unsafe bool HasTcbPrivilege()
{
if (!PInvoke.LookupPrivilegeValue(null, "SeTcbPrivilege", out var tcbPrivilege))
{
return(false);
}
if (!PInvoke.OpenProcessToken(PInvoke.GetCurrentProcess(), Native.TOKEN_QUERY, out var processToken))
{
return(false);
}
try
{
var privilegeSet = new PRIVILEGE_SET()
{
PrivilegeCount = 1,
};
privilegeSet.Privilege[0].Luid = tcbPrivilege;
if (!PInvoke.PrivilegeCheck(new CloseHandleSafeHandle(processToken), ref privilegeSet, out var checkResult) || checkResult == 0)
{
return(false);
}
return(true);
}
finally
{
PInvoke.CloseHandle(new HANDLE(processToken));
}
}
/// <summary>
/// Checks if the given privilege is enabled. This does not tell you whether or not it
/// is possible to get a privilege- most held privileges are not enabled by default.
/// </summary>
public static bool IsPrivilegeEnabled(SafeTokenHandle token, Privileges privilege)
{
LUID luid = LookupPrivilegeValue(privilege.ToString());
var luidAttributes = new LUID_AND_ATTRIBUTES
{
Luid = luid,
Attributes = (uint)PrivilegeAttributes.SE_PRIVILEGE_ENABLED
};
var set = new PRIVILEGE_SET
{
Control = PRIVILEGE_SET_ALL_NECESSARY,
PrivilegeCount = 1,
Privilege = new[] { luidAttributes }
};
bool result;
if (!Direct.PrivilegeCheck(token, ref set, out result))
{
throw ErrorHelper.GetIoExceptionForLastError(privilege.ToString());
}
return(result);
}
/// <summary>
/// Checks if the given privilege is enabled. This does not tell you whether or not it
/// is possible to get a privilege- most held privileges are not enabled by default.
/// </summary>
internal static bool IsPrivilegeEnabled(SafeCloseHandle token, Privileges privilege)
{
LUID luid = LookupPrivilegeValue(privilege.ToString());
var luidAttributes = new LUID_AND_ATTRIBUTES
{
Luid = luid,
Attributes = SE_PRIVILEGE_ENABLED
};
var set = new PRIVILEGE_SET
{
Control = PRIVILEGE_SET_ALL_NECESSARY,
PrivilegeCount = 1,
Privilege = new[] { luidAttributes }
};
bool result;
if (!Private.PrivilegeCheck(token, ref set, out result))
{
int error = Marshal.GetLastWin32Error();
throw GetIoExceptionForError(error, privilege.ToString());
}
return(result);
}
// Now I will create functions that use the above definitions, so we can use them directly from PowerShell :P
public static bool IsPrivilegeEnabled(string Privilege)
{
bool ret;
LUID luid = new LUID();
IntPtr hProcess = GetCurrentProcess();
IntPtr hToken;
if (hProcess == IntPtr.Zero)
{
return(false);
}
if (!OpenProcessToken(hProcess, TOKEN_QUERY, out hToken))
{
return(false);
}
if (!LookupPrivilegeValue(null, Privilege, out luid))
{
return(false);
}
PRIVILEGE_SET privs = new PRIVILEGE_SET {
Privilege = new LUID_AND_ATTRIBUTES[1], Control = PRIVILEGE_SET.PRIVILEGE_SET_ALL_NECESSARY, PrivilegeCount = 1
};
privs.Privilege[0].Luid = luid;
privs.Privilege[0].Attributes = LUID_AND_ATTRIBUTES.SE_PRIVILEGE_ENABLED;
if (!PrivilegeCheck(hToken, ref privs, out ret))
{
return(false);
}
return(ret);
}
internal static extern bool AccessCheck(
SecurityDescriptor securityDescriptor,
IntPtr clientToken,
int desiredAccess,
GENERIC_MAPPING genericMapping,
PRIVILEGE_SET privilegeSet,
ref int privilegeSetLength,
out int grandtedAccess,
[MarshalAs(UnmanagedType.Bool)] out bool accessStatus);
internal static extern bool AccessCheck(
[In] byte[] securityDescriptor,
[In] SafeCloseHandle clientToken,
[In] int desiredAccess,
[In] GENERIC_MAPPING genericMapping,
out PRIVILEGE_SET privilegeSet,
[In, Out] ref uint privilegeSetLength,
out uint grantedAccess,
out bool accessStatus);
public static extern bool AccessCheck
(
IntPtr pSecurityDescriptor,
IntPtr ClientToken,
uint DesiredAccess,
ref GENERIC_MAPPING GenericMapping,
ref PRIVILEGE_SET PrivilegeSet,
ref int PrivilegeSetLength,
out uint GrantedAccess,
out bool AccessStatus
);
public static FileSystemRights GetEffectivePermissions(
WindowsIdentity clientIdentity,
FileSecurity securityDescriptor)
{
bool isAccessAllowed = false;
byte[] binaryForm = securityDescriptor.GetSecurityDescriptorBinaryForm();
SafeCloseHandle newToken = null;
SafeCloseHandle token = new SafeCloseHandle(clientIdentity.Token, false);
try
{
if (IsPrimaryToken(token) &&
!DuplicateTokenEx(
token,
TokenAccessLevels.Query,
IntPtr.Zero,
SecurityImpersonationLevel.Identification,
TokenType.TokenImpersonation,
out newToken))
{
int err = Marshal.GetLastWin32Error();
CloseInvalidOutSafeHandle(newToken);
throw new Win32Exception(err, "DuplicateTokenExFailed");
}
GENERIC_MAPPING genericMapping = new GENERIC_MAPPING();
PRIVILEGE_SET structPrivilegeSet = new PRIVILEGE_SET();
uint privilegeSetLength = (uint)Marshal.SizeOf(structPrivilegeSet);
uint grantedAccess = 0;
if (!AccessCheck(
binaryForm,
newToken ?? token,
0x2000000,
genericMapping,
out structPrivilegeSet,
ref privilegeSetLength,
out grantedAccess,
out isAccessAllowed))
{
throw new Win32Exception(Marshal.GetLastWin32Error(), "AccessCheckFailed");
}
return((FileSystemRights)grantedAccess);
}
finally
{
if (newToken != null)
{
newToken.Dispose();
}
}
}
public void AccessCheckByTypeResultListTest()
{
using (var pSD = AdvApi32Tests.GetSD(AdvApi32Tests.fn, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION | SECURITY_INFORMATION.OWNER_SECURITY_INFORMATION | SECURITY_INFORMATION.GROUP_SECURITY_INFORMATION))
using (var hTok = SafeHTOKEN.FromProcess(GetCurrentProcess(), TokenAccess.TOKEN_IMPERSONATE | TokenAccess.TOKEN_DUPLICATE | TokenAccess.TOKEN_READ).Duplicate(SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
{
var ps = PRIVILEGE_SET.InitializeWithCapacity(100);
var psSz = ps.SizeInBytes;
var gm = GENERIC_MAPPING.GenericFileMapping;
ACCESS_MASK accessMask = ACCESS_MASK.GENERIC_READ;
MapGenericMask(ref accessMask, gm);
var otl = new[] { new OBJECT_TYPE_LIST(ObjectTypeListLevel.ACCESS_OBJECT_GUID) };
var access = new uint[otl.Length];
var status = new uint[otl.Length];
Assert.That(AccessCheckByTypeResultList(pSD, default, hTok, accessMask, otl, (uint)otl.Length, gm, ps, ref psSz, access, status), ResultIs.Successful);
public void AccessCheckTest()
{
using (var pSD = GetSD(fn, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION | SECURITY_INFORMATION.OWNER_SECURITY_INFORMATION | SECURITY_INFORMATION.GROUP_SECURITY_INFORMATION))
using (var hTok = SafeHTOKEN.FromProcess(GetCurrentProcess(), TokenAccess.TOKEN_IMPERSONATE | TokenAccess.TOKEN_DUPLICATE | TokenAccess.TOKEN_READ).Duplicate(SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
{
var ps = PRIVILEGE_SET.InitializeWithCapacity(10);
var psSz = ps.SizeInBytes;
var gm = GENERIC_MAPPING.GenericFileMapping;
var accessMask = (uint)Kernel32.FileAccess.GENERIC_READ;
MapGenericMask(ref accessMask, gm);
var b = AccessCheck(pSD, hTok, accessMask, gm, ref ps, ref psSz, out var access, out var status);
if (!b)
{
TestContext.WriteLine($"AccessCheck failed: {Win32Error.GetLastError()}");
}
Assert.That(b, Is.True);
TestContext.WriteLine($"Access={(Kernel32.FileAccess)access}; Status={status}");
}
}
private static int CheckSeDebugPrivilege(out bool isDebugEnabled)
{
isDebugEnabled = false;
if (!OpenProcessToken(GetCurrentProcess(), 0x8 /*TOKEN_QUERY*/, out IntPtr tokenHandle))
{
return(Marshal.GetLastWin32Error());
}
LUID luidDebugPrivilege = default;
if (!LookupPrivilegeValue(null, "SeDebugPrivilege", ref luidDebugPrivilege))
{
return(Marshal.GetLastWin32Error());
}
PRIVILEGE_SET requiredPrivileges = new PRIVILEGE_SET
{
PrivilegeCount = 1,
Control = 1 /* PRIVILEGE_SET_ALL_NECESSARY */,
Privilege = new LUID_AND_ATTRIBUTES[1],
};
requiredPrivileges.Privilege[0].Luid = luidDebugPrivilege;
requiredPrivileges.Privilege[0].Attributes = 2 /* SE_PRIVILEGE_ENABLED */;
if (!PrivilegeCheck(tokenHandle, ref requiredPrivileges, out bool bResult))
{
return(Marshal.GetLastWin32Error());
}
// bResult == true => SeDebugPrivilege is on; otherwise it's off
isDebugEnabled = bResult;
CloseHandle(tokenHandle);
return(0);
}
/// <summary>
/// Checks if the given privilege is enabled. This does not tell you whether or not it
/// is possible to get a privilege- most held privileges are not enabled by default.
/// </summary>
public unsafe static bool IsPrivilegeEnabled(AccessToken token, Privilege privilege)
{
LUID luid = LookupPrivilegeValue(privilege);
var luidAttributes = new LUID_AND_ATTRIBUTES {
Luid = luid
};
var set = new PRIVILEGE_SET
{
Control = PRIVILEGE_SET_ALL_NECESSARY,
PrivilegeCount = 1,
Privilege = new LUID_AND_ATTRIBUTES {
Luid = luid
}
};
if (!Imports.PrivilegeCheck(token, &set, out BOOL result))
{
throw Errors.GetIoExceptionForLastError(privilege.ToString());
}
return(result);
}
public static extern bool ObjectPrivilegeAuditAlarmA([In][MarshalAs(UnmanagedType.LPStr)] string SubsystemName, [In] IntPtr HandleId, [In] IntPtr ClientToken, uint DesiredAccess, [In] ref PRIVILEGE_SET Privileges, [MarshalAs(UnmanagedType.Bool)] bool AccessGranted);
FileAttributes dwFileAttributes); // _In_ DWORD
/// <summary>
/// Enable the privilege specified by the privilegeName. If the specified privilege is already enabled, return true
/// with the oldPrivilegeState.PrivilegeCount set to 0. Otherwise, enable the specified privilege, and the old privilege
/// state will be saved in oldPrivilegeState.
/// </summary>
/// <param name="privilegeName"></param>
/// <param name="oldPrivilegeState"></param>
/// <returns></returns>
internal static bool EnableTokenPrivilege(string privilegeName, ref TOKEN_PRIVILEGE oldPrivilegeState)
{
bool success = false;
TOKEN_PRIVILEGE newPrivilegeState = new TOKEN_PRIVILEGE();
// Check if the caller has the specified privilege or not
if (LookupPrivilegeValue(null, privilegeName, ref newPrivilegeState.Privilege.Luid))
{
// Get the pseudo handler of the current process
IntPtr processHandler = GetCurrentProcess();
if (processHandler != IntPtr.Zero)
{
// Get the handler of the current process's access token
IntPtr tokenHandler = IntPtr.Zero;
if (OpenProcessToken(processHandler, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out tokenHandler))
{
// Check if the specified privilege is already enabled
PRIVILEGE_SET requiredPrivilege = new PRIVILEGE_SET();
requiredPrivilege.Privilege.Luid = newPrivilegeState.Privilege.Luid;
requiredPrivilege.PrivilegeCount = 1;
// PRIVILEGE_SET_ALL_NECESSARY is defined as 1
requiredPrivilege.Control = 1;
bool privilegeEnabled = false;
if (PrivilegeCheck(tokenHandler, ref requiredPrivilege, out privilegeEnabled) && privilegeEnabled)
{
// The specified privilege is already enabled
oldPrivilegeState.PrivilegeCount = 0;
success = true;
}
else
{
// The specified privilege is not enabled yet. Enable it.
newPrivilegeState.PrivilegeCount = 1;
newPrivilegeState.Privilege.Attributes = SE_PRIVILEGE_ENABLED;
int bufferSize = ClrFacade.SizeOf<TOKEN_PRIVILEGE>();
int returnSize = 0;
// enable the specified privilege
if (AdjustTokenPrivileges(tokenHandler, false, ref newPrivilegeState, bufferSize, out oldPrivilegeState, ref returnSize))
{
// AdjustTokenPrivileges returns true does not mean all specified privileges have been successfully enabled
int retCode = Marshal.GetLastWin32Error();
if (retCode == ERROR_SUCCESS)
{
success = true;
}
else if (retCode == 1300)
{
// 1300 - Not all privileges referenced are assigned to the caller. This means the specified privilege is not
// assigned to the current user. For example, suppose the role of current caller is "User", then privilege "SeRemoteShutdownPrivilege"
// is not assigned to the role. In this case, we just return true and leave the call to "Win32Shutdown" to decide
// whether the permission is granted or not.
// Set oldPrivilegeState.PrivilegeCount to 0 to avoid the privilege restore later (PrivilegeCount - how many privileges are modified)
oldPrivilegeState.PrivilegeCount = 0;
success = true;
}
}
}
}
// Close the token handler and the process handler
if (tokenHandler != IntPtr.Zero)
{
CloseHandle(tokenHandler);
}
CloseHandle(processHandler);
}
}
return success;
}
////////////////////////////////////////////////////////////////////////////////
// Prints the tokens privileges // Taken from NetSPI's TokenVader project
////////////////////////////////////////////////////////////////////////////////
public static void EnumerateTokenPrivileges()
{
IntPtr hToken = IntPtr.Zero;
OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, ref hToken);
UInt32 TokenInfLength;
GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out TokenInfLength);
if (TokenInfLength < 0 || TokenInfLength > Int32.MaxValue)
{
GetWin32Error("GetTokenInformation - 1 " + TokenInfLength);
return;
}
IntPtr lpTokenInformation = Marshal.AllocHGlobal((Int32)TokenInfLength);
////////////////////////////////////////////////////////////////////////////////
if (!GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenPrivileges, lpTokenInformation, TokenInfLength, out TokenInfLength))
{
GetWin32Error("GetTokenInformation - 2 " + TokenInfLength);
return;
}
TOKEN_PRIVILEGES_ARRAY tokenPrivileges = (TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(lpTokenInformation, typeof(TOKEN_PRIVILEGES_ARRAY));
Marshal.FreeHGlobal(lpTokenInformation);
Console.WriteLine("[*] Enumerated {0} Privileges", tokenPrivileges.PrivilegeCount);
Console.WriteLine();
Console.WriteLine("{0,-45}{1,-30}", "Privilege Name", "Enabled");
Console.WriteLine("{0,-45}{1,-30}", "==============", "=======");
////////////////////////////////////////////////////////////////////////////////
for (Int32 i = 0; i < tokenPrivileges.PrivilegeCount; i++)
{
StringBuilder lpName = new StringBuilder();
Int32 cchName = 0;
IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(tokenPrivileges.Privileges[i]));
Marshal.StructureToPtr(tokenPrivileges.Privileges[i].Luid, lpLuid, true);
LookupPrivilegeName(null, lpLuid, null, ref cchName);
if (cchName <= 0 || cchName > Int32.MaxValue)
{
GetWin32Error("LookupPrivilegeName Pass 1");
Marshal.FreeHGlobal(lpLuid);
continue;
}
lpName.EnsureCapacity(cchName + 1);
if (!LookupPrivilegeName(null, lpLuid, lpName, ref cchName))
{
GetWin32Error("LookupPrivilegeName Pass 2");
Marshal.FreeHGlobal(lpLuid);
continue;
}
PRIVILEGE_SET privilegeSet = new PRIVILEGE_SET
{
PrivilegeCount = 1,
Control = PRIVILEGE_SET_ALL_NECESSARY,
Privilege = new LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] }
};
Int32 pfResult = 0;
if (!PrivilegeCheck(hToken, ref privilegeSet, out pfResult))
{
GetWin32Error("PrivilegeCheck");
Marshal.FreeHGlobal(lpLuid);
continue;
}
Console.WriteLine("{0,-45}{1,-30}", lpName.ToString(), Convert.ToBoolean(pfResult));
Marshal.FreeHGlobal(lpLuid);
}
Console.WriteLine();
}
public static extern Boolean PrivilegeCheck(IntPtr ClientToken, ref PRIVILEGE_SET RequiredPrivileges, out Int32 pfResult);
internal static extern bool PrivilegeCheck(
SafeCloseHandle ClientToken,
ref PRIVILEGE_SET RequiredPrivileges,
[MarshalAs(UnmanagedType.Bool)] out bool pfResult);
/// <summary>
/// To check if path can be accessed or not
/// </summary>
/// <param name="path">string value - the patch whose access is being checked</param>
/// <returns>true if alllowed else false</returns>
public static bool AccessAllowed(string path)
{
bool accessAllowed = false;
int lastError;
IntPtr fileSD = IntPtr.Zero;
IntPtr token = IntPtr.Zero;
try
{
// Get the size of the security descriptor for the directory.
int sdLength = 0;
if (!GetFileSecurity(path, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, fileSD, 0, out sdLength))
{
lastError = Marshal.GetLastWin32Error();
if (lastError != ERROR_INSUFFICIENT_BUFFER)
{
return(accessAllowed);
}
fileSD = Marshal.AllocHGlobal(sdLength);
// Get the security descriptor for the directory.
if (!GetFileSecurity(path, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, fileSD, sdLength, out sdLength))
{
lastError = Marshal.GetLastWin32Error();
return(accessAllowed);
}
// We will check to see if the user has read/write access.
GENERIC_MAPPING genericMapping = new GENERIC_MAPPING();
PRIVILEGE_SET privSet = new PRIVILEGE_SET();
uint grantedAccess = 0;
genericMapping.GenericRead = 0x01;
genericMapping.GenericWrite = 0x02;
genericMapping.GenericExecute = 0;
genericMapping.GenericAll = 0x03;
uint desiredAccess = 3;
privSet.Control = 0;
privSet.PrivilegeCount = 0;
int privLen = Marshal.SizeOf(privSet);
// Impersonate the current user.
if (!ImpersonateSelf(SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
{
lastError = Marshal.GetLastWin32Error();
return(accessAllowed);
}
try
{
// Get the users token.
if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, true, ref token))
{
lastError = Marshal.GetLastWin32Error();
return(accessAllowed);
}
// Check the access for this user.
if (!AccessCheck(fileSD, token, desiredAccess, ref genericMapping, ref privSet, ref privLen, ref grantedAccess, ref accessAllowed))
{
lastError = Marshal.GetLastWin32Error();
}
}
finally
{
RevertToSelf();
}
}
}
finally
{
if (fileSD != IntPtr.Zero)
{
Marshal.FreeHGlobal(fileSD);
}
if (!token.Equals(IntPtr.Zero))
{
CloseHandle(token);
token = IntPtr.Zero;
}
}
return(accessAllowed);
}
public static extern bool PrivilegedServiceAuditAlarmW([In][MarshalAs(UnmanagedType.LPWStr)] string SubsystemName, [In][MarshalAs(UnmanagedType.LPWStr)] string ServiceName, [In] IntPtr ClientToken, [In] ref PRIVILEGE_SET Privileges, [MarshalAs(UnmanagedType.Bool)] bool AccessGranted);
FileAttributes dwFileAttributes); // _In_ DWORD
/// <summary>
/// Enable the privilege specified by the privilegeName. If the specified privilege is already enabled, return true
/// with the oldPrivilegeState.PrivilegeCount set to 0. Otherwise, enable the specified privilege, and the old privilege
/// state will be saved in oldPrivilegeState.
/// </summary>
/// <param name="privilegeName"></param>
/// <param name="oldPrivilegeState"></param>
/// <returns></returns>
internal static bool EnableTokenPrivilege(string privilegeName, ref TOKEN_PRIVILEGE oldPrivilegeState)
{
bool success = false;
TOKEN_PRIVILEGE newPrivilegeState = new TOKEN_PRIVILEGE();
// Check if the caller has the specified privilege or not
if (LookupPrivilegeValue(null, privilegeName, ref newPrivilegeState.Privilege.Luid))
{
// Get the pseudo handler of the current process
IntPtr processHandler = GetCurrentProcess();
if (processHandler != IntPtr.Zero)
{
// Get the handler of the current process's access token
IntPtr tokenHandler = IntPtr.Zero;
if (OpenProcessToken(processHandler, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out tokenHandler))
{
// Check if the specified privilege is already enabled
PRIVILEGE_SET requiredPrivilege = new PRIVILEGE_SET();
requiredPrivilege.Privilege.Luid = newPrivilegeState.Privilege.Luid;
requiredPrivilege.PrivilegeCount = 1;
// PRIVILEGE_SET_ALL_NECESSARY is defined as 1
requiredPrivilege.Control = 1;
bool privilegeEnabled = false;
if (PrivilegeCheck(tokenHandler, ref requiredPrivilege, out privilegeEnabled) && privilegeEnabled)
{
// The specified privilege is already enabled
oldPrivilegeState.PrivilegeCount = 0;
success = true;
}
else
{
// The specified privilege is not enabled yet. Enable it.
newPrivilegeState.PrivilegeCount = 1;
newPrivilegeState.Privilege.Attributes = SE_PRIVILEGE_ENABLED;
int bufferSize = ClrFacade.SizeOf <TOKEN_PRIVILEGE>();
int returnSize = 0;
// enable the specified privilege
if (AdjustTokenPrivileges(tokenHandler, false, ref newPrivilegeState, bufferSize, out oldPrivilegeState, ref returnSize))
{
// AdjustTokenPrivileges returns true does not mean all specified privileges have been successfully enabled
int retCode = Marshal.GetLastWin32Error();
if (retCode == ERROR_SUCCESS)
{
success = true;
}
else if (retCode == 1300)
{
// 1300 - Not all privileges referenced are assigned to the caller. This means the specified privilege is not
// assigned to the current user. For example, suppose the role of current caller is "User", then privilege "SeRemoteShutdownPrivilege"
// is not assigned to the role. In this case, we just return true and leave the call to "Win32Shutdown" to decide
// whether the permission is granted or not.
// Set oldPrivilegeState.PrivilegeCount to 0 to avoid the privilege restore later (PrivilegeCount - how many privileges are modified)
oldPrivilegeState.PrivilegeCount = 0;
success = true;
}
}
}
}
// Close the token handler and the process handler
if (tokenHandler != IntPtr.Zero)
{
CloseHandle(tokenHandler);
}
CloseHandle(processHandler);
}
}
return(success);
}
public static extern bool PrivilegeCheck(IntPtr ClientToken, ref PRIVILEGE_SET RequiredPrivileges, ref bool pfResult);
public static bool AccessAllowed(string path)
{
bool accessAllowed = false;
int lastError;
IntPtr fileSD = IntPtr.Zero;
IntPtr token = IntPtr.Zero;
try
{
int sdLength = 0;
if (!GetFileSecurity(path, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, fileSD, 0, out sdLength))
{
lastError = Marshal.GetLastWin32Error();
if (lastError != ERROR_INSUFFICIENT_BUFFER)
{
return accessAllowed;
}
fileSD = Marshal.AllocHGlobal(sdLength);
if (!GetFileSecurity(path, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, fileSD, sdLength, out sdLength))
{
lastError = Marshal.GetLastWin32Error();
return accessAllowed;
}
GENERIC_MAPPING genericMapping = new GENERIC_MAPPING();
PRIVILEGE_SET privSet = new PRIVILEGE_SET();
uint grantedAccess = 0;
genericMapping.GenericRead = 0x01;
genericMapping.GenericWrite = 0x02;
genericMapping.GenericExecute = 0;
genericMapping.GenericAll = 0x03;
uint desiredAccess = 3;
privSet.Control = 0;
privSet.PrivilegeCount = 0;
int privLen = Marshal.SizeOf(privSet);
if (!ImpersonateSelf(SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
{
lastError = Marshal.GetLastWin32Error();
return accessAllowed;
}
try
{
if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, true, ref token))
{
lastError = Marshal.GetLastWin32Error();
return accessAllowed;
}
if (!AccessCheck(fileSD, token, desiredAccess, ref genericMapping, ref privSet, ref privLen, ref grantedAccess, ref accessAllowed))
{
lastError = Marshal.GetLastWin32Error();
}
}
finally
{
RevertToSelf();
}
}
}
finally
{
if (fileSD != IntPtr.Zero)
{
Marshal.FreeHGlobal(fileSD);
}
if (!token.Equals(IntPtr.Zero))
{
CloseHandle(token);
token = IntPtr.Zero;
}
}
return accessAllowed;
}
static extern bool AccessCheck(IntPtr pSecurityDescriptor, IntPtr ClientToken, uint DesiredAccess, ref GENERIC_MAPPING GenericMapping, ref PRIVILEGE_SET PrivilegeSet, ref int PrivilegeSetLength, ref uint GrantedAccess, ref bool AccessStatus);
public static extern bool PrivilegeCheck(IntPtr ClientToken, ref PRIVILEGE_SET RequiredPrivileges, ref bool pfResult);
/// <summary>
/// Checks if the given privilege is enabled. This does not tell you whether or not it
/// is possible to get a privilege- most held privileges are not enabled by default.
/// </summary>
internal static bool IsPrivilegeEnabled(SafeCloseHandle token, Privileges privilege)
{
LUID luid = LookupPrivilegeValue(privilege.ToString());
var luidAttributes = new LUID_AND_ATTRIBUTES
{
Luid = luid,
Attributes = SE_PRIVILEGE_ENABLED
};
var set = new PRIVILEGE_SET
{
Control = PRIVILEGE_SET_ALL_NECESSARY,
PrivilegeCount = 1,
Privilege = new[] { luidAttributes }
};
bool result;
if (!Private.PrivilegeCheck(token, ref set, out result))
{
int error = Marshal.GetLastWin32Error();
throw GetIoExceptionForError(error, privilege.ToString());
}
return result;
}
private static extern bool PrivilegeCheck(IntPtr clientToken, ref PRIVILEGE_SET requiredPrivileges, out bool pfResult);
internal static extern bool PrivilegeCheck(IntPtr tokenHandler, ref PRIVILEGE_SET requiredPrivileges, out bool pfResult);
internal static extern bool PrivilegeCheck(
SafeCloseHandle ClientToken,
ref PRIVILEGE_SET RequiredPrivileges,
[MarshalAs(UnmanagedType.Bool)] out bool pfResult);
internal static extern bool PrivilegeCheck(IntPtr tokenHandler, ref PRIVILEGE_SET requiredPrivileges, out bool pfResult);
public static extern bool PrivilegeCheck([In] IntPtr ClientToken, ref PRIVILEGE_SET RequiredPrivileges, [Out] out int pfResult);