The SECURITY_DESCRIPTOR structure defines the security attributes of a securable object. It carries the object's owner, primary group, discretionary access control list (DACL), which decides who is granted or denied access, and system access control list (SACL), which holds auditing and integrity entries. The layout below is the absolute form, in which the members are pointers; when SE_SELF_RELATIVE is set in Control the same fields hold byte offsets from the start of a single contiguous buffer, which is the form returned by functions such as GetFileSecurity and GetSecurityInfo. Applications should treat the structure as opaque and use the security descriptor functions (InitializeSecurityDescriptor, SetSecurityDescriptorDacl, GetSecurityDescriptorDacl, and so on) rather than reading or writing the members directly.
```c
typedef struct _SECURITY_DESCRIPTOR {
    BYTE                        Revision;
    BYTE                        Sbz1;
    SECURITY_DESCRIPTOR_CONTROL Control;
    PSID                        Owner;
    PSID                        Group;
    PACL                        Sacl;
    PACL                        Dacl;
} SECURITY_DESCRIPTOR, *PISECURITY_DESCRIPTOR;
```
| Member | Type | Description |
|---|---|---|
| Revision | BYTE | Revision level of the security descriptor. Must be SECURITY_DESCRIPTOR_REVISION (1). |
| Sbz1 | BYTE | Reserved; must be zero. |
| Control | SECURITY_DESCRIPTOR_CONTROL | Bit flags such as SE_DACL_PRESENT, SE_SACL_PRESENT, SE_DACL_DEFAULTED, SE_DACL_PROTECTED, SE_DACL_AUTO_INHERITED and SE_SELF_RELATIVE. They record which ACLs are present, whether parts were defaulted or inherited, whether inheritance from the parent is blocked, and whether the descriptor is in absolute or self-relative form. |
| Owner | PSID | Pointer to the owner SID, or NULL if no owner is set. |
| Group | PSID | Pointer to the primary group SID, or NULL if no group is set. |
| Sacl | PACL | Pointer to the system ACL. Meaningful only if SE_SACL_PRESENT is set in Control; otherwise the value must be ignored. |
| Dacl | PACL | Pointer to the discretionary ACL. Meaningful only if SE_DACL_PRESENT is set in Control. If the flag is set and Dacl is NULL, the object has a NULL DACL and grants full access to everyone; if it points to an ACL with zero ACEs, the object has an empty DACL and grants access to no one. |
Create a security descriptor with a DACL containing a single ACE that grants full control to the built-in Administrators group (S-1-5-32-544), using SetEntriesInAcl to build the ACL.
```c
#include <windows.h>
#include <sddl.h>     // ConvertStringSidToSidW
#include <aclapi.h>   // EXPLICIT_ACCESSW, SetEntriesInAclW
#include <stdio.h>
#pragma comment(lib, "advapi32.lib")

int main(void) {
    SECURITY_DESCRIPTOR sd;
    PSID pSid = NULL;
    PACL pAcl = NULL;
    EXPLICIT_ACCESSW ea = {0};
    SECURITY_ATTRIBUTES sa = { sizeof(sa), &sd, FALSE };
    DWORD err = ERROR_SUCCESS;

    if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION)) { err = GetLastError(); goto cleanup; }
    // Trustee: built-in Administrators group (well-known SID S-1-5-32-544).
    if (!ConvertStringSidToSidW(L"S-1-5-32-544", &pSid)) { err = GetLastError(); goto cleanup; }
    ea.grfAccessPermissions = GENERIC_ALL;
    ea.grfAccessMode        = SET_ACCESS;
    ea.grfInheritance       = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
    ea.Trustee.TrusteeForm  = TRUSTEE_IS_SID;
    ea.Trustee.TrusteeType  = TRUSTEE_IS_GROUP;
    ea.Trustee.ptstrName    = (LPWSTR)pSid;

    // Build a new ACL holding just this ACE. The result must be checked: if pAcl were
    // left NULL and passed on with bDaclPresent == TRUE, the descriptor would carry a
    // NULL DACL, which grants Everyone full access to the object.
    err = SetEntriesInAclW(1, &ea, NULL, &pAcl);
    if (err != ERROR_SUCCESS) goto cleanup;
    if (!SetSecurityDescriptorDacl(&sd, TRUE, pAcl, FALSE)) { err = GetLastError(); goto cleanup; }

    // sa now wraps sd and can be passed to CreateFileW, CreateProcessW, etc.
    // sd only points at pAcl, so keep the ACL alive until the descriptor's last use.
    (void)sa;

cleanup:
    if (err != ERROR_SUCCESS) fprintf(stderr, "building security descriptor failed: %lu\n", err);
    if (pAcl) LocalFree(pAcl);   // allocated by SetEntriesInAclW
    if (pSid) LocalFree(pSid);   // allocated by ConvertStringSidToSidW
    return err == ERROR_SUCCESS ? 0 : 1;
}
```
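The table above says SE_DACL_PRESENT and SE_SACL_PRESENT decide whether the Dacl and Sacl members mean anything, and the construction example above shows the absolute form. The descriptor you actually read back from a file, registry key or AD object is the self-relative form, and the dangerous cases (a NULL DACL versus an empty one) are invisible unless you check the flag and the offset together. The following is an added example, written for this page and not taken from the Windows SDK, that parses a self-relative descriptor from raw bytes with no dependency on windows.h, so it runs on any platform. It assumes the MS-DTYP wire layout (20-byte header of Revision, Sbz1, Control and four little-endian offsets; SIDs with a big-endian 48-bit authority; 8-byte ACL header; 4-byte ACE header followed by the access mask and trustee SID). The sample blobs are constructed by hand to illustrate the four DACL states and a truncated buffer; they were not captured from a real system, and the function and type names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SECURITY_DESCRIPTOR_CONTROL bits used here (values as in the SDK headers). */
#define SE_DACL_PRESENT  0x0004
#define SE_SACL_PRESENT  0x0010
#define SE_SELF_RELATIVE 0x8000
/* What the DACL says about who may access the object. */
enum dacl_state { DACL_NOT_PRESENT, /* SE_DACL_PRESENT clear: the Dacl field must be ignored */
                  DACL_NULL,        /* flag set, Dacl NULL: no protection, Everyone has full access */
                  DACL_EMPTY,       /* flag set, ACL with zero ACEs: nobody is granted anything */
                  DACL_POPULATED }; /* flag set, one or more ACEs */
struct sd_info {  /* offsets are relative to the start of the blob; 0 means absent */
    uint16_t control; uint32_t off_owner, off_group, off_sacl, off_dacl; uint16_t dacl_ace_count;
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Render a binary SID (revision, count, 48-bit big-endian authority, little-endian sub-authorities)
 * as "S-1-...". Returns the bytes consumed, or 0 if the SID does not fit in len. */
size_t sid_to_string(const uint8_t *p, size_t len, char *out, size_t outlen)
{
    if (len < 8 || p[0] != 1 || p[1] > 15 || len < 8 + 4u * p[1]) return 0;
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | p[2 + i];
    int w = snprintf(out, outlen, "S-1-%llu", (unsigned long long)auth);
    for (unsigned i = 0; i < p[1] && w > 0 && (size_t)w < outlen; i++)
        w += snprintf(out + w, outlen - (size_t)w, "-%u", rd32(p + 8 + 4 * i));
    return 8 + 4u * p[1];
}

/* Parse the 20-byte self-relative header (Revision, Sbz1, Control, four offsets). Every offset
 * is checked against len, so a truncated or hostile blob is rejected instead of read past. */
int sd_parse(const uint8_t *buf, size_t len, struct sd_info *sd)
{
    char tmp[96];
    if (len < 20 || buf[0] != 1 /* SECURITY_DESCRIPTOR_REVISION */) return -1;
    sd->control = rd16(buf + 2);
    if (!(sd->control & SE_SELF_RELATIVE)) return -1;
    sd->off_owner = rd32(buf + 4);  sd->off_group = rd32(buf + 8);
    sd->off_sacl  = rd32(buf + 12); sd->off_dacl  = rd32(buf + 16); sd->dacl_ace_count = 0;
    uint32_t sids[2] = { sd->off_owner, sd->off_group };
    for (int i = 0; i < 2; i++)   /* owner and group SIDs, when present, must lie inside the blob */
        if (sids[i] && (sids[i] > len || !sid_to_string(buf + sids[i], len - sids[i], tmp, sizeof tmp))) return -1;
    if ((sd->control & SE_DACL_PRESENT) && sd->off_dacl) {
        if (sd->off_dacl > len - 8) return -1;             /* ACL header is 8 bytes */
        uint16_t acl_size = rd16(buf + sd->off_dacl + 2);
        if (acl_size < 8 || acl_size > len - sd->off_dacl) return -1;
        sd->dacl_ace_count = rd16(buf + sd->off_dacl + 4);
    }
    return 0;
}

enum dacl_state sd_dacl_state(const struct sd_info *sd)
{
    if (!(sd->control & SE_DACL_PRESENT)) return DACL_NOT_PRESENT;
    if (sd->off_dacl == 0) return DACL_NULL;
    return sd->dacl_ace_count == 0 ? DACL_EMPTY : DACL_POPULATED;
}

/* Walk the DACL and print each ACE: type, flags, access mask and trustee SID. */
static void print_dacl(const uint8_t *buf, const struct sd_info *sd)
{
    size_t pos = sd->off_dacl + 8, end = sd->off_dacl + rd16(buf + sd->off_dacl + 2);
    for (unsigned i = 0; i < sd->dacl_ace_count && pos + 8 <= end; i++) {
        uint16_t ace_size = rd16(buf + pos + 2);   /* ACE header: type, flags, size */
        char sid[96] = "?";
        if (ace_size >= 8 && pos + ace_size <= end) sid_to_string(buf + pos + 8, ace_size - 8, sid, sizeof sid);
        printf("  ACE %u: type=%u flags=0x%02x mask=0x%08x trustee=%s\n", i, buf[pos], buf[pos + 1], rd32(buf + pos + 4), sid);
        if (ace_size < 8) break;
        pos += ace_size;
    }
}

/* Constructed sample blobs (not captured from a real system), all in self-relative form. */
const uint8_t SD_ADMIN_FULL[] = {                                     /* owner Administrators, group SYSTEM */
    0x01,0x00,0x04,0x80, 0x14,0,0,0, 0x24,0,0,0, 0,0,0,0, 0x30,0,0,0,   /* header: owner@20 group@36 dacl@48 */
    0x01,0x02,0,0,0,0,0,0x05, 0x20,0,0,0, 0x20,0x02,0,0,                /* owner S-1-5-32-544 */
    0x01,0x01,0,0,0,0,0,0x05, 0x12,0,0,0,                               /* group S-1-5-18 */
    0x02,0x00,0x20,0x00, 0x01,0x00,0x00,0x00,                           /* ACL: rev 2, size 32, 1 ACE */
    0x00,0x03,0x18,0x00, 0x00,0x00,0x00,0x10,                           /* ALLOW, OI|CI, 24 bytes, GENERIC_ALL */
    0x01,0x02,0,0,0,0,0,0x05, 0x20,0,0,0, 0x20,0x02,0,0 };             /* trustee S-1-5-32-544 */
const uint8_t SD_NULL_DACL[]    = { 0x01,0x00,0x04,0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };
const uint8_t SD_EMPTY_DACL[]   = { 0x01,0x00,0x04,0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0x14,0,0,0,
                                    0x02,0x00,0x08,0x00, 0x00,0x00,0x00,0x00 };  /* ACL with 0 ACEs at 20 */
const uint8_t SD_NO_DACL_FLAG[] = { 0x01,0x00,0x00,0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };

int main(void)
{
    const uint8_t *bufs[] = { SD_ADMIN_FULL, SD_NULL_DACL, SD_EMPTY_DACL, SD_NO_DACL_FLAG, SD_ADMIN_FULL };
    const size_t lens[]   = { sizeof SD_ADMIN_FULL, sizeof SD_NULL_DACL, sizeof SD_EMPTY_DACL, sizeof SD_NO_DACL_FLAG, 60 };
    static const char *names[] = { "not present", "NULL (Everyone has full access)", "empty (no access)", "populated" };
    for (int i = 0; i < 5; i++) {   /* the last entry is SD_ADMIN_FULL truncated to 60 bytes */
        struct sd_info sd;
        if (sd_parse(bufs[i], lens[i], &sd) != 0) { printf("blob %d: malformed or truncated\n", i); continue; }
        printf("blob %d: control=0x%04x sacl=%s dacl=%s\n", i, sd.control,
               (sd.control & SE_SACL_PRESENT) ? "present" : "absent", names[sd_dacl_state(&sd)]);
        if (sd_dacl_state(&sd) == DACL_POPULATED) print_dacl(bufs[i], &sd);
    }
    return 0;
}
```

The classification in sd_dacl_state is the check worth copying: a descriptor is not "unprotected" because Dacl is NULL, it is unprotected because SE_DACL_PRESENT is set and the DACL is NULL at the same time. With the flag clear the NULL pointer is simply not meaningful, and with the flag set and an ACL of zero ACEs the effect is the opposite, no access for anyone. Offsets and sizes are validated before use because descriptors are routinely read from untrusted places such as network file shares and registry hives.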