How to specify security descriptor to createeventex?

    Question

  • Hi,

    I'm porting some code to a runtime app which creates a security descriptor via InitializeSecurityDescriptor, SetSecurityDescriptorDacl etc. However, all the security APIs seem to be desktop-only.

    So how should a security descriptor be passed to CreateEventEx?  Is the expectation that SECURITY_ATTRIBUTES will either be NULL (as in all the sample code I've seen) or with a NULL descriptor but bInheritHandle set appropriately?

    Thanks

    Tuesday, September 9, 2014 10:21 AM

Answers

  • Hi Wantabeguitarboy,

    Got some additional information for you. Let's see from the documentation:

    lpEventAttributes [in, optional] - A pointer to a SECURITY_ATTRIBUTES structure. If lpEventAttributes is NULL, the event handle cannot be inherited by child processes.

    As we know, Windows Store apps are quite isolated: one app cannot access the threads of another app, which means the child processes mentioned here are useless, and therefore we have to set it to NULL here.

    Besides, you mentioned: "I want to restrict access to the created event". What kind of restrictions do you want to impose?

    --James


    <THE CONTENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED>
    Thanks
    MSDN Community Support

    Please remember to "Mark as Answer" the responses that resolved your issue. It is a common way to recognize those who have helped you, and makes it easier for other visitors to find the resolution later.

    Monday, September 22, 2014 1:19 AM
    Moderator

All replies

  • Hi Wantabeguitarboy,

    Correct, InitializeSecurityDescriptor is a desktop API, not a Windows Store app API; see the Requirements section of the documentation for more information.

    DataProtectionProvider class might be a good choice:

    You can use the class to protect data to any of the following:

    • You can use a security descriptor (SID) or a security descriptor definition language (SDDL) string  to protect data to an Active Directory (AD) security principal such as an AD group. Any member of the group can decrypt the data.
    • You can protect data to the local user or computer account.
    • You can protect data to the credentials (password) used during logon to a website.

    For security descriptors and SDDL strings, you must set the enterprise authentication capability in the manifest. The enterprise authentication capability is restricted to Windows Store apps built with company accounts, and is subject to additional onboarding validation. You should avoid the enterprise authentication capability unless it is absolutely necessary.  For more information, see Registering for a Windows Store developer account.

    For example, the following SID and SDDL providers require the enterprise authentication capability:

    • "SID=S-1-5-21-4392301 AND SID=S-1-5-21-3101812"
    • "SDDL=O:S-1-5-5-0-290724G:SYD:(A;;CCDC;;;S-1-5-5-0-290724)(A;;DC;;;WD)"

    These providers do not require the enterprise authentication capability:

    • "LOCAL=user"
    • "LOCAL=machine"
    • "WEBCREDENTIALS=MyPasswordName"
    • "WEBCREDENTIALS=MyPasswordName,myweb.com"

    --James


    Thanks
    MSDN Community Support

    Wednesday, September 10, 2014 5:59 AM
    Moderator
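    The SDDL strings quoted in the reply above are compact but easy to misread, so here is a small parser for that format as an added example (my own code, not from this thread, from Microsoft, or from the DataProtectionProvider API). It splits the O:/G:/D:/S: sections, breaks each ACE into its six fields, expands the standard SDDL two-letter right mnemonics into an access mask, and includes a review helper that lists every allow-ACE granted to Everyone (alias WD). Note that "WD" as a right means WRITE_DAC while "WD" as a trustee means Everyone; the two namespaces are separate and the parser keeps them apart. The SID alias table is deliberately partial, conditional ACEs are rejected rather than parsed, and the sample string is the one from the reply.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input: the SDDL string quoted in the reply above (constructed test data here).
SAMPLE_SDDL = "O:S-1-5-5-0-290724G:SYD:(A;;CCDC;;;S-1-5-5-0-290724)(A;;DC;;;WD)"

# Two-letter SID aliases; partial list of the well-known ones.
SID_ALIASES = {"SY": "Local System", "WD": "Everyone", "BA": "Builtin Administrators",
               "BU": "Builtin Users", "AU": "Authenticated Users", "AN": "Anonymous",
               "CO": "Creator Owner", "LS": "Local Service", "NS": "Network Service"}

# Standard SDDL right mnemonics -> access-mask bits. CC..CR are the object-specific
# low bits (SDDL names them after Directory Services rights); for a kernel object such
# as an event the same bits mean whatever that object type defines for them.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
          "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
          "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019}

@dataclass
class Ace:
    ace_type: str        # "A" allowed, "D" denied, "AU" audit, ...
    flags: List[str]     # inheritance/audit flags, e.g. ["CI", "OI"]
    rights: List[str]    # mnemonics as written, or ["0x..."] for a hex mask
    mask: int            # combined access mask
    trustee: str         # alias ("WD") or literal SID ("S-1-5-...")
    trustee_name: str    # alias expanded when known, else the raw trustee

@dataclass
class SecurityDescriptor:
    owner: Optional[str] = None
    group: Optional[str] = None
    dacl_flags: str = ""
    dacl: List[Ace] = field(default_factory=list)
    sacl_flags: str = ""
    sacl: List[Ace] = field(default_factory=list)

def _pairs(s: str) -> List[str]:
    """Split a run of two-letter codes ("CCDC" -> ["CC", "DC"])."""
    if len(s) % 2:
        raise ValueError(f"odd-length mnemonic string: {s!r}")
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_rights(s: str) -> Tuple[List[str], int]:
    """Rights are either a hex mask ("0x1F01FF") or concatenated mnemonics."""
    if s.lower().startswith("0x"):
        return [s], int(s, 16)
    codes = _pairs(s)
    unknown = [c for c in codes if c not in RIGHTS]
    if unknown:
        raise ValueError(f"unknown right(s) {unknown} in {s!r}")
    mask = 0
    for c in codes:
        mask |= RIGHTS[c]
    return codes, mask

def parse_ace(body: str) -> Ace:
    """body is the text inside one (...): type;flags;rights;objguid;inhguid;sid."""
    parts = body.split(";")
    if len(parts) != 6:  # conditional ACEs carry a 7th field; rejected here
        raise ValueError(f"expected 6 ';'-separated fields, got {len(parts)}: {body!r}")
    ace_type, flags, rights, _obj_guid, _inh_guid, sid = parts
    codes, mask = parse_rights(rights)
    return Ace(ace_type, _pairs(flags), codes, mask, sid, SID_ALIASES.get(sid, sid))

def parse_acl(s: str) -> Tuple[str, List[Ace]]:
    """'PAI(A;;FA;;;SY)(...)' -> ('PAI', [Ace, ...]); ACL flags precede the first '('."""
    cut = s.find("(")
    flags, aces = (s, "") if cut < 0 else (s[:cut], s[cut:])
    if not re.fullmatch(r"(\([^()]*\))*", aces):
        raise ValueError(f"malformed ACE list: {aces!r}")
    return flags, [parse_ace(b) for b in re.findall(r"\(([^()]*)\)", aces)]

def parse_sddl(s: str) -> SecurityDescriptor:
    """Split on the O:/G:/D:/S: section markers, then parse each section."""
    marks = list(re.finditer(r"([OGDS]):", s))
    if not marks or marks[0].start() != 0:
        raise ValueError("SDDL must start with O:, G:, D: or S:")
    sections = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(s)
        if m.group(1) in sections:
            raise ValueError(f"duplicate section {m.group(1)}:")
        sections[m.group(1)] = s[m.end():end]
    sd = SecurityDescriptor(owner=sections.get("O"), group=sections.get("G"))
    if "D" in sections:
        sd.dacl_flags, sd.dacl = parse_acl(sections["D"])
    if "S" in sections:
        sd.sacl_flags, sd.sacl = parse_acl(sections["S"])
    return sd

def everyone_grants(sd: SecurityDescriptor) -> List[Ace]:
    """Review helper: allow-ACEs whose trustee is Everyone (alias WD)."""
    return [a for a in sd.dacl if a.ace_type == "A" and a.trustee == "WD"]

if __name__ == "__main__":
    sd = parse_sddl(SAMPLE_SDDL)
    print("owner:", sd.owner, " group:", sd.group, f"({SID_ALIASES.get(sd.group, '?')})")
    for a in sd.dacl:
        print(f"  {a.ace_type} {a.trustee_name:<20} rights={a.rights} mask=0x{a.mask:x}")
    for a in everyone_grants(sd):
        print("NOTE: Everyone is granted", a.rights)
```

    Run on the sample string it reports an owner of S-1-5-5-0-290724 (a logon-session SID), group SY (Local System), and two allow-ACEs, the second of which grants DC to Everyone; that last line is the one a reviewer would want to see called out before shipping a descriptor like it.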
  • Hi James,

    Thanks for the reply. The DataProtectionProvider looks useful but I don't see how it helps with CreateThreadEx? I want to restrict access to the created event and the API takes a SECURITY_ATTRIBUTES so any idea how I set the security descriptor?

    Thanks

    Wednesday, September 10, 2014 8:07 AM
  • Hi Wantabeguitarboy,

    Sorry, seems I misunderstood your question in my first reply.

    I can see that SECURITY_DESCRIPTOR is supported in Windows Store apps, but I don't know how to work with it. I will try to consult others to see if we can make it work.

    However, I saw the documentation mentions: "For creating and manipulating a security descriptor, use the functions listed in See Also." But none of these APIs are supported in Windows Store apps; I'm afraid that's why we set it to NULL in our sample:

    • GetSecurityDescriptorControl
    • GetSecurityDescriptorDacl
    • GetSecurityDescriptorGroup
    • GetSecurityDescriptorLength
    • GetSecurityDescriptorOwner
    • GetSecurityDescriptorRMControl
    • GetSecurityDescriptorSacl
    • InitializeSecurityDescriptor
    • IsValidSecurityDescriptor
    • SetSecurityDescriptorDacl
    • SetSecurityDescriptorGroup
    • SetSecurityDescriptorOwner
    • SetSecurityDescriptorRMControl
    • SetSecurityDescriptorSacl

    Again, apologies for my previous post.

    --James


    Thanks
    MSDN Community Support


    Wednesday, September 10, 2014 11:03 AM
    Moderator