Windows Access Control List (ACL) Example 25

 

 

 

 

 

Searching for a SID in an Access Token Program Example 2

 

The following program example is another working sample which is a smaller than the previous one. Notice the functions used in this program and compared to the previous program example.

Create a new empty Win32 console application project. Give a suitable project name and change the project location if needed.

 

Searching for a SID in an Access Token Program Example 2: Creating new VC++ project - Win32 console mode application

 

Then, add the source file and give it a suitable name.

 

Searching for a SID in an Access Token Program Example 2: Adding C++ source file to the existing project

 

Next, add the following source code.

 

#include <windows.h>

#include <stdio.h>

 

/*

This routine returns TRUE if the caller's process is a member of the

Administrators local group. Caller is NOT expected

to be impersonating anyone and is expected to be able

to open its own process and process token.

 

Arguments: None.

Return Value:

   TRUE - Caller has Administrators local group.

   FALSE - Caller does not have Administrators local group.

*/

BOOL IsUserAdminGrp(void)

{

      BOOL check = FALSE;

      SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;

      PSID AdministratorsGroup;

     

      check = AllocateAndInitializeSid(

            &NtAuthority,

            2,

            SECURITY_BUILTIN_DOMAIN_RID,

            DOMAIN_ALIAS_RID_ADMINS,

            0, 0, 0, 0, 0, 0,

            &AdministratorsGroup);

     

      // if TRUE

      if(check)

      {

            wprintf(L"SID was allocated and initialized...\n");

            // Determines whether a specified security identifier (SID) is enabled in an access token.

            if(!CheckTokenMembership(

                  NULL, // uses the impersonation token of the calling thread.

                              // If the thread is not impersonating, the function duplicates

                              // the thread's primary token to create an impersonation token

                  AdministratorsGroup,    // Pointer to a SID structure

                  &check                              // Result of the SID

                  ))

            {

                  wprintf(L"CheckTokenMembership() failed, error %u\n", GetLastError());

            }

            else

            {

                  wprintf(L"CheckTokenMembership() is OK!\n");

                  // If the SID (the 2nd parameter) is present and has the SE_GROUP_ENABLED attribute,

                  // check (3rd parameter) returns TRUE; otherwise, it returns FALSE.

                  if(check == TRUE)

                        wprintf(L"Yes, you are an Administrators group!\n");

                  else

                        wprintf(L"No, you are not an Administrators group!\n");

            }

            FreeSid(AdministratorsGroup);

      }

      else

            wprintf(L"AllocateAndInitializeSid() failed, error %u\n", GetLastError());

     

      return(check);

}

 

int wmain(int argc, WCHAR **argv)

{

       BOOL bRetVal = IsUserAdminGrp();

      

         if(!bRetVal)

               wprintf(L"IsUserAdminGrp() failed, error %u\n", GetLastError());

         else

               wprintf(L"IsUserAdminGrp() is OK!\n");

 

       return 0;

}

 

Build and run the project. The following screenshot is a sample output.

 

Searching for a SID in an Access Token Program Example 2: Sample console output with the SID checking

 

 

 

 

< Windows ACL Example 24 | Windows Access Control List (ACL) Main | Win32 Programming | Windows ACL Example 26 >