. /// /// /// ACCESS_DENIED_ACE_TYPE /// Access-denied ACE that uses the ACCESS_DENIED_ACE structure. /// /// /// SYSTEM_AUDIT_ACE_TYPE /// System-audit ACE that uses the SYSTEM_AUDIT_ACE structure. /// /// ///

public AceType AceType; ///

/// Set of ACE type-specific control flags. This member can be a combination of the following values: /// /// /// Value /// Meaning /// /// /// CONTAINER_INHERIT_ACE /// /// Child objects that are containers, such as directories, inherit the ACE as an effective ACE. The inherited ACE is inheritable /// unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set. /// /// /// /// FAILED_ACCESS_ACE_FLAG /// Used with system-audit ACEs in a SACL to generate audit messages for failed access attempts. /// /// /// INHERIT_ONLY_ACE /// /// Indicates an inherit-only ACE which does not control access to the object to which it is attached. If this flag is not set, /// the ACE is an effective ACE which controls access to the object to which it is attached. Both effective and inherit-only ACEs /// can be inherited depending on the state of the other inheritance flags. /// /// /// /// INHERITED_ACE /// /// Microsoft Windows 2000 or later: Indicates that the ACE was inherited. The system sets this bit when it propagates an /// inherited ACE to a child object. /// /// /// /// NO_PROPAGATE_INHERIT_ACE /// /// If the ACE is inherited by a child object, the system clears the OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE flags in the /// inherited ACE. This prevents the ACE from being inherited by subsequent generations of objects. /// /// /// /// OBJECT_INHERIT_ACE /// /// Noncontainer child objects inherit the ACE as an effective ACE. For child objects that are containers, the ACE is inherited /// as an inherit-only ACE unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set. /// /// /// /// SUCCESSFUL_ACCESS_ACE_FLAG /// Used with system-audit ACEs in a SACL to generate audit messages for successful access attempts. /// /// ///

public AceFlags AceFlags; ///

Size, in bytes, of the ACE.

public ushort AceSize; ///

Initializes a new instance of the struct.

/// ACE type. /// Set of ACE type-specific control flags. /// Size, in bytes, of the ACE. public ACE_HEADER(AceType aceType, AceFlags aceFlags, int aceSize) { AceType = aceType; AceFlags = aceFlags; AceSize = (ushort)aceSize; } } ///

/// The ACL structure is the header of an access control list (ACL). A complete ACL consists of an ACL structure followed by an /// ordered list of zero or more access control entries (ACEs). ///

/// /// An ACL includes a sequential list of zero or more ACEs. The individual ACEs in an ACL are numbered from 0 to n, where n+1 is the /// number of ACEs in the ACL. When editing an ACL, an application refers to an ACE within the ACL by the ACE's index. /// There are two types of ACL: discretionary and system. /// /// A discretionary access control list (DACL) is controlled by the owner of an object or anyone granted WRITE_DAC access to the /// object. It specifies the access particular users and groups can have to an object. For example, the owner of a file can use a /// DACL to control which users and groups can and cannot have access to the file. /// /// /// An object can also have system-level security information associated with it, in the form of a system access control list (SACL) /// controlled by a system administrator. A SACL allows the system administrator to audit any attempts to gain access to an object. /// /// For a list of currently defined ACE structures, see ACE. /// A fourth ACE structure, SYSTEM_ALARM_ACE, is not currently supported. /// /// The ACL structure is to be treated as though it were opaque and applications are not to attempt to work with its members /// directly. To ensure that ACLs are semantically correct, applications can use the functions listed in the See Also section to /// create and manipulate ACLs. /// /// Each ACL and ACE structure begins on a DWORD boundary. /// The maximum size for an ACL, including its ACEs, is 64 KB. /// [StructLayout(LayoutKind.Sequential, Pack = 1)] [PInvokeData("Winnt.h", MSDNShortId = "aa374931")] public struct ACL { ///

/// Specifies the revision level of the ACL. This value should be ACL_REVISION, unless the ACL contains an object-specific ACE, /// in which case this value must be ACL_REVISION_DS. All ACEs in an ACL must be at the same revision level. ///

public byte AclRevision; ///

Specifies a zero byte of padding that aligns the AclRevision member on a 16-bit boundary.

public byte Sbz1; ///

Specifies the size, in bytes, of the ACL. This value includes both the ACL structure and all the ACEs.

public ushort AclSize; ///

Specifies the number of ACEs stored in the ACL.

public ushort AceCount; ///

Specifies two zero-bytes of padding that align the ACL structure on a 32-bit boundary.

public ushort Sbz2; } ///

The ACL_REVISION_INFORMATION structure contains revision information about an ACL structure.

[StructLayout(LayoutKind.Sequential)] [PInvokeData("Winnt.h", MSDNShortId = "aa374942")] public struct ACL_REVISION_INFORMATION { ///

Specifies a revision number. The current revision number is ACL_REVISION.

public uint AclRevision; } ///

The ACL_SIZE_INFORMATION structure contains information about the size of an ACL structure.

[StructLayout(LayoutKind.Sequential)] [PInvokeData("Winnt.h", MSDNShortId = "aa374945")] public struct ACL_SIZE_INFORMATION { ///

The number of access control entries (ACEs) in the access control list (ACL).

public uint AceCount; ///

/// The number of bytes in the ACL actually used to store the ACEs and ACL structure. This may be less than the total number of /// bytes allocated to the ACL. ///

public uint AclBytesInUse; ///

The number of unused bytes in the ACL.

public uint AclBytesFree; } ///

The CLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE structure specifies the fully qualified binary name.

// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-_claim_security_attribute_fqbn_value typedef struct // _CLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE { DWORD64 Version; PWSTR Name; } CLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE, *PCLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE; [PInvokeData("winnt.h", MSDNShortId = "1FD9A519-40EA-4780-90F5-C9DF4ADAE72C")] [StructLayout(LayoutKind.Sequential)] public struct CLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE { ///

The version of the fully qualified binary name value.

public ulong Version; ///

A fully qualified binary name.

[MarshalAs(UnmanagedType.LPWStr)] public string Name; } ///

/// The CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE structure specifies the OCTET_STRING value type of the claim /// security attribute. ///

// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-claim_security_attribute_octet_string_value typedef struct // _CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE { PVOID pValue; DWORD ValueLength; } CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PCLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE; [PInvokeData("winnt.h", MSDNShortId = "6647CC4F-1A84-43B2-A80E-7B6BF3A2D7AD")] [StructLayout(LayoutKind.Sequential)] public struct CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE { ///

/// A pointer buffer that contains the OCTET_STRING value. The value is a series of bytes of the length indicated in the /// ValueLength member. ///

public IntPtr pValue; ///

The length, in bytes, of the OCTET_STRING value.

public uint ValueLength; } ///

/// The CLAIM_SECURITY_ATTRIBUTE_V1 structure defines a security attribute that can be associated with a token or /// authorization context. ///

// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-_claim_security_attribute_v1 typedef struct // _CLAIM_SECURITY_ATTRIBUTE_V1 { PWSTR Name; WORD ValueType; WORD Reserved; DWORD Flags; DWORD ValueCount; union { PLONG64 pInt64; // PDWORD64 pUint64; PWSTR *ppString; PCLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn; PCLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE // pOctetString; } Values; } CLAIM_SECURITY_ATTRIBUTE_V1, *PCLAIM_SECURITY_ATTRIBUTE_V1; [PInvokeData("winnt.h", MSDNShortId = "FDBB9B00-01C3-474A-81FF-97C5CBA3261B")] [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public struct CLAIM_SECURITY_ATTRIBUTE_V1 { ///

/// A pointer to a string of Unicode characters that contains the name of the security attribute. This string must be at least 4 /// bytes in length. ///

[MarshalAs(UnmanagedType.LPWStr)] public string Name; ///

/// /// A union tag value that indicates the type of information contained in the Values member. The ValueType member /// must be one of the following values. /// /// /// /// Value /// Meaning /// /// /// CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64 0x0001 /// The Values member refers to an array of LONG64 values. /// /// /// CLAIM_SECURITY_ATTRIBUTE_TYPE_UINT64 0x0002 /// The Values member refers to an array of ULONG64 values. /// /// /// CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING 0x0003 /// The Values member refers to an array of pointers to Unicode string values. /// /// /// CLAIM_SECURITY_ATTRIBUTE_TYPE_FQBN 0x0004 /// The Values member refers to an array of CLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE values. /// /// /// CLAIM_SECURITY_ATTRIBUTE_TYPE_SID 0x0005 /// /// The Values member refers to an array of CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE values where the pValue member of each /// CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE is a PSID. /// /// /// /// CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN 0x0006 /// /// The Values member refers to an array of ULONG64 values where each element indicates a Boolean value. The value 1 indicates /// TRUE and the value 0 indicates FALSE. /// /// /// /// CLAIM_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING 0x0010 /// The Values member refers to an array of CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE values. /// /// ///

public CLAIM_SECURITY_ATTRIBUTE_TYPE ValueType; ///

This member is reserved and must be set to zero when sent and must be ignored when received.

public ushort Reserved; ///

/// /// The attribute flags that are a 32-bitmask. Bits 16 through 31 may be set to any value. Bits 0 through 15 must be zero or a /// combination of one or more of the following mask values. /// /// /// /// Value /// Meaning /// /// /// CLAIM_SECURITY_ATTRIBUTE_NON_INHERITABLE 0x0001 /// This attribute is ignored by the operating system. This claim security attribute is not inherited across processes. /// /// /// CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE 0x0002 /// The value of the claim security attribute is case sensitive. This flag is valid for values that contain string types. /// /// /// CLAIM_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY 0x0004 /// The claim security attribute is considered only for deny access control entries (ACEs). /// /// /// CLAIM_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT 0x0008 /// The claim security attribute is disabled by default. /// /// /// CLAIM_SECURITY_ATTRIBUTE_DISABLED 0x0010 /// The claim security attribute is disabled and will not be applied by the AccessCheck function. /// /// /// CLAIM_SECURITY_ATTRIBUTE_MANDATORY 0x0020 /// The claim security attribute is mandatory. /// /// ///

public CLAIM_SECURITY_ATTRIBUTE_FLAG Flags; ///

The number of values specified in the Values member.

public uint ValueCount; ///

An array of security attribute values of the type specified in the ValueType member.

public VALUESUNION Values; ///

[StructLayout(LayoutKind.Explicit)] public struct VALUESUNION { ///

Pointer to an array of ValueCount members where each member is a LONG64 of type CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64.

[FieldOffset(0)] public IntPtr pInt64; ///

Pointer to an array of ValueCount members where each member is a ULONG64 of type CLAIM_SECURITY_ATTRIBUTE_TYPE_UINT64.

[FieldOffset(0)] public IntPtr pUint64; ///

Pointer to an array of ValueCount members where each member is a PWSTR of type CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING.

[FieldOffset(0)] public IntPtr ppString; ///

/// Pointer to an array of ValueCount members where each member is a fully qualified binary name value of type CLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE. ///

[FieldOffset(0)] public IntPtr pFqbn; ///

Pointer to an array of ValueCount members where each member is an octet string of type CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE.

[FieldOffset(0)] public IntPtr pOctetString; } } ///

The CLAIM_SECURITY_ATTRIBUTES_INFORMATION structure defines the security attributes for the claim.

[StructLayout(LayoutKind.Sequential)] [PInvokeData("Winnt.h", MSDNShortId = "hh448481")] public struct CLAIM_SECURITY_ATTRIBUTES_INFORMATION { ///

A default instance which sets the field.

public static readonly CLAIM_SECURITY_ATTRIBUTES_INFORMATION Default = new CLAIM_SECURITY_ATTRIBUTES_INFORMATION { Version = 1 }; ///

The version of the security attribute. This must be 1.

public ushort Version; ///

/// This member is currently reserved and must be zero when setting an attribute and is ignored when getting an attribute. ///

public ushort Reserved; ///

The number of values.

public uint AttributeCount; ///

The actual attribute.

public ATTRUNION Attribute; ///

The actual attribute.

[StructLayout(LayoutKind.Explicit)] [PInvokeData("Winnt.h", MSDNShortId = "hh448481")] public struct ATTRUNION { ///

Pointer to an array that contains the AttributeCount member of the CLAIM_SECURITY_ATTRIBUTE_V1 structure.

[FieldOffset(0)] public IntPtr pAttributeV1; } } ///

/// Contains information that is included immediately after the newest event log record. /// /// The ELF_EOF_RECORD structure is used in an event log to enable the event-logging service to reconstruct the /// ELF_LOGFILE_HEADER. The event-logging service must add the ELF_EOF_RECORD to the event log. For more information /// about ELF_EOF_RECORD, see Event Log File Format. /// ///

// typedef struct _EVENTLOGEOF { ULONG RecordSizeBeginning; ULONG One; ULONG Two; ULONG Three; ULONG Four; ULONG BeginRecord; ULONG // EndRecord; ULONG CurrentRecordNumber; ULONG OldestRecordNumber; ULONG RecordSizeEnd;} EVENTLOGEOF, *PEVENTLOGEOF; https://msdn.microsoft.com/en-us/library/windows/desktop/bb309022(v=vs.85).aspx [PInvokeData("Winnt.h", MSDNShortId = "bb309022")] [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)] public struct EVENTLOGEOF { ///

The beginning size of the ELF_EOF_RECORD. The beginning size is always 0x28.

public uint RecordSizeBeginning; ///

/// An identifier that helps to differentiate this record from other records in the event log. The value is always set to 0x11111111. ///

public uint One; ///

/// An identifier that helps to differentiate this record from other records in the event log. The value is always set to 0x22222222. ///

public uint Two; ///

/// An identifier that helps to differentiate this record from other records in the event log. The value is always set to 0x33333333. ///

public uint Three; ///

/// An identifier that helps to differentiate this record from other records in the event log. The value is always set to 0x44444444. ///

public uint Four; ///

The offset to the oldest record. If the event log is empty, this is set to the start of this structure.

public uint BeginRecord; ///

The offset to the start of this structure.

public uint EndRecord; ///

The record number of the next event that will be written to the event log.

public uint CurrentRecordNumber; ///

The record number of the oldest record in the event log. The record number will be 0 if the event log is empty.

public uint OldestRecordNumber; ///

The ending size of the ELF_EOF_RECORD. The ending size is always 0x28.

public uint RecordSizeEnd; } ///

/// Contains information that is included at the beginning of an event log. /// /// The ELF_LOGFILE_HEADER structure is used at the beginning of an event log to define information about the event log. The /// event-logging service must add the ELF_LOGFILE_HEADER to the event log. For more information about how the /// ELF_LOGFILE_HEADER is used, see Event Log File Format. /// ///

// typedef struct _EVENTLOGHEADER { ULONG HeaderSize; ULONG Signature; ULONG MajorVersion; ULONG MinorVersion; ULONG StartOffset; // ULONG EndOffset; ULONG CurrentRecordNumber; ULONG OldestRecordNumber; ULONG MaxSize; ULONG Flags; ULONG Retention; ULONG // EndHeaderSize;} EVENTLOGHEADER, *PEVENTLOGHEADER; https://msdn.microsoft.com/en-us/library/windows/desktop/bb309024(v=vs.85).aspx [PInvokeData("Winnt.h", MSDNShortId = "bb309024")] [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)] public struct EVENTLOGHEADER { ///

The size of the header structure. The size is always 0x30.

public uint HeaderSize; ///

The signature is always 0x654c664c, which is ASCII for eLfL.

public uint Signature; ///

The major version number of the event log. The major version number is always set to 1.

public uint MajorVersion; ///

The minor version number of the event log. The minor version number is always set to 1.

public uint MinorVersion; ///

The offset to the oldest record in the event log.

public uint StartOffset; ///

The offset to the ELF_EOF_RECORD in the event log.

public uint EndOffset; ///

The number of the next record that will be added to the event log.

public uint CurrentRecordNumber; ///

The number of the oldest record in the event log. For an empty file, the oldest record number is set to 0.

public uint OldestRecordNumber; ///

/// The maximum size, in bytes, of the event log. The maximum size is defined when the event log is created. The event-logging /// service does not typically update this value, it relies on the registry configuration. The reader of the event log can use /// normal file APIs to determine the size of the file. For more information about registry configuration values, see Eventlog Key. ///

public uint MaxSize; ///

/// The status of the event log. This member can be one of the following values: /// /// /// /// Value /// Meaning /// /// /// ELF_LOGFILE_HEADER_DIRTY0x0001 /// /// Indicates that records have been written to an event log, but the event log file has not been properly closed. For more /// information about this flag, see the Remarks section. /// /// /// /// ELF_LOGFILE_HEADER_WRAP0x0002 /// Indicates that records in the event log have wrapped. /// /// /// ELF_LOGFILE_LOGFULL_WRITTEN0x0004 /// Indicates that the most recent write attempt failed due to insufficient space. /// /// /// ELF_LOGFILE_ARCHIVE_SET0x0008 /// /// Indicates that the archive attribute has been set for the file. Normal file APIs can also be used to determine the value of /// this flag. /// /// /// /// ///

public ELF_FLAGS Flags; ///

/// The retention value of the file when it is created. The event-logging service does not typically update this value, it relies /// on the registry configuration. For more information about registry configuration values, see Eventlog Key. ///

public uint Retention; ///

The ending size of the header structure. The size is always 0x30.

public uint EndHeaderSize; } ///

Contains information about an event record returned by the ReadEventLog function.

/// /// /// The defined members are followed by the replacement strings for the message identified by the event identifier, the binary /// information, some pad bytes to make sure the full entry is on a DWORD boundary, and finally the length of the log entry /// again. Because the strings and the binary information can be of any length, no structure members are defined to reference them. /// The declaration of this structure in Winnt.h describes these members as follows: /// /// /// The source name is a variable-length string that specifies the name of the event source. The computer name is the name of the /// computer that generated the event. It may be followed with some padding bytes so that the user SID is aligned on a DWORD /// boundary. The user SID identifies the active user at the time this event was logged. If UserSidLength is zero, this field /// may be empty. /// /// /// The event identifier together with source name and a language identifier identify a string that describes the event in more /// detail. The strings are used as replacement strings and are merged into the message string to make a complete message. The /// message strings are contained in a message file specified in the source entry in the registry. To obtain the appropriate message /// string from the message file, load the message file with the LoadLibrary function and use the FormatMessage function. /// /// /// The binary information is information that is specific to the event. It could be the contents of the processor registers when a /// device driver got an error, a dump of an invalid packet that was received from the network, a dump of all the structures in a /// program (when the data area was detected to be corrupt), and so on. This information should be useful to the writer of the device /// driver or the application in tracking down bugs or unauthorized breaks into the application. /// /// // https://docs.microsoft.com/en-us/windows/desktop/api/winnt/ns-winnt-_eventlogrecord typedef struct _EVENTLOGRECORD { DWORD Length; // DWORD Reserved; DWORD RecordNumber; DWORD TimeGenerated; DWORD TimeWritten; DWORD EventID; WORD EventType; WORD NumStrings; WORD // EventCategory; WORD ReservedFlags; DWORD ClosingRecordNumber; DWORD StringOffset; DWORD UserSidLength; DWORD UserSidOffset; DWORD // DataLength; DWORD DataOffset; } EVENTLOGRECORD, *PEVENTLOGRECORD; [PInvokeData("winnt.h", MSDNShortId = "669b182a-bc81-4386-9815-6ffa09e2e743")] [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public struct EVENTLOGRECORD { ///

/// The size of this event record, in bytes. Note that this value is stored at both ends of the entry to ease moving forward or /// backward through the log. The length includes any pad bytes inserted at the end of the record for DWORD alignment. ///

public uint Length; ///

A DWORD value that is always set to ELF_LOG_SIGNATURE (the value is 0x654c664c), which is ASCII for eLfL.

public uint Reserved; ///

/// The number of the record. This value can be used with the EVENTLOG_SEEK_READ flag in the ReadEventLog function to begin /// reading at a specified record. For more information, see Event Log Records. ///

public uint RecordNumber; ///

/// The time at which this entry was submitted. This time is measured in the number of seconds elapsed since 00:00:00 January 1, /// 1970, Universal Coordinated Time. ///

public uint TimeGenerated; ///

/// The time at which this entry was received by the service to be written to the log. This time is measured in the number of /// seconds elapsed since 00:00:00 January 1, 1970, Universal Coordinated Time. ///

public uint TimeWritten; ///

/// The event identifier. The value is specific to the event source for the event, and is used with source name to locate a /// description string in the message file for the event source. For more information, see Event Identifiers. ///

public uint EventID; ///

/// The type of event. This member can be one of the following values. /// /// /// Value /// Meaning /// /// /// EVENTLOG_ERROR_TYPE 0x0001 /// Error event /// /// /// EVENTLOG_AUDIT_FAILURE 0x0010 /// Failure Audit event /// /// /// EVENTLOG_AUDIT_SUCCESS 0x0008 /// Success Audit event /// /// /// EVENTLOG_INFORMATION_TYPE 0x0004 /// Information event /// /// /// EVENTLOG_WARNING_TYPE 0x0002 /// Warning event /// /// /// For more information, see Event Types. ///

public EVENTLOG_TYPE EventType; ///

/// The number of strings present in the log (at the position indicated by StringOffset). These strings are merged into /// the message before it is displayed to the user. ///

public ushort NumStrings; ///

/// The category for this event. The meaning of this value depends on the event source. For more information, see Event Categories. ///

public ushort EventCategory; ///

Reserved.

public ushort ReservedFlags; ///

Reserved.

public uint ClosingRecordNumber; ///

The offset of the description strings within this event log record.

public uint StringOffset; ///

The size of the UserSid member, in bytes. This value can be zero if no security identifier was provided.

public uint UserSidLength; ///

/// The offset of the security identifier (SID) within this event log record. To obtain the user name for this SID, use the /// LookupAccountSid function. ///

public uint UserSidOffset; ///

The size of the event-specific data (at the position indicated by DataOffset), in bytes.

public uint DataLength; ///

/// The offset of the event-specific information within this event log record, in bytes. This information could be something /// specific (a disk driver might log the number of retries, for example), followed by binary information specific to the event /// being logged and to the source that generated the entry. ///

public uint DataOffset; } ///

/// Defines the mapping of generic access rights to specific and standard access rights for an object. When a client application /// requests generic access to an object, that request is mapped to the access rights defined in this structure. ///

[StructLayout(LayoutKind.Sequential)] [PInvokeData("Winnt.h", MSDNShortId = "aa446633")] public struct GENERIC_MAPPING { ///

Specifies an access mask defining read access to an object.

public uint GenericRead; ///

Specifies an access mask defining write access to an object.

public uint GenericWrite; ///

Specifies an access mask defining execute access to an object.

public uint GenericExecute; ///

Specifies an access mask defining all possible types of access to an object.

public uint GenericAll; ///

Initializes a new instance of the structure.

/// The read mapping. /// The write mapping. /// The execute mapping. /// The 'all' mapping. public GENERIC_MAPPING(uint read, uint write, uint execute, uint all) { GenericRead = read; GenericWrite = write; GenericExecute = execute; GenericAll = all; } ///

The generic file mappings (FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_READ, FILE_ALL_ACCESS).

public static readonly GENERIC_MAPPING GenericFileMapping = new GENERIC_MAPPING((uint)FileAccess.FILE_GENERIC_READ, (uint)FileAccess.FILE_GENERIC_WRITE, (uint)FileAccess.FILE_GENERIC_READ, (uint)FileAccess.FILE_ALL_ACCESS); } ///

/// An LUID is a 64-bit value guaranteed to be unique only on the system on which it was generated. The uniqueness of a locally /// unique identifier (LUID) is guaranteed only until the system is restarted. /// Applications must use functions and structures to manipulate LUID values. ///

[StructLayout(LayoutKind.Sequential, Pack = 1)] public struct LUID { ///

Low order bits.

public uint LowPart; ///

High order bits.

public int HighPart; ///

Gets the privilege name for this LUID.

/// /// Name of the system on which to perform the lookup. Specifying null will query the local system. /// /// The name retrieved for the LUID. public string GetName(string systemName = null) { var sb = new StringBuilder(1024); var sz = (uint)sb.Capacity; if (!LookupPrivilegeName(systemName, in this, sb, ref sz)) Win32Error.ThrowLastError(); return sb.ToString(); } ///

Creates a new LUID instance from a privilege name.

/// The privilege name. /// /// Name of the system on which to perform the lookup. Specifying null will query the local system. /// /// The LUID instance corresponding to the . public static LUID FromName(string name, string systemName = null) => !LookupPrivilegeValue(systemName, name, out var val) ? throw Win32Error.GetLastError().GetException() : val; ///

/// Creates a new LUID that is unique to the local system only, and uniqueness is guaranteed only until the system is next restarted. ///

/// A new LUID. public static LUID NewLUID() { if (!AllocateLocallyUniqueId(out var ret)) Win32Error.ThrowLastError(); return ret; } ///

Returns a that represents this instance.

/// A that represents this instance. public override string ToString() { try { return GetName(); } catch { return $"0x{Macros.MAKELONG64(LowPart, (uint)HighPart):X}"; } } } ///

The LUID_AND_ATTRIBUTES structure represents a locally unique identifier (LUID) and its attributes.

/// /// An LUID_AND_ATTRIBUTES structure can represent an LUID whose attributes change frequently, such as when the LUID is used to /// represent privileges in the PRIVILEGE_SET structure. Privileges are represented by LUIDs and have attributes indicating whether /// they are currently enabled or disabled. /// [StructLayout(LayoutKind.Sequential, Pack = 1)] public struct LUID_AND_ATTRIBUTES { ///

Specifies a LUID value.

public LUID Luid; ///

/// Specifies attributes of the LUID. This value contains up to 32 one-bit flags. Its meaning is dependent on the definition and /// use of the LUID. ///

public PrivilegeAttributes Attributes; ///

Initializes a new instance of the struct.

/// The LUID value. /// The attribute value. public LUID_AND_ATTRIBUTES(LUID luid, PrivilegeAttributes attr) { Luid = luid; Attributes = attr; } ///

Returns a that represents this instance.

/// A that represents this instance. public override string ToString() => $"{Luid}:{Attributes}"; } ///

The QUOTA_LIMITS structure describes the amount of system resources available to a user.

[StructLayout(LayoutKind.Sequential)] [PInvokeData("Winnt.h", MSDNShortId = "aa379363")] public struct QUOTA_LIMITS { ///

/// Specifies the amount of paged pool memory assigned to the user. The paged pool is an area of system memory (physical memory /// used by the operating /// system) for objects that can be written to disk when they are not being used. /// /// The value set in this member is not enforced by the LSA. You should set this member to 0, which causes the default value to /// be used. /// ///

public uint PagedPoolLimit; ///

/// Specifies the amount of nonpaged pool memory assigned to the user. The nonpaged pool is an area of system memory for objects /// that cannot be written to disk but must remain in physical memory as long as they are allocated. /// /// The value set in this member is not enforced by the LSA. You should set this member to 0, which causes the default value to /// be used. /// ///

public uint NonPagedPoolLimit; ///

/// Specifies the minimum set size assigned to the user. The "working set" of a process is the set of memory pages currently /// visible to the process in physical RAM memory. These pages are present in memory when the application is running and /// available for an application to use without triggering a page fault. /// /// The value set in this member is not enforced by the LSA. You should set this member to NULL, which causes the default value /// to be used. /// ///

public uint MinimumWorkingSetSize; ///

/// Specifies the maximum set size assigned to the user. /// /// The value set in this member is not enforced by the LSA. You should set this member to 0, which causes the default value to /// be used. /// ///

public uint MaximumWorkingSetSize; ///

/// Specifies the maximum size, in bytes, of the paging file, which is a reserved space on disk that backs up committed physical /// memory on the computer. /// /// The value set in this member is not enforced by the LSA. You should set this member to 0, which causes the default value to /// be used. /// ///

public uint PagefileLimit; ///

/// Indicates the maximum amount of time the process can run. /// /// The value set in this member is not enforced by the LSA. You should set this member to NULL, which causes the default value /// to be used. /// ///

public long TimeLimit; } ///

/// The SECURITY_DESCRIPTOR structure contains the security information associated with an object. Applications use this structure to /// set and query an object's security status. /// /// Because the internal format of a security descriptor can vary, we recommend that applications not modify the SECURITY_DESCRIPTOR /// structure directly. /// ///

[StructLayout(LayoutKind.Sequential, Pack = 1)] [PInvokeData("Winnt.h", MSDNShortId = "aa379561")] public struct SECURITY_DESCRIPTOR { ///

Undocumented.

public byte Revision; ///

Undocumented.

public byte Sbz1; ///

Undocumented.

public SECURITY_DESCRIPTOR_CONTROL Control; ///

Undocumented.

public PSID Owner; ///

Undocumented.

public PSID Group; ///

Undocumented.

public PACL Sacl; ///

Undocumented.

public PACL Dacl; } ///

/// The security identifier (SID) structure is a variable-length structure used to uniquely identify users or groups. /// /// Applications should not modify a SID directly. To create and manipulate a security identifier, use the functions listed in the /// See Also section. /// ///

// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-sid typedef struct _SID { BYTE Revision; BYTE // SubAuthorityCount; SID_IDENTIFIER_AUTHORITY IdentifierAuthority; #if ... DWORD *SubAuthority[]; #else DWORD // SubAuthority[ANYSIZE_ARRAY]; #endif } SID, *PISID; [PInvokeData("winnt.h", MSDNShortId = "NS:winnt._SID")] [VanaraMarshaler(typeof(AnySizeStringMarshaler), nameof(SubAuthorityCount))] [StructLayout(LayoutKind.Sequential)] public struct SID { ///

public byte Revision; ///

public byte SubAuthorityCount; ///

public SID_IDENTIFIER_AUTHORITY IdentifierAuthority; ///

[MarshalAs(UnmanagedType.ByValArray, SizeConst = 1)] public uint[] SubAuthority; } ///

/// The SID_AND_ATTRIBUTES structure represents a security identifier (SID) and its attributes. SIDs are used to uniquely identify /// users or groups. ///

[StructLayout(LayoutKind.Sequential)] public struct SID_AND_ATTRIBUTES { ///

A pointer to a SID structure.

public PSID Sid; ///

/// Specifies attributes of the SID. This value contains up to 32 one-bit flags. Its meaning depends on the definition and use of /// the SID. ///

public uint Attributes; ///

Initializes a new instance of the struct.

/// The SID. /// The attributes of the SID. public SID_AND_ATTRIBUTES(PSID sid, uint attributes) { Sid = sid; Attributes = attributes; } ///

Returns a that represents this instance.

/// A that represents this instance. public override string ToString() => $"{(Sid.IsValidSid() ? Sid.ToString("N") : "")}:{Attributes}"; } ///

The SID_IDENTIFIER_AUTHORITY structure represents the top-level authority of a security identifier (SID).

[StructLayout(LayoutKind.Sequential, Pack = 1)] [PInvokeData("Winnt.h", MSDNShortId = "aa379598")] public struct SID_IDENTIFIER_AUTHORITY { ///

An array of 6 bytes specifying a SID's top-level authority.

[MarshalAs(UnmanagedType.ByValArray, SizeConst = 6)] public byte[] Value; } ///

/// Not supported. /// The SYSTEM_ALARM_ACE structure is reserved for future use. ///

// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-system_alarm_ace typedef struct _SYSTEM_ALARM_ACE { ACE_HEADER // Header; ACCESS_MASK Mask; DWORD SidStart; } SYSTEM_ALARM_ACE; [PInvokeData("winnt.h", MSDNShortId = "491cc5c7-abb6-4d03-b3b0-ba5eedb5e2ba")] [StructLayout(LayoutKind.Sequential)] public struct SYSTEM_ALARM_ACE { ///

public ACE_HEADER Header; ///

public ACCESS_MASK Mask; ///

public uint SidStart; } ///

/// Not supported. /// The SYSTEM_ALARM_CALLBACK_ACE structure is reserved for future use. ///

/// /// ACE structures must be aligned on DWORD boundaries. All Windows memory-management functions return DWORD-aligned /// handles to memory. /// // https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-system_alarm_callback_ace typedef struct // _SYSTEM_ALARM_CALLBACK_ACE { ACE_HEADER Header; ACCESS_MASK Mask; DWORD SidStart; } SYSTEM_ALARM_CALLBACK_ACE, *PSYSTEM_ALARM_CALLBACK_ACE; [PInvokeData("winnt.h", MSDNShortId = "8bfb579f-4bee-454e-827b-63a800bccf85")] [StructLayout(LayoutKind.Sequential)] public struct SYSTEM_ALARM_CALLBACK_ACE { ///

public ACE_HEADER Header; ///

/// Specifies an ACCESS_MASK structure that gives the access rights that cause audit messages to be generated. The /// SUCCESSFUL_ACCESS_ACE_FLAG and FAILED_ACCESS_ACE_FLAG flags in the AceFlags member of the ACE_HEADER structure /// indicate whether messages are generated for successful access attempts, unsuccessful access attempts, or both. ///

public ACCESS_MASK Mask; ///

/// The first DWORD of a trustee's ACE. This ACE can be appended with application data. When the AuthzAccessCheckCallback /// function is called, this ACE is passed as the pAce parameter of that function. ///

public uint SidStart; } ///

/// Not supported. /// The SYSTEM_ALARM_CALLBACK_OBJECT_ACE structure is reserved for future use. ///

/// /// /// If neither the ObjectType nor InheritedObjectType GUID is specified, the SYSTEM_ALARM_CALLBACK_OBJECT_ACE /// structure has the same semantics as the SYSTEM_ALARM_CALLBACK_ACE structure. In that case, use the /// SYSTEM_ALARM_CALLBACK_ACE structure because it is smaller and more efficient. /// /// /// An ACL that contains an SYSTEM_ALARM_CALLBACK_OBJECT_ACE must specify the ACL_REVISION_DS revision number in its /// ACE_HEADER structure. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-system_alarm_callback_object_ace typedef struct // _SYSTEM_ALARM_CALLBACK_OBJECT_ACE { ACE_HEADER Header; ACCESS_MASK Mask; DWORD Flags; GUID ObjectType; GUID InheritedObjectType; // DWORD SidStart; } SYSTEM_ALARM_CALLBACK_OBJECT_ACE, *PSYSTEM_ALARM_CALLBACK_OBJECT_ACE; [PInvokeData("winnt.h", MSDNShortId = "3fdd0b75-666a-4064-95ed-9e708f34bed6")] [StructLayout(LayoutKind.Sequential)] public struct SYSTEM_ALARM_CALLBACK_OBJECT_ACE { ///

/// ACE_HEADER structure that specifies the size and type of ACE. It contains flags that control inheritance of the ACE by child /// objects. The structure also contains flags that indicate whether the ACE audits successful access attempts, failed access /// attempts, or both. The AceType member of the ACE_HEADER structure should be set to SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE. ///

public ACE_HEADER Header; ///

An ACCESS_MASK that specifies the access rights the system will audit for access attempts by the trustee.

public ACCESS_MASK Mask; ///

/// /// A set of bit flags that indicate whether the ObjectType and InheritedObjectType members contain GUIDs. This /// parameter can be a combination of the following values. Set all undefined bits to zero. /// /// /// /// Value /// Meaning /// /// /// ACE_OBJECT_TYPE_PRESENT /// The ObjectType member contains a GUID. /// /// /// ACE_INHERITED_OBJECT_TYPE_PRESENT /// The InheritedObjectType member contains a GUID. /// /// ///

public ObjectAceFlags Flags; ///

/// A GUID structure that identifies a property set, property, extended right, or type of child object. /// /// This member is valid only if the ACE_OBJECT_TYPE_PRESENT bit is set in the Flags member. Otherwise, ObjectType /// is ignored. /// /// The purpose of this GUID depends on the access rights specified in the Mask member. /// /// /// Value /// Meaning /// /// /// ADS_RIGHT_DS_READ_PROP and/or ADS_RIGHT_DS_WRITE_PROP /// /// The ObjectType GUID identifies a property set or property of the object. The ACE controls auditing of the trustee's attempts /// to read or write the property or property set. /// /// /// /// ADS_RIGHT_DS_CONTROL_ACCESS /// The ObjectType GUID identifies an extended access right. /// /// /// ADS_RIGHT_DS_CREATE_CHILD /// /// The ObjectType GUID identifies a type of child object. The ACE controls auditing of the trustee's attempts to create this /// type of child object. /// /// /// /// ADS_RIGHT_DS_SELF /// The ObjectType GUID identifies a validated write. /// /// ///

public Guid ObjectType; ///

public Guid InheritedObjectType; ///

public uint SidStart; } ///

The SYSTEM_ALARM_OBJECT_ACE structure is reserved for future use.

// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-system_alarm_object_ace typedef struct _SYSTEM_ALARM_OBJECT_ACE // { ACE_HEADER Header; ACCESS_MASK Mask; DWORD Flags; GUID ObjectType; GUID InheritedObjectType; DWORD SidStart; } // SYSTEM_ALARM_OBJECT_ACE, *PSYSTEM_ALARM_OBJECT_ACE; [PInvokeData("winnt.h", MSDNShortId = "a55f6039-d1d2-4a7d-a6c9-e8f51b291582")] [StructLayout(LayoutKind.Sequential)] public struct SYSTEM_ALARM_OBJECT_ACE { ///

public ACE_HEADER Header; ///

public ACCESS_MASK Mask; ///

public ObjectAceFlags Flags; ///

public Guid ObjectType; ///

public Guid InheritedObjectType; ///

public uint SidStart; } ///

/// The SYSTEM_AUDIT_ACE structure defines an access control entry (ACE) for the system access control list (SACL) that /// specifies what types of access cause system-level notifications. A system-audit ACE causes an audit message to be logged when a /// specified trustee attempts to gain access to an object. The trustee is identified by a security identifier (SID). ///

/// /// /// Audit messages are stored in an event log that can be manipulated by using the Windows API event-logging functions or by using /// the Event Viewer (Eventvwr.exe). /// /// /// ACE structures should be aligned on DWORD boundaries. All Windows memory-management functions return DWORD-aligned /// handles to memory. /// /// /// When a SYSTEM_AUDIT_ACE structure is created, sufficient memory must be allocated to accommodate the complete SID of the /// trustee in the SidStart member and the contiguous memory that follows it. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-system_audit_ace typedef struct _SYSTEM_AUDIT_ACE { ACE_HEADER // Header; ACCESS_MASK Mask; DWORD SidStart; } SYSTEM_AUDIT_ACE; [PInvokeData("winnt.h", MSDNShortId = "c26b5856-5447-4606-8110-f24a4d235c64")] [StructLayout(LayoutKind.Sequential)] public struct SYSTEM_AUDIT_ACE { ///

/// ACE_HEADER structure that specifies the size and type of ACE. It also contains flags that control inheritance of the ACE by /// child objects. The AceType member of the ACE_HEADER structure should be set to SYSTEM_AUDIT_ACE_TYPE, and the /// AceSize member should be set to the total number of bytes allocated for the SYSTEM_AUDIT_ACE structure. ///

public ACE_HEADER Header; ///

public ACCESS_MASK Mask; ///

/// /// The first DWORD of a trustee's SID. The remaining bytes of the SID are stored in contiguous memory after the /// SidStart member. This SID can be appended with application data. /// /// /// An access attempt of a kind specified by the Mask member by any trustee whose SID matches the SidStart member /// causes the system to generate an audit message. If an application does not specify a SID for this member, audit messages are /// generated for the specified access rights for all trustees. /// ///

public uint SidStart; } ///

/// /// The SYSTEM_AUDIT_CALLBACK_ACE structure defines an access control entry (ACE) for the system access control list (SACL) /// that specifies what types of access cause system-level notifications. A system-audit ACE causes an audit message to be logged /// when a specified trustee attempts to gain access to an object. The trustee is identified by a security identifier (SID). /// /// /// When the AuthzAccessCheck function is called, each SYSTEM_AUDIT_CALLBACK_ACE structure contained in the DACL of a /// SECURITY_DESCRIPTOR structure passed through a pointer to the AuthzAccessCheck function invokes a call to the /// application-defined AuthzAccessCheckCallback function, in which a pointer to the SYSTEM_AUDIT_CALLBACK_ACE structure found /// is passed in the pAce parameter. /// ///

/// /// /// ACE structures must be aligned on DWORD boundaries. All Windows memory-management functions return DWORD-aligned /// handles to memory. /// /// /// When a SYSTEM_AUDIT_CALLBACK_ACE structure is created, sufficient memory must be allocated to accommodate the complete SID /// of the trustee in the SidStart member and the contiguous memory that follows it. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-system_audit_callback_ace typedef struct // _SYSTEM_AUDIT_CALLBACK_ACE { ACE_HEADER Header; ACCESS_MASK Mask; DWORD SidStart; } SYSTEM_AUDIT_CALLBACK_ACE, *PSYSTEM_AUDIT_CALLBACK_ACE; [PInvokeData("winnt.h", MSDNShortId = "4d1799b0-3e55-48d7-94ff-c0094945adea")] [StructLayout(LayoutKind.Sequential)] public struct SYSTEM_AUDIT_CALLBACK_ACE { ///

/// ACE_HEADER structure that specifies the size and type of ACE. It also contains flags that control inheritance of the ACE by /// child objects. The AceType member of the ACE_HEADER structure should be set to SYSTEM_AUDIT_CALLBACK_ACE_TYPE, /// and the AceSize member should be set to the total number of bytes allocated for the SYSTEM_AUDIT_CALLBACK_ACE structure. ///

public ACE_HEADER Header; ///

public ACCESS_MASK Mask; ///

/// The first DWORD of a trustee's SID. The remaining bytes of the SID are stored in contiguous memory after the /// SidStart member. This SID can be appended with application data. ///

public uint SidStart; } ///

/// /// The SYSTEM_AUDIT_CALLBACK_OBJECT_ACE structure defines an access control entry (ACE) for a system access control list /// (SACL). The ACE can audit access to an object or subobjects such as property sets or properties. The ACE contains a set of access /// rights, a GUID that identifies the type of object or subobject, and a security identifier (SID) that identifies the trustee for /// whom the system will audit access. The ACE also contains a GUID and a set of flags that control inheritance of the ACE by child objects. /// /// /// When the AuthzAccessCheck function is called, each SYSTEM_AUDIT_CALLBACK_OBJECT_ACE structure contained in the DACL of a /// SECURITY_DESCRIPTOR structure passed through a pointer to the AuthzAccessCheck function invokes a call to the /// application-defined AuthzAccessCheckCallback function, in which a pointer to the SYSTEM_AUDIT_CALLBACK_OBJECT_ACE /// structure found is passed in the pAce parameter. /// ///

/// /// /// If neither the ObjectType nor InheritedObjectType GUID is specified, the SYSTEM_AUDIT_CALLBACK_OBJECT_ACE /// structure has the same semantics as the SYSTEM_AUDIT_CALLBACK_ACE structure. In that case, use the /// SYSTEM_AUDIT_CALLBACK_ACE structure because it is smaller and more efficient. /// /// /// An ACL that contains a SYSTEM_AUDIT_CALLBACK_OBJECT_ACE structure must specify the ACL_REVISION_DS revision number in its /// ACE_HEADER structure. /// /// /// When a SYSTEM_AUDIT_CALLBACK_OBJECT_ACE structure is created, sufficient memory must be allocated to accommodate the GUID /// structures in ObjectType and InheritedObjectType members, if one or both of them exists, as well as to accommodate /// the complete SID of the trustee in the SidStart member and the contiguous memory that follows it. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-system_audit_callback_object_ace typedef struct // _SYSTEM_AUDIT_CALLBACK_OBJECT_ACE { ACE_HEADER Header; ACCESS_MASK Mask; DWORD Flags; GUID ObjectType; GUID InheritedObjectType; // DWORD SidStart; } SYSTEM_AUDIT_CALLBACK_OBJECT_ACE, *PSYSTEM_AUDIT_CALLBACK_OBJECT_ACE; [PInvokeData("winnt.h", MSDNShortId = "f547c928-4850-4072-be05-76a6c83b79bb")] [StructLayout(LayoutKind.Sequential)] public struct SYSTEM_AUDIT_CALLBACK_OBJECT_ACE { ///

public ACE_HEADER Header; ///

An ACCESS_MASK that specifies the access rights the system will audit for access attempts by the trustee.

public ACCESS_MASK Mask; ///

/// /// A set of bit flags that indicate whether the ObjectType and InheritedObjectType members contain GUIDs. This /// member can be a combination of the following values. Set all undefined bits to zero. /// /// /// /// Value /// Meaning /// /// /// ACE_OBJECT_TYPE_PRESENT /// The ObjectType member contains a GUID. /// /// /// ACE_INHERITED_OBJECT_TYPE_PRESENT /// The InheritedObjectType member contains a GUID. /// /// ///

public ObjectAceFlags Flags; ///

/// A GUID structure that identifies a property set, property, extended right, or type of child object. /// /// This member is valid only if the ACE_OBJECT_TYPE_PRESENT bit is set in the Flags member. Otherwise, ObjectType /// is ignored. /// /// The purpose of this GUID depends on the access rights specified in the Mask member. /// This member can be one of the following values. /// /// /// Value /// Meaning /// /// /// ADS_RIGHT_DS_READ_PROP and/or ADS_RIGHT_DS_WRITE_PROP /// /// The ObjectType GUID identifies a property set or property of the object. The ACE controls auditing of the trustee's attempts /// to read or write the property or property set. /// /// /// /// ADS_RIGHT_DS_CONTROL_ACCESS /// The ObjectType GUID identifies an extended access right. /// /// /// ADS_RIGHT_DS_CREATE_CHILD /// /// The ObjectType GUID identifies a type of child object. The ACE controls auditing of the trustee's attempts to create this /// type of child object. /// /// /// /// ADS_RIGHT_DS_SELF /// The ObjectType GUID identifies a validated write. /// /// ///

public Guid ObjectType; ///

public Guid InheritedObjectType; ///

/// The first DWORD of a trustee's SID. The remaining bytes of the SID are stored in contiguous memory after the /// SidStart member. This SID can be appended with application data. ///

public uint SidStart; } ///

/// The SYSTEM_AUDIT_OBJECT_ACE structure defines an access control entry (ACE) for a system access control list (SACL). The /// ACE can audit access to an object or subobjects such as property sets or properties. The ACE contains a set of access rights, a /// GUID that identifies the type of object or subobject, and a security identifier (SID) that identifies the trustee for whom the /// system will audit access. The ACE also contains a GUID and a set of flags that control inheritance of the ACE by child objects. ///

/// /// /// If neither the ObjectType nor InheritedObjectType GUID is specified, the SYSTEM_AUDIT_OBJECT_ACE structure /// has the same semantics as the SYSTEM_AUDIT_ACE structure. In that case, use the SYSTEM_AUDIT_ACE structure because it is /// smaller and more efficient. /// /// /// An ACL that contains an SYSTEM_AUDIT_OBJECT_ACE must specify the ACL_REVISION_DS revision number in its ACE_HEADER structure. /// /// /// When a SYSTEM_AUDIT_OBJECT_ACE structure is created, sufficient memory must be allocated to accommodate the GUID /// structures in ObjectType and InheritedObjectType members, if one or both of them exists, as well as to accommodate /// the complete SID of the trustee in the SidStart member and the contiguous memory that follows it. /// /// /// An SYSTEM_AUDIT_OBJECT_ACE structure can be created in an access control list (ACL) by a call to the /// AddAuditAccessObjectAce function. When this function is used, the correct amount of memory needed to accommodate the GUID /// structures in the ObjectType and InheritedObjectType members, if one or both of them exists, as well as to /// accommodate the trustee's SID is automatically allocated. In addition, the values of the Header.AceType and /// Header.AceSize members are set automatically. When an SYSTEM_AUDIT_OBJECT_ACE structure is created outside an ACL, /// sufficient memory must be allocated to accommodate the GUID structures in the ObjectType and InheritedObjectType /// members, if one or both of them exists, as well as to accommodate the complete SID of the trustee in the SidStart member /// and the contiguous memory following it. In addition, the values of the Header.AceType and Header.AceSize members /// must be set explicitly by the application. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-system_audit_object_ace typedef struct _SYSTEM_AUDIT_OBJECT_ACE // { ACE_HEADER Header; ACCESS_MASK Mask; DWORD Flags; GUID ObjectType; GUID InheritedObjectType; DWORD SidStart; } // SYSTEM_AUDIT_OBJECT_ACE, *PSYSTEM_AUDIT_OBJECT_ACE; [PInvokeData("winnt.h", MSDNShortId = "de37bef6-e6c8-4455-856a-adebebda4cc7")] [StructLayout(LayoutKind.Sequential)] public struct SYSTEM_AUDIT_OBJECT_ACE { ///

/// An ACE_HEADER structure that specifies the size and type of ACE. It contains flags that control inheritance of the ACE by /// child objects. The structure also contains flags that indicate whether the ACE audits successful access attempts, failed /// access attempts, or both. The AceType member of the ACE_HEADER structure should be set to /// SYSTEM_AUDIT_OBJECT_ACE_TYPE, and the AceSize member should be set to the total number of bytes allocated for the /// SYSTEM_AUDIT_OBJECT_ACE structure. ///

public ACE_HEADER Header; ///

An ACCESS_MASK that specifies the access rights the system will audit for access attempts by the trustee.

public ACCESS_MASK Mask; ///

public ObjectAceFlags Flags; ///

/// A GUID structure that identifies a property set, property, extended right, or type of child object. /// /// This member is valid only if the ACE_OBJECT_TYPE_PRESENT bit is set in the Flags member. Otherwise, ObjectType /// is ignored. /// /// The purpose of this GUID depends on the access rights specified in the Mask member. /// This member can be one of the following values. /// /// /// Value /// Meaning /// /// /// ADS_RIGHT_DS_READ_PROP and/or ADS_RIGHT_DS_WRITE_PROP /// /// The ObjectType GUID identifies a property set or property of the object. The ACE controls auditing of the trustee's attempts /// to read or write the property or property set. /// /// /// /// ADS_RIGHT_DS_CONTROL_ACCESS /// The ObjectType GUID identifies an extended access right. /// /// /// ADS_RIGHT_DS_CREATE_CHILD /// /// The ObjectType GUID identifies a type of child object. The ACE controls auditing of the trustee's attempts to create this /// type of child object. /// /// /// /// ADS_RIGHT_DS_SELF /// The ObjectType GUID identifies a validated write. /// /// ///

public Guid ObjectType; ///

/// A GUID structure that identifies the type of child object that can inherit the ACE. /// /// This member is valid only if the ACE_INHERITED_OBJECT_TYPE_PRESENT bit is set in the Flags member. If that bit is not /// set, InheritedObjectType is ignored and all types of child objects can inherit the ACE. In either case, inheritance is /// also controlled by the inheritance flags in the ACE_HEADER, as well as by any protection against inheritance placed on the /// child objects. /// /// /// The offset of this member can vary. If the Flags member does not contain the ACE_OBJECT_TYPE_PRESENT flag, the /// InheritedObjectType member starts at the offset specified by the ObjectType member. /// ///

public Guid InheritedObjectType; ///

/// /// Specifies the first DWORD of a SID that identifies the trustee for whom the access attempts are audited. The remaining /// bytes of the SID are stored in contiguous memory after the SidStart member. This SID can be appended with application data. /// /// /// The offset of this member can vary. If the Flags member is zero, the SidStart member starts at the offset /// specified by the ObjectType member. If Flags contains only one flag (either ACE_OBJECT_TYPE_PRESENT or /// ACE_INHERITED_OBJECT_TYPE_PRESENT), the SidStart member starts at the offset specified by the /// InheritedObjectType member. /// ///

public uint SidStart; } ///

/// The TOKEN_ACCESS_INFORMATION structure specifies all the information in a token that is necessary to perform an access check. ///

[StructLayout(LayoutKind.Sequential)] [PInvokeData("WinNT.h", MSDNShortId = "bb394726")] public struct TOKEN_ACCESS_INFORMATION { ///

A pointer to a SID_AND_ATTRIBUTES_HASH structure that specifies a hash of the token's security identifier (SID).

public IntPtr SidHash; ///

A pointer to a SID_AND_ATTRIBUTES_HASH structure that specifies a hash of the token's restricted SID.

public IntPtr RestrictedSidHash; ///

A pointer to a TOKEN_PRIVILEGES structure that specifies information about the token's privileges.

public IntPtr Privileges; ///

A LUID structure that specifies the token's identity.

public LUID AuthenticationId; ///

A value of the TOKEN_TYPE enumeration that specifies the token's type.

public TOKEN_TYPE TokenType; ///

A value of the SECURITY_IMPERSONATION_LEVEL enumeration that specifies the token's impersonation level.

public SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; ///

A TOKEN_MANDATORY_POLICY structure that specifies the token's mandatory integrity policy.

public TOKEN_MANDATORY_POLICY MandatoryPolicy; ///

Reserved. Must be set to zero.

public uint Flags; ///

/// The app container number for the token or zero if this is not an app container token. /// Windows Server 2008 R2, Windows 7, Windows Server 2008 and Windows Vista: This member is not available. ///

public uint AppContainerNumber; ///

/// The app container SID or NULL if this is not an app container token. /// Windows Server 2008 R2, Windows 7, Windows Server 2008 and Windows Vista: This member is not available. ///

public PSID PackageSid; ///

/// Pointer to a SID_AND_ATTRIBUTES_HASH structure that specifies a hash of the token's capability SIDs. /// Windows Server 2008 R2, Windows 7, Windows Server 2008 and Windows Vista: This member is not available. ///

public IntPtr CapabilitiesHash; ///

The protected process trust level of the token.

public PSID TrustLevelSid; ///

/// Reserved. Must be set to NULL. /// Prior to Windows 10: This member is not available. ///

public IntPtr SecurityAttributes; } ///

/// The TOKEN_APPCONTAINER_INFORMATION structure specifies all the information in a token that is necessary for an app container. ///

[StructLayout(LayoutKind.Sequential)] public struct TOKEN_APPCONTAINER_INFORMATION { ///

The security identifier (SID) of the app container.

public PSID TokenAppContainer; } ///

The TOKEN_DEFAULT_DACL structure specifies a discretionary access control list (DACL).

[StructLayout(LayoutKind.Sequential)] [PInvokeData("WinNT.h", MSDNShortId = "aa379623")] public struct TOKEN_DEFAULT_DACL { ///

/// A pointer to an ACL structure assigned by default to any objects created by the user. The user is represented by the access token. ///

public PACL DefaultDacl; } ///

The TOKEN_ELEVATION structure indicates whether a token has elevated privileges.

[StructLayout(LayoutKind.Sequential)] public struct TOKEN_ELEVATION { ///

A nonzero value if the token has elevated privileges; otherwise, a zero value.

[MarshalAs(UnmanagedType.Bool)] public bool TokenIsElevated; } ///

The TOKEN_GROUPS structure contains information about the group security identifiers (SIDs) in an access token.

[VanaraMarshaler(typeof(SafeAnysizeStructMarshaler), nameof(GroupCount))] [StructLayout(LayoutKind.Sequential)] public struct TOKEN_GROUPS { ///

Specifies the number of groups in the access token.

public uint GroupCount; ///

Specifies an array of SID_AND_ATTRIBUTES structures that contain a set of SIDs and corresponding attributes.

[MarshalAs(UnmanagedType.ByValArray)] public SID_AND_ATTRIBUTES[] Groups; ///

Initializes a new instance of the struct.

/// The number of groups. public TOKEN_GROUPS(uint count = 0) { GroupCount = count; Groups = new SID_AND_ATTRIBUTES[count]; } ///

Initializes a new instance of the struct with and array of SIDs and attributes.

/// An array of SID_AND_ATTRIBUTES structures that contain a set of SIDs and corresponding attributes. public TOKEN_GROUPS(SID_AND_ATTRIBUTES[] groups) { Groups = groups; GroupCount = (uint)(groups?.Length ?? 0); } ///

Initializes a new instance of the struct with a single SID and attribute.

/// The SID. /// The attributes of the SID. public TOKEN_GROUPS(PSID sid, uint attributes = 0) : this(1U) { Groups[0] = new SID_AND_ATTRIBUTES(sid, attributes); } } ///

/// The TOKEN_GROUPS_AND_PRIVILEGES structure contains information about the group security identifiers (SIDs) and privileges in an /// access token. ///

[StructLayout(LayoutKind.Sequential)] [PInvokeData("WinNT.h", MSDNShortId = "aa379625")] public struct TOKEN_GROUPS_AND_PRIVILEGES { ///

Number of SIDs in the access token.

public uint SidCount; ///

Length, in bytes, required to hold all of the user SIDs and the account SID for the group.

public uint SidLength; ///

A pointer to an array of SID_AND_ATTRIBUTES structures that contain a set of SIDs and corresponding attributes.

public IntPtr Sids; ///

Number of restricted SIDs.

public uint RestrictedSidCount; ///

Length, in bytes, required to hold all of the restricted SIDs.

public uint RestrictedSidLength; ///

/// A pointer to an array of SID_AND_ATTRIBUTES structures that contain a set of restricted SIDs and corresponding attributes. /// /// The Attributes members of the SID_AND_ATTRIBUTES structures can have the same values as those listed for the preceding Sids member. /// ///

public IntPtr RestrictedSids; ///

Number of privileges.

public uint PrivilegeCount; ///

Length, in bytes, needed to hold the privilege array.

public uint PrivilegeLength; ///

Array of privileges.

public IntPtr Privileges; ///

Locally unique identifier (LUID) of the authenticator of the token.

public LUID AuthenticationId; } ///

/// The TOKEN_LINKED_TOKEN structure contains a handle to a token. This token is linked to the token being queried by the /// GetTokenInformation function or set by the SetTokenInformation function. ///

[StructLayout(LayoutKind.Sequential)] [PInvokeData("WinNT.h", MSDNShortId = "bb530719")] public struct TOKEN_LINKED_TOKEN { ///

A handle to the linked token. When you have finished using the handle, close it by calling the CloseHandle function.

public HTOKEN LinkedToken; } ///

The TOKEN_MANDATORY_LABEL structure specifies the mandatory integrity level for a token.

[StructLayout(LayoutKind.Sequential)] public struct TOKEN_MANDATORY_LABEL { ///

A SID_AND_ATTRIBUTES structure that specifies the mandatory integrity level of the token.

public SID_AND_ATTRIBUTES Label; } ///

The TOKEN_MANDATORY_POLICY structure specifies the mandatory integrity policy for a token.

// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_mandatory_policy // typedef struct _TOKEN_MANDATORY_POLICY { DWORD Policy; } TOKEN_MANDATORY_POLICY, *PTOKEN_MANDATORY_POLICY; [PInvokeData("winnt.h", MSDNShortId = "f5fc438b-c4f0-46f6-a188-52ce660d13da")] [StructLayout(LayoutKind.Sequential)] public struct TOKEN_MANDATORY_POLICY { ///

/// The mandatory integrity access policy for the associated token. This can be one of the following values. /// /// /// Value /// Meaning /// /// /// TOKEN_MANDATORY_POLICY_OFF 0x0 /// No mandatory integrity policy is enforced for the token. /// /// /// TOKEN_MANDATORY_POLICY_NO_WRITE_UP 0x1 /// A process associated with the token cannot write to objects that have a greater mandatory integrity level. /// /// /// TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN 0x2 /// A process created with the token has an integrity level that is the lesser of the parent-process integrity level and the executable-file integrity level. /// /// /// TOKEN_MANDATORY_POLICY_VALID_MASK 0x3 /// A combination of TOKEN_MANDATORY_POLICY_NO_WRITE_UP and TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN. /// /// ///

public TokenMandatoryPolicy Policy; } ///

/// The TOKEN_ORIGIN structure contains information about the origin of the logon session. This structure is used by the /// GetTokenInformation function. ///

[StructLayout(LayoutKind.Sequential)] [PInvokeData("WinNT.h", MSDNShortId = "aa379627")] public struct TOKEN_ORIGIN { ///

/// Locally unique identifier (LUID) for the logon session. If the token passed to GetTokenInformation resulted from a logon /// using explicit credentials, such as passing name, domain, and password to the LogonUser function, then this member will /// contain the ID of the logon session that created it. If the token resulted from network authentication, such as a call to /// AcceptSecurityContext, or a call to LogonUser with dwLogonType set to LOGON32_LOGON_NETWORK or /// LOGON32_LOGON_NETWORK_CLEARTEXT, then this member will be zero. ///

public LUID OriginatingLogonSession; } ///

/// The TOKEN_OWNER structure contains the default owner security identifier (SID) that will be applied to newly created objects. ///

[StructLayout(LayoutKind.Sequential)] [PInvokeData("WinNT.h", MSDNShortId = "aa379628")] public struct TOKEN_OWNER { ///

/// A pointer to a SID structure representing a user who will become the owner of any objects created by a process using this /// access token. The SID must be one of the user or group SIDs already in the token. ///

public PSID Owner; } ///

The TOKEN_PRIMARY_GROUP structure specifies a group security identifier (SID) for an access token.

[StructLayout(LayoutKind.Sequential)] [PInvokeData("WinNT.h", MSDNShortId = "aa379629")] public struct TOKEN_PRIMARY_GROUP { ///

/// A pointer to a SID structure representing a group that will become the primary group of any objects created by a process /// using this access token. The SID must be one of the group SIDs already in the token. ///

public PSID PrimaryGroup; } ///

The TOKEN_PRIVILEGES structure contains information about a set of privileges for an access token.

// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_privileges typedef struct _TOKEN_PRIVILEGES { DWORD // PrivilegeCount; LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY]; } TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES; [PInvokeData("winnt.h", MSDNShortId = "c9016511-740f-44f3-92ed-17cc518c6612")] [StructLayout(LayoutKind.Sequential)] [VanaraMarshaler(typeof(SafeAnysizeStructMarshaler), nameof(PrivilegeCount))] public struct TOKEN_PRIVILEGES { ///

This must be set to the number of entries in the Privileges array.

public uint PrivilegeCount; ///

/// /// Specifies an array of LUID_AND_ATTRIBUTES structures. Each structure contains the LUID and attributes of a privilege. To get /// the name of the privilege associated with a LUID, call the LookupPrivilegeName function, passing the address of the /// LUID as the value of the lpLuid parameter. /// /// /// Important The constant ANYSIZE_ARRAY is defined as 1 in the public header Winnt.h. To create this array with /// more than one element, you must allocate sufficient memory for the structure to take into account additional elements. /// /// The attributes of a privilege can be a combination of the following values. /// /// /// Value /// Meaning /// /// /// SE_PRIVILEGE_ENABLED /// The privilege is enabled. /// /// /// SE_PRIVILEGE_ENABLED_BY_DEFAULT /// The privilege is enabled by default. /// /// /// SE_PRIVILEGE_REMOVED /// Used to remove a privilege. For details, see AdjustTokenPrivileges. /// /// /// SE_PRIVILEGE_USED_FOR_ACCESS /// /// The privilege was used to gain access to an object or service. This flag is used to identify the relevant privileges in a set /// passed by a client application that may contain unnecessary privileges. /// /// /// ///

[MarshalAs(UnmanagedType.ByValArray)] public LUID_AND_ATTRIBUTES[] Privileges; ///

Initializes a new instance of the structure with a single LUID_AND_ATTRIBUTES value.

/// The LUID value. /// The attribute value. public TOKEN_PRIVILEGES(LUID luid, PrivilegeAttributes attribute) { PrivilegeCount = 1; Privileges = new[] { new LUID_AND_ATTRIBUTES(luid, attribute) }; } ///

Initializes a new instance of the structure from a list of privileges.

/// The values. public TOKEN_PRIVILEGES(LUID_AND_ATTRIBUTES[] values) { PrivilegeCount = (uint)(values?.Length ?? 0); Privileges = (LUID_AND_ATTRIBUTES[])values?.Clone() ?? new LUID_AND_ATTRIBUTES[0]; } } ///

The TOKEN_SOURCE structure identifies the source of an access token.

[StructLayout(LayoutKind.Sequential)] [PInvokeData("WinNT.h", MSDNShortId = "aa379631")] public struct TOKEN_SOURCE { private const int TOKEN_SOURCE_LENGTH = 8; ///

/// Specifies an 8-byte character string used to identify the source of an access token. This is used to distinguish between such /// sources as Session Manager, LAN Manager, and RPC Server. A string, rather than a constant, is used to identify the source so /// users and developers can make extensions to the system, such as by adding other networks, that act as the source of access tokens. ///

[MarshalAs(UnmanagedType.ByValArray, SizeConst = TOKEN_SOURCE_LENGTH)] public char[] SourceName; ///

/// Specifies a locally unique identifier (LUID) provided by the source component named by the SourceName member. This value aids /// the source component in relating context blocks, such as session-control structures, to the token. This value is typically, /// but not necessarily, an LUID. ///

public LUID SourceIdentifier; } ///

/// The TOKEN_STATISTICS structure contains information about an access token. An application can retrieve this information by /// calling the GetTokenInformation function. ///

[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] [PInvokeData("WinNT.h", MSDNShortId = "aa379632")] public struct TOKEN_STATISTICS { ///

Specifies a locally unique identifier (LUID) that identifies this instance of the token object.

public LUID TokenId; ///

/// Specifies an LUID assigned to the session this token represents. There can be many tokens representing a single logon session. ///

public LUID AuthenticationId; ///

Specifies the time at which this token expires. Expiration times for access tokens are not currently supported.

public long ExpirationTime; ///

Specifies a TOKEN_TYPE enumeration type indicating whether the token is a primary or impersonation token.

public TOKEN_TYPE TokenType; ///

/// Specifies a SECURITY_IMPERSONATION_LEVEL enumeration type indicating the impersonation level of the token. This member is /// valid only if the TokenType is TokenImpersonation. ///

public SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; ///

Specifies the amount, in bytes, of memory allocated for storing default protection and a primary group identifier.

public uint DynamicCharged; ///

/// Specifies the portion of memory allocated for storing default protection and a primary group identifier not already in use. /// This value is returned as a count of free bytes. ///

public uint DynamicAvailable; ///

Specifies the number of supplemental group security identifiers (SIDs) included in the token.

public uint GroupCount; ///

Specifies the number of privileges included in the token.

public uint PrivilegeCount; ///

/// Specifies an LUID that changes each time the token is modified. An application can use this value as a test of whether a /// security context has changed since it was last used. ///

public LUID ModifiedId; } ///

The TOKEN_USER structure identifies the user associated with an access token.

[StructLayout(LayoutKind.Sequential)] public struct TOKEN_USER { ///

/// Specifies a SID_AND_ATTRIBUTES structure representing the user associated with the access token. There are currently no /// attributes defined for user security identifiers (SIDs). ///

public SID_AND_ATTRIBUTES User; } ///

Known SID authorities.

public static class KnownSIDAuthority { ///

The application package authority

public static readonly PSID_IDENTIFIER_AUTHORITY SECURITY_APP_PACKAGE_AUTHORITY = new byte[] { 0, 0, 0, 0, 0, 15 }; ///

The authentication authority

public static readonly PSID_IDENTIFIER_AUTHORITY SECURITY_AUTHENTICATION_AUTHORITY = new byte[] { 0, 0, 0, 0, 0, 18 }; ///

The identifier authority for the creator owner.

public static readonly PSID_IDENTIFIER_AUTHORITY SECURITY_CREATOR_SID_AUTHORITY = new byte[] { 0, 0, 0, 0, 0, 3 }; ///

The identifier authority for locally connected users.

public static readonly PSID_IDENTIFIER_AUTHORITY SECURITY_LOCAL_SID_AUTHORITY = new byte[] { 0, 0, 0, 0, 0, 2 }; ///

The mandatory label authority

public static readonly PSID_IDENTIFIER_AUTHORITY SECURITY_MANDATORY_LABEL_AUTHORITY = new byte[] { 0, 0, 0, 0, 0, 16 }; ///

The non-unique identifier authority.

public static readonly PSID_IDENTIFIER_AUTHORITY SECURITY_NON_UNIQUE_AUTHORITY = new byte[] { 0, 0, 0, 0, 0, 4 }; ///

The Windows security authority

public static readonly PSID_IDENTIFIER_AUTHORITY SECURITY_NT_AUTHORITY = new byte[] { 0, 0, 0, 0, 0, 5 }; ///

The identifier authority with no members.

public static readonly PSID_IDENTIFIER_AUTHORITY SECURITY_NULL_SID_AUTHORITY = new byte[] { 0, 0, 0, 0, 0, 0 }; ///

The process trust authority

public static readonly PSID_IDENTIFIER_AUTHORITY SECURITY_PROCESS_TRUST_AUTHORITY = new byte[] { 0, 0, 0, 0, 0, 19 }; ///

The security resource manager authority

public static readonly PSID_IDENTIFIER_AUTHORITY SECURITY_RESOURCE_MANAGER_AUTHORITY = new byte[] { 0, 0, 0, 0, 0, 9 }; ///

The scoped policy identifier authority

public static readonly PSID_IDENTIFIER_AUTHORITY SECURITY_SCOPED_POLICY_ID_AUTHORITY = new byte[] { 0, 0, 0, 0, 0, 17 }; ///

The identifier authority all users.

public static readonly PSID_IDENTIFIER_AUTHORITY SECURITY_WORLD_SID_AUTHORITY = new byte[] { 0, 0, 0, 0, 0, 1 }; } ///

Known RIDs

public static class KnownSIDRelativeID { ///

public const int SECURITY_APP_PACKAGE_BASE_RID = 0x00000002; ///

public const int SECURITY_CAPABILITY_APP_RID = 0x00000040; ///

public const int SECURITY_CAPABILITY_BASE_RID = 0x00000003; ///

The security creator group rid

public const int SECURITY_CREATOR_GROUP_RID = 0x00000001; ///

The security creator group server rid

public const int SECURITY_CREATOR_GROUP_SERVER_RID = 0x00000003; ///

The security creator owner rid

public const int SECURITY_CREATOR_OWNER_RID = 0x00000000; ///

The security creator owner rights rid

public const int SECURITY_CREATOR_OWNER_RIGHTS_RID = 0x00000004; ///

The security creator owner server rid

public const int SECURITY_CREATOR_OWNER_SERVER_RID = 0x00000002; ///

The security local logon rid

public const int SECURITY_LOCAL_LOGON_RID = 0x00000001; ///

The security local rid

public const int SECURITY_LOCAL_RID = 0x00000000; ///

High integrity.

public const int SECURITY_MANDATORY_HIGH_RID = 0x00003000; ///

Low integrity.

public const int SECURITY_MANDATORY_LOW_RID = 0x00001000; ///

Medium-high integrity.

public const int SECURITY_MANDATORY_MEDIUM_PLUS_RID = SECURITY_MANDATORY_MEDIUM_RID + 0x100; ///

Medium integrity.

public const int SECURITY_MANDATORY_MEDIUM_RID = 0x00002000; ///

Protected process.

public const int SECURITY_MANDATORY_PROTECTED_PROCESS_RID = 0x00005000; ///

System integrity.

public const int SECURITY_MANDATORY_SYSTEM_RID = 0x00004000; ///

Untrusted.

public const int SECURITY_MANDATORY_UNTRUSTED_RID = 0x00000000; ///

The security null rid

public const int SECURITY_NULL_RID = 0x00000000; ///

The security world rid

public const int SECURITY_WORLD_RID = 0x00000000; } ///

/// The PRIVILEGE_SET structure specifies a set of privileges. It is also used to indicate which, if any, privileges are held by a /// user or group requesting access to an object. ///

[StructLayout(LayoutKind.Sequential)] public class PRIVILEGE_SET { ///

Specifies the number of privileges in the privilege set.

public uint PrivilegeCount; ///

/// Specifies a control flag related to the privileges. The PRIVILEGE_SET_ALL_NECESSARY control flag is currently defined. It /// indicates that all of the specified privileges must be held by the process requesting access. If this flag is not set, the /// presence of any privileges in the user's access token grants the access. ///

public PrivilegeSetControl Control; ///

Specifies an array of LUID_AND_ATTRIBUTES structures describing the set's privileges.

[MarshalAs(UnmanagedType.ByValArray, SizeConst = 1)] public LUID_AND_ATTRIBUTES[] Privilege; ///

Initializes a new instance of the class with a single LUID_AND_ATTRIBUTES value.

/// The control flag. See . /// The LUID value. /// The attribute value. public PRIVILEGE_SET(PrivilegeSetControl control, LUID luid, PrivilegeAttributes attribute) { PrivilegeCount = 1; Control = control; Privilege = new[] { new LUID_AND_ATTRIBUTES(luid, attribute) }; } ///

Initializes a new instance of the class.

/// The control flag. See . /// A list of privileges to assign to the structure. public PRIVILEGE_SET(PrivilegeSetControl control, LUID_AND_ATTRIBUTES[] privileges) { PrivilegeCount = (uint)(privileges?.Length ?? 0); Control = control; Privilege = (LUID_AND_ATTRIBUTES[])privileges?.Clone() ?? new LUID_AND_ATTRIBUTES[0]; } ///

Initializes a new instance of the class.

internal PRIVILEGE_SET() : this(PrivilegeSetControl.PRIVILEGE_SET_ALL_NECESSARY, null) { } ///

Initializes a new instance of the class from a pointer to allocated memory.

internal PRIVILEGE_SET(IntPtr ptr) { if (ptr == IntPtr.Zero) return; var sz = Marshal.SizeOf(typeof(uint)); PrivilegeCount = (uint)Marshal.ReadInt32(ptr); Control = (PrivilegeSetControl)Marshal.ReadInt32(ptr, sz); Privilege = PrivilegeCount > 0 ? ptr.ToArray((int)PrivilegeCount, sz * 2) : new LUID_AND_ATTRIBUTES[0]; } ///

Gets the size in bytes of this instance.

/// The size in bytes. public uint SizeInBytes => (uint)Marshal.SizeOf(typeof(uint)) * 2 + (uint)(Marshal.SizeOf(typeof(LUID_AND_ATTRIBUTES)) * (PrivilegeCount == 0 ? 1 : PrivilegeCount)); ///

Returns a that represents this instance.

/// A that represents this instance. public override string ToString() => $"Count:{PrivilegeCount}"; ///

Initializes a new PRIVILEGE_SET the with capacity to hold the specified number of privileges.

/// The privilege count to allocate. /// A PRIVILEGE_SET instance with sufficient capacity for marshaling. public static PRIVILEGE_SET InitializeWithCapacity(int privilegeCount = 1) => new PRIVILEGE_SET() { PrivilegeCount = (uint)privilegeCount }; internal class Marshaler : ICustomMarshaler { public static ICustomMarshaler GetInstance(string _) => new Marshaler(); public void CleanUpManagedData(object ManagedObj) { } public void CleanUpNativeData(IntPtr pNativeData) => Marshal.FreeCoTaskMem(pNativeData); public int GetNativeDataSize() => -1; public IntPtr MarshalManagedToNative(object ManagedObj) { if (!(ManagedObj is PRIVILEGE_SET ps)) return IntPtr.Zero; var ptr = Marshal.AllocCoTaskMem((int)ps.SizeInBytes); if (ps.Privilege?.Length != ps.PrivilegeCount) ptr.FillMemory(0, (int)ps.SizeInBytes); Marshal.WriteInt32(ptr, (int)ps.PrivilegeCount); Marshal.WriteInt32(ptr, Marshal.SizeOf(typeof(int)), (int)ps.Control); ptr.Write(ps.Privilege, Marshal.SizeOf(typeof(int)) * 2); return ptr; } public object MarshalNativeToManaged(IntPtr pNativeData) => new PRIVILEGE_SET(pNativeData); } } ///

/// The SID_IDENTIFIER_AUTHORITY structure represents the top-level authority of a security identifier (SID). ///

/// /// The identifier authority value identifies the agency that issued the SID. The following identifier authorities are predefined. /// /// /// Identifier authority /// Value /// /// /// SECURITY_NULL_SID_AUTHORITY /// 0 /// /// /// SECURITY_WORLD_SID_AUTHORITY /// 1 /// /// /// SECURITY_LOCAL_SID_AUTHORITY /// 2 /// /// /// SECURITY_CREATOR_SID_AUTHORITY /// 3 /// /// /// SECURITY_NON_UNIQUE_AUTHORITY /// 4 /// /// /// SECURITY_NT_AUTHORITY /// 5 /// /// /// SECURITY_RESOURCE_MANAGER_AUTHORITY /// 9 /// /// /// A SID must contain a top-level authority and at least one relative identifier (RID) value. /// // https://docs.microsoft.com/en-us/windows/desktop/api/winnt/ns-winnt-_sid_identifier_authority typedef struct // _SID_IDENTIFIER_AUTHORITY { BYTE Value[6]; } SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY; [PInvokeData("winnt.h", MSDNShortId = "450a6d2d-d2e4-4098-90af-a8024ddcfcb5")] [StructLayout(LayoutKind.Sequential, Pack = 1)] public class PSID_IDENTIFIER_AUTHORITY { ///

An array of 6 bytes specifying a SID's top-level authority.

[MarshalAs(UnmanagedType.ByValArray, SizeConst = 6)] public byte[] Value = new byte[6]; ///

Initializes a new instance of the struct.

/// The value. /// value public PSID_IDENTIFIER_AUTHORITY(byte[] value) { if (value == null || value.Length != 6) throw new ArgumentOutOfRangeException(nameof(value)); Array.Copy(value, Value, 6); } ///

Initializes a new instance of the struct.

/// The value. public PSID_IDENTIFIER_AUTHORITY(long value) { LongValue = value; } internal PSID_IDENTIFIER_AUTHORITY(IntPtr existingPtr) { if (existingPtr == IntPtr.Zero) Value = existingPtr.ToArray(6); } private PSID_IDENTIFIER_AUTHORITY() { } ///

Gets or sets the long value.

/// The long value. public long LongValue { get { long nAuthority = 0; for (var i = 0; i <= 5; i++) nAuthority |= (long)Value[i] << (8 * i); return nAuthority; } set { var bsia = BitConverter.GetBytes(value); for (var i = 0; i <= 5; i++) Value[i] = bsia[5 - i]; } } ///

Performs an implicit conversion from byte[] to .

/// The bytes. /// The result of the conversion. public static implicit operator PSID_IDENTIFIER_AUTHORITY(byte[] bytes) => new PSID_IDENTIFIER_AUTHORITY(bytes); ///

Performs an implicit conversion from to .

/// The sia. /// The result of the conversion. public static implicit operator PSID_IDENTIFIER_AUTHORITY(SID_IDENTIFIER_AUTHORITY sia) => new PSID_IDENTIFIER_AUTHORITY(sia.Value); ///

Implements the operator !=.

/// The first handle. /// The second handle. /// The result of the operator. public static bool operator !=(PSID_IDENTIFIER_AUTHORITY h1, PSID_IDENTIFIER_AUTHORITY h2) => !(h1 == h2); ///

Implements the operator ==.

/// The first handle. /// The second handle. /// The result of the operator. public static bool operator ==(PSID_IDENTIFIER_AUTHORITY h1, PSID_IDENTIFIER_AUTHORITY h2) => h1.Equals(h2); /// public override bool Equals(object obj) => obj is PSID_IDENTIFIER_AUTHORITY h ? h.LongValue == h.LongValue : false; /// public override int GetHashCode() => LongValue.GetHashCode(); } ///

A SafeHandle for access control lists. If owned, will call LocalFree on the pointer when disposed.

[DebuggerDisplay("{DebugString}")] public class SafePACL : SafeMemoryHandle, ISecurityObject { ///

The null value for a SafePACL.

public static readonly SafePACL Null = new SafePACL(); ///

Initializes a new instance of the class.

public SafePACL() : base(IntPtr.Zero, 0, true) { } ///

/// Initializes a new instance of the class from an existing pointer, copying its content if owning. ///

/// The access control list pointer. public SafePACL(PACL pAcl) : this(IsValidAcl(pAcl) ? (int)pAcl.BytesAllocated() : throw new ArgumentException("Invalid ACL.", nameof(pAcl))) { ((IntPtr)pAcl).CopyTo(handle, Size); } ///

Initializes a new instance of the class to an empty memory buffer.

/// The size of the uninitialized access control list. /// ACL revision. public SafePACL(int size, uint revision = ACL_REVISION) : base(size) { if (size % 4 != 0) throw new ArgumentOutOfRangeException(nameof(size), "ACL structures must be DWORD aligned. This value must be a multiple of 4."); InitializeAcl(handle, (uint)size, revision); } ///

Initializes a new instance of the class.

/// An array of bytes that contain an existing access control list. public SafePACL(byte[] bytes) : this(bytes?.Length ?? 0) { if (bytes is null) return; Marshal.Copy(bytes, 0, handle, bytes.Length); } ///

Determines whether the components of this access control list are valid.

public bool IsValidAcl => IsValidAcl(handle); ///

Gets the revision number for the ACL.

/// The revision. public uint Revision => IsValidAcl && GetAclInformation(handle, out ACL_REVISION_INFORMATION ri) ? ri.AclRevision : 0U; /// public override SizeT Size { get => base.Size; set { // Make sure divisible by 4. value = ((value + 3) >> 2) << 2; // Setup newly allocated ACL var newHandle = mm.AllocMem(value); if (!InitializeAcl(newHandle, value, Revision)) Win32Error.ThrowLastError(); if (!GetAce(handle, 0, out var pace)) Win32Error.ThrowLastError(); if (!AddAce(newHandle, Revision, 0, (IntPtr)pace, ((PACL)handle).Length() - (uint)Marshal.SizeOf(typeof(ACL)))) Win32Error.ThrowLastError(); // Update SafeHandle with new ACL and destroy old var oldHandle = handle; SetHandle(newHandle); sz = value; mm.FreeMem(oldHandle); } } ///

Gets the number of ACEs held by this ACL.

/// The ace count. public int AceCount => (int)((PACL)handle).AceCount(); ///

/// Gets the length, in bytes, of a structurally valid access control list. The length includes the length of all associated structures. ///

public uint Length => ((PACL)handle).Length(); internal string DebugString => IsInvalid ? "NULL" : $"Aces:{AceCount}, Size:{Length}"; ///

Performs an explicit conversion from to .

/// The safe access control list. /// The result of the conversion. public static implicit operator PACL(SafePACL sd) => sd.DangerousGetHandle(); } ///

Contains information about an event record returned by the ReadEventLog function.

/// /// /// The defined members are followed by the replacement strings for the message identified by the event identifier, the binary /// information, some pad bytes to make sure the full entry is on a DWORD boundary, and finally the length of the log entry /// again. Because the strings and the binary information can be of any length, no structure members are defined to reference them. /// The declaration of this structure in Winnt.h describes these members as follows: /// /// /// The source name is a variable-length string that specifies the name of the event source. The computer name is the name of the /// computer that generated the event. It may be followed with some padding bytes so that the user SID is aligned on a DWORD /// boundary. The user SID identifies the active user at the time this event was logged. If UserSidLength is zero, this field /// may be empty. /// /// /// The event identifier together with source name and a language identifier identify a string that describes the event in more /// detail. The strings are used as replacement strings and are merged into the message string to make a complete message. The /// message strings are contained in a message file specified in the source entry in the registry. To obtain the appropriate message /// string from the message file, load the message file with the LoadLibrary function and use the FormatMessage function. /// /// /// The binary information is information that is specific to the event. It could be the contents of the processor registers when a /// device driver got an error, a dump of an invalid packet that was received from the network, a dump of all the structures in a /// program (when the data area was detected to be corrupt), and so on. This information should be useful to the writer of the device /// driver or the application in tracking down bugs or unauthorized breaks into the application. /// /// [PInvokeData("winnt.h", MSDNShortId = "669b182a-bc81-4386-9815-6ffa09e2e743")] public class SafePEVENTLOGRECORD : SafeMemoryHandle { ///

Initializes a new instance of the class.

/// The bytes to allocate. public SafePEVENTLOGRECORD(int bytesToAllocate = 512) : base(bytesToAllocate) { } private SafePEVENTLOGRECORD() { } ///

Reserved.

public uint ClosingRecordNumber => handle.ToStructure(Size, 32); ///

Gets the name of the computer that generated the event.

public string ComputerName { get { var offset = 56 + (Source.Length + 1) * 2; return StringHelper.GetString(handle.Offset(offset), CharSet.Unicode, Size - offset); } } ///

/// Gets the event-specific information within this event log record, in bytes. This information could be something specific (a /// disk driver might log the number of retries, for example), followed by binary information specific to the event being logged /// and to the source that generated the entry. ///

public byte[] Data => handle.ToArray(DataLength, DataOffset, Size); ///

/// The category for this event. The meaning of this value depends on the event source. For more information, see Event Categories. ///

public ushort EventCategory => handle.ToStructure(Size, 28); ///

public uint EventID => handle.ToStructure(Size, 20); ///

public EVENTLOG_TYPE EventType => handle.ToStructure(Size, 24); ///

/// The number of strings present in the log (at the position indicated by StringOffset). These strings are merged into /// the message before it is displayed to the user. ///

public ushort NumStrings => handle.ToStructure(Size, 26); ///

public uint RecordNumber => handle.ToStructure(Size, 8); ///

Gets a string that specifies the name of the event source.

public string Source => StringHelper.GetString(handle.Offset(56), CharSet.Unicode, Size - 56); ///

Gets the description strings within this event log record.

public string[] Strings => NumStrings == 0 ? new string[0] : handle.ToStringEnum(CharSet.Unicode, StringOffset, Size).ToArray(); ///

Gets the value at which this entry was submitted.

public DateTime TimeGenerated => new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc) + TimeSpan.FromSeconds(handle.ToStructure(Size, 12)); ///

Gets the value at which this entry was written.

public DateTime TimeWritten => new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc) + TimeSpan.FromSeconds(handle.ToStructure(Size, 16)); ///

Gets the security identifier (SID) within this event log record.

public SafePSID UserSid => UserSidLength == 0 ? SafePSID.Null : new SafePSID(handle.ToArray(UserSidLength, UserSidOffset, Size)); ///

The size of the event-specific data (at the position indicated by DataOffset), in bytes.

private int DataLength => handle.ToStructure(Size, 48); ///

private int DataOffset => handle.ToStructure(Size, 52); ///

The offset of the description strings within this event log record.

private int StringOffset => handle.ToStructure(Size, 36); ///

The size of the UserSid member, in bytes. This value can be zero if no security identifier was provided.

private int UserSidLength => handle.ToStructure(Size, 40); ///

/// The offset of the security identifier (SID) within this event log record. To obtain the user name for this SID, use the /// LookupAccountSid function. ///

private int UserSidOffset => handle.ToStructure(Size, 44); } ///

A SafeHandle for security descriptors. If owned, will call LocalFree on the pointer when disposed.

public class SafePSECURITY_DESCRIPTOR : SafeMemoryHandle, IEquatable, IEquatable, IEquatable, ISecurityObject { ///

The null value for a SafeSecurityDescriptor.

public static readonly SafePSECURITY_DESCRIPTOR Null = new SafePSECURITY_DESCRIPTOR(); private const SECURITY_INFORMATION defSecInfo = SECURITY_INFORMATION.DACL_SECURITY_INFORMATION | SECURITY_INFORMATION.SACL_SECURITY_INFORMATION | SECURITY_INFORMATION.OWNER_SECURITY_INFORMATION | SECURITY_INFORMATION.GROUP_SECURITY_INFORMATION; ///

Initializes a new instance of the class.

public SafePSECURITY_DESCRIPTOR() : base(IntPtr.Zero, 0, true) { } ///

Initializes a new instance of the class from an existing pointer.

/// The security descriptor pointer. /// if set to true indicates that this pointer should be freed when disposed. public SafePSECURITY_DESCRIPTOR(PSECURITY_DESCRIPTOR pSecurityDescriptor, bool own = true) : base(IntPtr.Zero, 0, own) { if (pSecurityDescriptor.IsSelfRelative()) { sz = (int)pSecurityDescriptor.Length(); SetHandle((IntPtr)pSecurityDescriptor); } else if (own) { var newSz = 0U; if (!MakeSelfRelativeSD(pSecurityDescriptor, Null, ref newSz) && newSz == 0) Win32Error.ThrowLastError(); Size = newSz; InitializeSecurityDescriptor(this, SECURITY_DESCRIPTOR_REVISION); if (!MakeSelfRelativeSD(pSecurityDescriptor, this, ref newSz)) Win32Error.ThrowLastError(); } else throw new InvalidOperationException("The supplied security descriptor is in absolute format and can only be copied if this class has ownership of the memory."); } ///

Initializes a new instance of the class to an empty memory buffer.

/// The size of the uninitialized security descriptor. public SafePSECURITY_DESCRIPTOR(int size) : base(size) => InitializeSecurityDescriptor(this, SECURITY_DESCRIPTOR_REVISION); ///

Initializes a new instance of the class.

/// An array of bytes that contain an existing security descriptor. public SafePSECURITY_DESCRIPTOR(byte[] bytes) : this(bytes?.Length ?? 0) { if (bytes is null) return; Marshal.Copy(bytes, 0, handle, bytes.Length); } ///

Initializes a new instance of the class with an SDDL string.

/// An SDDL value representing the security descriptor. public SafePSECURITY_DESCRIPTOR(string sddl) { if (!ConvertStringSecurityDescriptorToSecurityDescriptor(sddl, SDDL_REVISION.SDDL_REVISION_1, out var sd, out var sdsz)) Win32Error.ThrowLastError(); handle = sd.DangerousGetHandle(); sz = (int)sdsz; sd.SetHandleAsInvalid(); } ///

Determines whether the components of this security descriptor are valid.

public bool IsValidSecurityDescriptor => IsValidSecurityDescriptor(handle); ///

Gets or sets the size in bytes of the security descriptor.

/// The size in bytes of the security descriptor. public override SizeT Size { get { if (sz == 0 && Length > 0) sz = Length; return base.Size; } set => base.Size = value; } ///

Determines whether the format of this security descriptor is self-relative.

public bool IsSelfRelative => ((PSECURITY_DESCRIPTOR)handle).IsSelfRelative(); ///

/// Gets the length, in bytes, of a structurally valid security descriptor. The length includes the length of all associated structures. ///

public uint Length => ((PSECURITY_DESCRIPTOR)handle).Length(); ///

Performs an explicit conversion from to .

/// The safe security descriptor. /// The result of the conversion. public static implicit operator PSECURITY_DESCRIPTOR(SafePSECURITY_DESCRIPTOR sd) => sd.DangerousGetHandle(); ///

Implements the operator !=.

/// The first value. /// The second value. /// The result of the operator. public static bool operator !=(SafePSECURITY_DESCRIPTOR psd1, SafePSECURITY_DESCRIPTOR psd2) => !(psd1 == psd2); ///

Implements the operator ==.

/// The first value. /// The second value. /// The result of the operator. public static bool operator ==(SafePSECURITY_DESCRIPTOR psd1, SafePSECURITY_DESCRIPTOR psd2) { if (ReferenceEquals(psd1, psd2)) return true; if (Equals(null, psd1) || Equals(null, psd2)) return false; return psd1.Equals(psd2); } ///

Indicates whether the current object is equal to another object of the same type.

/// An object to compare with this object. /// true if the current object is equal to the parameter; otherwise, false. public bool Equals(SafePSECURITY_DESCRIPTOR other) => Equals(other.DangerousGetHandle()); ///

Indicates whether the current object is equal to another object of the same type.

/// An object to compare with this object. /// true if the current object is equal to the parameter; otherwise, false. public bool Equals(PSECURITY_DESCRIPTOR other) => Equals(other.DangerousGetHandle()); ///

Indicates whether the current object is equal to another object of the same type.

/// An object to compare with this object. /// true if the current object is equal to the parameter; otherwise, false. public bool Equals(IntPtr other) { if (GetSecurityDescriptorLength(handle) != GetSecurityDescriptorLength(other)) return false; var s1 = ConvertSecurityDescriptorToStringSecurityDescriptor(handle, defSecInfo); var s2 = ConvertSecurityDescriptorToStringSecurityDescriptor(other, defSecInfo); return string.CompareOrdinal(s1, s2) == 0; } ///

Determines whether the specified is equal to the current .

/// The object to compare with the current object. /// /// true if the specified is equal to the current ; otherwise, false. /// public override bool Equals(object obj) { if (obj is SafePSECURITY_DESCRIPTOR psid2) return Equals(psid2); if (obj is PSECURITY_DESCRIPTOR psidh) return Equals(psidh); if (obj is IntPtr ptr) return Equals(ptr); return false; } ///

Gets the binary form of this SafePSECURITY_DESCRIPTOR.

/// An array of bytes containing the entire security descriptor. public byte[] GetBinaryForm() => GetBytes(0, (int)Length); ///

Returns a hash code for this instance.

/// A hash code for this instance, suitable for use in hashing algorithms and data structures like a hash table. public override int GetHashCode() => ToString().GetHashCode(); ///

/// The MakeAbsoluteSD function creates a security descriptor in absolute format by using a security descriptor in /// self-relative format as a template. ///

/// /// A tuple containing the following: /// /// /// pAbsoluteSecurityDescriptor /// /// The main body of an absolute-format security descriptor. This information is formatted as a SECURITY_DESCRIPTOR structure. /// /// /// /// pDacl /// /// The discretionary access control list (DACL) of the absolute-format security descriptor. The main body of the absolute-format /// security descriptor references this pointer. /// /// /// /// pSacl /// /// The system access control list (SACL) of the absolute-format security descriptor. The main body of the absolute-format /// security descriptor references this pointer. /// /// /// /// pOwner /// /// The security identifier (SID) of the owner of the absolute-format security descriptor. The main body of the absolute-format /// security descriptor references this pointer. /// /// /// /// pPrimaryGroup /// /// The absolute-format security descriptor's primary group. The main body of the absolute-format security descriptor references /// this pointer. /// /// /// /// /// /// /// A security descriptor in absolute format contains pointers to the information it contains, rather than the information /// itself. A security descriptor in self-relative format contains the information in a contiguous block of memory. In a /// self-relative security descriptor, a SECURITY_DESCRIPTOR structure always starts the information, but the security /// descriptor's other components can follow the structure in any order. Instead of using memory addresses, the components of the /// self-relative security descriptor are identified by offsets from the beginning of the security descriptor. This format is /// useful when a security descriptor must be stored on a floppy disk or transmitted by means of a communications protocol. /// /// /// A server that copies secured objects to various media can use the MakeAbsoluteSD function to create an absolute /// security descriptor from a self-relative security descriptor and the MakeSelfRelativeSD function to create a self-relative /// security descriptor from an absolute security descriptor. /// /// public (SafePSECURITY_DESCRIPTOR pAbsoluteSecurityDescriptor, SafePACL pDacl, SafePACL pSacl, SafePSID pOwner, SafePSID pPrimaryGroup) MakeAbsolute() { uint cSD = 0, cOwn = 0, cGrp = 0, cDacl = 0, cSacl = 0; if (!MakeAbsoluteSD(this, Null, ref cSD, SafePACL.Null, ref cDacl, SafePACL.Null, ref cSacl, SafePSID.Null, ref cOwn, SafePSID.Null, ref cGrp)) { var err = Win32Error.GetLastError(); if (err != Win32Error.ERROR_INSUFFICIENT_BUFFER) throw err.GetException(); } var pSD = new SafePSECURITY_DESCRIPTOR((int)cSD); var pDacl = new SafePACL((int)cDacl); var pSacl = new SafePACL((int)cSacl); var pOwn = new SafePSID((int)cOwn); var pGrp = new SafePSID((int)cGrp); if (!MakeAbsoluteSD(this, pSD, ref cSD, pDacl, ref cDacl, pSacl, ref cSacl, pOwn, ref cOwn, pGrp, ref cGrp)) Win32Error.ThrowLastError(); return (pSD, pDacl, pSacl, pOwn, pGrp); } ///

Returns a that represents this instance.

/// A that represents this instance. public override string ToString() => ConvertSecurityDescriptorToStringSecurityDescriptor(handle, defSecInfo); } } ///

Extension methods for PACE, PACL and PSECURITY_DESCRIPTOR.

public static class WinNTExtensions { ///

Gets the number of ACEs held by an ACL.

/// The pointer to the ACL structure to query. /// The ace count. public static uint AceCount(this PACL pACL) => AdvApi32.IsValidAcl(pACL) && AdvApi32.GetAclInformation(pACL, out AdvApi32.ACL_SIZE_INFORMATION si) ? si.AceCount : 0; ///

Gets the total number of bytes allocated to the ACL.

/// The pointer to the ACL structure to query. /// The total of the free and used bytes in the ACL. public static uint BytesAllocated(this PACL pACL) => AdvApi32.IsValidAcl(pACL) && AdvApi32.GetAclInformation(pACL, out AdvApi32.ACL_SIZE_INFORMATION si) ? si.AclBytesFree + si.AclBytesInUse : 0; ///

Gets the Flags for an ACE, if defined.

/// A pointer to an ACE. /// The Flags value, if this is an object ACE, otherwise . /// pAce public static ObjectAceFlags? GetFlags(this PACE pAce) { if (pAce.IsNull) throw new ArgumentNullException(nameof(pAce)); return !pAce.IsObjectAce() ? null : (ObjectAceFlags?)pAce.DangerousGetHandle().ToStructure().Flags; } ///

Gets the header for an ACE.

/// A pointer to an ACE. /// The value. /// pAce public static AdvApi32.ACE_HEADER GetHeader(this PACE pAce) => !pAce.IsNull ? pAce.DangerousGetHandle().ToStructure() : throw new ArgumentNullException(nameof(pAce)); ///

Gets the InheritedObjectType for an ACE, if defined.

/// A pointer to an ACE. /// The InheritedObjectType value, if this is an object ACE, otherwise . /// pAce public static Guid? GetInheritedObjectType(this PACE pAce) { if (pAce.IsNull) throw new ArgumentNullException(nameof(pAce)); return !pAce.IsObjectAce() ? null : (Guid?)pAce.DangerousGetHandle().ToStructure().InheritedObjectType; } ///

Gets the mask for an ACE.

/// A pointer to an ACE. /// The ACCESS_MASK value. /// pAce public static uint GetMask(this PACE pAce) => !pAce.IsNull ? pAce.DangerousGetHandle().ToStructure().Mask : throw new ArgumentNullException(nameof(pAce)); ///

Gets the ObjectType for an ACE, if defined.

/// A pointer to an ACE. /// The ObjectType value, if this is an object ACE, otherwise . /// pAce public static Guid? GetObjectType(this PACE pAce) { if (pAce.IsNull) throw new ArgumentNullException(nameof(pAce)); return !pAce.IsObjectAce() ? null : (Guid?)pAce.DangerousGetHandle().ToStructure().ObjectType; } ///

Gets the SID for an ACE.

/// A pointer to an ACE. /// The SID value. /// pAce public static AdvApi32.SafePSID GetSid(this PACE pAce) { if (pAce.IsNull) throw new ArgumentNullException(nameof(pAce)); var offset = Marshal.SizeOf(typeof(AdvApi32.ACE_HEADER)) + sizeof(uint); if (pAce.IsObjectAce()) offset += sizeof(uint) + Marshal.SizeOf(typeof(Guid)) * 2; unsafe { return AdvApi32.SafePSID.CreateFromPtr((IntPtr)((byte*)pAce.DangerousGetHandle() + offset)); } } ///

Determines if a ACE is an object ACE.

/// A pointer to an ACE. /// if is this is an object ACE; otherwise, . /// pAce /// pAce - Unknown ACE type. public static bool IsObjectAce(this PACE pAce) { if (pAce.IsNull) throw new ArgumentNullException(nameof(pAce)); var aceType = (byte)GetHeader(pAce).AceType; if (aceType > 0x15) throw new ArgumentOutOfRangeException(nameof(pAce), "Unknown ACE type."); return (aceType >= 0x5 && aceType <= 0x8) || aceType == 0xB || aceType == 0xC || aceType == 0xF || aceType == 0x10; } ///

Determines whether the security descriptor is self-relative.

/// The pointer to the SECURITY_DESCRIPTOR structure to query. /// true if it is self-relative; otherwise, false. public static bool IsSelfRelative(this PSECURITY_DESCRIPTOR pSD) => AdvApi32.GetSecurityDescriptorControl(pSD, out var ctrl, out _) ? ctrl.IsFlagSet(AdvApi32.SECURITY_DESCRIPTOR_CONTROL.SE_SELF_RELATIVE) : throw Win32Error.GetLastError().GetException(); ///

Validates an access control list (ACL).

/// The pointer to the ACL structure to query. /// true if the ACL is valid; otherwise, false. public static bool IsValidAcl(this PACL pAcl) => AdvApi32.IsValidAcl(pAcl); ///

Determines whether the components of a security descriptor are valid.

/// The pointer to the SECURITY_DESCRIPTOR structure to query. /// /// true if the components of the security descriptor are valid. If any of the components of the security descriptor are not /// valid, the return value is false. /// public static bool IsValidSecurityDescriptor(this PSECURITY_DESCRIPTOR pSD) => AdvApi32.IsValidSecurityDescriptor(pSD); ///

Gets the size, in bytes, of an ACE.

/// The pointer to the ACE structure to query. /// The size, in bytes, of the ACE. public static uint Length(this PACE pAce) { unsafe { var p = (AdvApi32.ACE_HEADER*)(void*)pAce.DangerousGetHandle(); return p == null ? 0U : p->AceSize; } } ///

Gets the size, in bytes, of an ACL. If the ACL is not valid, 0 is returned.

/// The pointer to the ACL structure to query. /// The size, in bytes, of an ACL. If the ACL is not valid, 0 is returned. public static uint Length(this PACL pACL) => AdvApi32.IsValidAcl(pACL) && AdvApi32.GetAclInformation(pACL, out AdvApi32.ACL_SIZE_INFORMATION si) ? si.AclBytesInUse : 0; ///

Gets the size, in bytes, of a security descriptor. If it is not valid, 0 is returned.

/// The pointer to the SECURITY_DESCRIPTOR structure to query. /// The size, in bytes, of a security descriptor. If it is not valid, 0 is returned. public static uint Length(this PSECURITY_DESCRIPTOR pSD) => AdvApi32.IsValidSecurityDescriptor(pSD) ? AdvApi32.GetSecurityDescriptorLength(pSD) : 0U; } }