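// Based on code from the following:
// https://learn.microsoft.com/en-us/windows/win32/secauthz/creating-a-security-descriptor-for-a-new-object-in-c--

// NOTE(review): the header names of the #include directives below were lost
// when this listing was extracted; only the directive keywords survive.
// Restore them from the original file before building.
#include /* header name lost in extraction */
#include /* header name lost in extraction */

#define WIN32_NO_STATUS
#define _INC_WINDOWS
#define COM_NO_WINDOWS_H

#include /* header name lost in extraction */
#include /* header name lost in extraction */
#include /* header name lost in extraction */
#include /* header name lost in extraction */

/*
 * Creates HKEY_CURRENT_USER\mykey with an explicit security descriptor and
 * checks that RegCreateKeyExW succeeds.
 *
 * The DACL built here holds two ACEs, neither of them inheritable:
 *   - Everyone                : KEY_READ
 *   - BUILTIN\Administrators  : KEY_ALL_ACCESS
 *
 * Every intermediate Win32 call is checked with ok(); the first failure jumps
 * to Cleanup, which releases whatever was acquired up to that point.
 */
START_TEST(regtest)
{
    LPCWSTR pszKeyName = L"mykey";
    DWORD dwRes, dwDisposition = 0;
    PACL pACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    PSID pEveryoneSID = NULL, pAdminSID = NULL;
    SID_IDENTIFIER_AUTHORITY SIDAuthWorld = {SECURITY_WORLD_SID_AUTHORITY};
    SID_IDENTIFIER_AUTHORITY SIDAuthNT = {SECURITY_NT_AUTHORITY};
    EXPLICIT_ACCESS ea[2];
    SECURITY_ATTRIBUTES sa;
    LONG lRes;
    BOOL bRes;
    HKEY hkSub = NULL;

    // Create a well-known SID for the Everyone group.
    bRes = AllocateAndInitializeSid(&SIDAuthWorld, 1,
                                    SECURITY_WORLD_RID,
                                    0, 0, 0, 0, 0, 0, 0,
                                    &pEveryoneSID);
    ok(bRes != FALSE, "AllocateAndInitializeSid Error %ld\n", GetLastError());
    if (!bRes)
        goto Cleanup;

    // Initialize an EXPLICIT_ACCESS structure for an ACE.
    // The ACE will allow Everyone read access to the key.
    ZeroMemory(ea, sizeof(ea));
    ea[0].grfAccessPermissions = KEY_READ;
    ea[0].grfAccessMode = SET_ACCESS;
    ea[0].grfInheritance = NO_INHERITANCE;
    ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
    // With TRUSTEE_IS_SID the ptstrName member carries a SID pointer, not a string.
    ea[0].Trustee.ptstrName = (LPTSTR)pEveryoneSID;

    // Create a SID for the BUILTIN\Administrators group.
    bRes = AllocateAndInitializeSid(&SIDAuthNT, 2,
                                    SECURITY_BUILTIN_DOMAIN_RID,
                                    DOMAIN_ALIAS_RID_ADMINS,
                                    0, 0, 0, 0, 0, 0,
                                    &pAdminSID);
    ok(bRes != FALSE, "AllocateAndInitializeSid Error %ld\n", GetLastError());
    if (!bRes)
        goto Cleanup;

    // Initialize an EXPLICIT_ACCESS structure for an ACE.
    // The ACE will allow the Administrators group full access to the key.
    ea[1].grfAccessPermissions = KEY_ALL_ACCESS;
    ea[1].grfAccessMode = SET_ACCESS;
    ea[1].grfInheritance = NO_INHERITANCE;
    ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
    ea[1].Trustee.ptstrName = (LPTSTR)pAdminSID;

    // Create a new ACL that contains the new ACEs.
    // SetEntriesInAcl reports failure through its return value, so that is
    // the code printed here rather than GetLastError().
    dwRes = SetEntriesInAcl(2, ea, NULL, &pACL);
    ok(dwRes == ERROR_SUCCESS, "SetEntriesInAcl Error %lu\n", dwRes);
    if (dwRes != ERROR_SUCCESS)
        goto Cleanup;

    // Initialize a security descriptor.
    pSD = LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
    ok(pSD != NULL, "LocalAlloc Error %ld\n", GetLastError());
    if (pSD == NULL)
        goto Cleanup;

    bRes = InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
    ok(bRes != FALSE, "InitializeSecurityDescriptor Error %ld\n", GetLastError());
    if (!bRes)
        goto Cleanup;

    // Add the ACL to the security descriptor.
    bRes = SetSecurityDescriptorDacl(pSD,
                                     TRUE,   // bDaclPresent flag
                                     pACL,
                                     FALSE); // not a default DACL
    ok(bRes != FALSE, "SetSecurityDescriptorDacl Error %ld\n", GetLastError());
    if (!bRes)
        goto Cleanup;

    // Initialize a security attributes structure.
    // NOTE(review): nLength is 0, whereas the Microsoft sample this is based
    // on sets it to sizeof(SECURITY_ATTRIBUTES). Presumably deliberate, so the
    // test shows RegCreateKeyExW does not validate nLength -- confirm.
    sa.nLength = 0;
    sa.lpSecurityDescriptor = pSD;
    sa.bInheritHandle = FALSE;

    // Use the security attributes to set the security descriptor
    // when you create a key.
    lRes = RegCreateKeyExW(HKEY_CURRENT_USER, pszKeyName, 0, L"", 0,
                           KEY_READ | KEY_WRITE, &sa, &hkSub, &dwDisposition);
    ok(lRes == ERROR_SUCCESS, "RegCreateKeyExW returned '%ld', expected 0\n", lRes);

Cleanup:
    if (hkSub)
    {
        RegCloseKey(hkSub);

        // Remove the key only when this run created it, so a pre-existing
        // HKCU\mykey is never deleted. Leaving it behind would make the next
        // run open the existing key, where the descriptor passed in is not
        // applied. Best effort: the DACL above grants DELETE only to
        // Administrators, so the call can be denied for other callers.
        if (dwDisposition == REG_CREATED_NEW_KEY)
            RegDeleteKeyW(HKEY_CURRENT_USER, pszKeyName);
    }

    if (pEveryoneSID)
        FreeSid(pEveryoneSID);
    if (pAdminSID)
        FreeSid(pAdminSID);
    if (pACL)
        LocalFree(pACL);
    if (pSD)
        LocalFree(pSD);
}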