Using a MSDN supplied code to modify sacls on a registry entry and I am getting an error 87 when GetNamedSecurityInfo is called. The error best I can tell from googling is a bad parameter but I can't for the life of me find the bad parameter. The code is below. It is probably really obvious but I am completely missing it. The problem is almost definitely in szKey or SE_REGISTRY_KEY (first 2 arguments) because everything else is from within the example function.
Thanks,
Tom

AddAceToObjectsSecurityDescriptor is from http://msdn.microsoft.com/en-us/library/aa379283(VS.85).aspx and has not been modified.

    HKEY hHkey;
    LPCTSTR sTrust;
    PSID psidTrust;
    LPCTSTR szKey;
    //HKEY hKey = HKEY_LOCAL_MACHINE;
    szKey = (LPCTSTR)"MACHINE\\SOFTWARE\\TerraNovum";
    sTrust = (LPCTSTR)"Users";
    printf("about to add ace\n");
    AddAceToObjectsSecurityDescriptor(
        (LPTSTR)szKey,
        SE_REGISTRY_KEY,
        (LPTSTR)sTrust,
        TRUSTEE_IS_NAME,
        STANDARD_RIGHTS_ALL,
        GRANT_ACCESS,
        CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE);

Thomas Bolioli writes:

> szKey = (LPCTSTR)"MACHINE\\SOFTWARE\\TerraNovum";
> sTrust = (LPCTSTR)"Users";

Those casts are wrong if UNICODE is defined, and unnecessary otherwise.
Try instead:

    szKey = TEXT("MACHINE\\SOFTWARE\\TerraNovum");
    sTrust = TEXT("Users");

In addition, I suspect some localized versions of Windows may not recognize the "Users" name. Using the well-known SID instead would avoid that risk.

That was it. Thanks, I knew it was going to be something obvious because I had looked into all of the least likely stuff it could be... :-)
What is the well known SID of Users? I don't know it. Also, is that guaranteed to be that number always?
Tom

Kalle Olavi Niemitalo wrote:

> Thomas Bolioli writes:
>
>> szKey = (LPCTSTR)"MACHINE\\SOFTWARE\\TerraNovum";
>> sTrust = (LPCTSTR)"Users";
>
> Those casts are wrong if UNICODE is defined, and unnecessary otherwise.
> Try instead:
>
>     szKey = TEXT("MACHINE\\SOFTWARE\\TerraNovum");
>     sTrust = TEXT("Users");
>
> In addition, I suspect some localized versions of Windows may not
> recognize the "Users" name. Using the well-known SID instead
> would avoid that risk.

Thomas Bolioli writes:

> What is the well known SID of Users? I don't know it.

BUILTIN\Users is S-1-5-32-545. It consists of these components:

    1 is the SID revision level.
    5 is SECURITY_NT_AUTHORITY.
    32 is SECURITY_BUILTIN_DOMAIN_RID.
    545 is DOMAIN_ALIAS_RID_USERS (not DOMAIN_GROUP_RID_USERS).

To add that to an access control list, you'll need TRUSTEE_IS_SID, and a PSID that you can get from any of AllocateAndInitializeSid, CreateWellKnownSid, or ConvertStringSidToSid.

> Also, is that guaranteed to be that number always?

According to KB243330, the values of well-known SIDs "remain constant across all operating systems."
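
Added example, not part of the thread and not MSDN code: a portable C sketch that packs the string form S-1-5-32-545 into the binary SID layout, so the four components listed above can be seen in the bytes a PSID refers to. It makes no Win32 calls; the helper names `field` and `sid_string_to_bytes` are hypothetical, and only decimal fields are accepted.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SID_MAX_SUBAUTH 15 /* most sub-authorities a SID can carry */

/* Read one decimal field at *p; reject a non-digit start or a value > max. */
static int field(const char **p, unsigned long long max, unsigned long long *v)
{
    char *end;
    if (**p < '0' || **p > '9') return 0;
    *v = strtoull(*p, &end, 10);
    *p = end;
    return *v <= max;
}

/* Hypothetical helper: pack "S-1-A-S1-S2..." as revision, sub-authority count,
 * 6-byte big-endian authority, then one little-endian 32-bit value per
 * sub-authority. Returns bytes written, or 0 on bad input or a small buffer. */
size_t sid_string_to_bytes(const char *s, uint8_t *out, size_t cap)
{
    unsigned long long v;
    size_t len = 8, n = 0;
    int i;
    if (!s || cap < 8 || strncmp(s, "S-", 2) != 0) return 0;
    s += 2;
    if (!field(&s, 255, &v) || v != 1 || *s++ != '-') return 0;
    out[0] = 1;                                   /* revision level */
    if (!field(&s, 0xFFFFFFFFFFFFULL, &v)) return 0;
    for (i = 0; i < 6; i++) out[2 + i] = (uint8_t)(v >> (8 * (5 - i)));
    while (*s == '-') {
        s++;
        if (n == SID_MAX_SUBAUTH || len + 4 > cap) return 0;
        if (!field(&s, 0xFFFFFFFFULL, &v)) return 0;
        for (i = 0; i < 4; i++) out[len + i] = (uint8_t)(v >> (8 * i));
        len += 4; n++;
    }
    if (*s != '\0') return 0;                     /* trailing junk */
    out[1] = (uint8_t)n;
    return len;
}

int main(void)
{
    uint8_t sid[8 + 4 * SID_MAX_SUBAUTH];
    size_t i, n = sid_string_to_bytes("S-1-5-32-545", sid, sizeof sid);
    for (i = 0; i < n; i++) printf("%02x%c", sid[i], i + 1 < n ? ' ' : '\n');
    return n ? 0 : 1;
}
```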