public void AccountLSAResetAll()
{
try {
Console.WriteLine("# remove lsa policies from user: "******"AccountLSAResetAll('" + AccountName + "') failed.", err);
if (InstallMode == InstallMode.Install)
{
throw err;
}
else
{
DisplayError(err);
}
}
}
/// <summary>
/// Delete LSA private data.
/// </summary>
/// <param name="system_name">The system containing the LSA instance.</param>
/// <param name="keyname">The name of the key.</param>
/// <param name="throw_on_error">True to throw on error.</param>
/// <returns>The NT status code.</returns>
public static NtStatus LsaDeletePrivateData(string system_name, string keyname, bool throw_on_error)
{
using (var policy = LsaPolicy.Open(system_name, LsaPolicyAccessRights.MaximumAllowed, throw_on_error))
{
if (!policy.IsSuccess)
{
return(policy.Status);
}
return(policy.Result.StorePrivateData(keyname, null, throw_on_error));
}
}
public static NtResult <SidName> LookupInternetName(Sid sid, bool throw_on_error)
{
using (var policy = LsaPolicy.Open(LsaPolicyAccessRights.LookupNames, throw_on_error))
{
if (!policy.IsSuccess)
{
return(policy.Cast <SidName>());
}
return(policy.Result.LookupSids2(new Sid[] { sid }, LsaLookupOptionFlags.PreferInternetNames, throw_on_error).Map(e => e.First()));
}
}
protected override void ProcessRecord()
{
using (var policy = new LsaPolicy(this.ComputerName, LsaPolicyAccessMask.ViewLocalInformation))
{
var policyInfo = new LsaPolicyInformation()
{
DnsDomain = policy.QueryDnsDomainInformation(),
Domain = policy.QueryAccountDomainInformation(),
LocalDomain = policy.QueryLocalAccountDomainInformation(),
MachineAccountSid = policy.QueryMachineAccountInformation()
};
this.WriteObject(policyInfo);
}
}
public void LsaPolicy_QueryLocalAccountDomainInformation()
{
try
{
using (var policy = new LsaPolicy(LsaPolicyAccessMask.ViewLocalInformation))
{
var result = policy.QueryLocalAccountDomainInformation();
}
}
catch (UnauthorizedAccessException e)
{
// This is expected.
throw new AssertInconclusiveException("LSA-related tests require admin rights.", e);
}
}
public void LsaPolicy_LsaRetrievePrivateData_NonExisting()
{
try
{
using (var policy = new LsaPolicy(LsaPolicyAccessMask.GetPrivateInformation))
{
policy.RetrievePrivateData("bflmpsvz");
}
}
catch (UnauthorizedAccessException e)
{
// This is expected.
throw new AssertInconclusiveException("LSA-related tests require admin rights.", e);
}
}
protected override void ProcessRecord()
{
using (var policy = new LsaPolicy(this.ComputerName, LsaPolicyAccessMask.ViewLocalInformation | LsaPolicyAccessMask.TrustAdmin))
{
var newInfo = new LsaDnsDomainInformation()
{
DnsDomainName = this.DnsDomainName,
DnsForestName = this.DnsForestName,
Guid = this.DomainGuid,
Name = this.DomainName,
Sid = this.DomainSid
};
policy.SetDnsDomainInformation(newInfo);
}
}
/// <summary>
/// Retrieve LSA private data.
/// </summary>
/// <param name="system_name">The system containing the LSA instance.</param>
/// <param name="keyname">The name of the key.</param>
/// <param name="throw_on_error">True to throw on error.</param>
/// <returns>The private data as bytes.</returns>
public static NtResult <byte[]> LsaRetrievePrivateData(string system_name, string keyname, bool throw_on_error)
{
if (keyname is null)
{
throw new ArgumentNullException(nameof(keyname));
}
using (var policy = LsaPolicy.Open(system_name, Policy.LsaPolicyAccessRights.GetPrivateInformation, throw_on_error))
{
if (!policy.IsSuccess)
{
return(policy.Cast <byte[]>());
}
return(policy.Result.RetrievePrivateData(keyname, throw_on_error));
}
}
public bool IsUserHasLogonAsServicePrivilege(string domain, string userName)
{
Trace.Entering();
ArgUtil.NotNullOrEmpty(userName, nameof(userName));
bool userHasPermission = false;
using (LsaPolicy lsaPolicy = new LsaPolicy())
{
IntPtr rightsPtr;
uint count;
uint result = LsaEnumerateAccountRights(lsaPolicy.Handle, GetSidBinaryFromWindows(domain, userName), out rightsPtr, out count);
try
{
if (result == 0)
{
IntPtr incrementPtr = rightsPtr;
for (int i = 0; i < count; i++)
{
LSA_UNICODE_STRING nativeRightString = Marshal.PtrToStructure <LSA_UNICODE_STRING>(incrementPtr);
string rightString = Marshal.PtrToStringUni(nativeRightString.Buffer);
Trace.Verbose($"Account {userName} has '{rightString}' right.");
if (string.Equals(rightString, s_logonAsServiceName, StringComparison.OrdinalIgnoreCase))
{
userHasPermission = true;
}
incrementPtr += Marshal.SizeOf(nativeRightString);
}
}
else
{
Trace.Error($"Can't enumerate account rights, return code {result}.");
}
}
finally
{
result = LsaFreeMemory(rightsPtr);
if (result != 0)
{
Trace.Error(StringUtil.Format("Failed to free memory from LsaEnumerateAccountRights. Return code : {0} ", result));
}
}
}
return(userHasPermission);
}
/// <summary>
/// Store LSA private data.
/// </summary>
/// <param name="system_name">The system containing the LSA instance.</param>
/// <param name="keyname">The name of the key.</param>
/// <param name="data">The data to store.</param>
/// <param name="throw_on_error">True to throw on error.</param>
/// <returns>The NT status code.</returns>
public static NtStatus LsaStorePrivateData(string system_name, string keyname, byte[] data, bool throw_on_error)
{
if (data is null)
{
throw new ArgumentNullException(nameof(data));
}
using (var policy = LsaPolicy.Open(system_name, LsaPolicyAccessRights.CreateSecret, throw_on_error))
{
if (!policy.IsSuccess)
{
return(policy.Status);
}
return(policy.Result.StorePrivateData(keyname, data, throw_on_error));
}
}
public bool GrantUserLogonAsServicePrivilage(string domain, string userName)
{
Trace.Entering();
ArgUtil.NotNullOrEmpty(userName, nameof(userName));
using (LsaPolicy lsaPolicy = new LsaPolicy())
{
// STATUS_SUCCESS == 0
uint result = LsaAddAccountRights(lsaPolicy.Handle, GetSidBinaryFromWindows(domain, userName), LogonAsServiceRights, 1);
if (result == 0)
{
Trace.Info($"Successfully grant logon as service privilage to account '{userName}'");
return(true);
}
else
{
Trace.Info($"Fail to grant logon as service privilage to account '{userName}', error code {result}.");
return(false);
}
}
}
public void LsaPolicy_SetDnsDomainInformation()
{
try
{
using (var policy = new LsaPolicy(LsaPolicyAccessMask.ViewLocalInformation | LsaPolicyAccessMask.TrustAdmin))
{
// Retrieve domain info
var info = policy.QueryDnsDomainInformation();
// Now try to set it to the same value.
// BE CAREFUL WHEN TESTING THIS!!!
policy.SetDnsDomainInformation(info);
}
}
catch (UnauthorizedAccessException e)
{
// This is expected.
throw new AssertInconclusiveException("LSA-related tests require admin rights.", e);
}
}
public void AccountLSASetServiceLogonRigh()
{
try {
Console.WriteLine("# Set lsa policies SeServiceLogonRight on user: "******"SeServiceLogonRight");
}
catch (Exception err) {
err = new InstallerException("AccountLSASetServiceLogonRigh('" + AccountName + "') failed.", err);
if (InstallMode == InstallMode.Install)
{
throw err;
}
else
{
DisplayError(err);
}
}
}
public bool CheckUserHasLogonAsServicePrivilege(string domain, string userName)
{
Trace.Entering();
ArgUtil.NotNullOrEmpty(userName, nameof(userName));
bool userHasPermission = false;
using (LsaPolicy lsaPolicy = new LsaPolicy())
{
IntPtr rightsPtr;
uint count;
uint result = LsaEnumerateAccountRights(lsaPolicy.Handle, GetSidBinaryFromWindows(domain, userName), out rightsPtr, out count);
try
{
if (result == 0)
{
IntPtr incrementPtr = rightsPtr;
for (int i = 0; i < count; i++)
{
LSA_UNICODE_STRING nativeRightString = Marshal.PtrToStructure<LSA_UNICODE_STRING>(incrementPtr);
string rightString = Marshal.PtrToStringAnsi(nativeRightString.Buffer);
if (string.Equals(rightString, s_logonAsServiceName, StringComparison.OrdinalIgnoreCase))
{
userHasPermission = true;
}
incrementPtr += Marshal.SizeOf(nativeRightString);
}
}
}
finally
{
result = LsaFreeMemory(rightsPtr);
if (result != 0)
{
Trace.Error(StringUtil.Format("Failed to free memory from LsaEnumerateAccountRights. Return code : {0} ", result));
}
}
}
return userHasPermission;
}
