Need help with getting security descriptor for registry key using GetSecurityInfo(...)

Trevor Maggs

Sep 13, 2018, 5:05:48 AM
to Java Native Access
I am trying to work out how to read the security descriptor of a Windows registry key using the Advapi32.GetSecurityInfo() method. After invoking this method, I get the error message com.sun.jna.platform.win32.Win32Exception: Access is denied. Can anyone please tell me why I have got it wrong?

Below is the snippet.


       
    HKEYByReference phkKey = new HKEYByReference();
    PointerByReference ppsidOwner = new PointerByReference();
    PointerByReference ppsidGroup = new PointerByReference();
    PointerByReference ppDacl = new PointerByReference();
    PointerByReference ppSacl = new PointerByReference();
    PointerByReference ppSecurityDescriptor = new PointerByReference();

    String keypath = "SYSTEM\\CurrentControlSet\\Control\\Lsa";

    int rc = Advapi32.INSTANCE.RegOpenKeyEx(WinReg.HKEY_LOCAL_MACHINE, keypath, 0, WinNT.KEY_READ, phkKey);

    if (rc == W32Errors.ERROR_SUCCESS)
    {
        try
        {
            int infoType = WinNT.SACL_SECURITY_INFORMATION;

            rc = Advapi32.INSTANCE.GetSecurityInfo(phkKey.getValue(), SE_OBJECT_TYPE.SE_REGISTRY_KEY, infoType, ppsidOwner, ppsidGroup, ppDacl, ppSacl, ppSecurityDescriptor);

            if (rc != W32Errors.ERROR_SUCCESS && rc != W32Errors.ERROR_INSUFFICIENT_BUFFER)
            {
                // CAPTURED ERROR HERE IS ERROR_ACCESS_DENIED <== WHY?
                throw new Win32Exception(rc);
            }

            System.out.println(ppSecurityDescriptor.getValue());
        }
        finally
        {
            rc = Advapi32.INSTANCE.RegCloseKey(phkKey.getValue());

            if (rc != W32Errors.ERROR_SUCCESS)
            {
                throw new Win32Exception(rc);
            }

            Kernel32Util.freeLocalMemory(ppSecurityDescriptor.getValue());
        }
    }
    else
    {
        throw new Win32Exception(rc);
    }


Also, can someone please show me some examples or point to a good site to show how to extract and read detailed information from ppSecurityDescriptor.getValue()?

Matthias Bläsing

Sep 13, 2018, 6:37:58 AM
to jna-...@googlegroups.com
Hi Trevor,

please have a look at the MSDN documentation:

To read the SACL from the security descriptor, the calling process
must have been granted ACCESS_SYSTEM_SECURITY access when the handle
was opened. The proper way to get this access is to enable the
SE_SECURITY_NAME privilege in the caller's current token, open the
handle for ACCESS_SYSTEM_SECURITY access, and then disable the
privilege. For information about the security implications of
enabling privileges, see Running with Special Privileges.

https://docs.microsoft.com/en-us/windows/desktop/api/aclapi/nf-aclapi-getsecurityinfo

HTH

Matthias
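
The sequence from the MSDN passage quoted above, written against JNA's platform bindings as an added example (not code from this thread or from the JNA project): enable SeSecurityPrivilege, open the key with ACCESS_SYSTEM_SECURITY, disable the privilege again, then request the SACL. The class name ReadRegistrySacl and the helper setSecurityPrivilege are made up for the illustration, and the code assumes an elevated process whose token holds the privilege.

```java
import com.sun.jna.Native;
import com.sun.jna.platform.win32.*;
import com.sun.jna.ptr.PointerByReference;

public class ReadRegistrySacl {
    // Hypothetical helper: switch SeSecurityPrivilege on or off in the process token.
    static void setSecurityPrivilege(boolean enable) {
        WinNT.HANDLEByReference token = new WinNT.HANDLEByReference();
        if (!Advapi32.INSTANCE.OpenProcessToken(Kernel32.INSTANCE.GetCurrentProcess(),
                WinNT.TOKEN_ADJUST_PRIVILEGES | WinNT.TOKEN_QUERY, token))
            throw new Win32Exception(Native.getLastError());
        try {
            WinNT.LUID luid = new WinNT.LUID();
            if (!Advapi32.INSTANCE.LookupPrivilegeValue(null, WinNT.SE_SECURITY_NAME, luid))
                throw new Win32Exception(Native.getLastError());
            WinNT.TOKEN_PRIVILEGES tp = new WinNT.TOKEN_PRIVILEGES(1);
            tp.Privileges[0] = new WinNT.LUID_AND_ATTRIBUTES(luid,
                    new WinDef.DWORD(enable ? WinNT.SE_PRIVILEGE_ENABLED : 0));
            boolean ok = Advapi32.INSTANCE.AdjustTokenPrivileges(token.getValue(), false, tp, 0, null, null);
            int err = Native.getLastError();
            // Success is reported even when the token lacks the privilege; check the last error too.
            if (!ok || err == WinError.ERROR_NOT_ALL_ASSIGNED) throw new Win32Exception(err);
        } finally {
            Kernel32.INSTANCE.CloseHandle(token.getValue());
        }
    }

    public static void main(String[] args) {
        WinReg.HKEYByReference hKey = new WinReg.HKEYByReference();
        int rc;
        setSecurityPrivilege(true);
        try { // the privilege is only needed while the handle is being opened
            rc = Advapi32.INSTANCE.RegOpenKeyEx(WinReg.HKEY_LOCAL_MACHINE,
                    "SYSTEM\\CurrentControlSet\\Control\\Lsa", 0,
                    WinNT.KEY_READ | WinNT.ACCESS_SYSTEM_SECURITY, hKey);
        } finally {
            setSecurityPrivilege(false);
        }
        if (rc != WinError.ERROR_SUCCESS) throw new Win32Exception(rc);
        PointerByReference sacl = new PointerByReference(), sd = new PointerByReference();
        try {
            rc = Advapi32.INSTANCE.GetSecurityInfo(hKey.getValue(), AccCtrl.SE_OBJECT_TYPE.SE_REGISTRY_KEY,
                    WinNT.SACL_SECURITY_INFORMATION, null, null, null, sacl, sd);
            if (rc != WinError.ERROR_SUCCESS) throw new Win32Exception(rc);
            System.out.println("SACL pointer: " + sacl.getValue()); // null when the key has no SACL
        } finally {
            Advapi32.INSTANCE.RegCloseKey(hKey.getValue());
            if (sd.getValue() != null) Kernel32Util.freeLocalMemory(sd.getValue());
        }
    }
}
```

Run without elevation, setSecurityPrivilege(true) throws on ERROR_NOT_ALL_ASSIGNED, so the failure shows up at the privilege step rather than as a later "Access is denied" from the registry call.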

Trevor Maggs

Sep 13, 2018, 7:19:17 AM
to Java Native Access
Hi Matthias,

Thanks for the reference. 

Are you saying the same example can be found in the testGetSetSecurityInfoForFileWithSACL() method in https://github.com/java-native-access/jna/blob/master/contrib/platform/test/com/sun/jna/platform/win32/Advapi32Test.java?

Regards,

Trevor

Matthias Bläsing

Sep 13, 2018, 1:57:44 PM
to jna-...@googlegroups.com
Hi Trevor,

On Thursday, 13.09.2018, 04:19 -0700, Trevor Maggs wrote:
>
> Are you saying the same example can be found in the
> testGetSetSecurityInfoForFileWithSACL() method in
> https://github.com/java-native-access/jna/blob/master/contrib/platform/test/com/sun/jna/platform/win32/Advapi32Test.java?

I have no experience in that code, so it would be speculation, but it
looks correct (I see privilege adjustment).

Greetings

Matthias

Trevor Maggs

Sep 16, 2018, 5:57:58 AM
to Java Native Access
Greetings Matthias,

No worries. I will figure out how to make it work. Assuming the code with the example privilege code works for me, do you know how to extract information from the returned pointer to ppSecurityDescriptor?


    typedef struct _SECURITY_DESCRIPTOR {
        BYTE                        Revision;
        BYTE                        Sbz1;
        SECURITY_DESCRIPTOR_CONTROL Control;
        PSID                        Owner;
        PSID                        Group;
        PACL                        Sacl;
        PACL                        Dacl;
    } SECURITY_DESCRIPTOR, *PISECURITY_DESCRIPTOR;
             

It seems complex because of these last 4 pointers with variable sizes? If you know there are example codes elsewhere to help me get some ideas, could you please point to them if possible? It would be appreciated. Thank you.

Cheers.

Trevor

Matthias Bläsing

Sep 16, 2018, 3:25:44 PM
to jna-...@googlegroups.com
Hi Trevor,

On Sunday, 16.09.2018, 02:57 -0700, Trevor Maggs wrote:
> Assuming the code with
> the example privilege code works for me, do you know how to extract
> information from the returned pointer to ppSecurityDescriptor?

As general advice: when dealing with the Win32 API, use the MSDN
(Microsoft Docs). In this case:

https://docs.microsoft.com/en-us/windows/desktop/api/winnt/ns-winnt-_security_descriptor

You can deal with the structure directly, but it is not bound in JNA
and the docs say:

Because the internal format of a security descriptor can vary, we
recommend that applications not modify the SECURITY_DESCRIPTOR
structure directly. For creating and manipulating a security
descriptor, use the functions listed in See Also.

I just had a quick look, but at least parts of these are already bound.

Greetings

Matthias

Trevor Maggs

Sep 28, 2018, 5:34:30 AM
to Java Native Access
Hi Matthias,

Thanks for your response the other day. I was trying to work on getting information from the Security Descriptor from Windows as simply as possible. Unfortunately, it is not that simple since several C++ native functions are involved to reach the information I want.

I have decided it would be much easier if I created a simple DLL file where all the work is done natively in C++ first and then dump all the relevant information in an array of C struct(s). Once all the information is in place in the DLL, I would then call JNA to fetch the information from that C array. Would it work?

For example, I am thinking of creating the following C code:

    typedef struct
    {
        TCHAR* Owner;
        TCHAR* Name;
        BYTE   AceType;
        BYTE   AceFlags;
        DWORD  AceMask;
    } VALUEACE;

    int n = 4;
    VALUEACE *jnaStruct = new VALUEACE[n];

Then assign values (whatever) to each item in the array.


The above code is just an example I am hoping to create for JNA to read.

My question: is it possible to obtain an array of struct(s) in JNA and then iterate through it in Java easily? Do you have any suggestions, or can you point to some example code that might help me get to the solution?

Thanks in advance.

Trevor

Matthias Bläsing

Sep 30, 2018, 11:32:25 AM
to jna-...@googlegroups.com
Hi Trevor,

On Friday, 28.09.2018, 02:34 -0700, Trevor Maggs wrote:
>
> Thanks for your response the other day. I was trying to work on
> getting information from the Security Descriptor from Windows as
> simple as possible. Unfortunately, it is not that simple since
> several C++ native functions are involved to reach the information I
> want.
>

You want to have a deeper look at the unit tests in Advapi32Test. These
demonstrate accessing the DACL and SACLs. Attached to this email you
find a sample, that opens the key (HKEY_CURRENT_USER/Demo) and outputs
the ACLs. I added auditing to that key to get a good sample. The
output:

----------- DACL ---------------
S-1-5-21-3178902164-3053647283-518304804-1001: true
S-1-5-18: true
S-1-5-32-544: true
S-1-5-12: true
----------- SACL ---------------
2 - -62 - 20
S-1-1-0

The ACEs of the DACL are expected to be ACCESS_ALLOWED_ACE. The ACEs of
the SACL can be any type, only ACEs of type SYSTEM_AUDIT_ACE are
decoded.

>
> [Plan: create native library to extract ACL information]
>
> int n = 4;
> VALUEACE *jnaStruct = new VALUEACE[n];
>
> Then assign values (whatever) to each item in the array.
>
>
> The above code is just an example I am hoping to create for JNA to
> read.
>
> My question, is it possible to obtain an array of struct(s) in JNA
> and then iterate through it in Java easily? Do you have any
> suggestion or just point to some example codes that might help me to
> get the solution?


https://java-native-access.github.io/jna/4.5.2/javadoc/com/sun/jna/Structure.html#toArray-int-


But I would not go down that road - from my POV it looks as if
everything you need is already bound.

Greetings

Matthias

TestAccessRegistrySACL.java

Trevor Maggs

Oct 3, 2018, 5:08:24 PM
to Java Native Access
Many thanks Matthias for your input ideas. I will test and improve to meet my coding requirement. I will let you know if I have more questions to ask regarding this interface.

Greetings,

Trevor