golang.org/x/sys@v0.20.1-0.20240517151509-673e0f94c16d/windows/security_windows.go (about)

     1  // Copyright 2012 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package windows
     6  
     7  import (
     8  	"syscall"
     9  	"unsafe"
    10  )
    11  
    12  const (
    13  	NameUnknown          = 0
    14  	NameFullyQualifiedDN = 1
    15  	NameSamCompatible    = 2
    16  	NameDisplay          = 3
    17  	NameUniqueId         = 6
    18  	NameCanonical        = 7
    19  	NameUserPrincipal    = 8
    20  	NameCanonicalEx      = 9
    21  	NameServicePrincipal = 10
    22  	NameDnsDomain        = 12
    23  )
    24  
    25  // This function returns 1 byte BOOLEAN rather than the 4 byte BOOL.
    26  // http://blogs.msdn.com/b/drnick/archive/2007/12/19/windows-and-upn-format-credentials.aspx
    27  //sys	TranslateName(accName *uint16, accNameFormat uint32, desiredNameFormat uint32, translatedName *uint16, nSize *uint32) (err error) [failretval&0xff==0] = secur32.TranslateNameW
    28  //sys	GetUserNameEx(nameFormat uint32, nameBuffre *uint16, nSize *uint32) (err error) [failretval&0xff==0] = secur32.GetUserNameExW
    29  
    30  // TranslateAccountName converts a directory service
    31  // object name from one format to another.
    32  func TranslateAccountName(username string, from, to uint32, initSize int) (string, error) {
    33  	u, e := UTF16PtrFromString(username)
    34  	if e != nil {
    35  		return "", e
    36  	}
    37  	n := uint32(50)
    38  	for {
    39  		b := make([]uint16, n)
    40  		e = TranslateName(u, from, to, &b[0], &n)
    41  		if e == nil {
    42  			return UTF16ToString(b[:n]), nil
    43  		}
    44  		if e != ERROR_INSUFFICIENT_BUFFER {
    45  			return "", e
    46  		}
    47  		if n <= uint32(len(b)) {
    48  			return "", e
    49  		}
    50  	}
    51  }
    52  
    53  const (
    54  	// do not reorder
    55  	NetSetupUnknownStatus = iota
    56  	NetSetupUnjoined
    57  	NetSetupWorkgroupName
    58  	NetSetupDomainName
    59  )
    60  
    61  type UserInfo10 struct {
    62  	Name       *uint16
    63  	Comment    *uint16
    64  	UsrComment *uint16
    65  	FullName   *uint16
    66  }
    67  
    68  //sys	NetUserGetInfo(serverName *uint16, userName *uint16, level uint32, buf **byte) (neterr error) = netapi32.NetUserGetInfo
    69  //sys	NetGetJoinInformation(server *uint16, name **uint16, bufType *uint32) (neterr error) = netapi32.NetGetJoinInformation
    70  //sys	NetApiBufferFree(buf *byte) (neterr error) = netapi32.NetApiBufferFree
    71  //sys   NetUserEnum(serverName *uint16, level uint32, filter uint32, buf **byte, prefMaxLen uint32, entriesRead *uint32, totalEntries *uint32, resumeHandle *uint32) (neterr error) = netapi32.NetUserEnum
    72  
    73  const (
    74  	// do not reorder
    75  	SidTypeUser = 1 + iota
    76  	SidTypeGroup
    77  	SidTypeDomain
    78  	SidTypeAlias
    79  	SidTypeWellKnownGroup
    80  	SidTypeDeletedAccount
    81  	SidTypeInvalid
    82  	SidTypeUnknown
    83  	SidTypeComputer
    84  	SidTypeLabel
    85  )
    86  
    87  type SidIdentifierAuthority struct {
    88  	Value [6]byte
    89  }
    90  
    91  var (
    92  	SECURITY_NULL_SID_AUTHORITY        = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 0}}
    93  	SECURITY_WORLD_SID_AUTHORITY       = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 1}}
    94  	SECURITY_LOCAL_SID_AUTHORITY       = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 2}}
    95  	SECURITY_CREATOR_SID_AUTHORITY     = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 3}}
    96  	SECURITY_NON_UNIQUE_AUTHORITY      = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 4}}
    97  	SECURITY_NT_AUTHORITY              = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 5}}
    98  	SECURITY_MANDATORY_LABEL_AUTHORITY = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 16}}
    99  )
   100  
   101  const (
   102  	SECURITY_NULL_RID                   = 0
   103  	SECURITY_WORLD_RID                  = 0
   104  	SECURITY_LOCAL_RID                  = 0
   105  	SECURITY_CREATOR_OWNER_RID          = 0
   106  	SECURITY_CREATOR_GROUP_RID          = 1
   107  	SECURITY_DIALUP_RID                 = 1
   108  	SECURITY_NETWORK_RID                = 2
   109  	SECURITY_BATCH_RID                  = 3
   110  	SECURITY_INTERACTIVE_RID            = 4
   111  	SECURITY_LOGON_IDS_RID              = 5
   112  	SECURITY_SERVICE_RID                = 6
   113  	SECURITY_LOCAL_SYSTEM_RID           = 18
   114  	SECURITY_BUILTIN_DOMAIN_RID         = 32
   115  	SECURITY_PRINCIPAL_SELF_RID         = 10
   116  	SECURITY_CREATOR_OWNER_SERVER_RID   = 0x2
   117  	SECURITY_CREATOR_GROUP_SERVER_RID   = 0x3
   118  	SECURITY_LOGON_IDS_RID_COUNT        = 0x3
   119  	SECURITY_ANONYMOUS_LOGON_RID        = 0x7
   120  	SECURITY_PROXY_RID                  = 0x8
   121  	SECURITY_ENTERPRISE_CONTROLLERS_RID = 0x9
   122  	SECURITY_SERVER_LOGON_RID           = SECURITY_ENTERPRISE_CONTROLLERS_RID
   123  	SECURITY_AUTHENTICATED_USER_RID     = 0xb
   124  	SECURITY_RESTRICTED_CODE_RID        = 0xc
   125  	SECURITY_NT_NON_UNIQUE_RID          = 0x15
   126  )
   127  
   128  // Predefined domain-relative RIDs for local groups.
   129  // See https://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx
   130  const (
   131  	DOMAIN_ALIAS_RID_ADMINS                         = 0x220
   132  	DOMAIN_ALIAS_RID_USERS                          = 0x221
   133  	DOMAIN_ALIAS_RID_GUESTS                         = 0x222
   134  	DOMAIN_ALIAS_RID_POWER_USERS                    = 0x223
   135  	DOMAIN_ALIAS_RID_ACCOUNT_OPS                    = 0x224
   136  	DOMAIN_ALIAS_RID_SYSTEM_OPS                     = 0x225
   137  	DOMAIN_ALIAS_RID_PRINT_OPS                      = 0x226
   138  	DOMAIN_ALIAS_RID_BACKUP_OPS                     = 0x227
   139  	DOMAIN_ALIAS_RID_REPLICATOR                     = 0x228
   140  	DOMAIN_ALIAS_RID_RAS_SERVERS                    = 0x229
   141  	DOMAIN_ALIAS_RID_PREW2KCOMPACCESS               = 0x22a
   142  	DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS           = 0x22b
   143  	DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS      = 0x22c
   144  	DOMAIN_ALIAS_RID_INCOMING_FOREST_TRUST_BUILDERS = 0x22d
   145  	DOMAIN_ALIAS_RID_MONITORING_USERS               = 0x22e
   146  	DOMAIN_ALIAS_RID_LOGGING_USERS                  = 0x22f
   147  	DOMAIN_ALIAS_RID_AUTHORIZATIONACCESS            = 0x230
   148  	DOMAIN_ALIAS_RID_TS_LICENSE_SERVERS             = 0x231
   149  	DOMAIN_ALIAS_RID_DCOM_USERS                     = 0x232
   150  	DOMAIN_ALIAS_RID_IUSERS                         = 0x238
   151  	DOMAIN_ALIAS_RID_CRYPTO_OPERATORS               = 0x239
   152  	DOMAIN_ALIAS_RID_CACHEABLE_PRINCIPALS_GROUP     = 0x23b
   153  	DOMAIN_ALIAS_RID_NON_CACHEABLE_PRINCIPALS_GROUP = 0x23c
   154  	DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP        = 0x23d
   155  	DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP      = 0x23e
   156  )
   157  
   158  //sys	LookupAccountSid(systemName *uint16, sid *SID, name *uint16, nameLen *uint32, refdDomainName *uint16, refdDomainNameLen *uint32, use *uint32) (err error) = advapi32.LookupAccountSidW
   159  //sys	LookupAccountName(systemName *uint16, accountName *uint16, sid *SID, sidLen *uint32, refdDomainName *uint16, refdDomainNameLen *uint32, use *uint32) (err error) = advapi32.LookupAccountNameW
   160  //sys	ConvertSidToStringSid(sid *SID, stringSid **uint16) (err error) = advapi32.ConvertSidToStringSidW
   161  //sys	ConvertStringSidToSid(stringSid *uint16, sid **SID) (err error) = advapi32.ConvertStringSidToSidW
   162  //sys	GetLengthSid(sid *SID) (len uint32) = advapi32.GetLengthSid
   163  //sys	CopySid(destSidLen uint32, destSid *SID, srcSid *SID) (err error) = advapi32.CopySid
   164  //sys	AllocateAndInitializeSid(identAuth *SidIdentifierAuthority, subAuth byte, subAuth0 uint32, subAuth1 uint32, subAuth2 uint32, subAuth3 uint32, subAuth4 uint32, subAuth5 uint32, subAuth6 uint32, subAuth7 uint32, sid **SID) (err error) = advapi32.AllocateAndInitializeSid
   165  //sys	createWellKnownSid(sidType WELL_KNOWN_SID_TYPE, domainSid *SID, sid *SID, sizeSid *uint32) (err error) = advapi32.CreateWellKnownSid
   166  //sys	isWellKnownSid(sid *SID, sidType WELL_KNOWN_SID_TYPE) (isWellKnown bool) = advapi32.IsWellKnownSid
   167  //sys	FreeSid(sid *SID) (err error) [failretval!=0] = advapi32.FreeSid
   168  //sys	EqualSid(sid1 *SID, sid2 *SID) (isEqual bool) = advapi32.EqualSid
   169  //sys	getSidIdentifierAuthority(sid *SID) (authority *SidIdentifierAuthority) = advapi32.GetSidIdentifierAuthority
   170  //sys	getSidSubAuthorityCount(sid *SID) (count *uint8) = advapi32.GetSidSubAuthorityCount
   171  //sys	getSidSubAuthority(sid *SID, index uint32) (subAuthority *uint32) = advapi32.GetSidSubAuthority
   172  //sys	isValidSid(sid *SID) (isValid bool) = advapi32.IsValidSid
   173  
   174  // The security identifier (SID) structure is a variable-length
   175  // structure used to uniquely identify users or groups.
   176  type SID struct{}
   177  
   178  // StringToSid converts a string-format security identifier
   179  // SID into a valid, functional SID.
   180  func StringToSid(s string) (*SID, error) {
   181  	var sid *SID
   182  	p, e := UTF16PtrFromString(s)
   183  	if e != nil {
   184  		return nil, e
   185  	}
   186  	e = ConvertStringSidToSid(p, &sid)
   187  	if e != nil {
   188  		return nil, e
   189  	}
   190  	defer LocalFree((Handle)(unsafe.Pointer(sid)))
   191  	return sid.Copy()
   192  }
   193  
   194  // LookupSID retrieves a security identifier SID for the account
   195  // and the name of the domain on which the account was found.
   196  // System specify target computer to search.
   197  func LookupSID(system, account string) (sid *SID, domain string, accType uint32, err error) {
   198  	if len(account) == 0 {
   199  		return nil, "", 0, syscall.EINVAL
   200  	}
   201  	acc, e := UTF16PtrFromString(account)
   202  	if e != nil {
   203  		return nil, "", 0, e
   204  	}
   205  	var sys *uint16
   206  	if len(system) > 0 {
   207  		sys, e = UTF16PtrFromString(system)
   208  		if e != nil {
   209  			return nil, "", 0, e
   210  		}
   211  	}
   212  	n := uint32(50)
   213  	dn := uint32(50)
   214  	for {
   215  		b := make([]byte, n)
   216  		db := make([]uint16, dn)
   217  		sid = (*SID)(unsafe.Pointer(&b[0]))
   218  		e = LookupAccountName(sys, acc, sid, &n, &db[0], &dn, &accType)
   219  		if e == nil {
   220  			return sid, UTF16ToString(db), accType, nil
   221  		}
   222  		if e != ERROR_INSUFFICIENT_BUFFER {
   223  			return nil, "", 0, e
   224  		}
   225  		if n <= uint32(len(b)) {
   226  			return nil, "", 0, e
   227  		}
   228  	}
   229  }
   230  
   231  // String converts SID to a string format suitable for display, storage, or transmission.
   232  func (sid *SID) String() string {
   233  	var s *uint16
   234  	e := ConvertSidToStringSid(sid, &s)
   235  	if e != nil {
   236  		return ""
   237  	}
   238  	defer LocalFree((Handle)(unsafe.Pointer(s)))
   239  	return UTF16ToString((*[256]uint16)(unsafe.Pointer(s))[:])
   240  }
   241  
   242  // Len returns the length, in bytes, of a valid security identifier SID.
   243  func (sid *SID) Len() int {
   244  	return int(GetLengthSid(sid))
   245  }
   246  
   247  // Copy creates a duplicate of security identifier SID.
   248  func (sid *SID) Copy() (*SID, error) {
   249  	b := make([]byte, sid.Len())
   250  	sid2 := (*SID)(unsafe.Pointer(&b[0]))
   251  	e := CopySid(uint32(len(b)), sid2, sid)
   252  	if e != nil {
   253  		return nil, e
   254  	}
   255  	return sid2, nil
   256  }
   257  
   258  // IdentifierAuthority returns the identifier authority of the SID.
   259  func (sid *SID) IdentifierAuthority() SidIdentifierAuthority {
   260  	return *getSidIdentifierAuthority(sid)
   261  }
   262  
   263  // SubAuthorityCount returns the number of sub-authorities in the SID.
   264  func (sid *SID) SubAuthorityCount() uint8 {
   265  	return *getSidSubAuthorityCount(sid)
   266  }
   267  
   268  // SubAuthority returns the sub-authority of the SID as specified by
   269  // the index, which must be less than sid.SubAuthorityCount().
   270  func (sid *SID) SubAuthority(idx uint32) uint32 {
   271  	if idx >= uint32(sid.SubAuthorityCount()) {
   272  		panic("sub-authority index out of range")
   273  	}
   274  	return *getSidSubAuthority(sid, idx)
   275  }
   276  
   277  // IsValid returns whether the SID has a valid revision and length.
   278  func (sid *SID) IsValid() bool {
   279  	return isValidSid(sid)
   280  }
   281  
   282  // Equals compares two SIDs for equality.
   283  func (sid *SID) Equals(sid2 *SID) bool {
   284  	return EqualSid(sid, sid2)
   285  }
   286  
   287  // IsWellKnown determines whether the SID matches the well-known sidType.
   288  func (sid *SID) IsWellKnown(sidType WELL_KNOWN_SID_TYPE) bool {
   289  	return isWellKnownSid(sid, sidType)
   290  }
   291  
   292  // LookupAccount retrieves the name of the account for this SID
   293  // and the name of the first domain on which this SID is found.
   294  // System specify target computer to search for.
   295  func (sid *SID) LookupAccount(system string) (account, domain string, accType uint32, err error) {
   296  	var sys *uint16
   297  	if len(system) > 0 {
   298  		sys, err = UTF16PtrFromString(system)
   299  		if err != nil {
   300  			return "", "", 0, err
   301  		}
   302  	}
   303  	n := uint32(50)
   304  	dn := uint32(50)
   305  	for {
   306  		b := make([]uint16, n)
   307  		db := make([]uint16, dn)
   308  		e := LookupAccountSid(sys, sid, &b[0], &n, &db[0], &dn, &accType)
   309  		if e == nil {
   310  			return UTF16ToString(b), UTF16ToString(db), accType, nil
   311  		}
   312  		if e != ERROR_INSUFFICIENT_BUFFER {
   313  			return "", "", 0, e
   314  		}
   315  		if n <= uint32(len(b)) {
   316  			return "", "", 0, e
   317  		}
   318  	}
   319  }
   320  
   321  // Various types of pre-specified SIDs that can be synthesized and compared at runtime.
   322  type WELL_KNOWN_SID_TYPE uint32
   323  
   324  const (
   325  	WinNullSid                                    = 0
   326  	WinWorldSid                                   = 1
   327  	WinLocalSid                                   = 2
   328  	WinCreatorOwnerSid                            = 3
   329  	WinCreatorGroupSid                            = 4
   330  	WinCreatorOwnerServerSid                      = 5
   331  	WinCreatorGroupServerSid                      = 6
   332  	WinNtAuthoritySid                             = 7
   333  	WinDialupSid                                  = 8
   334  	WinNetworkSid                                 = 9
   335  	WinBatchSid                                   = 10
   336  	WinInteractiveSid                             = 11
   337  	WinServiceSid                                 = 12
   338  	WinAnonymousSid                               = 13
   339  	WinProxySid                                   = 14
   340  	WinEnterpriseControllersSid                   = 15
   341  	WinSelfSid                                    = 16
   342  	WinAuthenticatedUserSid                       = 17
   343  	WinRestrictedCodeSid                          = 18
   344  	WinTerminalServerSid                          = 19
   345  	WinRemoteLogonIdSid                           = 20
   346  	WinLogonIdsSid                                = 21
   347  	WinLocalSystemSid                             = 22
   348  	WinLocalServiceSid                            = 23
   349  	WinNetworkServiceSid                          = 24
   350  	WinBuiltinDomainSid                           = 25
   351  	WinBuiltinAdministratorsSid                   = 26
   352  	WinBuiltinUsersSid                            = 27
   353  	WinBuiltinGuestsSid                           = 28
   354  	WinBuiltinPowerUsersSid                       = 29
   355  	WinBuiltinAccountOperatorsSid                 = 30
   356  	WinBuiltinSystemOperatorsSid                  = 31
   357  	WinBuiltinPrintOperatorsSid                   = 32
   358  	WinBuiltinBackupOperatorsSid                  = 33
   359  	WinBuiltinReplicatorSid                       = 34
   360  	WinBuiltinPreWindows2000CompatibleAccessSid   = 35
   361  	WinBuiltinRemoteDesktopUsersSid               = 36
   362  	WinBuiltinNetworkConfigurationOperatorsSid    = 37
   363  	WinAccountAdministratorSid                    = 38
   364  	WinAccountGuestSid                            = 39
   365  	WinAccountKrbtgtSid                           = 40
   366  	WinAccountDomainAdminsSid                     = 41
   367  	WinAccountDomainUsersSid                      = 42
   368  	WinAccountDomainGuestsSid                     = 43
   369  	WinAccountComputersSid                        = 44
   370  	WinAccountControllersSid                      = 45
   371  	WinAccountCertAdminsSid                       = 46
   372  	WinAccountSchemaAdminsSid                     = 47
   373  	WinAccountEnterpriseAdminsSid                 = 48
   374  	WinAccountPolicyAdminsSid                     = 49
   375  	WinAccountRasAndIasServersSid                 = 50
   376  	WinNTLMAuthenticationSid                      = 51
   377  	WinDigestAuthenticationSid                    = 52
   378  	WinSChannelAuthenticationSid                  = 53
   379  	WinThisOrganizationSid                        = 54
   380  	WinOtherOrganizationSid                       = 55
   381  	WinBuiltinIncomingForestTrustBuildersSid      = 56
   382  	WinBuiltinPerfMonitoringUsersSid              = 57
   383  	WinBuiltinPerfLoggingUsersSid                 = 58
   384  	WinBuiltinAuthorizationAccessSid              = 59
   385  	WinBuiltinTerminalServerLicenseServersSid     = 60
   386  	WinBuiltinDCOMUsersSid                        = 61
   387  	WinBuiltinIUsersSid                           = 62
   388  	WinIUserSid                                   = 63
   389  	WinBuiltinCryptoOperatorsSid                  = 64
   390  	WinUntrustedLabelSid                          = 65
   391  	WinLowLabelSid                                = 66
   392  	WinMediumLabelSid                             = 67
   393  	WinHighLabelSid                               = 68
   394  	WinSystemLabelSid                             = 69
   395  	WinWriteRestrictedCodeSid                     = 70
   396  	WinCreatorOwnerRightsSid                      = 71
   397  	WinCacheablePrincipalsGroupSid                = 72
   398  	WinNonCacheablePrincipalsGroupSid             = 73
   399  	WinEnterpriseReadonlyControllersSid           = 74
   400  	WinAccountReadonlyControllersSid              = 75
   401  	WinBuiltinEventLogReadersGroup                = 76
   402  	WinNewEnterpriseReadonlyControllersSid        = 77
   403  	WinBuiltinCertSvcDComAccessGroup              = 78
   404  	WinMediumPlusLabelSid                         = 79
   405  	WinLocalLogonSid                              = 80
   406  	WinConsoleLogonSid                            = 81
   407  	WinThisOrganizationCertificateSid             = 82
   408  	WinApplicationPackageAuthoritySid             = 83
   409  	WinBuiltinAnyPackageSid                       = 84
   410  	WinCapabilityInternetClientSid                = 85
   411  	WinCapabilityInternetClientServerSid          = 86
   412  	WinCapabilityPrivateNetworkClientServerSid    = 87
   413  	WinCapabilityPicturesLibrarySid               = 88
   414  	WinCapabilityVideosLibrarySid                 = 89
   415  	WinCapabilityMusicLibrarySid                  = 90
   416  	WinCapabilityDocumentsLibrarySid              = 91
   417  	WinCapabilitySharedUserCertificatesSid        = 92
   418  	WinCapabilityEnterpriseAuthenticationSid      = 93
   419  	WinCapabilityRemovableStorageSid              = 94
   420  	WinBuiltinRDSRemoteAccessServersSid           = 95
   421  	WinBuiltinRDSEndpointServersSid               = 96
   422  	WinBuiltinRDSManagementServersSid             = 97
   423  	WinUserModeDriversSid                         = 98
   424  	WinBuiltinHyperVAdminsSid                     = 99
   425  	WinAccountCloneableControllersSid             = 100
   426  	WinBuiltinAccessControlAssistanceOperatorsSid = 101
   427  	WinBuiltinRemoteManagementUsersSid            = 102
   428  	WinAuthenticationAuthorityAssertedSid         = 103
   429  	WinAuthenticationServiceAssertedSid           = 104
   430  	WinLocalAccountSid                            = 105
   431  	WinLocalAccountAndAdministratorSid            = 106
   432  	WinAccountProtectedUsersSid                   = 107
   433  	WinCapabilityAppointmentsSid                  = 108
   434  	WinCapabilityContactsSid                      = 109
   435  	WinAccountDefaultSystemManagedSid             = 110
   436  	WinBuiltinDefaultSystemManagedGroupSid        = 111
   437  	WinBuiltinStorageReplicaAdminsSid             = 112
   438  	WinAccountKeyAdminsSid                        = 113
   439  	WinAccountEnterpriseKeyAdminsSid              = 114
   440  	WinAuthenticationKeyTrustSid                  = 115
   441  	WinAuthenticationKeyPropertyMFASid            = 116
   442  	WinAuthenticationKeyPropertyAttestationSid    = 117
   443  	WinAuthenticationFreshKeyAuthSid              = 118
   444  	WinBuiltinDeviceOwnersSid                     = 119
   445  )
   446  
   447  // Creates a SID for a well-known predefined alias, generally using the constants of the form
   448  // Win*Sid, for the local machine.
   449  func CreateWellKnownSid(sidType WELL_KNOWN_SID_TYPE) (*SID, error) {
   450  	return CreateWellKnownDomainSid(sidType, nil)
   451  }
   452  
   453  // Creates a SID for a well-known predefined alias, generally using the constants of the form
   454  // Win*Sid, for the domain specified by the domainSid parameter.
   455  func CreateWellKnownDomainSid(sidType WELL_KNOWN_SID_TYPE, domainSid *SID) (*SID, error) {
   456  	n := uint32(50)
   457  	for {
   458  		b := make([]byte, n)
   459  		sid := (*SID)(unsafe.Pointer(&b[0]))
   460  		err := createWellKnownSid(sidType, domainSid, sid, &n)
   461  		if err == nil {
   462  			return sid, nil
   463  		}
   464  		if err != ERROR_INSUFFICIENT_BUFFER {
   465  			return nil, err
   466  		}
   467  		if n <= uint32(len(b)) {
   468  			return nil, err
   469  		}
   470  	}
   471  }
   472  
   473  const (
   474  	// do not reorder
   475  	TOKEN_ASSIGN_PRIMARY = 1 << iota
   476  	TOKEN_DUPLICATE
   477  	TOKEN_IMPERSONATE
   478  	TOKEN_QUERY
   479  	TOKEN_QUERY_SOURCE
   480  	TOKEN_ADJUST_PRIVILEGES
   481  	TOKEN_ADJUST_GROUPS
   482  	TOKEN_ADJUST_DEFAULT
   483  	TOKEN_ADJUST_SESSIONID
   484  
   485  	TOKEN_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED |
   486  		TOKEN_ASSIGN_PRIMARY |
   487  		TOKEN_DUPLICATE |
   488  		TOKEN_IMPERSONATE |
   489  		TOKEN_QUERY |
   490  		TOKEN_QUERY_SOURCE |
   491  		TOKEN_ADJUST_PRIVILEGES |
   492  		TOKEN_ADJUST_GROUPS |
   493  		TOKEN_ADJUST_DEFAULT |
   494  		TOKEN_ADJUST_SESSIONID
   495  	TOKEN_READ  = STANDARD_RIGHTS_READ | TOKEN_QUERY
   496  	TOKEN_WRITE = STANDARD_RIGHTS_WRITE |
   497  		TOKEN_ADJUST_PRIVILEGES |
   498  		TOKEN_ADJUST_GROUPS |
   499  		TOKEN_ADJUST_DEFAULT
   500  	TOKEN_EXECUTE = STANDARD_RIGHTS_EXECUTE
   501  )
   502  
   503  const (
   504  	// do not reorder
   505  	TokenUser = 1 + iota
   506  	TokenGroups
   507  	TokenPrivileges
   508  	TokenOwner
   509  	TokenPrimaryGroup
   510  	TokenDefaultDacl
   511  	TokenSource
   512  	TokenType
   513  	TokenImpersonationLevel
   514  	TokenStatistics
   515  	TokenRestrictedSids
   516  	TokenSessionId
   517  	TokenGroupsAndPrivileges
   518  	TokenSessionReference
   519  	TokenSandBoxInert
   520  	TokenAuditPolicy
   521  	TokenOrigin
   522  	TokenElevationType
   523  	TokenLinkedToken
   524  	TokenElevation
   525  	TokenHasRestrictions
   526  	TokenAccessInformation
   527  	TokenVirtualizationAllowed
   528  	TokenVirtualizationEnabled
   529  	TokenIntegrityLevel
   530  	TokenUIAccess
   531  	TokenMandatoryPolicy
   532  	TokenLogonSid
   533  	MaxTokenInfoClass
   534  )
   535  
   536  // Group attributes inside of Tokengroups.Groups[i].Attributes
   537  const (
   538  	SE_GROUP_MANDATORY          = 0x00000001
   539  	SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002
   540  	SE_GROUP_ENABLED            = 0x00000004
   541  	SE_GROUP_OWNER              = 0x00000008
   542  	SE_GROUP_USE_FOR_DENY_ONLY  = 0x00000010
   543  	SE_GROUP_INTEGRITY          = 0x00000020
   544  	SE_GROUP_INTEGRITY_ENABLED  = 0x00000040
   545  	SE_GROUP_LOGON_ID           = 0xC0000000
   546  	SE_GROUP_RESOURCE           = 0x20000000
   547  	SE_GROUP_VALID_ATTRIBUTES   = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED | SE_GROUP_OWNER | SE_GROUP_USE_FOR_DENY_ONLY | SE_GROUP_LOGON_ID | SE_GROUP_RESOURCE | SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED
   548  )
   549  
   550  // Privilege attributes
   551  const (
   552  	SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001
   553  	SE_PRIVILEGE_ENABLED            = 0x00000002
   554  	SE_PRIVILEGE_REMOVED            = 0x00000004
   555  	SE_PRIVILEGE_USED_FOR_ACCESS    = 0x80000000
   556  	SE_PRIVILEGE_VALID_ATTRIBUTES   = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_REMOVED | SE_PRIVILEGE_USED_FOR_ACCESS
   557  )
   558  
   559  // Token types
   560  const (
   561  	TokenPrimary       = 1
   562  	TokenImpersonation = 2
   563  )
   564  
   565  // Impersonation levels
   566  const (
   567  	SecurityAnonymous      = 0
   568  	SecurityIdentification = 1
   569  	SecurityImpersonation  = 2
   570  	SecurityDelegation     = 3
   571  )
   572  
   573  type LUID struct {
   574  	LowPart  uint32
   575  	HighPart int32
   576  }
   577  
   578  type LUIDAndAttributes struct {
   579  	Luid       LUID
   580  	Attributes uint32
   581  }
   582  
   583  type SIDAndAttributes struct {
   584  	Sid        *SID
   585  	Attributes uint32
   586  }
   587  
   588  type Tokenuser struct {
   589  	User SIDAndAttributes
   590  }
   591  
   592  type Tokenprimarygroup struct {
   593  	PrimaryGroup *SID
   594  }
   595  
   596  type Tokengroups struct {
   597  	GroupCount uint32
   598  	Groups     [1]SIDAndAttributes // Use AllGroups() for iterating.
   599  }
   600  
   601  // AllGroups returns a slice that can be used to iterate over the groups in g.
   602  func (g *Tokengroups) AllGroups() []SIDAndAttributes {
   603  	return (*[(1 << 28) - 1]SIDAndAttributes)(unsafe.Pointer(&g.Groups[0]))[:g.GroupCount:g.GroupCount]
   604  }
   605  
   606  type Tokenprivileges struct {
   607  	PrivilegeCount uint32
   608  	Privileges     [1]LUIDAndAttributes // Use AllPrivileges() for iterating.
   609  }
   610  
   611  // AllPrivileges returns a slice that can be used to iterate over the privileges in p.
   612  func (p *Tokenprivileges) AllPrivileges() []LUIDAndAttributes {
   613  	return (*[(1 << 27) - 1]LUIDAndAttributes)(unsafe.Pointer(&p.Privileges[0]))[:p.PrivilegeCount:p.PrivilegeCount]
   614  }
   615  
   616  type Tokenmandatorylabel struct {
   617  	Label SIDAndAttributes
   618  }
   619  
   620  func (tml *Tokenmandatorylabel) Size() uint32 {
   621  	return uint32(unsafe.Sizeof(Tokenmandatorylabel{})) + GetLengthSid(tml.Label.Sid)
   622  }
   623  
   624  // Authorization Functions
   625  //sys	checkTokenMembership(tokenHandle Token, sidToCheck *SID, isMember *int32) (err error) = advapi32.CheckTokenMembership
   626  //sys	isTokenRestricted(tokenHandle Token) (ret bool, err error) [!failretval] = advapi32.IsTokenRestricted
   627  //sys	OpenProcessToken(process Handle, access uint32, token *Token) (err error) = advapi32.OpenProcessToken
   628  //sys	OpenThreadToken(thread Handle, access uint32, openAsSelf bool, token *Token) (err error) = advapi32.OpenThreadToken
   629  //sys	ImpersonateSelf(impersonationlevel uint32) (err error) = advapi32.ImpersonateSelf
   630  //sys	RevertToSelf() (err error) = advapi32.RevertToSelf
   631  //sys	SetThreadToken(thread *Handle, token Token) (err error) = advapi32.SetThreadToken
   632  //sys	LookupPrivilegeValue(systemname *uint16, name *uint16, luid *LUID) (err error) = advapi32.LookupPrivilegeValueW
   633  //sys	AdjustTokenPrivileges(token Token, disableAllPrivileges bool, newstate *Tokenprivileges, buflen uint32, prevstate *Tokenprivileges, returnlen *uint32) (err error) = advapi32.AdjustTokenPrivileges
   634  //sys	AdjustTokenGroups(token Token, resetToDefault bool, newstate *Tokengroups, buflen uint32, prevstate *Tokengroups, returnlen *uint32) (err error) = advapi32.AdjustTokenGroups
   635  //sys	GetTokenInformation(token Token, infoClass uint32, info *byte, infoLen uint32, returnedLen *uint32) (err error) = advapi32.GetTokenInformation
   636  //sys	SetTokenInformation(token Token, infoClass uint32, info *byte, infoLen uint32) (err error) = advapi32.SetTokenInformation
   637  //sys	DuplicateTokenEx(existingToken Token, desiredAccess uint32, tokenAttributes *SecurityAttributes, impersonationLevel uint32, tokenType uint32, newToken *Token) (err error) = advapi32.DuplicateTokenEx
   638  //sys	GetUserProfileDirectory(t Token, dir *uint16, dirLen *uint32) (err error) = userenv.GetUserProfileDirectoryW
   639  //sys	getSystemDirectory(dir *uint16, dirLen uint32) (len uint32, err error) = kernel32.GetSystemDirectoryW
   640  //sys	getWindowsDirectory(dir *uint16, dirLen uint32) (len uint32, err error) = kernel32.GetWindowsDirectoryW
   641  //sys	getSystemWindowsDirectory(dir *uint16, dirLen uint32) (len uint32, err error) = kernel32.GetSystemWindowsDirectoryW
   642  
   643  // An access token contains the security information for a logon session.
   644  // The system creates an access token when a user logs on, and every
   645  // process executed on behalf of the user has a copy of the token.
   646  // The token identifies the user, the user's groups, and the user's
   647  // privileges. The system uses the token to control access to securable
   648  // objects and to control the ability of the user to perform various
   649  // system-related operations on the local computer.
   650  type Token Handle
   651  
   652  // OpenCurrentProcessToken opens an access token associated with current
   653  // process with TOKEN_QUERY access. It is a real token that needs to be closed.
   654  //
   655  // Deprecated: Explicitly call OpenProcessToken(CurrentProcess(), ...)
   656  // with the desired access instead, or use GetCurrentProcessToken for a
   657  // TOKEN_QUERY token.
   658  func OpenCurrentProcessToken() (Token, error) {
   659  	var token Token
   660  	err := OpenProcessToken(CurrentProcess(), TOKEN_QUERY, &token)
   661  	return token, err
   662  }
   663  
   664  // GetCurrentProcessToken returns the access token associated with
   665  // the current process. It is a pseudo token that does not need
   666  // to be closed.
   667  func GetCurrentProcessToken() Token {
   668  	return Token(^uintptr(4 - 1))
   669  }
   670  
   671  // GetCurrentThreadToken return the access token associated with
   672  // the current thread. It is a pseudo token that does not need
   673  // to be closed.
   674  func GetCurrentThreadToken() Token {
   675  	return Token(^uintptr(5 - 1))
   676  }
   677  
   678  // GetCurrentThreadEffectiveToken returns the effective access token
   679  // associated with the current thread. It is a pseudo token that does
   680  // not need to be closed.
   681  func GetCurrentThreadEffectiveToken() Token {
   682  	return Token(^uintptr(6 - 1))
   683  }
   684  
   685  // Close releases access to access token.
   686  func (t Token) Close() error {
   687  	return CloseHandle(Handle(t))
   688  }
   689  
   690  // getInfo retrieves a specified type of information about an access token.
   691  func (t Token) getInfo(class uint32, initSize int) (unsafe.Pointer, error) {
   692  	n := uint32(initSize)
   693  	for {
   694  		b := make([]byte, n)
   695  		e := GetTokenInformation(t, class, &b[0], uint32(len(b)), &n)
   696  		if e == nil {
   697  			return unsafe.Pointer(&b[0]), nil
   698  		}
   699  		if e != ERROR_INSUFFICIENT_BUFFER {
   700  			return nil, e
   701  		}
   702  		if n <= uint32(len(b)) {
   703  			return nil, e
   704  		}
   705  	}
   706  }
   707  
   708  // GetTokenUser retrieves access token t user account information.
   709  func (t Token) GetTokenUser() (*Tokenuser, error) {
   710  	i, e := t.getInfo(TokenUser, 50)
   711  	if e != nil {
   712  		return nil, e
   713  	}
   714  	return (*Tokenuser)(i), nil
   715  }
   716  
   717  // GetTokenGroups retrieves group accounts associated with access token t.
   718  func (t Token) GetTokenGroups() (*Tokengroups, error) {
   719  	i, e := t.getInfo(TokenGroups, 50)
   720  	if e != nil {
   721  		return nil, e
   722  	}
   723  	return (*Tokengroups)(i), nil
   724  }
   725  
   726  // GetTokenPrimaryGroup retrieves access token t primary group information.
   727  // A pointer to a SID structure representing a group that will become
   728  // the primary group of any objects created by a process using this access token.
   729  func (t Token) GetTokenPrimaryGroup() (*Tokenprimarygroup, error) {
   730  	i, e := t.getInfo(TokenPrimaryGroup, 50)
   731  	if e != nil {
   732  		return nil, e
   733  	}
   734  	return (*Tokenprimarygroup)(i), nil
   735  }
   736  
   737  // GetUserProfileDirectory retrieves path to the
   738  // root directory of the access token t user's profile.
   739  func (t Token) GetUserProfileDirectory() (string, error) {
   740  	n := uint32(100)
   741  	for {
   742  		b := make([]uint16, n)
   743  		e := GetUserProfileDirectory(t, &b[0], &n)
   744  		if e == nil {
   745  			return UTF16ToString(b), nil
   746  		}
   747  		if e != ERROR_INSUFFICIENT_BUFFER {
   748  			return "", e
   749  		}
   750  		if n <= uint32(len(b)) {
   751  			return "", e
   752  		}
   753  	}
   754  }
   755  
   756  // IsElevated returns whether the current token is elevated from a UAC perspective.
   757  func (token Token) IsElevated() bool {
   758  	var isElevated uint32
   759  	var outLen uint32
   760  	err := GetTokenInformation(token, TokenElevation, (*byte)(unsafe.Pointer(&isElevated)), uint32(unsafe.Sizeof(isElevated)), &outLen)
   761  	if err != nil {
   762  		return false
   763  	}
   764  	return outLen == uint32(unsafe.Sizeof(isElevated)) && isElevated != 0
   765  }
   766  
   767  // GetLinkedToken returns the linked token, which may be an elevated UAC token.
   768  func (token Token) GetLinkedToken() (Token, error) {
   769  	var linkedToken Token
   770  	var outLen uint32
   771  	err := GetTokenInformation(token, TokenLinkedToken, (*byte)(unsafe.Pointer(&linkedToken)), uint32(unsafe.Sizeof(linkedToken)), &outLen)
   772  	if err != nil {
   773  		return Token(0), err
   774  	}
   775  	return linkedToken, nil
   776  }
   777  
   778  // GetSystemDirectory retrieves the path to current location of the system
   779  // directory, which is typically, though not always, `C:\Windows\System32`.
   780  func GetSystemDirectory() (string, error) {
   781  	n := uint32(MAX_PATH)
   782  	for {
   783  		b := make([]uint16, n)
   784  		l, e := getSystemDirectory(&b[0], n)
   785  		if e != nil {
   786  			return "", e
   787  		}
   788  		if l <= n {
   789  			return UTF16ToString(b[:l]), nil
   790  		}
   791  		n = l
   792  	}
   793  }
   794  
   795  // GetWindowsDirectory retrieves the path to current location of the Windows
   796  // directory, which is typically, though not always, `C:\Windows`. This may
   797  // be a private user directory in the case that the application is running
   798  // under a terminal server.
   799  func GetWindowsDirectory() (string, error) {
   800  	n := uint32(MAX_PATH)
   801  	for {
   802  		b := make([]uint16, n)
   803  		l, e := getWindowsDirectory(&b[0], n)
   804  		if e != nil {
   805  			return "", e
   806  		}
   807  		if l <= n {
   808  			return UTF16ToString(b[:l]), nil
   809  		}
   810  		n = l
   811  	}
   812  }
   813  
   814  // GetSystemWindowsDirectory retrieves the path to current location of the
   815  // Windows directory, which is typically, though not always, `C:\Windows`.
   816  func GetSystemWindowsDirectory() (string, error) {
   817  	n := uint32(MAX_PATH)
   818  	for {
   819  		b := make([]uint16, n)
   820  		l, e := getSystemWindowsDirectory(&b[0], n)
   821  		if e != nil {
   822  			return "", e
   823  		}
   824  		if l <= n {
   825  			return UTF16ToString(b[:l]), nil
   826  		}
   827  		n = l
   828  	}
   829  }
   830  
   831  // IsMember reports whether the access token t is a member of the provided SID.
   832  func (t Token) IsMember(sid *SID) (bool, error) {
   833  	var b int32
   834  	if e := checkTokenMembership(t, sid, &b); e != nil {
   835  		return false, e
   836  	}
   837  	return b != 0, nil
   838  }
   839  
   840  // IsRestricted reports whether the access token t is a restricted token.
   841  func (t Token) IsRestricted() (isRestricted bool, err error) {
   842  	isRestricted, err = isTokenRestricted(t)
   843  	if !isRestricted && err == syscall.EINVAL {
   844  		// If err is EINVAL, this returned ERROR_SUCCESS indicating a non-restricted token.
   845  		err = nil
   846  	}
   847  	return
   848  }
   849  
   850  const (
   851  	WTS_CONSOLE_CONNECT        = 0x1
   852  	WTS_CONSOLE_DISCONNECT     = 0x2
   853  	WTS_REMOTE_CONNECT         = 0x3
   854  	WTS_REMOTE_DISCONNECT      = 0x4
   855  	WTS_SESSION_LOGON          = 0x5
   856  	WTS_SESSION_LOGOFF         = 0x6
   857  	WTS_SESSION_LOCK           = 0x7
   858  	WTS_SESSION_UNLOCK         = 0x8
   859  	WTS_SESSION_REMOTE_CONTROL = 0x9
   860  	WTS_SESSION_CREATE         = 0xa
   861  	WTS_SESSION_TERMINATE      = 0xb
   862  )
   863  
   864  const (
   865  	WTSActive       = 0
   866  	WTSConnected    = 1
   867  	WTSConnectQuery = 2
   868  	WTSShadow       = 3
   869  	WTSDisconnected = 4
   870  	WTSIdle         = 5
   871  	WTSListen       = 6
   872  	WTSReset        = 7
   873  	WTSDown         = 8
   874  	WTSInit         = 9
   875  )
   876  
   877  type WTSSESSION_NOTIFICATION struct {
   878  	Size      uint32
   879  	SessionID uint32
   880  }
   881  
   882  type WTS_SESSION_INFO struct {
   883  	SessionID         uint32
   884  	WindowStationName *uint16
   885  	State             uint32
   886  }
   887  
   888  //sys WTSQueryUserToken(session uint32, token *Token) (err error) = wtsapi32.WTSQueryUserToken
   889  //sys WTSEnumerateSessions(handle Handle, reserved uint32, version uint32, sessions **WTS_SESSION_INFO, count *uint32) (err error) = wtsapi32.WTSEnumerateSessionsW
   890  //sys WTSFreeMemory(ptr uintptr) = wtsapi32.WTSFreeMemory
   891  //sys WTSGetActiveConsoleSessionId() (sessionID uint32)
   892  
   893  type ACL struct {
   894  	aclRevision byte
   895  	sbz1        byte
   896  	aclSize     uint16
   897  	aceCount    uint16
   898  	sbz2        uint16
   899  }
   900  
   901  type SECURITY_DESCRIPTOR struct {
   902  	revision byte
   903  	sbz1     byte
   904  	control  SECURITY_DESCRIPTOR_CONTROL
   905  	owner    *SID
   906  	group    *SID
   907  	sacl     *ACL
   908  	dacl     *ACL
   909  }
   910  
   911  type SECURITY_QUALITY_OF_SERVICE struct {
   912  	Length              uint32
   913  	ImpersonationLevel  uint32
   914  	ContextTrackingMode byte
   915  	EffectiveOnly       byte
   916  }
   917  
   918  // Constants for the ContextTrackingMode field of SECURITY_QUALITY_OF_SERVICE.
   919  const (
   920  	SECURITY_STATIC_TRACKING  = 0
   921  	SECURITY_DYNAMIC_TRACKING = 1
   922  )
   923  
   924  type SecurityAttributes struct {
   925  	Length             uint32
   926  	SecurityDescriptor *SECURITY_DESCRIPTOR
   927  	InheritHandle      uint32
   928  }
   929  
   930  type SE_OBJECT_TYPE uint32
   931  
   932  // Constants for type SE_OBJECT_TYPE
   933  const (
   934  	SE_UNKNOWN_OBJECT_TYPE     = 0
   935  	SE_FILE_OBJECT             = 1
   936  	SE_SERVICE                 = 2
   937  	SE_PRINTER                 = 3
   938  	SE_REGISTRY_KEY            = 4
   939  	SE_LMSHARE                 = 5
   940  	SE_KERNEL_OBJECT           = 6
   941  	SE_WINDOW_OBJECT           = 7
   942  	SE_DS_OBJECT               = 8
   943  	SE_DS_OBJECT_ALL           = 9
   944  	SE_PROVIDER_DEFINED_OBJECT = 10
   945  	SE_WMIGUID_OBJECT          = 11
   946  	SE_REGISTRY_WOW64_32KEY    = 12
   947  	SE_REGISTRY_WOW64_64KEY    = 13
   948  )
   949  
   950  type SECURITY_INFORMATION uint32
   951  
   952  // Constants for type SECURITY_INFORMATION
   953  const (
   954  	OWNER_SECURITY_INFORMATION            = 0x00000001
   955  	GROUP_SECURITY_INFORMATION            = 0x00000002
   956  	DACL_SECURITY_INFORMATION             = 0x00000004
   957  	SACL_SECURITY_INFORMATION             = 0x00000008
   958  	LABEL_SECURITY_INFORMATION            = 0x00000010
   959  	ATTRIBUTE_SECURITY_INFORMATION        = 0x00000020
   960  	SCOPE_SECURITY_INFORMATION            = 0x00000040
   961  	BACKUP_SECURITY_INFORMATION           = 0x00010000
   962  	PROTECTED_DACL_SECURITY_INFORMATION   = 0x80000000
   963  	PROTECTED_SACL_SECURITY_INFORMATION   = 0x40000000
   964  	UNPROTECTED_DACL_SECURITY_INFORMATION = 0x20000000
   965  	UNPROTECTED_SACL_SECURITY_INFORMATION = 0x10000000
   966  )
   967  
   968  type SECURITY_DESCRIPTOR_CONTROL uint16
   969  
   970  // Constants for type SECURITY_DESCRIPTOR_CONTROL
   971  const (
   972  	SE_OWNER_DEFAULTED       = 0x0001
   973  	SE_GROUP_DEFAULTED       = 0x0002
   974  	SE_DACL_PRESENT          = 0x0004
   975  	SE_DACL_DEFAULTED        = 0x0008
   976  	SE_SACL_PRESENT          = 0x0010
   977  	SE_SACL_DEFAULTED        = 0x0020
   978  	SE_DACL_AUTO_INHERIT_REQ = 0x0100
   979  	SE_SACL_AUTO_INHERIT_REQ = 0x0200
   980  	SE_DACL_AUTO_INHERITED   = 0x0400
   981  	SE_SACL_AUTO_INHERITED   = 0x0800
   982  	SE_DACL_PROTECTED        = 0x1000
   983  	SE_SACL_PROTECTED        = 0x2000
   984  	SE_RM_CONTROL_VALID      = 0x4000
   985  	SE_SELF_RELATIVE         = 0x8000
   986  )
   987  
   988  type ACCESS_MASK uint32
   989  
   990  // Constants for type ACCESS_MASK
   991  const (
   992  	DELETE                   = 0x00010000
   993  	READ_CONTROL             = 0x00020000
   994  	WRITE_DAC                = 0x00040000
   995  	WRITE_OWNER              = 0x00080000
   996  	SYNCHRONIZE              = 0x00100000
   997  	STANDARD_RIGHTS_REQUIRED = 0x000F0000
   998  	STANDARD_RIGHTS_READ     = READ_CONTROL
   999  	STANDARD_RIGHTS_WRITE    = READ_CONTROL
  1000  	STANDARD_RIGHTS_EXECUTE  = READ_CONTROL
  1001  	STANDARD_RIGHTS_ALL      = 0x001F0000
  1002  	SPECIFIC_RIGHTS_ALL      = 0x0000FFFF
  1003  	ACCESS_SYSTEM_SECURITY   = 0x01000000
  1004  	MAXIMUM_ALLOWED          = 0x02000000
  1005  	GENERIC_READ             = 0x80000000
  1006  	GENERIC_WRITE            = 0x40000000
  1007  	GENERIC_EXECUTE          = 0x20000000
  1008  	GENERIC_ALL              = 0x10000000
  1009  )
  1010  
  1011  type ACCESS_MODE uint32
  1012  
  1013  // Constants for type ACCESS_MODE
  1014  const (
  1015  	NOT_USED_ACCESS   = 0
  1016  	GRANT_ACCESS      = 1
  1017  	SET_ACCESS        = 2
  1018  	DENY_ACCESS       = 3
  1019  	REVOKE_ACCESS     = 4
  1020  	SET_AUDIT_SUCCESS = 5
  1021  	SET_AUDIT_FAILURE = 6
  1022  )
  1023  
  1024  // Constants for AceFlags and Inheritance fields
  1025  const (
  1026  	NO_INHERITANCE                     = 0x0
  1027  	SUB_OBJECTS_ONLY_INHERIT           = 0x1
  1028  	SUB_CONTAINERS_ONLY_INHERIT        = 0x2
  1029  	SUB_CONTAINERS_AND_OBJECTS_INHERIT = 0x3
  1030  	INHERIT_NO_PROPAGATE               = 0x4
  1031  	INHERIT_ONLY                       = 0x8
  1032  	INHERITED_ACCESS_ENTRY             = 0x10
  1033  	INHERITED_PARENT                   = 0x10000000
  1034  	INHERITED_GRANDPARENT              = 0x20000000
  1035  	OBJECT_INHERIT_ACE                 = 0x1
  1036  	CONTAINER_INHERIT_ACE              = 0x2
  1037  	NO_PROPAGATE_INHERIT_ACE           = 0x4
  1038  	INHERIT_ONLY_ACE                   = 0x8
  1039  	INHERITED_ACE                      = 0x10
  1040  	VALID_INHERIT_FLAGS                = 0x1F
  1041  )
  1042  
  1043  type MULTIPLE_TRUSTEE_OPERATION uint32
  1044  
  1045  // Constants for MULTIPLE_TRUSTEE_OPERATION
  1046  const (
  1047  	NO_MULTIPLE_TRUSTEE    = 0
  1048  	TRUSTEE_IS_IMPERSONATE = 1
  1049  )
  1050  
  1051  type TRUSTEE_FORM uint32
  1052  
  1053  // Constants for TRUSTEE_FORM
  1054  const (
  1055  	TRUSTEE_IS_SID              = 0
  1056  	TRUSTEE_IS_NAME             = 1
  1057  	TRUSTEE_BAD_FORM            = 2
  1058  	TRUSTEE_IS_OBJECTS_AND_SID  = 3
  1059  	TRUSTEE_IS_OBJECTS_AND_NAME = 4
  1060  )
  1061  
  1062  type TRUSTEE_TYPE uint32
  1063  
  1064  // Constants for TRUSTEE_TYPE
  1065  const (
  1066  	TRUSTEE_IS_UNKNOWN          = 0
  1067  	TRUSTEE_IS_USER             = 1
  1068  	TRUSTEE_IS_GROUP            = 2
  1069  	TRUSTEE_IS_DOMAIN           = 3
  1070  	TRUSTEE_IS_ALIAS            = 4
  1071  	TRUSTEE_IS_WELL_KNOWN_GROUP = 5
  1072  	TRUSTEE_IS_DELETED          = 6
  1073  	TRUSTEE_IS_INVALID          = 7
  1074  	TRUSTEE_IS_COMPUTER         = 8
  1075  )
  1076  
  1077  // Constants for ObjectsPresent field
  1078  const (
  1079  	ACE_OBJECT_TYPE_PRESENT           = 0x1
  1080  	ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2
  1081  )
  1082  
  1083  type EXPLICIT_ACCESS struct {
  1084  	AccessPermissions ACCESS_MASK
  1085  	AccessMode        ACCESS_MODE
  1086  	Inheritance       uint32
  1087  	Trustee           TRUSTEE
  1088  }
  1089  
  1090  // This type is the union inside of TRUSTEE and must be created using one of the TrusteeValueFrom* functions.
  1091  type TrusteeValue uintptr
  1092  
  1093  func TrusteeValueFromString(str string) TrusteeValue {
  1094  	return TrusteeValue(unsafe.Pointer(StringToUTF16Ptr(str)))
  1095  }
  1096  func TrusteeValueFromSID(sid *SID) TrusteeValue {
  1097  	return TrusteeValue(unsafe.Pointer(sid))
  1098  }
  1099  func TrusteeValueFromObjectsAndSid(objectsAndSid *OBJECTS_AND_SID) TrusteeValue {
  1100  	return TrusteeValue(unsafe.Pointer(objectsAndSid))
  1101  }
  1102  func TrusteeValueFromObjectsAndName(objectsAndName *OBJECTS_AND_NAME) TrusteeValue {
  1103  	return TrusteeValue(unsafe.Pointer(objectsAndName))
  1104  }
  1105  
  1106  type TRUSTEE struct {
  1107  	MultipleTrustee          *TRUSTEE
  1108  	MultipleTrusteeOperation MULTIPLE_TRUSTEE_OPERATION
  1109  	TrusteeForm              TRUSTEE_FORM
  1110  	TrusteeType              TRUSTEE_TYPE
  1111  	TrusteeValue             TrusteeValue
  1112  }
  1113  
  1114  type OBJECTS_AND_SID struct {
  1115  	ObjectsPresent          uint32
  1116  	ObjectTypeGuid          GUID
  1117  	InheritedObjectTypeGuid GUID
  1118  	Sid                     *SID
  1119  }
  1120  
  1121  type OBJECTS_AND_NAME struct {
  1122  	ObjectsPresent          uint32
  1123  	ObjectType              SE_OBJECT_TYPE
  1124  	ObjectTypeName          *uint16
  1125  	InheritedObjectTypeName *uint16
  1126  	Name                    *uint16
  1127  }
  1128  
  1129  //sys	getSecurityInfo(handle Handle, objectType SE_OBJECT_TYPE, securityInformation SECURITY_INFORMATION, owner **SID, group **SID, dacl **ACL, sacl **ACL, sd **SECURITY_DESCRIPTOR) (ret error) = advapi32.GetSecurityInfo
  1130  //sys	SetSecurityInfo(handle Handle, objectType SE_OBJECT_TYPE, securityInformation SECURITY_INFORMATION, owner *SID, group *SID, dacl *ACL, sacl *ACL) (ret error) = advapi32.SetSecurityInfo
  1131  //sys	getNamedSecurityInfo(objectName string, objectType SE_OBJECT_TYPE, securityInformation SECURITY_INFORMATION, owner **SID, group **SID, dacl **ACL, sacl **ACL, sd **SECURITY_DESCRIPTOR) (ret error) = advapi32.GetNamedSecurityInfoW
  1132  //sys	SetNamedSecurityInfo(objectName string, objectType SE_OBJECT_TYPE, securityInformation SECURITY_INFORMATION, owner *SID, group *SID, dacl *ACL, sacl *ACL) (ret error) = advapi32.SetNamedSecurityInfoW
  1133  //sys	SetKernelObjectSecurity(handle Handle, securityInformation SECURITY_INFORMATION, securityDescriptor *SECURITY_DESCRIPTOR) (err error) = advapi32.SetKernelObjectSecurity
  1134  
  1135  //sys	buildSecurityDescriptor(owner *TRUSTEE, group *TRUSTEE, countAccessEntries uint32, accessEntries *EXPLICIT_ACCESS, countAuditEntries uint32, auditEntries *EXPLICIT_ACCESS, oldSecurityDescriptor *SECURITY_DESCRIPTOR, sizeNewSecurityDescriptor *uint32, newSecurityDescriptor **SECURITY_DESCRIPTOR) (ret error) = advapi32.BuildSecurityDescriptorW
  1136  //sys	initializeSecurityDescriptor(absoluteSD *SECURITY_DESCRIPTOR, revision uint32) (err error) = advapi32.InitializeSecurityDescriptor
  1137  
  1138  //sys	getSecurityDescriptorControl(sd *SECURITY_DESCRIPTOR, control *SECURITY_DESCRIPTOR_CONTROL, revision *uint32) (err error) = advapi32.GetSecurityDescriptorControl
  1139  //sys	getSecurityDescriptorDacl(sd *SECURITY_DESCRIPTOR, daclPresent *bool, dacl **ACL, daclDefaulted *bool) (err error) = advapi32.GetSecurityDescriptorDacl
  1140  //sys	getSecurityDescriptorSacl(sd *SECURITY_DESCRIPTOR, saclPresent *bool, sacl **ACL, saclDefaulted *bool) (err error) = advapi32.GetSecurityDescriptorSacl
  1141  //sys	getSecurityDescriptorOwner(sd *SECURITY_DESCRIPTOR, owner **SID, ownerDefaulted *bool) (err error) = advapi32.GetSecurityDescriptorOwner
  1142  //sys	getSecurityDescriptorGroup(sd *SECURITY_DESCRIPTOR, group **SID, groupDefaulted *bool) (err error) = advapi32.GetSecurityDescriptorGroup
  1143  //sys	getSecurityDescriptorLength(sd *SECURITY_DESCRIPTOR) (len uint32) = advapi32.GetSecurityDescriptorLength
  1144  //sys	getSecurityDescriptorRMControl(sd *SECURITY_DESCRIPTOR, rmControl *uint8) (ret error) [failretval!=0] = advapi32.GetSecurityDescriptorRMControl
  1145  //sys	isValidSecurityDescriptor(sd *SECURITY_DESCRIPTOR) (isValid bool) = advapi32.IsValidSecurityDescriptor
  1146  
  1147  //sys	setSecurityDescriptorControl(sd *SECURITY_DESCRIPTOR, controlBitsOfInterest SECURITY_DESCRIPTOR_CONTROL, controlBitsToSet SECURITY_DESCRIPTOR_CONTROL) (err error) = advapi32.SetSecurityDescriptorControl
  1148  //sys	setSecurityDescriptorDacl(sd *SECURITY_DESCRIPTOR, daclPresent bool, dacl *ACL, daclDefaulted bool) (err error) = advapi32.SetSecurityDescriptorDacl
  1149  //sys	setSecurityDescriptorSacl(sd *SECURITY_DESCRIPTOR, saclPresent bool, sacl *ACL, saclDefaulted bool) (err error) = advapi32.SetSecurityDescriptorSacl
  1150  //sys	setSecurityDescriptorOwner(sd *SECURITY_DESCRIPTOR, owner *SID, ownerDefaulted bool) (err error) = advapi32.SetSecurityDescriptorOwner
  1151  //sys	setSecurityDescriptorGroup(sd *SECURITY_DESCRIPTOR, group *SID, groupDefaulted bool) (err error) = advapi32.SetSecurityDescriptorGroup
  1152  //sys	setSecurityDescriptorRMControl(sd *SECURITY_DESCRIPTOR, rmControl *uint8) = advapi32.SetSecurityDescriptorRMControl
  1153  
  1154  //sys	convertStringSecurityDescriptorToSecurityDescriptor(str string, revision uint32, sd **SECURITY_DESCRIPTOR, size *uint32) (err error) = advapi32.ConvertStringSecurityDescriptorToSecurityDescriptorW
  1155  //sys	convertSecurityDescriptorToStringSecurityDescriptor(sd *SECURITY_DESCRIPTOR, revision uint32, securityInformation SECURITY_INFORMATION, str **uint16, strLen *uint32) (err error) = advapi32.ConvertSecurityDescriptorToStringSecurityDescriptorW
  1156  
  1157  //sys	makeAbsoluteSD(selfRelativeSD *SECURITY_DESCRIPTOR, absoluteSD *SECURITY_DESCRIPTOR, absoluteSDSize *uint32, dacl *ACL, daclSize *uint32, sacl *ACL, saclSize *uint32, owner *SID, ownerSize *uint32, group *SID, groupSize *uint32) (err error) = advapi32.MakeAbsoluteSD
  1158  //sys	makeSelfRelativeSD(absoluteSD *SECURITY_DESCRIPTOR, selfRelativeSD *SECURITY_DESCRIPTOR, selfRelativeSDSize *uint32) (err error) = advapi32.MakeSelfRelativeSD
  1159  
  1160  //sys	setEntriesInAcl(countExplicitEntries uint32, explicitEntries *EXPLICIT_ACCESS, oldACL *ACL, newACL **ACL) (ret error) = advapi32.SetEntriesInAclW
  1161  
  1162  // Control returns the security descriptor control bits.
  1163  func (sd *SECURITY_DESCRIPTOR) Control() (control SECURITY_DESCRIPTOR_CONTROL, revision uint32, err error) {
  1164  	err = getSecurityDescriptorControl(sd, &control, &revision)
  1165  	return
  1166  }
  1167  
  1168  // SetControl sets the security descriptor control bits.
  1169  func (sd *SECURITY_DESCRIPTOR) SetControl(controlBitsOfInterest SECURITY_DESCRIPTOR_CONTROL, controlBitsToSet SECURITY_DESCRIPTOR_CONTROL) error {
  1170  	return setSecurityDescriptorControl(sd, controlBitsOfInterest, controlBitsToSet)
  1171  }
  1172  
  1173  // RMControl returns the security descriptor resource manager control bits.
  1174  func (sd *SECURITY_DESCRIPTOR) RMControl() (control uint8, err error) {
  1175  	err = getSecurityDescriptorRMControl(sd, &control)
  1176  	return
  1177  }
  1178  
  1179  // SetRMControl sets the security descriptor resource manager control bits.
  1180  func (sd *SECURITY_DESCRIPTOR) SetRMControl(rmControl uint8) {
  1181  	setSecurityDescriptorRMControl(sd, &rmControl)
  1182  }
  1183  
  1184  // DACL returns the security descriptor DACL and whether it was defaulted. The dacl return value may be nil
  1185  // if a DACL exists but is an "empty DACL", meaning fully permissive. If the DACL does not exist, err returns
  1186  // ERROR_OBJECT_NOT_FOUND.
  1187  func (sd *SECURITY_DESCRIPTOR) DACL() (dacl *ACL, defaulted bool, err error) {
  1188  	var present bool
  1189  	err = getSecurityDescriptorDacl(sd, &present, &dacl, &defaulted)
  1190  	if !present {
  1191  		err = ERROR_OBJECT_NOT_FOUND
  1192  	}
  1193  	return
  1194  }
  1195  
  1196  // SetDACL sets the absolute security descriptor DACL.
  1197  func (absoluteSD *SECURITY_DESCRIPTOR) SetDACL(dacl *ACL, present, defaulted bool) error {
  1198  	return setSecurityDescriptorDacl(absoluteSD, present, dacl, defaulted)
  1199  }
  1200  
  1201  // SACL returns the security descriptor SACL and whether it was defaulted. The sacl return value may be nil
  1202  // if a SACL exists but is an "empty SACL", meaning fully permissive. If the SACL does not exist, err returns
  1203  // ERROR_OBJECT_NOT_FOUND.
  1204  func (sd *SECURITY_DESCRIPTOR) SACL() (sacl *ACL, defaulted bool, err error) {
  1205  	var present bool
  1206  	err = getSecurityDescriptorSacl(sd, &present, &sacl, &defaulted)
  1207  	if !present {
  1208  		err = ERROR_OBJECT_NOT_FOUND
  1209  	}
  1210  	return
  1211  }
  1212  
  1213  // SetSACL sets the absolute security descriptor SACL.
  1214  func (absoluteSD *SECURITY_DESCRIPTOR) SetSACL(sacl *ACL, present, defaulted bool) error {
  1215  	return setSecurityDescriptorSacl(absoluteSD, present, sacl, defaulted)
  1216  }
  1217  
  1218  // Owner returns the security descriptor owner and whether it was defaulted.
  1219  func (sd *SECURITY_DESCRIPTOR) Owner() (owner *SID, defaulted bool, err error) {
  1220  	err = getSecurityDescriptorOwner(sd, &owner, &defaulted)
  1221  	return
  1222  }
  1223  
  1224  // SetOwner sets the absolute security descriptor owner.
  1225  func (absoluteSD *SECURITY_DESCRIPTOR) SetOwner(owner *SID, defaulted bool) error {
  1226  	return setSecurityDescriptorOwner(absoluteSD, owner, defaulted)
  1227  }
  1228  
  1229  // Group returns the security descriptor group and whether it was defaulted.
  1230  func (sd *SECURITY_DESCRIPTOR) Group() (group *SID, defaulted bool, err error) {
  1231  	err = getSecurityDescriptorGroup(sd, &group, &defaulted)
  1232  	return
  1233  }
  1234  
  1235  // SetGroup sets the absolute security descriptor owner.
  1236  func (absoluteSD *SECURITY_DESCRIPTOR) SetGroup(group *SID, defaulted bool) error {
  1237  	return setSecurityDescriptorGroup(absoluteSD, group, defaulted)
  1238  }
  1239  
  1240  // Length returns the length of the security descriptor.
  1241  func (sd *SECURITY_DESCRIPTOR) Length() uint32 {
  1242  	return getSecurityDescriptorLength(sd)
  1243  }
  1244  
  1245  // IsValid returns whether the security descriptor is valid.
  1246  func (sd *SECURITY_DESCRIPTOR) IsValid() bool {
  1247  	return isValidSecurityDescriptor(sd)
  1248  }
  1249  
  1250  // String returns the SDDL form of the security descriptor, with a function signature that can be
  1251  // used with %v formatting directives.
  1252  func (sd *SECURITY_DESCRIPTOR) String() string {
  1253  	var sddl *uint16
  1254  	err := convertSecurityDescriptorToStringSecurityDescriptor(sd, 1, 0xff, &sddl, nil)
  1255  	if err != nil {
  1256  		return ""
  1257  	}
  1258  	defer LocalFree(Handle(unsafe.Pointer(sddl)))
  1259  	return UTF16PtrToString(sddl)
  1260  }
  1261  
  1262  // ToAbsolute converts a self-relative security descriptor into an absolute one.
  1263  func (selfRelativeSD *SECURITY_DESCRIPTOR) ToAbsolute() (absoluteSD *SECURITY_DESCRIPTOR, err error) {
  1264  	control, _, err := selfRelativeSD.Control()
  1265  	if err != nil {
  1266  		return
  1267  	}
  1268  	if control&SE_SELF_RELATIVE == 0 {
  1269  		err = ERROR_INVALID_PARAMETER
  1270  		return
  1271  	}
  1272  	var absoluteSDSize, daclSize, saclSize, ownerSize, groupSize uint32
  1273  	err = makeAbsoluteSD(selfRelativeSD, nil, &absoluteSDSize,
  1274  		nil, &daclSize, nil, &saclSize, nil, &ownerSize, nil, &groupSize)
  1275  	switch err {
  1276  	case ERROR_INSUFFICIENT_BUFFER:
  1277  	case nil:
  1278  		// makeAbsoluteSD is expected to fail, but it succeeds.
  1279  		return nil, ERROR_INTERNAL_ERROR
  1280  	default:
  1281  		return nil, err
  1282  	}
  1283  	if absoluteSDSize > 0 {
  1284  		absoluteSD = (*SECURITY_DESCRIPTOR)(unsafe.Pointer(&make([]byte, absoluteSDSize)[0]))
  1285  	}
  1286  	var (
  1287  		dacl  *ACL
  1288  		sacl  *ACL
  1289  		owner *SID
  1290  		group *SID
  1291  	)
  1292  	if daclSize > 0 {
  1293  		dacl = (*ACL)(unsafe.Pointer(&make([]byte, daclSize)[0]))
  1294  	}
  1295  	if saclSize > 0 {
  1296  		sacl = (*ACL)(unsafe.Pointer(&make([]byte, saclSize)[0]))
  1297  	}
  1298  	if ownerSize > 0 {
  1299  		owner = (*SID)(unsafe.Pointer(&make([]byte, ownerSize)[0]))
  1300  	}
  1301  	if groupSize > 0 {
  1302  		group = (*SID)(unsafe.Pointer(&make([]byte, groupSize)[0]))
  1303  	}
  1304  	err = makeAbsoluteSD(selfRelativeSD, absoluteSD, &absoluteSDSize,
  1305  		dacl, &daclSize, sacl, &saclSize, owner, &ownerSize, group, &groupSize)
  1306  	return
  1307  }
  1308  
  1309  // ToSelfRelative converts an absolute security descriptor into a self-relative one.
  1310  func (absoluteSD *SECURITY_DESCRIPTOR) ToSelfRelative() (selfRelativeSD *SECURITY_DESCRIPTOR, err error) {
  1311  	control, _, err := absoluteSD.Control()
  1312  	if err != nil {
  1313  		return
  1314  	}
  1315  	if control&SE_SELF_RELATIVE != 0 {
  1316  		err = ERROR_INVALID_PARAMETER
  1317  		return
  1318  	}
  1319  	var selfRelativeSDSize uint32
  1320  	err = makeSelfRelativeSD(absoluteSD, nil, &selfRelativeSDSize)
  1321  	switch err {
  1322  	case ERROR_INSUFFICIENT_BUFFER:
  1323  	case nil:
  1324  		// makeSelfRelativeSD is expected to fail, but it succeeds.
  1325  		return nil, ERROR_INTERNAL_ERROR
  1326  	default:
  1327  		return nil, err
  1328  	}
  1329  	if selfRelativeSDSize > 0 {
  1330  		selfRelativeSD = (*SECURITY_DESCRIPTOR)(unsafe.Pointer(&make([]byte, selfRelativeSDSize)[0]))
  1331  	}
  1332  	err = makeSelfRelativeSD(absoluteSD, selfRelativeSD, &selfRelativeSDSize)
  1333  	return
  1334  }
  1335  
  1336  func (selfRelativeSD *SECURITY_DESCRIPTOR) copySelfRelativeSecurityDescriptor() *SECURITY_DESCRIPTOR {
  1337  	sdLen := int(selfRelativeSD.Length())
  1338  	const min = int(unsafe.Sizeof(SECURITY_DESCRIPTOR{}))
  1339  	if sdLen < min {
  1340  		sdLen = min
  1341  	}
  1342  
  1343  	src := unsafe.Slice((*byte)(unsafe.Pointer(selfRelativeSD)), sdLen)
  1344  	// SECURITY_DESCRIPTOR has pointers in it, which means checkptr expects for it to
  1345  	// be aligned properly. When we're copying a Windows-allocated struct to a
  1346  	// Go-allocated one, make sure that the Go allocation is aligned to the
  1347  	// pointer size.
  1348  	const psize = int(unsafe.Sizeof(uintptr(0)))
  1349  	alloc := make([]uintptr, (sdLen+psize-1)/psize)
  1350  	dst := unsafe.Slice((*byte)(unsafe.Pointer(&alloc[0])), sdLen)
  1351  	copy(dst, src)
  1352  	return (*SECURITY_DESCRIPTOR)(unsafe.Pointer(&dst[0]))
  1353  }
  1354  
  1355  // SecurityDescriptorFromString converts an SDDL string describing a security descriptor into a
  1356  // self-relative security descriptor object allocated on the Go heap.
  1357  func SecurityDescriptorFromString(sddl string) (sd *SECURITY_DESCRIPTOR, err error) {
  1358  	var winHeapSD *SECURITY_DESCRIPTOR
  1359  	err = convertStringSecurityDescriptorToSecurityDescriptor(sddl, 1, &winHeapSD, nil)
  1360  	if err != nil {
  1361  		return
  1362  	}
  1363  	defer LocalFree(Handle(unsafe.Pointer(winHeapSD)))
  1364  	return winHeapSD.copySelfRelativeSecurityDescriptor(), nil
  1365  }
  1366  
  1367  // GetSecurityInfo queries the security information for a given handle and returns the self-relative security
  1368  // descriptor result on the Go heap.
  1369  func GetSecurityInfo(handle Handle, objectType SE_OBJECT_TYPE, securityInformation SECURITY_INFORMATION) (sd *SECURITY_DESCRIPTOR, err error) {
  1370  	var winHeapSD *SECURITY_DESCRIPTOR
  1371  	err = getSecurityInfo(handle, objectType, securityInformation, nil, nil, nil, nil, &winHeapSD)
  1372  	if err != nil {
  1373  		return
  1374  	}
  1375  	defer LocalFree(Handle(unsafe.Pointer(winHeapSD)))
  1376  	return winHeapSD.copySelfRelativeSecurityDescriptor(), nil
  1377  }
  1378  
  1379  // GetNamedSecurityInfo queries the security information for a given named object and returns the self-relative security
  1380  // descriptor result on the Go heap.
  1381  func GetNamedSecurityInfo(objectName string, objectType SE_OBJECT_TYPE, securityInformation SECURITY_INFORMATION) (sd *SECURITY_DESCRIPTOR, err error) {
  1382  	var winHeapSD *SECURITY_DESCRIPTOR
  1383  	err = getNamedSecurityInfo(objectName, objectType, securityInformation, nil, nil, nil, nil, &winHeapSD)
  1384  	if err != nil {
  1385  		return
  1386  	}
  1387  	defer LocalFree(Handle(unsafe.Pointer(winHeapSD)))
  1388  	return winHeapSD.copySelfRelativeSecurityDescriptor(), nil
  1389  }
  1390  
  1391  // BuildSecurityDescriptor makes a new security descriptor using the input trustees, explicit access lists, and
  1392  // prior security descriptor to be merged, any of which can be nil, returning the self-relative security descriptor
  1393  // result on the Go heap.
  1394  func BuildSecurityDescriptor(owner *TRUSTEE, group *TRUSTEE, accessEntries []EXPLICIT_ACCESS, auditEntries []EXPLICIT_ACCESS, mergedSecurityDescriptor *SECURITY_DESCRIPTOR) (sd *SECURITY_DESCRIPTOR, err error) {
  1395  	var winHeapSD *SECURITY_DESCRIPTOR
  1396  	var winHeapSDSize uint32
  1397  	var firstAccessEntry *EXPLICIT_ACCESS
  1398  	if len(accessEntries) > 0 {
  1399  		firstAccessEntry = &accessEntries[0]
  1400  	}
  1401  	var firstAuditEntry *EXPLICIT_ACCESS
  1402  	if len(auditEntries) > 0 {
  1403  		firstAuditEntry = &auditEntries[0]
  1404  	}
  1405  	err = buildSecurityDescriptor(owner, group, uint32(len(accessEntries)), firstAccessEntry, uint32(len(auditEntries)), firstAuditEntry, mergedSecurityDescriptor, &winHeapSDSize, &winHeapSD)
  1406  	if err != nil {
  1407  		return
  1408  	}
  1409  	defer LocalFree(Handle(unsafe.Pointer(winHeapSD)))
  1410  	return winHeapSD.copySelfRelativeSecurityDescriptor(), nil
  1411  }
  1412  
  1413  // NewSecurityDescriptor creates and initializes a new absolute security descriptor.
  1414  func NewSecurityDescriptor() (absoluteSD *SECURITY_DESCRIPTOR, err error) {
  1415  	absoluteSD = &SECURITY_DESCRIPTOR{}
  1416  	err = initializeSecurityDescriptor(absoluteSD, 1)
  1417  	return
  1418  }
  1419  
  1420  // ACLFromEntries returns a new ACL on the Go heap containing a list of explicit entries as well as those of another ACL.
  1421  // Both explicitEntries and mergedACL are optional and can be nil.
  1422  func ACLFromEntries(explicitEntries []EXPLICIT_ACCESS, mergedACL *ACL) (acl *ACL, err error) {
  1423  	var firstExplicitEntry *EXPLICIT_ACCESS
  1424  	if len(explicitEntries) > 0 {
  1425  		firstExplicitEntry = &explicitEntries[0]
  1426  	}
  1427  	var winHeapACL *ACL
  1428  	err = setEntriesInAcl(uint32(len(explicitEntries)), firstExplicitEntry, mergedACL, &winHeapACL)
  1429  	if err != nil {
  1430  		return
  1431  	}
  1432  	defer LocalFree(Handle(unsafe.Pointer(winHeapACL)))
  1433  	aclBytes := make([]byte, winHeapACL.aclSize)
  1434  	copy(aclBytes, (*[(1 << 31) - 1]byte)(unsafe.Pointer(winHeapACL))[:len(aclBytes):len(aclBytes)])
  1435  	return (*ACL)(unsafe.Pointer(&aclBytes[0])), nil
  1436  }