zorldo

Goofing around with Ebiten
git clone git://bsandro.tech/zorldo
Log | Files | Refs | README

security_windows.go (53493B)


      1 // Copyright 2012 The Go Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style
      3 // license that can be found in the LICENSE file.
      4 
      5 package windows
      6 
      7 import (
      8 	"syscall"
      9 	"unsafe"
     10 
     11 	"golang.org/x/sys/internal/unsafeheader"
     12 )
     13 
     14 const (
     15 	NameUnknown          = 0
     16 	NameFullyQualifiedDN = 1
     17 	NameSamCompatible    = 2
     18 	NameDisplay          = 3
     19 	NameUniqueId         = 6
     20 	NameCanonical        = 7
     21 	NameUserPrincipal    = 8
     22 	NameCanonicalEx      = 9
     23 	NameServicePrincipal = 10
     24 	NameDnsDomain        = 12
     25 )
     26 
     27 // This function returns 1 byte BOOLEAN rather than the 4 byte BOOL.
     28 // http://blogs.msdn.com/b/drnick/archive/2007/12/19/windows-and-upn-format-credentials.aspx
     29 //sys	TranslateName(accName *uint16, accNameFormat uint32, desiredNameFormat uint32, translatedName *uint16, nSize *uint32) (err error) [failretval&0xff==0] = secur32.TranslateNameW
     30 //sys	GetUserNameEx(nameFormat uint32, nameBuffre *uint16, nSize *uint32) (err error) [failretval&0xff==0] = secur32.GetUserNameExW
     31 
     32 // TranslateAccountName converts a directory service
     33 // object name from one format to another.
     34 func TranslateAccountName(username string, from, to uint32, initSize int) (string, error) {
     35 	u, e := UTF16PtrFromString(username)
     36 	if e != nil {
     37 		return "", e
     38 	}
     39 	n := uint32(50)
     40 	for {
     41 		b := make([]uint16, n)
     42 		e = TranslateName(u, from, to, &b[0], &n)
     43 		if e == nil {
     44 			return UTF16ToString(b[:n]), nil
     45 		}
     46 		if e != ERROR_INSUFFICIENT_BUFFER {
     47 			return "", e
     48 		}
     49 		if n <= uint32(len(b)) {
     50 			return "", e
     51 		}
     52 	}
     53 }
     54 
     55 const (
     56 	// do not reorder
     57 	NetSetupUnknownStatus = iota
     58 	NetSetupUnjoined
     59 	NetSetupWorkgroupName
     60 	NetSetupDomainName
     61 )
     62 
     63 type UserInfo10 struct {
     64 	Name       *uint16
     65 	Comment    *uint16
     66 	UsrComment *uint16
     67 	FullName   *uint16
     68 }
     69 
     70 //sys	NetUserGetInfo(serverName *uint16, userName *uint16, level uint32, buf **byte) (neterr error) = netapi32.NetUserGetInfo
     71 //sys	NetGetJoinInformation(server *uint16, name **uint16, bufType *uint32) (neterr error) = netapi32.NetGetJoinInformation
     72 //sys	NetApiBufferFree(buf *byte) (neterr error) = netapi32.NetApiBufferFree
     73 
     74 const (
     75 	// do not reorder
     76 	SidTypeUser = 1 + iota
     77 	SidTypeGroup
     78 	SidTypeDomain
     79 	SidTypeAlias
     80 	SidTypeWellKnownGroup
     81 	SidTypeDeletedAccount
     82 	SidTypeInvalid
     83 	SidTypeUnknown
     84 	SidTypeComputer
     85 	SidTypeLabel
     86 )
     87 
     88 type SidIdentifierAuthority struct {
     89 	Value [6]byte
     90 }
     91 
     92 var (
     93 	SECURITY_NULL_SID_AUTHORITY        = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 0}}
     94 	SECURITY_WORLD_SID_AUTHORITY       = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 1}}
     95 	SECURITY_LOCAL_SID_AUTHORITY       = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 2}}
     96 	SECURITY_CREATOR_SID_AUTHORITY     = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 3}}
     97 	SECURITY_NON_UNIQUE_AUTHORITY      = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 4}}
     98 	SECURITY_NT_AUTHORITY              = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 5}}
     99 	SECURITY_MANDATORY_LABEL_AUTHORITY = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 16}}
    100 )
    101 
    102 const (
    103 	SECURITY_NULL_RID                   = 0
    104 	SECURITY_WORLD_RID                  = 0
    105 	SECURITY_LOCAL_RID                  = 0
    106 	SECURITY_CREATOR_OWNER_RID          = 0
    107 	SECURITY_CREATOR_GROUP_RID          = 1
    108 	SECURITY_DIALUP_RID                 = 1
    109 	SECURITY_NETWORK_RID                = 2
    110 	SECURITY_BATCH_RID                  = 3
    111 	SECURITY_INTERACTIVE_RID            = 4
    112 	SECURITY_LOGON_IDS_RID              = 5
    113 	SECURITY_SERVICE_RID                = 6
    114 	SECURITY_LOCAL_SYSTEM_RID           = 18
    115 	SECURITY_BUILTIN_DOMAIN_RID         = 32
    116 	SECURITY_PRINCIPAL_SELF_RID         = 10
    117 	SECURITY_CREATOR_OWNER_SERVER_RID   = 0x2
    118 	SECURITY_CREATOR_GROUP_SERVER_RID   = 0x3
    119 	SECURITY_LOGON_IDS_RID_COUNT        = 0x3
    120 	SECURITY_ANONYMOUS_LOGON_RID        = 0x7
    121 	SECURITY_PROXY_RID                  = 0x8
    122 	SECURITY_ENTERPRISE_CONTROLLERS_RID = 0x9
    123 	SECURITY_SERVER_LOGON_RID           = SECURITY_ENTERPRISE_CONTROLLERS_RID
    124 	SECURITY_AUTHENTICATED_USER_RID     = 0xb
    125 	SECURITY_RESTRICTED_CODE_RID        = 0xc
    126 	SECURITY_NT_NON_UNIQUE_RID          = 0x15
    127 )
    128 
    129 // Predefined domain-relative RIDs for local groups.
    130 // See https://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx
    131 const (
    132 	DOMAIN_ALIAS_RID_ADMINS                         = 0x220
    133 	DOMAIN_ALIAS_RID_USERS                          = 0x221
    134 	DOMAIN_ALIAS_RID_GUESTS                         = 0x222
    135 	DOMAIN_ALIAS_RID_POWER_USERS                    = 0x223
    136 	DOMAIN_ALIAS_RID_ACCOUNT_OPS                    = 0x224
    137 	DOMAIN_ALIAS_RID_SYSTEM_OPS                     = 0x225
    138 	DOMAIN_ALIAS_RID_PRINT_OPS                      = 0x226
    139 	DOMAIN_ALIAS_RID_BACKUP_OPS                     = 0x227
    140 	DOMAIN_ALIAS_RID_REPLICATOR                     = 0x228
    141 	DOMAIN_ALIAS_RID_RAS_SERVERS                    = 0x229
    142 	DOMAIN_ALIAS_RID_PREW2KCOMPACCESS               = 0x22a
    143 	DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS           = 0x22b
    144 	DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS      = 0x22c
    145 	DOMAIN_ALIAS_RID_INCOMING_FOREST_TRUST_BUILDERS = 0x22d
    146 	DOMAIN_ALIAS_RID_MONITORING_USERS               = 0x22e
    147 	DOMAIN_ALIAS_RID_LOGGING_USERS                  = 0x22f
    148 	DOMAIN_ALIAS_RID_AUTHORIZATIONACCESS            = 0x230
    149 	DOMAIN_ALIAS_RID_TS_LICENSE_SERVERS             = 0x231
    150 	DOMAIN_ALIAS_RID_DCOM_USERS                     = 0x232
    151 	DOMAIN_ALIAS_RID_IUSERS                         = 0x238
    152 	DOMAIN_ALIAS_RID_CRYPTO_OPERATORS               = 0x239
    153 	DOMAIN_ALIAS_RID_CACHEABLE_PRINCIPALS_GROUP     = 0x23b
    154 	DOMAIN_ALIAS_RID_NON_CACHEABLE_PRINCIPALS_GROUP = 0x23c
    155 	DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP        = 0x23d
    156 	DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP      = 0x23e
    157 )
    158 
    159 //sys	LookupAccountSid(systemName *uint16, sid *SID, name *uint16, nameLen *uint32, refdDomainName *uint16, refdDomainNameLen *uint32, use *uint32) (err error) = advapi32.LookupAccountSidW
    160 //sys	LookupAccountName(systemName *uint16, accountName *uint16, sid *SID, sidLen *uint32, refdDomainName *uint16, refdDomainNameLen *uint32, use *uint32) (err error) = advapi32.LookupAccountNameW
    161 //sys	ConvertSidToStringSid(sid *SID, stringSid **uint16) (err error) = advapi32.ConvertSidToStringSidW
    162 //sys	ConvertStringSidToSid(stringSid *uint16, sid **SID) (err error) = advapi32.ConvertStringSidToSidW
    163 //sys	GetLengthSid(sid *SID) (len uint32) = advapi32.GetLengthSid
    164 //sys	CopySid(destSidLen uint32, destSid *SID, srcSid *SID) (err error) = advapi32.CopySid
    165 //sys	AllocateAndInitializeSid(identAuth *SidIdentifierAuthority, subAuth byte, subAuth0 uint32, subAuth1 uint32, subAuth2 uint32, subAuth3 uint32, subAuth4 uint32, subAuth5 uint32, subAuth6 uint32, subAuth7 uint32, sid **SID) (err error) = advapi32.AllocateAndInitializeSid
    166 //sys	createWellKnownSid(sidType WELL_KNOWN_SID_TYPE, domainSid *SID, sid *SID, sizeSid *uint32) (err error) = advapi32.CreateWellKnownSid
    167 //sys	isWellKnownSid(sid *SID, sidType WELL_KNOWN_SID_TYPE) (isWellKnown bool) = advapi32.IsWellKnownSid
    168 //sys	FreeSid(sid *SID) (err error) [failretval!=0] = advapi32.FreeSid
    169 //sys	EqualSid(sid1 *SID, sid2 *SID) (isEqual bool) = advapi32.EqualSid
    170 //sys	getSidIdentifierAuthority(sid *SID) (authority *SidIdentifierAuthority) = advapi32.GetSidIdentifierAuthority
    171 //sys	getSidSubAuthorityCount(sid *SID) (count *uint8) = advapi32.GetSidSubAuthorityCount
    172 //sys	getSidSubAuthority(sid *SID, index uint32) (subAuthority *uint32) = advapi32.GetSidSubAuthority
    173 //sys	isValidSid(sid *SID) (isValid bool) = advapi32.IsValidSid
    174 
    175 // The security identifier (SID) structure is a variable-length
    176 // structure used to uniquely identify users or groups.
    177 type SID struct{}
    178 
    179 // StringToSid converts a string-format security identifier
    180 // SID into a valid, functional SID.
    181 func StringToSid(s string) (*SID, error) {
    182 	var sid *SID
    183 	p, e := UTF16PtrFromString(s)
    184 	if e != nil {
    185 		return nil, e
    186 	}
    187 	e = ConvertStringSidToSid(p, &sid)
    188 	if e != nil {
    189 		return nil, e
    190 	}
    191 	defer LocalFree((Handle)(unsafe.Pointer(sid)))
    192 	return sid.Copy()
    193 }
    194 
    195 // LookupSID retrieves a security identifier SID for the account
    196 // and the name of the domain on which the account was found.
    197 // System specify target computer to search.
    198 func LookupSID(system, account string) (sid *SID, domain string, accType uint32, err error) {
    199 	if len(account) == 0 {
    200 		return nil, "", 0, syscall.EINVAL
    201 	}
    202 	acc, e := UTF16PtrFromString(account)
    203 	if e != nil {
    204 		return nil, "", 0, e
    205 	}
    206 	var sys *uint16
    207 	if len(system) > 0 {
    208 		sys, e = UTF16PtrFromString(system)
    209 		if e != nil {
    210 			return nil, "", 0, e
    211 		}
    212 	}
    213 	n := uint32(50)
    214 	dn := uint32(50)
    215 	for {
    216 		b := make([]byte, n)
    217 		db := make([]uint16, dn)
    218 		sid = (*SID)(unsafe.Pointer(&b[0]))
    219 		e = LookupAccountName(sys, acc, sid, &n, &db[0], &dn, &accType)
    220 		if e == nil {
    221 			return sid, UTF16ToString(db), accType, nil
    222 		}
    223 		if e != ERROR_INSUFFICIENT_BUFFER {
    224 			return nil, "", 0, e
    225 		}
    226 		if n <= uint32(len(b)) {
    227 			return nil, "", 0, e
    228 		}
    229 	}
    230 }
    231 
    232 // String converts SID to a string format suitable for display, storage, or transmission.
    233 func (sid *SID) String() string {
    234 	var s *uint16
    235 	e := ConvertSidToStringSid(sid, &s)
    236 	if e != nil {
    237 		return ""
    238 	}
    239 	defer LocalFree((Handle)(unsafe.Pointer(s)))
    240 	return UTF16ToString((*[256]uint16)(unsafe.Pointer(s))[:])
    241 }
    242 
    243 // Len returns the length, in bytes, of a valid security identifier SID.
    244 func (sid *SID) Len() int {
    245 	return int(GetLengthSid(sid))
    246 }
    247 
    248 // Copy creates a duplicate of security identifier SID.
    249 func (sid *SID) Copy() (*SID, error) {
    250 	b := make([]byte, sid.Len())
    251 	sid2 := (*SID)(unsafe.Pointer(&b[0]))
    252 	e := CopySid(uint32(len(b)), sid2, sid)
    253 	if e != nil {
    254 		return nil, e
    255 	}
    256 	return sid2, nil
    257 }
    258 
    259 // IdentifierAuthority returns the identifier authority of the SID.
    260 func (sid *SID) IdentifierAuthority() SidIdentifierAuthority {
    261 	return *getSidIdentifierAuthority(sid)
    262 }
    263 
    264 // SubAuthorityCount returns the number of sub-authorities in the SID.
    265 func (sid *SID) SubAuthorityCount() uint8 {
    266 	return *getSidSubAuthorityCount(sid)
    267 }
    268 
    269 // SubAuthority returns the sub-authority of the SID as specified by
    270 // the index, which must be less than sid.SubAuthorityCount().
    271 func (sid *SID) SubAuthority(idx uint32) uint32 {
    272 	if idx >= uint32(sid.SubAuthorityCount()) {
    273 		panic("sub-authority index out of range")
    274 	}
    275 	return *getSidSubAuthority(sid, idx)
    276 }
    277 
    278 // IsValid returns whether the SID has a valid revision and length.
    279 func (sid *SID) IsValid() bool {
    280 	return isValidSid(sid)
    281 }
    282 
    283 // Equals compares two SIDs for equality.
    284 func (sid *SID) Equals(sid2 *SID) bool {
    285 	return EqualSid(sid, sid2)
    286 }
    287 
    288 // IsWellKnown determines whether the SID matches the well-known sidType.
    289 func (sid *SID) IsWellKnown(sidType WELL_KNOWN_SID_TYPE) bool {
    290 	return isWellKnownSid(sid, sidType)
    291 }
    292 
    293 // LookupAccount retrieves the name of the account for this SID
    294 // and the name of the first domain on which this SID is found.
    295 // System specify target computer to search for.
    296 func (sid *SID) LookupAccount(system string) (account, domain string, accType uint32, err error) {
    297 	var sys *uint16
    298 	if len(system) > 0 {
    299 		sys, err = UTF16PtrFromString(system)
    300 		if err != nil {
    301 			return "", "", 0, err
    302 		}
    303 	}
    304 	n := uint32(50)
    305 	dn := uint32(50)
    306 	for {
    307 		b := make([]uint16, n)
    308 		db := make([]uint16, dn)
    309 		e := LookupAccountSid(sys, sid, &b[0], &n, &db[0], &dn, &accType)
    310 		if e == nil {
    311 			return UTF16ToString(b), UTF16ToString(db), accType, nil
    312 		}
    313 		if e != ERROR_INSUFFICIENT_BUFFER {
    314 			return "", "", 0, e
    315 		}
    316 		if n <= uint32(len(b)) {
    317 			return "", "", 0, e
    318 		}
    319 	}
    320 }
    321 
    322 // Various types of pre-specified SIDs that can be synthesized and compared at runtime.
    323 type WELL_KNOWN_SID_TYPE uint32
    324 
    325 const (
    326 	WinNullSid                                    = 0
    327 	WinWorldSid                                   = 1
    328 	WinLocalSid                                   = 2
    329 	WinCreatorOwnerSid                            = 3
    330 	WinCreatorGroupSid                            = 4
    331 	WinCreatorOwnerServerSid                      = 5
    332 	WinCreatorGroupServerSid                      = 6
    333 	WinNtAuthoritySid                             = 7
    334 	WinDialupSid                                  = 8
    335 	WinNetworkSid                                 = 9
    336 	WinBatchSid                                   = 10
    337 	WinInteractiveSid                             = 11
    338 	WinServiceSid                                 = 12
    339 	WinAnonymousSid                               = 13
    340 	WinProxySid                                   = 14
    341 	WinEnterpriseControllersSid                   = 15
    342 	WinSelfSid                                    = 16
    343 	WinAuthenticatedUserSid                       = 17
    344 	WinRestrictedCodeSid                          = 18
    345 	WinTerminalServerSid                          = 19
    346 	WinRemoteLogonIdSid                           = 20
    347 	WinLogonIdsSid                                = 21
    348 	WinLocalSystemSid                             = 22
    349 	WinLocalServiceSid                            = 23
    350 	WinNetworkServiceSid                          = 24
    351 	WinBuiltinDomainSid                           = 25
    352 	WinBuiltinAdministratorsSid                   = 26
    353 	WinBuiltinUsersSid                            = 27
    354 	WinBuiltinGuestsSid                           = 28
    355 	WinBuiltinPowerUsersSid                       = 29
    356 	WinBuiltinAccountOperatorsSid                 = 30
    357 	WinBuiltinSystemOperatorsSid                  = 31
    358 	WinBuiltinPrintOperatorsSid                   = 32
    359 	WinBuiltinBackupOperatorsSid                  = 33
    360 	WinBuiltinReplicatorSid                       = 34
    361 	WinBuiltinPreWindows2000CompatibleAccessSid   = 35
    362 	WinBuiltinRemoteDesktopUsersSid               = 36
    363 	WinBuiltinNetworkConfigurationOperatorsSid    = 37
    364 	WinAccountAdministratorSid                    = 38
    365 	WinAccountGuestSid                            = 39
    366 	WinAccountKrbtgtSid                           = 40
    367 	WinAccountDomainAdminsSid                     = 41
    368 	WinAccountDomainUsersSid                      = 42
    369 	WinAccountDomainGuestsSid                     = 43
    370 	WinAccountComputersSid                        = 44
    371 	WinAccountControllersSid                      = 45
    372 	WinAccountCertAdminsSid                       = 46
    373 	WinAccountSchemaAdminsSid                     = 47
    374 	WinAccountEnterpriseAdminsSid                 = 48
    375 	WinAccountPolicyAdminsSid                     = 49
    376 	WinAccountRasAndIasServersSid                 = 50
    377 	WinNTLMAuthenticationSid                      = 51
    378 	WinDigestAuthenticationSid                    = 52
    379 	WinSChannelAuthenticationSid                  = 53
    380 	WinThisOrganizationSid                        = 54
    381 	WinOtherOrganizationSid                       = 55
    382 	WinBuiltinIncomingForestTrustBuildersSid      = 56
    383 	WinBuiltinPerfMonitoringUsersSid              = 57
    384 	WinBuiltinPerfLoggingUsersSid                 = 58
    385 	WinBuiltinAuthorizationAccessSid              = 59
    386 	WinBuiltinTerminalServerLicenseServersSid     = 60
    387 	WinBuiltinDCOMUsersSid                        = 61
    388 	WinBuiltinIUsersSid                           = 62
    389 	WinIUserSid                                   = 63
    390 	WinBuiltinCryptoOperatorsSid                  = 64
    391 	WinUntrustedLabelSid                          = 65
    392 	WinLowLabelSid                                = 66
    393 	WinMediumLabelSid                             = 67
    394 	WinHighLabelSid                               = 68
    395 	WinSystemLabelSid                             = 69
    396 	WinWriteRestrictedCodeSid                     = 70
    397 	WinCreatorOwnerRightsSid                      = 71
    398 	WinCacheablePrincipalsGroupSid                = 72
    399 	WinNonCacheablePrincipalsGroupSid             = 73
    400 	WinEnterpriseReadonlyControllersSid           = 74
    401 	WinAccountReadonlyControllersSid              = 75
    402 	WinBuiltinEventLogReadersGroup                = 76
    403 	WinNewEnterpriseReadonlyControllersSid        = 77
    404 	WinBuiltinCertSvcDComAccessGroup              = 78
    405 	WinMediumPlusLabelSid                         = 79
    406 	WinLocalLogonSid                              = 80
    407 	WinConsoleLogonSid                            = 81
    408 	WinThisOrganizationCertificateSid             = 82
    409 	WinApplicationPackageAuthoritySid             = 83
    410 	WinBuiltinAnyPackageSid                       = 84
    411 	WinCapabilityInternetClientSid                = 85
    412 	WinCapabilityInternetClientServerSid          = 86
    413 	WinCapabilityPrivateNetworkClientServerSid    = 87
    414 	WinCapabilityPicturesLibrarySid               = 88
    415 	WinCapabilityVideosLibrarySid                 = 89
    416 	WinCapabilityMusicLibrarySid                  = 90
    417 	WinCapabilityDocumentsLibrarySid              = 91
    418 	WinCapabilitySharedUserCertificatesSid        = 92
    419 	WinCapabilityEnterpriseAuthenticationSid      = 93
    420 	WinCapabilityRemovableStorageSid              = 94
    421 	WinBuiltinRDSRemoteAccessServersSid           = 95
    422 	WinBuiltinRDSEndpointServersSid               = 96
    423 	WinBuiltinRDSManagementServersSid             = 97
    424 	WinUserModeDriversSid                         = 98
    425 	WinBuiltinHyperVAdminsSid                     = 99
    426 	WinAccountCloneableControllersSid             = 100
    427 	WinBuiltinAccessControlAssistanceOperatorsSid = 101
    428 	WinBuiltinRemoteManagementUsersSid            = 102
    429 	WinAuthenticationAuthorityAssertedSid         = 103
    430 	WinAuthenticationServiceAssertedSid           = 104
    431 	WinLocalAccountSid                            = 105
    432 	WinLocalAccountAndAdministratorSid            = 106
    433 	WinAccountProtectedUsersSid                   = 107
    434 	WinCapabilityAppointmentsSid                  = 108
    435 	WinCapabilityContactsSid                      = 109
    436 	WinAccountDefaultSystemManagedSid             = 110
    437 	WinBuiltinDefaultSystemManagedGroupSid        = 111
    438 	WinBuiltinStorageReplicaAdminsSid             = 112
    439 	WinAccountKeyAdminsSid                        = 113
    440 	WinAccountEnterpriseKeyAdminsSid              = 114
    441 	WinAuthenticationKeyTrustSid                  = 115
    442 	WinAuthenticationKeyPropertyMFASid            = 116
    443 	WinAuthenticationKeyPropertyAttestationSid    = 117
    444 	WinAuthenticationFreshKeyAuthSid              = 118
    445 	WinBuiltinDeviceOwnersSid                     = 119
    446 )
    447 
    448 // Creates a SID for a well-known predefined alias, generally using the constants of the form
    449 // Win*Sid, for the local machine.
    450 func CreateWellKnownSid(sidType WELL_KNOWN_SID_TYPE) (*SID, error) {
    451 	return CreateWellKnownDomainSid(sidType, nil)
    452 }
    453 
    454 // Creates a SID for a well-known predefined alias, generally using the constants of the form
    455 // Win*Sid, for the domain specified by the domainSid parameter.
    456 func CreateWellKnownDomainSid(sidType WELL_KNOWN_SID_TYPE, domainSid *SID) (*SID, error) {
    457 	n := uint32(50)
    458 	for {
    459 		b := make([]byte, n)
    460 		sid := (*SID)(unsafe.Pointer(&b[0]))
    461 		err := createWellKnownSid(sidType, domainSid, sid, &n)
    462 		if err == nil {
    463 			return sid, nil
    464 		}
    465 		if err != ERROR_INSUFFICIENT_BUFFER {
    466 			return nil, err
    467 		}
    468 		if n <= uint32(len(b)) {
    469 			return nil, err
    470 		}
    471 	}
    472 }
    473 
    474 const (
    475 	// do not reorder
    476 	TOKEN_ASSIGN_PRIMARY = 1 << iota
    477 	TOKEN_DUPLICATE
    478 	TOKEN_IMPERSONATE
    479 	TOKEN_QUERY
    480 	TOKEN_QUERY_SOURCE
    481 	TOKEN_ADJUST_PRIVILEGES
    482 	TOKEN_ADJUST_GROUPS
    483 	TOKEN_ADJUST_DEFAULT
    484 	TOKEN_ADJUST_SESSIONID
    485 
    486 	TOKEN_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED |
    487 		TOKEN_ASSIGN_PRIMARY |
    488 		TOKEN_DUPLICATE |
    489 		TOKEN_IMPERSONATE |
    490 		TOKEN_QUERY |
    491 		TOKEN_QUERY_SOURCE |
    492 		TOKEN_ADJUST_PRIVILEGES |
    493 		TOKEN_ADJUST_GROUPS |
    494 		TOKEN_ADJUST_DEFAULT |
    495 		TOKEN_ADJUST_SESSIONID
    496 	TOKEN_READ  = STANDARD_RIGHTS_READ | TOKEN_QUERY
    497 	TOKEN_WRITE = STANDARD_RIGHTS_WRITE |
    498 		TOKEN_ADJUST_PRIVILEGES |
    499 		TOKEN_ADJUST_GROUPS |
    500 		TOKEN_ADJUST_DEFAULT
    501 	TOKEN_EXECUTE = STANDARD_RIGHTS_EXECUTE
    502 )
    503 
    504 const (
    505 	// do not reorder
    506 	TokenUser = 1 + iota
    507 	TokenGroups
    508 	TokenPrivileges
    509 	TokenOwner
    510 	TokenPrimaryGroup
    511 	TokenDefaultDacl
    512 	TokenSource
    513 	TokenType
    514 	TokenImpersonationLevel
    515 	TokenStatistics
    516 	TokenRestrictedSids
    517 	TokenSessionId
    518 	TokenGroupsAndPrivileges
    519 	TokenSessionReference
    520 	TokenSandBoxInert
    521 	TokenAuditPolicy
    522 	TokenOrigin
    523 	TokenElevationType
    524 	TokenLinkedToken
    525 	TokenElevation
    526 	TokenHasRestrictions
    527 	TokenAccessInformation
    528 	TokenVirtualizationAllowed
    529 	TokenVirtualizationEnabled
    530 	TokenIntegrityLevel
    531 	TokenUIAccess
    532 	TokenMandatoryPolicy
    533 	TokenLogonSid
    534 	MaxTokenInfoClass
    535 )
    536 
    537 // Group attributes inside of Tokengroups.Groups[i].Attributes
    538 const (
    539 	SE_GROUP_MANDATORY          = 0x00000001
    540 	SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002
    541 	SE_GROUP_ENABLED            = 0x00000004
    542 	SE_GROUP_OWNER              = 0x00000008
    543 	SE_GROUP_USE_FOR_DENY_ONLY  = 0x00000010
    544 	SE_GROUP_INTEGRITY          = 0x00000020
    545 	SE_GROUP_INTEGRITY_ENABLED  = 0x00000040
    546 	SE_GROUP_LOGON_ID           = 0xC0000000
    547 	SE_GROUP_RESOURCE           = 0x20000000
    548 	SE_GROUP_VALID_ATTRIBUTES   = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED | SE_GROUP_OWNER | SE_GROUP_USE_FOR_DENY_ONLY | SE_GROUP_LOGON_ID | SE_GROUP_RESOURCE | SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED
    549 )
    550 
    551 // Privilege attributes
    552 const (
    553 	SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001
    554 	SE_PRIVILEGE_ENABLED            = 0x00000002
    555 	SE_PRIVILEGE_REMOVED            = 0x00000004
    556 	SE_PRIVILEGE_USED_FOR_ACCESS    = 0x80000000
    557 	SE_PRIVILEGE_VALID_ATTRIBUTES   = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_REMOVED | SE_PRIVILEGE_USED_FOR_ACCESS
    558 )
    559 
    560 // Token types
    561 const (
    562 	TokenPrimary       = 1
    563 	TokenImpersonation = 2
    564 )
    565 
    566 // Impersonation levels
    567 const (
    568 	SecurityAnonymous      = 0
    569 	SecurityIdentification = 1
    570 	SecurityImpersonation  = 2
    571 	SecurityDelegation     = 3
    572 )
    573 
    574 type LUID struct {
    575 	LowPart  uint32
    576 	HighPart int32
    577 }
    578 
    579 type LUIDAndAttributes struct {
    580 	Luid       LUID
    581 	Attributes uint32
    582 }
    583 
    584 type SIDAndAttributes struct {
    585 	Sid        *SID
    586 	Attributes uint32
    587 }
    588 
    589 type Tokenuser struct {
    590 	User SIDAndAttributes
    591 }
    592 
    593 type Tokenprimarygroup struct {
    594 	PrimaryGroup *SID
    595 }
    596 
    597 type Tokengroups struct {
    598 	GroupCount uint32
    599 	Groups     [1]SIDAndAttributes // Use AllGroups() for iterating.
    600 }
    601 
    602 // AllGroups returns a slice that can be used to iterate over the groups in g.
    603 func (g *Tokengroups) AllGroups() []SIDAndAttributes {
    604 	return (*[(1 << 28) - 1]SIDAndAttributes)(unsafe.Pointer(&g.Groups[0]))[:g.GroupCount:g.GroupCount]
    605 }
    606 
    607 type Tokenprivileges struct {
    608 	PrivilegeCount uint32
    609 	Privileges     [1]LUIDAndAttributes // Use AllPrivileges() for iterating.
    610 }
    611 
    612 // AllPrivileges returns a slice that can be used to iterate over the privileges in p.
    613 func (p *Tokenprivileges) AllPrivileges() []LUIDAndAttributes {
    614 	return (*[(1 << 27) - 1]LUIDAndAttributes)(unsafe.Pointer(&p.Privileges[0]))[:p.PrivilegeCount:p.PrivilegeCount]
    615 }
    616 
    617 type Tokenmandatorylabel struct {
    618 	Label SIDAndAttributes
    619 }
    620 
    621 func (tml *Tokenmandatorylabel) Size() uint32 {
    622 	return uint32(unsafe.Sizeof(Tokenmandatorylabel{})) + GetLengthSid(tml.Label.Sid)
    623 }
    624 
    625 // Authorization Functions
    626 //sys	checkTokenMembership(tokenHandle Token, sidToCheck *SID, isMember *int32) (err error) = advapi32.CheckTokenMembership
    627 //sys	isTokenRestricted(tokenHandle Token) (ret bool, err error) [!failretval] = advapi32.IsTokenRestricted
    628 //sys	OpenProcessToken(process Handle, access uint32, token *Token) (err error) = advapi32.OpenProcessToken
    629 //sys	OpenThreadToken(thread Handle, access uint32, openAsSelf bool, token *Token) (err error) = advapi32.OpenThreadToken
    630 //sys	ImpersonateSelf(impersonationlevel uint32) (err error) = advapi32.ImpersonateSelf
    631 //sys	RevertToSelf() (err error) = advapi32.RevertToSelf
    632 //sys	SetThreadToken(thread *Handle, token Token) (err error) = advapi32.SetThreadToken
    633 //sys	LookupPrivilegeValue(systemname *uint16, name *uint16, luid *LUID) (err error) = advapi32.LookupPrivilegeValueW
    634 //sys	AdjustTokenPrivileges(token Token, disableAllPrivileges bool, newstate *Tokenprivileges, buflen uint32, prevstate *Tokenprivileges, returnlen *uint32) (err error) = advapi32.AdjustTokenPrivileges
    635 //sys	AdjustTokenGroups(token Token, resetToDefault bool, newstate *Tokengroups, buflen uint32, prevstate *Tokengroups, returnlen *uint32) (err error) = advapi32.AdjustTokenGroups
    636 //sys	GetTokenInformation(token Token, infoClass uint32, info *byte, infoLen uint32, returnedLen *uint32) (err error) = advapi32.GetTokenInformation
    637 //sys	SetTokenInformation(token Token, infoClass uint32, info *byte, infoLen uint32) (err error) = advapi32.SetTokenInformation
    638 //sys	DuplicateTokenEx(existingToken Token, desiredAccess uint32, tokenAttributes *SecurityAttributes, impersonationLevel uint32, tokenType uint32, newToken *Token) (err error) = advapi32.DuplicateTokenEx
    639 //sys	GetUserProfileDirectory(t Token, dir *uint16, dirLen *uint32) (err error) = userenv.GetUserProfileDirectoryW
    640 //sys	getSystemDirectory(dir *uint16, dirLen uint32) (len uint32, err error) = kernel32.GetSystemDirectoryW
    641 //sys	getWindowsDirectory(dir *uint16, dirLen uint32) (len uint32, err error) = kernel32.GetWindowsDirectoryW
    642 //sys	getSystemWindowsDirectory(dir *uint16, dirLen uint32) (len uint32, err error) = kernel32.GetSystemWindowsDirectoryW
    643 
    644 // An access token contains the security information for a logon session.
    645 // The system creates an access token when a user logs on, and every
    646 // process executed on behalf of the user has a copy of the token.
    647 // The token identifies the user, the user's groups, and the user's
    648 // privileges. The system uses the token to control access to securable
    649 // objects and to control the ability of the user to perform various
    650 // system-related operations on the local computer.
    651 type Token Handle
    652 
    653 // OpenCurrentProcessToken opens an access token associated with current
    654 // process with TOKEN_QUERY access. It is a real token that needs to be closed.
    655 //
    656 // Deprecated: Explicitly call OpenProcessToken(CurrentProcess(), ...)
    657 // with the desired access instead, or use GetCurrentProcessToken for a
    658 // TOKEN_QUERY token.
    659 func OpenCurrentProcessToken() (Token, error) {
    660 	var token Token
    661 	err := OpenProcessToken(CurrentProcess(), TOKEN_QUERY, &token)
    662 	return token, err
    663 }
    664 
    665 // GetCurrentProcessToken returns the access token associated with
    666 // the current process. It is a pseudo token that does not need
    667 // to be closed.
    668 func GetCurrentProcessToken() Token {
    669 	return Token(^uintptr(4 - 1))
    670 }
    671 
    672 // GetCurrentThreadToken return the access token associated with
    673 // the current thread. It is a pseudo token that does not need
    674 // to be closed.
    675 func GetCurrentThreadToken() Token {
    676 	return Token(^uintptr(5 - 1))
    677 }
    678 
    679 // GetCurrentThreadEffectiveToken returns the effective access token
    680 // associated with the current thread. It is a pseudo token that does
    681 // not need to be closed.
    682 func GetCurrentThreadEffectiveToken() Token {
    683 	return Token(^uintptr(6 - 1))
    684 }
    685 
    686 // Close releases access to access token.
    687 func (t Token) Close() error {
    688 	return CloseHandle(Handle(t))
    689 }
    690 
    691 // getInfo retrieves a specified type of information about an access token.
    692 func (t Token) getInfo(class uint32, initSize int) (unsafe.Pointer, error) {
    693 	n := uint32(initSize)
    694 	for {
    695 		b := make([]byte, n)
    696 		e := GetTokenInformation(t, class, &b[0], uint32(len(b)), &n)
    697 		if e == nil {
    698 			return unsafe.Pointer(&b[0]), nil
    699 		}
    700 		if e != ERROR_INSUFFICIENT_BUFFER {
    701 			return nil, e
    702 		}
    703 		if n <= uint32(len(b)) {
    704 			return nil, e
    705 		}
    706 	}
    707 }
    708 
    709 // GetTokenUser retrieves access token t user account information.
    710 func (t Token) GetTokenUser() (*Tokenuser, error) {
    711 	i, e := t.getInfo(TokenUser, 50)
    712 	if e != nil {
    713 		return nil, e
    714 	}
    715 	return (*Tokenuser)(i), nil
    716 }
    717 
    718 // GetTokenGroups retrieves group accounts associated with access token t.
    719 func (t Token) GetTokenGroups() (*Tokengroups, error) {
    720 	i, e := t.getInfo(TokenGroups, 50)
    721 	if e != nil {
    722 		return nil, e
    723 	}
    724 	return (*Tokengroups)(i), nil
    725 }
    726 
    727 // GetTokenPrimaryGroup retrieves access token t primary group information.
    728 // A pointer to a SID structure representing a group that will become
    729 // the primary group of any objects created by a process using this access token.
    730 func (t Token) GetTokenPrimaryGroup() (*Tokenprimarygroup, error) {
    731 	i, e := t.getInfo(TokenPrimaryGroup, 50)
    732 	if e != nil {
    733 		return nil, e
    734 	}
    735 	return (*Tokenprimarygroup)(i), nil
    736 }
    737 
    738 // GetUserProfileDirectory retrieves path to the
    739 // root directory of the access token t user's profile.
    740 func (t Token) GetUserProfileDirectory() (string, error) {
    741 	n := uint32(100)
    742 	for {
    743 		b := make([]uint16, n)
    744 		e := GetUserProfileDirectory(t, &b[0], &n)
    745 		if e == nil {
    746 			return UTF16ToString(b), nil
    747 		}
    748 		if e != ERROR_INSUFFICIENT_BUFFER {
    749 			return "", e
    750 		}
    751 		if n <= uint32(len(b)) {
    752 			return "", e
    753 		}
    754 	}
    755 }
    756 
    757 // IsElevated returns whether the current token is elevated from a UAC perspective.
    758 func (token Token) IsElevated() bool {
    759 	var isElevated uint32
    760 	var outLen uint32
    761 	err := GetTokenInformation(token, TokenElevation, (*byte)(unsafe.Pointer(&isElevated)), uint32(unsafe.Sizeof(isElevated)), &outLen)
    762 	if err != nil {
    763 		return false
    764 	}
    765 	return outLen == uint32(unsafe.Sizeof(isElevated)) && isElevated != 0
    766 }
    767 
    768 // GetLinkedToken returns the linked token, which may be an elevated UAC token.
    769 func (token Token) GetLinkedToken() (Token, error) {
    770 	var linkedToken Token
    771 	var outLen uint32
    772 	err := GetTokenInformation(token, TokenLinkedToken, (*byte)(unsafe.Pointer(&linkedToken)), uint32(unsafe.Sizeof(linkedToken)), &outLen)
    773 	if err != nil {
    774 		return Token(0), err
    775 	}
    776 	return linkedToken, nil
    777 }
    778 
    779 // GetSystemDirectory retrieves the path to current location of the system
    780 // directory, which is typically, though not always, `C:\Windows\System32`.
    781 func GetSystemDirectory() (string, error) {
    782 	n := uint32(MAX_PATH)
    783 	for {
    784 		b := make([]uint16, n)
    785 		l, e := getSystemDirectory(&b[0], n)
    786 		if e != nil {
    787 			return "", e
    788 		}
    789 		if l <= n {
    790 			return UTF16ToString(b[:l]), nil
    791 		}
    792 		n = l
    793 	}
    794 }
    795 
    796 // GetWindowsDirectory retrieves the path to current location of the Windows
    797 // directory, which is typically, though not always, `C:\Windows`. This may
    798 // be a private user directory in the case that the application is running
    799 // under a terminal server.
    800 func GetWindowsDirectory() (string, error) {
    801 	n := uint32(MAX_PATH)
    802 	for {
    803 		b := make([]uint16, n)
    804 		l, e := getWindowsDirectory(&b[0], n)
    805 		if e != nil {
    806 			return "", e
    807 		}
    808 		if l <= n {
    809 			return UTF16ToString(b[:l]), nil
    810 		}
    811 		n = l
    812 	}
    813 }
    814 
    815 // GetSystemWindowsDirectory retrieves the path to current location of the
    816 // Windows directory, which is typically, though not always, `C:\Windows`.
    817 func GetSystemWindowsDirectory() (string, error) {
    818 	n := uint32(MAX_PATH)
    819 	for {
    820 		b := make([]uint16, n)
    821 		l, e := getSystemWindowsDirectory(&b[0], n)
    822 		if e != nil {
    823 			return "", e
    824 		}
    825 		if l <= n {
    826 			return UTF16ToString(b[:l]), nil
    827 		}
    828 		n = l
    829 	}
    830 }
    831 
    832 // IsMember reports whether the access token t is a member of the provided SID.
    833 func (t Token) IsMember(sid *SID) (bool, error) {
    834 	var b int32
    835 	if e := checkTokenMembership(t, sid, &b); e != nil {
    836 		return false, e
    837 	}
    838 	return b != 0, nil
    839 }
    840 
    841 // IsRestricted reports whether the access token t is a restricted token.
    842 func (t Token) IsRestricted() (isRestricted bool, err error) {
    843 	isRestricted, err = isTokenRestricted(t)
    844 	if !isRestricted && err == syscall.EINVAL {
    845 		// If err is EINVAL, this returned ERROR_SUCCESS indicating a non-restricted token.
    846 		err = nil
    847 	}
    848 	return
    849 }
    850 
    851 const (
    852 	WTS_CONSOLE_CONNECT        = 0x1
    853 	WTS_CONSOLE_DISCONNECT     = 0x2
    854 	WTS_REMOTE_CONNECT         = 0x3
    855 	WTS_REMOTE_DISCONNECT      = 0x4
    856 	WTS_SESSION_LOGON          = 0x5
    857 	WTS_SESSION_LOGOFF         = 0x6
    858 	WTS_SESSION_LOCK           = 0x7
    859 	WTS_SESSION_UNLOCK         = 0x8
    860 	WTS_SESSION_REMOTE_CONTROL = 0x9
    861 	WTS_SESSION_CREATE         = 0xa
    862 	WTS_SESSION_TERMINATE      = 0xb
    863 )
    864 
    865 const (
    866 	WTSActive       = 0
    867 	WTSConnected    = 1
    868 	WTSConnectQuery = 2
    869 	WTSShadow       = 3
    870 	WTSDisconnected = 4
    871 	WTSIdle         = 5
    872 	WTSListen       = 6
    873 	WTSReset        = 7
    874 	WTSDown         = 8
    875 	WTSInit         = 9
    876 )
    877 
    878 type WTSSESSION_NOTIFICATION struct {
    879 	Size      uint32
    880 	SessionID uint32
    881 }
    882 
    883 type WTS_SESSION_INFO struct {
    884 	SessionID         uint32
    885 	WindowStationName *uint16
    886 	State             uint32
    887 }
    888 
    889 //sys WTSQueryUserToken(session uint32, token *Token) (err error) = wtsapi32.WTSQueryUserToken
    890 //sys WTSEnumerateSessions(handle Handle, reserved uint32, version uint32, sessions **WTS_SESSION_INFO, count *uint32) (err error) = wtsapi32.WTSEnumerateSessionsW
    891 //sys WTSFreeMemory(ptr uintptr) = wtsapi32.WTSFreeMemory
    892 //sys WTSGetActiveConsoleSessionId() (sessionID uint32)
    893 
    894 type ACL struct {
    895 	aclRevision byte
    896 	sbz1        byte
    897 	aclSize     uint16
    898 	aceCount    uint16
    899 	sbz2        uint16
    900 }
    901 
    902 type SECURITY_DESCRIPTOR struct {
    903 	revision byte
    904 	sbz1     byte
    905 	control  SECURITY_DESCRIPTOR_CONTROL
    906 	owner    *SID
    907 	group    *SID
    908 	sacl     *ACL
    909 	dacl     *ACL
    910 }
    911 
    912 type SECURITY_QUALITY_OF_SERVICE struct {
    913 	Length              uint32
    914 	ImpersonationLevel  uint32
    915 	ContextTrackingMode byte
    916 	EffectiveOnly       byte
    917 }
    918 
    919 // Constants for the ContextTrackingMode field of SECURITY_QUALITY_OF_SERVICE.
    920 const (
    921 	SECURITY_STATIC_TRACKING  = 0
    922 	SECURITY_DYNAMIC_TRACKING = 1
    923 )
    924 
    925 type SecurityAttributes struct {
    926 	Length             uint32
    927 	SecurityDescriptor *SECURITY_DESCRIPTOR
    928 	InheritHandle      uint32
    929 }
    930 
    931 type SE_OBJECT_TYPE uint32
    932 
    933 // Constants for type SE_OBJECT_TYPE
    934 const (
    935 	SE_UNKNOWN_OBJECT_TYPE     = 0
    936 	SE_FILE_OBJECT             = 1
    937 	SE_SERVICE                 = 2
    938 	SE_PRINTER                 = 3
    939 	SE_REGISTRY_KEY            = 4
    940 	SE_LMSHARE                 = 5
    941 	SE_KERNEL_OBJECT           = 6
    942 	SE_WINDOW_OBJECT           = 7
    943 	SE_DS_OBJECT               = 8
    944 	SE_DS_OBJECT_ALL           = 9
    945 	SE_PROVIDER_DEFINED_OBJECT = 10
    946 	SE_WMIGUID_OBJECT          = 11
    947 	SE_REGISTRY_WOW64_32KEY    = 12
    948 	SE_REGISTRY_WOW64_64KEY    = 13
    949 )
    950 
    951 type SECURITY_INFORMATION uint32
    952 
    953 // Constants for type SECURITY_INFORMATION
    954 const (
    955 	OWNER_SECURITY_INFORMATION            = 0x00000001
    956 	GROUP_SECURITY_INFORMATION            = 0x00000002
    957 	DACL_SECURITY_INFORMATION             = 0x00000004
    958 	SACL_SECURITY_INFORMATION             = 0x00000008
    959 	LABEL_SECURITY_INFORMATION            = 0x00000010
    960 	ATTRIBUTE_SECURITY_INFORMATION        = 0x00000020
    961 	SCOPE_SECURITY_INFORMATION            = 0x00000040
    962 	BACKUP_SECURITY_INFORMATION           = 0x00010000
    963 	PROTECTED_DACL_SECURITY_INFORMATION   = 0x80000000
    964 	PROTECTED_SACL_SECURITY_INFORMATION   = 0x40000000
    965 	UNPROTECTED_DACL_SECURITY_INFORMATION = 0x20000000
    966 	UNPROTECTED_SACL_SECURITY_INFORMATION = 0x10000000
    967 )
    968 
    969 type SECURITY_DESCRIPTOR_CONTROL uint16
    970 
    971 // Constants for type SECURITY_DESCRIPTOR_CONTROL
    972 const (
    973 	SE_OWNER_DEFAULTED       = 0x0001
    974 	SE_GROUP_DEFAULTED       = 0x0002
    975 	SE_DACL_PRESENT          = 0x0004
    976 	SE_DACL_DEFAULTED        = 0x0008
    977 	SE_SACL_PRESENT          = 0x0010
    978 	SE_SACL_DEFAULTED        = 0x0020
    979 	SE_DACL_AUTO_INHERIT_REQ = 0x0100
    980 	SE_SACL_AUTO_INHERIT_REQ = 0x0200
    981 	SE_DACL_AUTO_INHERITED   = 0x0400
    982 	SE_SACL_AUTO_INHERITED   = 0x0800
    983 	SE_DACL_PROTECTED        = 0x1000
    984 	SE_SACL_PROTECTED        = 0x2000
    985 	SE_RM_CONTROL_VALID      = 0x4000
    986 	SE_SELF_RELATIVE         = 0x8000
    987 )
    988 
    989 type ACCESS_MASK uint32
    990 
    991 // Constants for type ACCESS_MASK
    992 const (
    993 	DELETE                   = 0x00010000
    994 	READ_CONTROL             = 0x00020000
    995 	WRITE_DAC                = 0x00040000
    996 	WRITE_OWNER              = 0x00080000
    997 	SYNCHRONIZE              = 0x00100000
    998 	STANDARD_RIGHTS_REQUIRED = 0x000F0000
    999 	STANDARD_RIGHTS_READ     = READ_CONTROL
   1000 	STANDARD_RIGHTS_WRITE    = READ_CONTROL
   1001 	STANDARD_RIGHTS_EXECUTE  = READ_CONTROL
   1002 	STANDARD_RIGHTS_ALL      = 0x001F0000
   1003 	SPECIFIC_RIGHTS_ALL      = 0x0000FFFF
   1004 	ACCESS_SYSTEM_SECURITY   = 0x01000000
   1005 	MAXIMUM_ALLOWED          = 0x02000000
   1006 	GENERIC_READ             = 0x80000000
   1007 	GENERIC_WRITE            = 0x40000000
   1008 	GENERIC_EXECUTE          = 0x20000000
   1009 	GENERIC_ALL              = 0x10000000
   1010 )
   1011 
   1012 type ACCESS_MODE uint32
   1013 
   1014 // Constants for type ACCESS_MODE
   1015 const (
   1016 	NOT_USED_ACCESS   = 0
   1017 	GRANT_ACCESS      = 1
   1018 	SET_ACCESS        = 2
   1019 	DENY_ACCESS       = 3
   1020 	REVOKE_ACCESS     = 4
   1021 	SET_AUDIT_SUCCESS = 5
   1022 	SET_AUDIT_FAILURE = 6
   1023 )
   1024 
   1025 // Constants for AceFlags and Inheritance fields
   1026 const (
   1027 	NO_INHERITANCE                     = 0x0
   1028 	SUB_OBJECTS_ONLY_INHERIT           = 0x1
   1029 	SUB_CONTAINERS_ONLY_INHERIT        = 0x2
   1030 	SUB_CONTAINERS_AND_OBJECTS_INHERIT = 0x3
   1031 	INHERIT_NO_PROPAGATE               = 0x4
   1032 	INHERIT_ONLY                       = 0x8
   1033 	INHERITED_ACCESS_ENTRY             = 0x10
   1034 	INHERITED_PARENT                   = 0x10000000
   1035 	INHERITED_GRANDPARENT              = 0x20000000
   1036 	OBJECT_INHERIT_ACE                 = 0x1
   1037 	CONTAINER_INHERIT_ACE              = 0x2
   1038 	NO_PROPAGATE_INHERIT_ACE           = 0x4
   1039 	INHERIT_ONLY_ACE                   = 0x8
   1040 	INHERITED_ACE                      = 0x10
   1041 	VALID_INHERIT_FLAGS                = 0x1F
   1042 )
   1043 
   1044 type MULTIPLE_TRUSTEE_OPERATION uint32
   1045 
   1046 // Constants for MULTIPLE_TRUSTEE_OPERATION
   1047 const (
   1048 	NO_MULTIPLE_TRUSTEE    = 0
   1049 	TRUSTEE_IS_IMPERSONATE = 1
   1050 )
   1051 
   1052 type TRUSTEE_FORM uint32
   1053 
   1054 // Constants for TRUSTEE_FORM
   1055 const (
   1056 	TRUSTEE_IS_SID              = 0
   1057 	TRUSTEE_IS_NAME             = 1
   1058 	TRUSTEE_BAD_FORM            = 2
   1059 	TRUSTEE_IS_OBJECTS_AND_SID  = 3
   1060 	TRUSTEE_IS_OBJECTS_AND_NAME = 4
   1061 )
   1062 
   1063 type TRUSTEE_TYPE uint32
   1064 
   1065 // Constants for TRUSTEE_TYPE
   1066 const (
   1067 	TRUSTEE_IS_UNKNOWN          = 0
   1068 	TRUSTEE_IS_USER             = 1
   1069 	TRUSTEE_IS_GROUP            = 2
   1070 	TRUSTEE_IS_DOMAIN           = 3
   1071 	TRUSTEE_IS_ALIAS            = 4
   1072 	TRUSTEE_IS_WELL_KNOWN_GROUP = 5
   1073 	TRUSTEE_IS_DELETED          = 6
   1074 	TRUSTEE_IS_INVALID          = 7
   1075 	TRUSTEE_IS_COMPUTER         = 8
   1076 )
   1077 
   1078 // Constants for ObjectsPresent field
   1079 const (
   1080 	ACE_OBJECT_TYPE_PRESENT           = 0x1
   1081 	ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2
   1082 )
   1083 
   1084 type EXPLICIT_ACCESS struct {
   1085 	AccessPermissions ACCESS_MASK
   1086 	AccessMode        ACCESS_MODE
   1087 	Inheritance       uint32
   1088 	Trustee           TRUSTEE
   1089 }
   1090 
   1091 // This type is the union inside of TRUSTEE and must be created using one of the TrusteeValueFrom* functions.
   1092 type TrusteeValue uintptr
   1093 
   1094 func TrusteeValueFromString(str string) TrusteeValue {
   1095 	return TrusteeValue(unsafe.Pointer(StringToUTF16Ptr(str)))
   1096 }
   1097 func TrusteeValueFromSID(sid *SID) TrusteeValue {
   1098 	return TrusteeValue(unsafe.Pointer(sid))
   1099 }
   1100 func TrusteeValueFromObjectsAndSid(objectsAndSid *OBJECTS_AND_SID) TrusteeValue {
   1101 	return TrusteeValue(unsafe.Pointer(objectsAndSid))
   1102 }
   1103 func TrusteeValueFromObjectsAndName(objectsAndName *OBJECTS_AND_NAME) TrusteeValue {
   1104 	return TrusteeValue(unsafe.Pointer(objectsAndName))
   1105 }
   1106 
   1107 type TRUSTEE struct {
   1108 	MultipleTrustee          *TRUSTEE
   1109 	MultipleTrusteeOperation MULTIPLE_TRUSTEE_OPERATION
   1110 	TrusteeForm              TRUSTEE_FORM
   1111 	TrusteeType              TRUSTEE_TYPE
   1112 	TrusteeValue             TrusteeValue
   1113 }
   1114 
   1115 type OBJECTS_AND_SID struct {
   1116 	ObjectsPresent          uint32
   1117 	ObjectTypeGuid          GUID
   1118 	InheritedObjectTypeGuid GUID
   1119 	Sid                     *SID
   1120 }
   1121 
   1122 type OBJECTS_AND_NAME struct {
   1123 	ObjectsPresent          uint32
   1124 	ObjectType              SE_OBJECT_TYPE
   1125 	ObjectTypeName          *uint16
   1126 	InheritedObjectTypeName *uint16
   1127 	Name                    *uint16
   1128 }
   1129 
   1130 //sys	getSecurityInfo(handle Handle, objectType SE_OBJECT_TYPE, securityInformation SECURITY_INFORMATION, owner **SID, group **SID, dacl **ACL, sacl **ACL, sd **SECURITY_DESCRIPTOR) (ret error) = advapi32.GetSecurityInfo
   1131 //sys	SetSecurityInfo(handle Handle, objectType SE_OBJECT_TYPE, securityInformation SECURITY_INFORMATION, owner *SID, group *SID, dacl *ACL, sacl *ACL) (ret error) = advapi32.SetSecurityInfo
   1132 //sys	getNamedSecurityInfo(objectName string, objectType SE_OBJECT_TYPE, securityInformation SECURITY_INFORMATION, owner **SID, group **SID, dacl **ACL, sacl **ACL, sd **SECURITY_DESCRIPTOR) (ret error) = advapi32.GetNamedSecurityInfoW
   1133 //sys	SetNamedSecurityInfo(objectName string, objectType SE_OBJECT_TYPE, securityInformation SECURITY_INFORMATION, owner *SID, group *SID, dacl *ACL, sacl *ACL) (ret error) = advapi32.SetNamedSecurityInfoW
   1134 //sys	SetKernelObjectSecurity(handle Handle, securityInformation SECURITY_INFORMATION, securityDescriptor *SECURITY_DESCRIPTOR) (err error) = advapi32.SetKernelObjectSecurity
   1135 
   1136 //sys	buildSecurityDescriptor(owner *TRUSTEE, group *TRUSTEE, countAccessEntries uint32, accessEntries *EXPLICIT_ACCESS, countAuditEntries uint32, auditEntries *EXPLICIT_ACCESS, oldSecurityDescriptor *SECURITY_DESCRIPTOR, sizeNewSecurityDescriptor *uint32, newSecurityDescriptor **SECURITY_DESCRIPTOR) (ret error) = advapi32.BuildSecurityDescriptorW
   1137 //sys	initializeSecurityDescriptor(absoluteSD *SECURITY_DESCRIPTOR, revision uint32) (err error) = advapi32.InitializeSecurityDescriptor
   1138 
   1139 //sys	getSecurityDescriptorControl(sd *SECURITY_DESCRIPTOR, control *SECURITY_DESCRIPTOR_CONTROL, revision *uint32) (err error) = advapi32.GetSecurityDescriptorControl
   1140 //sys	getSecurityDescriptorDacl(sd *SECURITY_DESCRIPTOR, daclPresent *bool, dacl **ACL, daclDefaulted *bool) (err error) = advapi32.GetSecurityDescriptorDacl
   1141 //sys	getSecurityDescriptorSacl(sd *SECURITY_DESCRIPTOR, saclPresent *bool, sacl **ACL, saclDefaulted *bool) (err error) = advapi32.GetSecurityDescriptorSacl
   1142 //sys	getSecurityDescriptorOwner(sd *SECURITY_DESCRIPTOR, owner **SID, ownerDefaulted *bool) (err error) = advapi32.GetSecurityDescriptorOwner
   1143 //sys	getSecurityDescriptorGroup(sd *SECURITY_DESCRIPTOR, group **SID, groupDefaulted *bool) (err error) = advapi32.GetSecurityDescriptorGroup
   1144 //sys	getSecurityDescriptorLength(sd *SECURITY_DESCRIPTOR) (len uint32) = advapi32.GetSecurityDescriptorLength
   1145 //sys	getSecurityDescriptorRMControl(sd *SECURITY_DESCRIPTOR, rmControl *uint8) (ret error) [failretval!=0] = advapi32.GetSecurityDescriptorRMControl
   1146 //sys	isValidSecurityDescriptor(sd *SECURITY_DESCRIPTOR) (isValid bool) = advapi32.IsValidSecurityDescriptor
   1147 
   1148 //sys	setSecurityDescriptorControl(sd *SECURITY_DESCRIPTOR, controlBitsOfInterest SECURITY_DESCRIPTOR_CONTROL, controlBitsToSet SECURITY_DESCRIPTOR_CONTROL) (err error) = advapi32.SetSecurityDescriptorControl
   1149 //sys	setSecurityDescriptorDacl(sd *SECURITY_DESCRIPTOR, daclPresent bool, dacl *ACL, daclDefaulted bool) (err error) = advapi32.SetSecurityDescriptorDacl
   1150 //sys	setSecurityDescriptorSacl(sd *SECURITY_DESCRIPTOR, saclPresent bool, sacl *ACL, saclDefaulted bool) (err error) = advapi32.SetSecurityDescriptorSacl
   1151 //sys	setSecurityDescriptorOwner(sd *SECURITY_DESCRIPTOR, owner *SID, ownerDefaulted bool) (err error) = advapi32.SetSecurityDescriptorOwner
   1152 //sys	setSecurityDescriptorGroup(sd *SECURITY_DESCRIPTOR, group *SID, groupDefaulted bool) (err error) = advapi32.SetSecurityDescriptorGroup
   1153 //sys	setSecurityDescriptorRMControl(sd *SECURITY_DESCRIPTOR, rmControl *uint8) = advapi32.SetSecurityDescriptorRMControl
   1154 
   1155 //sys	convertStringSecurityDescriptorToSecurityDescriptor(str string, revision uint32, sd **SECURITY_DESCRIPTOR, size *uint32) (err error) = advapi32.ConvertStringSecurityDescriptorToSecurityDescriptorW
   1156 //sys	convertSecurityDescriptorToStringSecurityDescriptor(sd *SECURITY_DESCRIPTOR, revision uint32, securityInformation SECURITY_INFORMATION, str **uint16, strLen *uint32) (err error) = advapi32.ConvertSecurityDescriptorToStringSecurityDescriptorW
   1157 
   1158 //sys	makeAbsoluteSD(selfRelativeSD *SECURITY_DESCRIPTOR, absoluteSD *SECURITY_DESCRIPTOR, absoluteSDSize *uint32, dacl *ACL, daclSize *uint32, sacl *ACL, saclSize *uint32, owner *SID, ownerSize *uint32, group *SID, groupSize *uint32) (err error) = advapi32.MakeAbsoluteSD
   1159 //sys	makeSelfRelativeSD(absoluteSD *SECURITY_DESCRIPTOR, selfRelativeSD *SECURITY_DESCRIPTOR, selfRelativeSDSize *uint32) (err error) = advapi32.MakeSelfRelativeSD
   1160 
   1161 //sys	setEntriesInAcl(countExplicitEntries uint32, explicitEntries *EXPLICIT_ACCESS, oldACL *ACL, newACL **ACL) (ret error) = advapi32.SetEntriesInAclW
   1162 
   1163 // Control returns the security descriptor control bits.
   1164 func (sd *SECURITY_DESCRIPTOR) Control() (control SECURITY_DESCRIPTOR_CONTROL, revision uint32, err error) {
   1165 	err = getSecurityDescriptorControl(sd, &control, &revision)
   1166 	return
   1167 }
   1168 
   1169 // SetControl sets the security descriptor control bits.
   1170 func (sd *SECURITY_DESCRIPTOR) SetControl(controlBitsOfInterest SECURITY_DESCRIPTOR_CONTROL, controlBitsToSet SECURITY_DESCRIPTOR_CONTROL) error {
   1171 	return setSecurityDescriptorControl(sd, controlBitsOfInterest, controlBitsToSet)
   1172 }
   1173 
   1174 // RMControl returns the security descriptor resource manager control bits.
   1175 func (sd *SECURITY_DESCRIPTOR) RMControl() (control uint8, err error) {
   1176 	err = getSecurityDescriptorRMControl(sd, &control)
   1177 	return
   1178 }
   1179 
   1180 // SetRMControl sets the security descriptor resource manager control bits.
   1181 func (sd *SECURITY_DESCRIPTOR) SetRMControl(rmControl uint8) {
   1182 	setSecurityDescriptorRMControl(sd, &rmControl)
   1183 }
   1184 
   1185 // DACL returns the security descriptor DACL and whether it was defaulted. The dacl return value may be nil
   1186 // if a DACL exists but is an "empty DACL", meaning fully permissive. If the DACL does not exist, err returns
   1187 // ERROR_OBJECT_NOT_FOUND.
   1188 func (sd *SECURITY_DESCRIPTOR) DACL() (dacl *ACL, defaulted bool, err error) {
   1189 	var present bool
   1190 	err = getSecurityDescriptorDacl(sd, &present, &dacl, &defaulted)
   1191 	if !present {
   1192 		err = ERROR_OBJECT_NOT_FOUND
   1193 	}
   1194 	return
   1195 }
   1196 
   1197 // SetDACL sets the absolute security descriptor DACL.
   1198 func (absoluteSD *SECURITY_DESCRIPTOR) SetDACL(dacl *ACL, present, defaulted bool) error {
   1199 	return setSecurityDescriptorDacl(absoluteSD, present, dacl, defaulted)
   1200 }
   1201 
   1202 // SACL returns the security descriptor SACL and whether it was defaulted. The sacl return value may be nil
   1203 // if a SACL exists but is an "empty SACL", meaning fully permissive. If the SACL does not exist, err returns
   1204 // ERROR_OBJECT_NOT_FOUND.
   1205 func (sd *SECURITY_DESCRIPTOR) SACL() (sacl *ACL, defaulted bool, err error) {
   1206 	var present bool
   1207 	err = getSecurityDescriptorSacl(sd, &present, &sacl, &defaulted)
   1208 	if !present {
   1209 		err = ERROR_OBJECT_NOT_FOUND
   1210 	}
   1211 	return
   1212 }
   1213 
   1214 // SetSACL sets the absolute security descriptor SACL.
   1215 func (absoluteSD *SECURITY_DESCRIPTOR) SetSACL(sacl *ACL, present, defaulted bool) error {
   1216 	return setSecurityDescriptorSacl(absoluteSD, present, sacl, defaulted)
   1217 }
   1218 
   1219 // Owner returns the security descriptor owner and whether it was defaulted.
   1220 func (sd *SECURITY_DESCRIPTOR) Owner() (owner *SID, defaulted bool, err error) {
   1221 	err = getSecurityDescriptorOwner(sd, &owner, &defaulted)
   1222 	return
   1223 }
   1224 
   1225 // SetOwner sets the absolute security descriptor owner.
   1226 func (absoluteSD *SECURITY_DESCRIPTOR) SetOwner(owner *SID, defaulted bool) error {
   1227 	return setSecurityDescriptorOwner(absoluteSD, owner, defaulted)
   1228 }
   1229 
   1230 // Group returns the security descriptor group and whether it was defaulted.
   1231 func (sd *SECURITY_DESCRIPTOR) Group() (group *SID, defaulted bool, err error) {
   1232 	err = getSecurityDescriptorGroup(sd, &group, &defaulted)
   1233 	return
   1234 }
   1235 
   1236 // SetGroup sets the absolute security descriptor owner.
   1237 func (absoluteSD *SECURITY_DESCRIPTOR) SetGroup(group *SID, defaulted bool) error {
   1238 	return setSecurityDescriptorGroup(absoluteSD, group, defaulted)
   1239 }
   1240 
   1241 // Length returns the length of the security descriptor.
   1242 func (sd *SECURITY_DESCRIPTOR) Length() uint32 {
   1243 	return getSecurityDescriptorLength(sd)
   1244 }
   1245 
   1246 // IsValid returns whether the security descriptor is valid.
   1247 func (sd *SECURITY_DESCRIPTOR) IsValid() bool {
   1248 	return isValidSecurityDescriptor(sd)
   1249 }
   1250 
   1251 // String returns the SDDL form of the security descriptor, with a function signature that can be
   1252 // used with %v formatting directives.
   1253 func (sd *SECURITY_DESCRIPTOR) String() string {
   1254 	var sddl *uint16
   1255 	err := convertSecurityDescriptorToStringSecurityDescriptor(sd, 1, 0xff, &sddl, nil)
   1256 	if err != nil {
   1257 		return ""
   1258 	}
   1259 	defer LocalFree(Handle(unsafe.Pointer(sddl)))
   1260 	return UTF16PtrToString(sddl)
   1261 }
   1262 
   1263 // ToAbsolute converts a self-relative security descriptor into an absolute one.
   1264 func (selfRelativeSD *SECURITY_DESCRIPTOR) ToAbsolute() (absoluteSD *SECURITY_DESCRIPTOR, err error) {
   1265 	control, _, err := selfRelativeSD.Control()
   1266 	if err != nil {
   1267 		return
   1268 	}
   1269 	if control&SE_SELF_RELATIVE == 0 {
   1270 		err = ERROR_INVALID_PARAMETER
   1271 		return
   1272 	}
   1273 	var absoluteSDSize, daclSize, saclSize, ownerSize, groupSize uint32
   1274 	err = makeAbsoluteSD(selfRelativeSD, nil, &absoluteSDSize,
   1275 		nil, &daclSize, nil, &saclSize, nil, &ownerSize, nil, &groupSize)
   1276 	switch err {
   1277 	case ERROR_INSUFFICIENT_BUFFER:
   1278 	case nil:
   1279 		// makeAbsoluteSD is expected to fail, but it succeeds.
   1280 		return nil, ERROR_INTERNAL_ERROR
   1281 	default:
   1282 		return nil, err
   1283 	}
   1284 	if absoluteSDSize > 0 {
   1285 		absoluteSD = (*SECURITY_DESCRIPTOR)(unsafe.Pointer(&make([]byte, absoluteSDSize)[0]))
   1286 	}
   1287 	var (
   1288 		dacl  *ACL
   1289 		sacl  *ACL
   1290 		owner *SID
   1291 		group *SID
   1292 	)
   1293 	if daclSize > 0 {
   1294 		dacl = (*ACL)(unsafe.Pointer(&make([]byte, daclSize)[0]))
   1295 	}
   1296 	if saclSize > 0 {
   1297 		sacl = (*ACL)(unsafe.Pointer(&make([]byte, saclSize)[0]))
   1298 	}
   1299 	if ownerSize > 0 {
   1300 		owner = (*SID)(unsafe.Pointer(&make([]byte, ownerSize)[0]))
   1301 	}
   1302 	if groupSize > 0 {
   1303 		group = (*SID)(unsafe.Pointer(&make([]byte, groupSize)[0]))
   1304 	}
   1305 	err = makeAbsoluteSD(selfRelativeSD, absoluteSD, &absoluteSDSize,
   1306 		dacl, &daclSize, sacl, &saclSize, owner, &ownerSize, group, &groupSize)
   1307 	return
   1308 }
   1309 
   1310 // ToSelfRelative converts an absolute security descriptor into a self-relative one.
   1311 func (absoluteSD *SECURITY_DESCRIPTOR) ToSelfRelative() (selfRelativeSD *SECURITY_DESCRIPTOR, err error) {
   1312 	control, _, err := absoluteSD.Control()
   1313 	if err != nil {
   1314 		return
   1315 	}
   1316 	if control&SE_SELF_RELATIVE != 0 {
   1317 		err = ERROR_INVALID_PARAMETER
   1318 		return
   1319 	}
   1320 	var selfRelativeSDSize uint32
   1321 	err = makeSelfRelativeSD(absoluteSD, nil, &selfRelativeSDSize)
   1322 	switch err {
   1323 	case ERROR_INSUFFICIENT_BUFFER:
   1324 	case nil:
   1325 		// makeSelfRelativeSD is expected to fail, but it succeeds.
   1326 		return nil, ERROR_INTERNAL_ERROR
   1327 	default:
   1328 		return nil, err
   1329 	}
   1330 	if selfRelativeSDSize > 0 {
   1331 		selfRelativeSD = (*SECURITY_DESCRIPTOR)(unsafe.Pointer(&make([]byte, selfRelativeSDSize)[0]))
   1332 	}
   1333 	err = makeSelfRelativeSD(absoluteSD, selfRelativeSD, &selfRelativeSDSize)
   1334 	return
   1335 }
   1336 
   1337 func (selfRelativeSD *SECURITY_DESCRIPTOR) copySelfRelativeSecurityDescriptor() *SECURITY_DESCRIPTOR {
   1338 	sdLen := int(selfRelativeSD.Length())
   1339 	const min = int(unsafe.Sizeof(SECURITY_DESCRIPTOR{}))
   1340 	if sdLen < min {
   1341 		sdLen = min
   1342 	}
   1343 
   1344 	var src []byte
   1345 	h := (*unsafeheader.Slice)(unsafe.Pointer(&src))
   1346 	h.Data = unsafe.Pointer(selfRelativeSD)
   1347 	h.Len = sdLen
   1348 	h.Cap = sdLen
   1349 
   1350 	const psize = int(unsafe.Sizeof(uintptr(0)))
   1351 
   1352 	var dst []byte
   1353 	h = (*unsafeheader.Slice)(unsafe.Pointer(&dst))
   1354 	alloc := make([]uintptr, (sdLen+psize-1)/psize)
   1355 	h.Data = (*unsafeheader.Slice)(unsafe.Pointer(&alloc)).Data
   1356 	h.Len = sdLen
   1357 	h.Cap = sdLen
   1358 
   1359 	copy(dst, src)
   1360 	return (*SECURITY_DESCRIPTOR)(unsafe.Pointer(&dst[0]))
   1361 }
   1362 
   1363 // SecurityDescriptorFromString converts an SDDL string describing a security descriptor into a
   1364 // self-relative security descriptor object allocated on the Go heap.
   1365 func SecurityDescriptorFromString(sddl string) (sd *SECURITY_DESCRIPTOR, err error) {
   1366 	var winHeapSD *SECURITY_DESCRIPTOR
   1367 	err = convertStringSecurityDescriptorToSecurityDescriptor(sddl, 1, &winHeapSD, nil)
   1368 	if err != nil {
   1369 		return
   1370 	}
   1371 	defer LocalFree(Handle(unsafe.Pointer(winHeapSD)))
   1372 	return winHeapSD.copySelfRelativeSecurityDescriptor(), nil
   1373 }
   1374 
   1375 // GetSecurityInfo queries the security information for a given handle and returns the self-relative security
   1376 // descriptor result on the Go heap.
   1377 func GetSecurityInfo(handle Handle, objectType SE_OBJECT_TYPE, securityInformation SECURITY_INFORMATION) (sd *SECURITY_DESCRIPTOR, err error) {
   1378 	var winHeapSD *SECURITY_DESCRIPTOR
   1379 	err = getSecurityInfo(handle, objectType, securityInformation, nil, nil, nil, nil, &winHeapSD)
   1380 	if err != nil {
   1381 		return
   1382 	}
   1383 	defer LocalFree(Handle(unsafe.Pointer(winHeapSD)))
   1384 	return winHeapSD.copySelfRelativeSecurityDescriptor(), nil
   1385 }
   1386 
   1387 // GetNamedSecurityInfo queries the security information for a given named object and returns the self-relative security
   1388 // descriptor result on the Go heap.
   1389 func GetNamedSecurityInfo(objectName string, objectType SE_OBJECT_TYPE, securityInformation SECURITY_INFORMATION) (sd *SECURITY_DESCRIPTOR, err error) {
   1390 	var winHeapSD *SECURITY_DESCRIPTOR
   1391 	err = getNamedSecurityInfo(objectName, objectType, securityInformation, nil, nil, nil, nil, &winHeapSD)
   1392 	if err != nil {
   1393 		return
   1394 	}
   1395 	defer LocalFree(Handle(unsafe.Pointer(winHeapSD)))
   1396 	return winHeapSD.copySelfRelativeSecurityDescriptor(), nil
   1397 }
   1398 
   1399 // BuildSecurityDescriptor makes a new security descriptor using the input trustees, explicit access lists, and
   1400 // prior security descriptor to be merged, any of which can be nil, returning the self-relative security descriptor
   1401 // result on the Go heap.
   1402 func BuildSecurityDescriptor(owner *TRUSTEE, group *TRUSTEE, accessEntries []EXPLICIT_ACCESS, auditEntries []EXPLICIT_ACCESS, mergedSecurityDescriptor *SECURITY_DESCRIPTOR) (sd *SECURITY_DESCRIPTOR, err error) {
   1403 	var winHeapSD *SECURITY_DESCRIPTOR
   1404 	var winHeapSDSize uint32
   1405 	var firstAccessEntry *EXPLICIT_ACCESS
   1406 	if len(accessEntries) > 0 {
   1407 		firstAccessEntry = &accessEntries[0]
   1408 	}
   1409 	var firstAuditEntry *EXPLICIT_ACCESS
   1410 	if len(auditEntries) > 0 {
   1411 		firstAuditEntry = &auditEntries[0]
   1412 	}
   1413 	err = buildSecurityDescriptor(owner, group, uint32(len(accessEntries)), firstAccessEntry, uint32(len(auditEntries)), firstAuditEntry, mergedSecurityDescriptor, &winHeapSDSize, &winHeapSD)
   1414 	if err != nil {
   1415 		return
   1416 	}
   1417 	defer LocalFree(Handle(unsafe.Pointer(winHeapSD)))
   1418 	return winHeapSD.copySelfRelativeSecurityDescriptor(), nil
   1419 }
   1420 
   1421 // NewSecurityDescriptor creates and initializes a new absolute security descriptor.
   1422 func NewSecurityDescriptor() (absoluteSD *SECURITY_DESCRIPTOR, err error) {
   1423 	absoluteSD = &SECURITY_DESCRIPTOR{}
   1424 	err = initializeSecurityDescriptor(absoluteSD, 1)
   1425 	return
   1426 }
   1427 
   1428 // ACLFromEntries returns a new ACL on the Go heap containing a list of explicit entries as well as those of another ACL.
   1429 // Both explicitEntries and mergedACL are optional and can be nil.
   1430 func ACLFromEntries(explicitEntries []EXPLICIT_ACCESS, mergedACL *ACL) (acl *ACL, err error) {
   1431 	var firstExplicitEntry *EXPLICIT_ACCESS
   1432 	if len(explicitEntries) > 0 {
   1433 		firstExplicitEntry = &explicitEntries[0]
   1434 	}
   1435 	var winHeapACL *ACL
   1436 	err = setEntriesInAcl(uint32(len(explicitEntries)), firstExplicitEntry, mergedACL, &winHeapACL)
   1437 	if err != nil {
   1438 		return
   1439 	}
   1440 	defer LocalFree(Handle(unsafe.Pointer(winHeapACL)))
   1441 	aclBytes := make([]byte, winHeapACL.aclSize)
   1442 	copy(aclBytes, (*[(1 << 31) - 1]byte)(unsafe.Pointer(winHeapACL))[:len(aclBytes):len(aclBytes)])
   1443 	return (*ACL)(unsafe.Pointer(&aclBytes[0])), nil
   1444 }