CodeProject: NT Security Classes for .NET. Free source code and programming help

Announcements

	Windows 7 Comp Win a laptop!
	Monthly Competition

Articles

Desktop Development

Web Development

Enterprise Systems

Content Management Server

Microsoft BizTalk Server

SQL Reporting Services

Platforms, Frameworks & Libraries

Windows Communication Foundation

Windows Presentation Foundation

Windows Workflow Foundation

Cryptography & Security

Threads, Processes & IPC

WinHelp / HTMLHelp

Uncategorised Quick Answers

Graphics / Design

Expression

Usability

Development Lifecycle

Debug Tips

Design and Architecture

Uncategorised Technical Blogs

Services

Code-signing Certificates

Job Board

CodeProject VS2008 Addin

Feature Zones

Product Showcase

Code Signing Resources

WhitePapers / Webcasts

ASP.NET Web Hosting

Advanced Search
Add to IE Search

Discuss

Report

40 votes for this article.

Popularity: 7.07 Rating: 4.41 out of 5

Introduction

This class library allows access to the Win32 security calls in a .NET friendly way. It encapsulates the concepts of a user, a securable object (like a file, named pipe, directory, etc.), and permissions. This library was written in Managed C++ to simplify the amount of work needed to link to existing Win32 libraries. However, since it exposes all of its functionality via .NET, it can be used from any .NET compliant language, including C# and Visual Basic. The project was written and compiled with Visual Studio 2002.

NOTE: There is a library written by some Microsoft guys on GotDotNet that does much of the same thing and more. It can be found at http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=e6098575-dda0-48b8-9abf-e0705af065d9.

This article outlines the primary objects in the library and their use in manipulating security objects.

Documentation

WindowsUser class

This class represents a single Windows identity (SID). It can be created by specifying either a username ("DOMAIN\user" format) or the string representation of a SID ("S-1-5-xxxx-xxx..."). You can also get the identity of the current user using the static property CurrentUser.

There are a number of predefined identities that exist as static members of a child class called WellKnownIdentities. Once you have an identity, you can get the following properties:

AccountName: string name of the account
Domain: string name of the account's domain
FullName: string in the form of "Domain\AccountName"
SidString: string representation of the SID

SecuredObject class

This class represents an object which can have a security descriptor. It can be created by specifying the name of the resource along with its type or by passing a handle (as an IntPtr) to the resource.

Once you have the object, you can update the permissions, audit information, owner and group.

PermissionsList

This class encapsulates actions on the ACL. It allows granting, revoking, changing, and denying access levels to different users. Derived from AccessList, which is a collection class for AccessEntry.

AuditingList

This class encapsulates actions on the auditing list of an object. It allows getting and setting audit success and failure rights. Derived from AccessList, which is a collection class for AccessEntry.

AccessEntry

This class encapsulates the Access Control Entry or ACE. You can set the user (trustee) and the associated rights and inheritance.

Example

This code shows the library in action. It assumes you have aliased the Microsoft.Win32.Security namespace (using in C#, Imports in VB).

// Get the current user and print their information

WindowsUser user = WindowsUser.CurrentUser;
Console.WriteLine("{0} ({1})", user.FullName, user.SidString);

// Get the current user from their token

WindowsUser duser = new WindowsUser(
  System.Security.Principal.WindowsIdentity.GetCurrent().Token);
Console.WriteLine(duser.FullName);

// Compare users

if (user == duser)
   Console.WriteLine("Same");
else
   Console.WriteLine("Different");

// Get a well-known user

user = WindowsUser.WellKnownIdentities.World;
Console.WriteLine(user.FullName);

// Get a user by name from a specific server (usually a domain controller)

WindowsUser kuser = new WindowsUser("user2", @"\\MYPDC");
Console.WriteLine(kuser.FullName);

// Get a user by name

user = new WindowsUser("DOMAIN\\user3");
Console.WriteLine(user.FullName);

// Get a user by SID

user = new WindowsUser("S-1-5-21-21782756-1035017279-1439700725-1111");
Console.WriteLine(user.FullName);

// Get security for C:\ directory

SecuredObject sec = new SecuredObject("C:\\", SecuredObjectType.FileObject);
DumpObject(sec);

// Set some various permissions on the directory
sec.Permissions.SetAccess(kuser, AccessRights.FileRead,
   AceInheritanceFlags.ContainerInherit|AceInheritanceFlags.ObjectInherit);
sec.Permissions.GrantAccess(kuser, AccessRights.FileExecute,
   AceInheritanceFlags.ContainerInherit|AceInheritanceFlags.ObjectInherit);
sec.Permissions.DenyAccess(kuser, AccessRights.FileWriteUnsync,
   AceInheritanceFlags.ContainerInherit|AceInheritanceFlags.ObjectInherit);
WindowsUser owner = sec.Owner;
sec.Owner = duser;
sec.Auditing.SetAuditFailure(duser, AccessRights.FileReadUnsync,
   AceInheritanceFlags.ContainerInherit|AceInheritanceFlags.ObjectInherit);
DumpObject(sec);

// Revoke some access
sec.Permissions.RevokeAccess(kuser);
sec.Owner = owner;
DumpObject(sec) ;

// Reset the security on the directory
sec.Permissions.Clear();
sec.Permissions.InheritFromParent = true;
DumpObject(sec);

// Write the DACL using the Microsoft style
Console.WriteLine(sec.ToString());

The following function shows how to enumerate the permissions on a security object.

static void DumpObject(SecuredObject sec)
{
   Console.WriteLine("Security description:");
   Console.WriteLine("=====================");
   Console.WriteLine("Owner: {0}\nGroup: {1}", 
     sec.Owner.FullName, sec.Group.FullName);
   Console.WriteLine("Permissions:");
   foreach (AccessEntry ace in sec.Permissions)
      Console.WriteLine(String.Format("  {0} : {1} : {2}", 
         ace.Trustee.FullName,
         ace.Inheritance, ace.Rights));
   Console.WriteLine("Auditing:");
   foreach (AccessEntry ace in sec.Auditing)
      Console.WriteLine(String.Format("  {0} : {1} : {2}", 
         ace.Trustee.FullName,
         ace.Inheritance, ace.Rights));
}

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

David Hall

Member

I have been a Windows software developer since 1991. Most of what I create fills the need for some aspect of bigger projects that I consult on.

Occupation:	Architect
Location:	United States

Other popular .NET Framework articles:

The 30 Minute Regex Tutorial
Learn how to use regular expressions in 30 minutes with Expresso.
Strings UNDOCUMENTED
Detailed looked at the implementation of strings in .NET
Expresso - A Tool for Building and Testing Regular Expressions
For learning, building, and debugging .NET Framework regular expressions
Unraveling the Mysteries of .NET 2.0 Configuration
Learn how to utilize the powerful new .NET 2.0 configuration features to simplify and centralize your configuration code.
Simple Windows Service Sample
A simple application to show how to create a Windows service.

Article Top

You must Sign In to use this message board.

FAQ
Noise Tolerance Layout Per page

Msgs 1 to 25 of 102 (Total in Forum: 102) (Refresh)

FirstPrevNext

Memoryleak?

mackenb

3:41 13 Oct '09

Thanks for the great work! There seems to be a memory leak (windows handle not closed) if you call so.Permissions.GetEffectiveRights(Me.WinUser) on an SecuredObject so. Regards, Georg
Sign In·View Thread·PermaLink

Win32Helper Fails on comparing two null sids.

Member 3829427

2:32 11 Aug '09

I've used this for setting permissions on shares. Doing this it fails in the UnsafeSetNamedSecurityInfo method in the Win32helper.cs file with a null pointer exception.

The error is due to a operator overload in the Sid class (Sid.cs). The overload operator calls a method called UnsafeEqualsSids which starts like this:

private static unsafe bool UnsafeEqualsSids(Sid s1, Sid s2)
{
if (object.ReferenceEquals(s1, null) || object.ReferenceEquals(s2, null))
{
  return false;
}

This method fails if both sids are null. The following code inserts another tests which checks if both sids are null and then return true instead of false.

private static unsafe bool UnsafeEqualsSids(Sid s1, Sid s2)
{
if (object.ReferenceEquals(s1, null) && object.ReferenceEquals(s2, null))
{
  return true;
}
if (object.ReferenceEquals(s1, null) || object.ReferenceEquals(s2, null))
{
  return false;
}

How to setup mmsseclib for usage

Juergen Loewner

21:43 21 Aug '07

Hi folks I am a sporadic Dot Net developer and haven't worked for about half a year with VS2005.

So forgive me my question:
To use the mmsseclib.dll do I have to use regasm?
Anything else to do before I can use mmsseclib (using mmsseclib)?

BTW: I want to use mmsseclib to give a web server on the fly the rights for a certain directory so that it can create a text file in it, when needed.

Any experiences how to do that/an example?

Best
JL

Re: How to setup mmsseclib for usage

Juergen Loewner

8:12 22 Aug '07

My feeling is that this section of codeproject is dead. As since march 2006 no answeres are visible. Maybe the author passed away. R.I.P.
Sign In·View Thread·PermaLink

Console frontend à la (X)Cacls

LiQuick

3:31 28 Mar '07

There are still some console freaks like me (system administrators) out there that have used MS tools like (X)Cacls to automate several tasks. But due to several problems with (X)Cacls I had to resort to manual labour Sigh

. But here it is!! A great library of David Hall! Have created a shell around it to make it more coworker friendly:->. You can find it on LiQuick.net. When all bugs are out, I'll try to write an add-on article to this page. Code of the console can be requested for by e-Mail.

Compiler problem

wakkoedu

2:27 6 Dec '06

Hi there,

I'm tring to compile the TestSec.cs using C# compiler, but no matter what I do, I allways get the same error:

The type or namespace name 'mmsseclib' could not be found (are you missing a using directive or an assembly reference?)

But the refence was there. I had copy the mmsseclib.dll to the same folder of TestSec.cs, access the command prompt, go to path of the TestSec.cs and mmsseclib.dll and type:

csc /target:exe /r:mmsseclib.dll TestSec.cs

How I can reference the dll to compile the program? Confused

Eduardo
tw latin america

David, can I use your dll in the commercial product?

Dmitry V.Trus

6:07 23 Nov '06

David, can I use your nice and straightforward dll in the commercial product? What I shall do for that? Dmitry.
Sign In·View Thread·PermaLink	2.00/5 (1 vote)

launchPermission on component

superk

1:44 10 May '06

Hi,
I have an asp application that needs to launch PowerPoint.
At installation, i would like to give the "ASPNET" account the ability to launch and execute
Powerpoint.
I tried with the following code below but It just allows this account to "read" the registry key.

Do you have any idea or where to modify to allow "Execution" from "ASPNET" account ?
Thanks.
Karim

WindowsUser kuser = new WindowsUser("ASPNET");
Console.WriteLine(kuser.FullName);
SecuredObject sec =null
string 	skey=@"Software\Classes\AppID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}";
IntPtr hKey;
int rc = Win32.RegOpenKey(Win32.HKEY_LOCAL_MACHINE,skey, out hKey);
if (rc == 0)
 {
   sec = new SecuredObject(hKey, SecuredObjectType.RegistryKey);
   DumpObject(sec);
   sec.Permissions.SetAccess(kuser, AccessRights.GenericExecute,AceInheritanceFlags.ContainerInherit|AceInheritanceFlags.ObjectInherit);
   // below is some tests
  //sec.Permissions.SetAccess(kuser, AccessRights.KeyAllAccess, AceInheritanceFlags.ContainerInherit|AceInheritanceFlags.ObjectInherit);
  //sec.Permissions.SetAccess(kuser, AccessRights.FileFullControl, AceInheritanceFlags.ContainerInherit|AceInheritanceFlags.ObjectInherit);
  DumpObject(sec);
  Win32.RegCloseKey(hKey);
 }

exception question

ah_zen

2:30 11 Mar '06

Hi there, I kept getting the following exception while attempting to load an existing user.

System.ComponentModel.Win32Exception: No mapping between account names and security IDs was done at Microsoft.Win32.Security.WindowsUser.Load(String accountName, String system) at Microsoft.Win32.Security.WindowsUser..ctor(String accountName) at RegStudent.RegisterStudent.CreateUserAccount(String username, String password, String subjectCode, String firstName, String surname, String studentDir, String virtualDir, String adminUser, String adminPass)

can anyone tell me why this is so? or what can cause this exception to occur. Many thanks

Regards

1.50/5 (2 votes)

Re: exception question

MrBonus

1:46 1 Aug '06

I had the ecxact same problem, it can be different things, but what you want to do first is to make sure the username and password matches up.

"if run from command line"
try to not enter username and password when you run the command line, then you will get a form, asking you for username and password, if you can enter username and password here, and the service installs correct, then you know that the username and password matches up. If not, then you need to figure out how to write it, it could be like this

.\administrator 'localmachine
MyDomain\administrator 'network

"Usefull solution"
I tried to print out the username and password after I putted them on my ServiceProcessInstaller.

System.Diagnostics.EventLog.WriteEntry("ServiceTest", "User:""" & Me.processInstaller.Username & """ Password:""" & Me.processInstaller.Password & """", EventLogEntryType.Warning)

If the username and password arent set properly here, you will get the Win32Exception.

My problem, was I had switched the username and password Smile

MrBonus

5.00/5 (1 vote)

VB 2005 issue

lmwinbur

19:11 13 Feb '06

First off, I have to say this is awesome code. I've been searching for something to set ntfs without having to shell out for a while now and this does everything I need and more. Couldn't have been simpler. I am however having an issue using the dll in 2005. When the object is used in code I get the following error:

'mmsseclib.dll' is attempting managed execution inside OS Loader lock. Do not attempt to run managed code inside a DllMain or image initialization function since doing so can cause the application to hang.

This issue is only with 2005 and it works fine in 2003. I tried doing a simple conversion of the source to 2005 to see if that cleared the error, but the 2005 compiler threw another error compiling the dll:

Error 1 error C2872: 'FILETIME' : ambiguous symbol C:\Program Files\Microsoft Visual Studio 8\VC\PlatformSDK\include\lmaccess.h 1390
Has anyone tried this component in .Net 2.0? Any help would be greatly appreciated...

Thanks,
Landon.

5.00/5 (1 vote)

Re: VB 2005 issue

bbosak

11:11 23 Mar '06

I had the same problem when trying to compile. Switch "FILETIME" to "System::Runtime::InteropServices::FILETIME" and it should compile for you in VS 2005.
Sign In·View Thread·PermaLink	2.00/5 (1 vote)

Re: VB 2005 issue

OliProject

4:27 18 Apr '07

following this link http://www.be-st.it/Blog/tabid/79/EntryID/2/Default.aspx try to set this [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework] MDA = 0 Good luck )) oli
Sign In·View Thread·PermaLink

Re: VB 2005 issue

Member 2945790

9:04 31 Dec '08

I had the same issue and replaced: System::Runtime::InteropServices::ComTypes::FILETIME with FILETIME in lmaccess.h Mike
Sign In·View Thread·PermaLink

On NT4.0 SP6 Machine

k_udct

0:22 3 Jun '05

I installed this dll on to our Project and it works for me on XP and 2000. Afterwards there was a requirement for us to install our Project on Win NT 4.0 Sp6 application. It is crashing at this mmsseclib.dll saying advapi32.dll(system32) is giving probem.

Unless i build this dll on NT machine, I will not able to fix my problem. Since Visual Studio.NET cannot be installed on Windows NT SP6.0, Can you suggest some way around for me to build this application on Visual Studio 6.0 VC++ 6.0., so that i can add this dll on NT.

Thanks in advance,

KK

KK

Re: On NT4.0 SP6 Machine

David Hall

6:27 6 Jun '05

I'm not sure it will compile without a bunch of work. It may be easier to look through the code and find any functions referenced from advapi32 that do not work under NT4 and then change that code. - David
Sign In·View Thread·PermaLink

Re: On NT4.0 SP6 Machine

k_udct

4:54 8 Jun '05

David, Thanks for the Reply. Can you suggest me any dll/code which works similar to your mmseclib.dll written in VisualC++ 6.0, I need similar functionality for me, but i need it visual C++6.0 so that i can build on NT and use on my project. Thanks in Advance. KK
Sign In·View Thread·PermaLink

Re: On NT4.0 SP6 Machine

David Hall

5:43 8 Jun '05

The ATL library has much of this functionality, but I'm not sure if it was added in the 6.0 product. That is the only other source I am aware of.
Sign In·View Thread·PermaLink

Error while assigning SecurityObject

VikramSaraf

22:07 30 May '05

Somebody help me correct this error. I get "Object reference not to instance of an object" and sometimes "System.OutOfMemoryException" error at the same statement.

Following is the code snippet for your reference:

private void grantRights(string grantType)
{
try
{
//Store the path of the Selected Directory
//Get the path from the type propery of the treeview control
String dirPath = @"C:\InetPub\WWWRoot\AD";

//Initialise AccessRight to 0 (none)
AccessRights rights=0;

//Get the access rights choosen by the user
//Full Control
if(grantType=="Full Control") rights = AccessRights.FileFullControl;

//Write
if(grantType=="Write") rights = AccessRights.FileWrite;

//Read Only
if(grantType=="Read Only") rights = AccessRights.FileRead;

//Create WindowUser instance to provide the Access Rights
WindowsUser user = new WindowsUser ("amol","active");

//Create SecuredObject instance to denote the selected Directory
SecuredObject sec = new SecuredObject(dirPath, SecuredObjectType.FileObject); //I SOMETIMES get above mentioned error here

//Set the rights or permissions
sec.Permissions.SetAccess(user, rights, AceInheritanceFlags.ContainerInherit|AceInheritanceFlags.ObjectInherit);
}
}
//Show success message
HandleSuccess(grantType + " Permission was given for the selected users.");
}
catch(Exception ex)
{
//Show error
HandleException(ex.Message);
}
}

The above mentioned error does not occur every time I run the code. It occurs sometimes. At other times the code works fine. I dont understand why this happens.

I am working on Active Directories. I have to provide access rights for particular users for the directories in IIS 6.0 Web Server.

I am using ASP .Net and C#, Visual Studio .Net 2003, Microsoft .Net Framework 1.1.

Please provide a solution for this as early as possible. Your help will be highly appreciated.

-Vikram Saraf

Re: Error while assigning SecurityObject

David Hall

6:30 6 Jun '05

My guess is that this is a failure to access "dirPath" potentially due to access or network problems.
Sign In·View Thread·PermaLink

Named pipe help

erictaneda

9:45 26 Dec '04

Hi, I have not been able to figure out how to create a SecuredObject for a named pipe. I tried: SecuredObject sec = new SecuredObject("\\\\.\\pipe\\namedpipename",SecuredObjectType.FileObject); but I get a "The parameter is incorrect" exception. Any suggestions?
Sign In·View Thread·PermaLink	2.00/5 (1 vote)

Question about enums.h

John Rusk

17:36 29 Nov '04

David,

Thanks for posting this code, it's very useful.

I have taken over a long-running project that uses your code. Unfortunately, the original developer on this project is no longer available to answer questions. I have noticed that "our" version of the source code differs slightly from yours, and I'm wondering which is right.

In "ours", AceInheritanceFlags is of type Int16 and contains SUB_CONTAINERS_AND_OBJECTS_INHERIT. In the version currently on Code Project, AceInheritanceFlags is of type Byte, and does not contain SUB_CONTAINERS_AND_OBJECTS_INHERIT.

I'm not sure whether our version is out of date, or if the differences are bug fixes made by my predecessor. Given my description above, are you able to tell me which is correct?

Many thanks,

John

Re: Question about enums.h

David Hall

5:51 30 Nov '04

I checked and that enum is still a byte and I do not have that item. It must be from your predecessor. I'm guessing that he changed to a short since that will show up in VB.NET without manipulation and that flag is a combination of some others to make it easier to code.
Sign In·View Thread·PermaLink

Re: Question about enums.h

John Rusk

9:32 30 Nov '04

Thanks David.
Sign In·View Thread·PermaLink

Adds special permissions not regula permissions

patel_o

5:54 19 Nov '04

Below is my code (written in vb.net)
'*******************************************************************************************
‘Call the setPermission procedure
setPermission(”C:\Inetpub\www\MyWebsite”, “JOP\ASPNET”)
‘And the actual method
Sub setPermission(ByRef vPath As String, ByVal UserName As String)
Dim user As WindowsUser = New WindowsUser(UserName)
Dim sec As SecuredObject = New SecuredObject(vPath, SecuredObjectType.FileObject)
sec.Permissions.GrantAccess(user, AccessRights.FileExecute, AceInheritanceFlags.ContainerInherit)
End Sub
'*******************************************************************************************

Tthe code works perfectly find, but when I check Security properties on the folder, I find that ASP.Net account has “Special Permissions” in stead of normal Read, Write and Execute permissions. I am not sure if anyway I can add Regular Read, Write and Execute permissions using the above code, as users get access denied error message when they try to upload files to the folder.

Last Visit: 15:34 8 Nov '09 Last Update: 15:34 8 Nov '09

12 3 4 5 Next »

General News Question Answer Joke Rant Admin

PermaLink | Privacy | Terms of Use
Last Updated: 19 Feb 2004
Editor: Nishant Sivakumar