Click here to Skip to main content
12,690,140 members (33,305 online)
Click here to Skip to main content


126 bookmarked

The Windows Access Control Model Part 3

, 1 Jul 2005
In the third part of this series, we will take a tour of the new access control classes coming in .NET v2.0.
using System;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Collections.Generic;
using System.Text;

namespace AccessToken
	class AccessCheckWrap
		/* Generic mask mappings aren't yet supported for .NET framework, so we'll put it here. */
		internal struct GENERIC_MAPPING
			internal uint GenericRead;
			internal uint GenericWrite;
			internal uint GenericExecute;
			internal uint GenericAll;

			CallingConvention = System.Runtime.InteropServices.CallingConvention.StdCall)]
		internal static extern void MapGenericMask(ref uint AccessMask, ref GENERIC_MAPPING GenericMapping);

		/* C# doesn't support struct initializers for class members here, so I use this workaround function */
		internal static GENERIC_MAPPING RegGeneric()
			GENERIC_MAPPING genericMapping = new GENERIC_MAPPING();
			genericMapping.GenericRead = (uint)(System.Security.AccessControl.RegistryRights.ReadKey);
			genericMapping.GenericWrite = (uint)(System.Security.AccessControl.RegistryRights.WriteKey);
			genericMapping.GenericExecute = (uint)(System.Security.AccessControl.RegistryRights.ExecuteKey);
			genericMapping.GenericAll = (uint)(System.Security.AccessControl.RegistryRights.FullControl);
			return genericMapping;

		protected struct LUID_AND_ATTRIBUTES
			public Int64 Luid;
			public int Attributes;

		private const Int32 ANYSIZE_ARRAY = 1;

		protected struct PRIVILEGE_SET
			public uint PrivilegeCount;
			public uint Control;
			[MarshalAs(UnmanagedType.ByValArray, SizeConst = ANYSIZE_ARRAY)]
			public LUID_AND_ATTRIBUTES[] Privilege;

		/* Wrapper class for the AccessCheck API. */
		[DllImport("advapi32", SetLastError=true)]
		protected static extern bool AccessCheck(
			byte [] pSecurityDescriptor,
			IntPtr ClientToken,
			uint DesiredAccess,
			[In] ref GENERIC_MAPPING GenericMapping,
			IntPtr PrivilegeSet,
			ref uint PrivilegeSetLength,
			out uint GrantedAccess,
			out bool AccessStatus);

		/// <summary>
		/// This function provides a managed wrapper over the AccessCheck API, minus the rubbish
		/// (And AccessCheck does have a lot of useless parameters).
		/// </summary>
		/// <param name="regKey">The security descriptor of the registry key.</param>
		/// <param name="DesiredAccess">The rights you want to the object.</param>
		/// <returns>true if access is allowed, false for access denied. May except with a Win32Exception.</returns>
		public static bool DoRegistryAccessCheck(RegistrySecurity regKey, uint DesiredAccess)
			using (ManagedTokenHandle procHandle = AccessToken.GetAccessToken(TokenAccessLevels.Duplicate))
			using (AccessToken procToken = new AccessToken(procHandle.HandleInternal))
			using (ManagedTokenHandle userToken = procToken.CreateImpersonationToken(TokenImpersonationLevel.Impersonation))
				uint PrivilegeSetLength = 0, GrantedAccess = 0;
				bool AccessStatus = false;
				IntPtr PrivilegeSet = IntPtr.Zero;
				byte [] RawForm = regKey.GetSecurityDescriptorBinaryForm();

				GENERIC_MAPPING genericRegMapping =	RegGeneric();
				MapGenericMask(ref DesiredAccess, ref genericRegMapping);

				/* The first call to AccessCheck is designed to fail. */
				AccessCheck(RawForm, userToken.HandleInternal, DesiredAccess, ref genericRegMapping,
					PrivilegeSet, ref PrivilegeSetLength, out GrantedAccess, out AccessStatus);

				PrivilegeSet = Marshal.AllocHGlobal(Convert.ToInt32(PrivilegeSetLength));

				if (!AccessCheck(RawForm, userToken.HandleInternal, DesiredAccess, ref genericRegMapping, PrivilegeSet,
					ref PrivilegeSetLength, out GrantedAccess, out AccessStatus))
					throw new System.ComponentModel.Win32Exception();
				/* AccessStatus should be true, and GrantedAccess should be equal to DesiredAccess */
				if (AccessStatus == true && DesiredAccess == GrantedAccess)
					return true;
				else return false;

		/// <summary>
		/// Unlike DoRegistryAccessCheck, this function doesn't Pinvoke to the Advapi32 AccessCheck functions.
		/// Instead, it makes the access check itself, using its own algorithm.
		/// </summary>
		/// <param name="regKey">the security descriptor for the registry key</param>
		/// <param name="DesiredAccess">What you want to do with the registry key (RegistryRight cast as uint)</param>
		/// <returns>true for access approved, false for access denied</returns>
		public static bool DoManualAccess(RegistrySecurity regKey, uint DesiredAccess)
			/* returns false if the user is likely to get Access denied. */
			if(regKey == null)
			{/* Success any NULL DACLs */
				return true;

			if(regKey.GetOwner(typeof(SecurityIdentifier)) == WindowsIdentity.GetCurrent().User)
			{/* The owner has ChangePermissions | ReadControl */
				DesiredAccess &= ~((uint)RegistryRights.ChangePermissions | (uint)RegistryRights.ReadPermissions);
			/** BUGBUG: If there is a deny ACE that is present in our token, it's not checked properly against
			*	deny SIDs. As a result, access may be granted rather than denied.
			*	For AccCheckFrm and DACLForm, we are saved because we open up the registry key later, and that
			*	Will fail as expected.
			foreach (RegistryAccessRule Entry in
				regKey.GetAccessRules(true, true, typeof(SecurityIdentifier)))
				WindowsPrincipal userSID = new WindowsPrincipal(WindowsIdentity.GetCurrent());

				/* Remap generic rights. */
				uint accessMask = (uint)(Entry.RegistryRights);
				GENERIC_MAPPING genericReg = RegGeneric();
				MapGenericMask(ref accessMask, ref genericReg);

				/* IsInRole handles most of the Group stuff for us. */
				if (userSID.IsInRole((SecurityIdentifier)(Entry.IdentityReference)))
					/* This right applies to us. */
					if ((accessMask & DesiredAccess) != 0)
					{/* This right holds our desired Registry permission. If its allow, true, otherwise false */
						if (Entry.AccessControlType == AccessControlType.Deny)
						{/* Some rights are disallowed. You're gonna get an error 5 */
							return false;
						{/* NAND out the Access flags from DesiredAccess. */
							DesiredAccess &= ~(accessMask);
			/* At the end, DesiredAccess should be 0 */
			if (DesiredAccess == 0) return true;
			return false;

By viewing downloads associated with this article you agree to the Terms of Service and the article's licence.

If a file you wish to view isn't highlighted, and is a text file (not binary), please let us know and we'll add colourisation support for it.


This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here


About the Author

Web Developer
United States United States
Mr. Shah is a reclusive C++/C# developer lurking somewhere in the depths of the city of London. He learnt physics at Kings' College London and obtained a Master in Science there. Having earned an MCAD, he teeters on the brink of transitioning from C++ to C#, unsure of which language to jump to. Fortunately, he also knows how to use .NET interop to merge code between the two languages (which means he won't have to make the choice anytime soon).

His interests (apart from programming) are walking, football (the real one!), philosophy, history, retro-gaming, strategy gaming, and any good game in general.

He maintains a website / blog / FAQ / junk at, where he places the best answers he's written to the questions you've asked. If you can find him, maybe you can hire Mr. Shah to help you with anything C++[/CLI]/C#/.NET related Smile | :) .

You may also be interested in...

| Advertise | Privacy | Terms of Use | Mobile
Web01 | 2.8.170117.1 | Last Updated 1 Jul 2005
Article Copyright 2005 by oshah
Everything else Copyright © CodeProject, 1999-2017
Layout: fixed | fluid