Privileges - Win32 Programmer's Reference (win32.hlp)

Privileges

A privilege is used to control access to an object or service more strictly than is normal with discretionary access control. A system manager uses privileges to control which users are able to manipulate system resources. An application uses privileges when it changes a system resource, such as when it changes the system time or shuts down the system.

A privilege is a locally unique identifier (LUID) identified by a character string. This 64-bit value is guaranteed to be unique on the operating system that generated it until the system is restarted. For example, SE_SYSTEMTIME_NAME is a string identifying an LUID. A privilege has three representations, as shown below.

A string name, meaningful across systems, called a global program name (for example, SE_SYSTEMTIME_NAME).
A readable name that can be displayed to the user when necessary. For example, "Change the system time."
A local representation that differs from computer to computer.

Privileges provide access to services rarely needed by most users. An account usually has privileges that are disabled, and they must be enabled to be used. For example, to set the time on the local computer, an application has to set the SE_PRIVILEGE_ENABLED attribute for the SE_SYSTEMTIME_NAME privilege. For security reasons, disable an enabled privilege when it is no longer needed.

The following privileges are defined by Windows NT.

Privilege	Description
SE_ASSIGNPRIMARYTOKEN_NAME	Required to assign the primary token of a process.
SE_AUDIT_NAME	Required to generate audit-log entries. Give this privilege to secure servers.
SE_BACKUP_NAME	Required to perform backup operations.
SE_CHANGE_NOTIFY_NAME	Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. It is enabled by default for all users.
SE_CREATE_PAGEFILE_NAME	Required to create a paging file.
SE_CREATE_PERMANENT_NAME	Required to create a permanent object.
SE_CREATE_TOKEN_NAME	Required to create a primary token.
SE_DEBUG_NAME	Required to debug a process.
SE_INC_BASE_PRIORITY_NAME	Required to increase the base priority of a process.
SE_INCREASE_QUOTA_NAME	Required to increase the quota assigned to a process.
SE_LOAD_DRIVER_NAME	Required to load or unload a device driver.
SE_LOCK_MEMORY_NAME	Required to lock physical pages in memory.
SE_PROF_SINGLE_PROCESS_NAME	Required to gather profiling information for a single process.
SE_REMOTE_SHUTDOWN_NAME	Required to shut down a system using a network request.
SE_RESTORE_NAME	Required to perform restore operations.
SE_SECURITY_NAME	Required to perform a number of security-related functions, such as controlling and viewing audit messages. This privilege identifies its holder as a security operator.
SE_SHUTDOWN_NAME	Required to shut down a local system.
SE_SYSTEM_ENVIRONMENT_NAME	Required to modify the non-volatile RAM of systems that use this type of memory to store configuration information.
SE_SYSTEM_PROFILE_NAME	Required to gather profiling information for the entire system.
SE_SYSTEMTIME_NAME	Required to modify the system time.
SE_TAKE_OWNERSHIP_NAME	Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
SE_TCB_NAME	This privilege identifies its holder as part of the trusted computer base. Some trusted protected subsystems are granted this privilege.
SE_UNSOLICITED_INPUT_NAME	Required to read unsolicited input from a terminal device.

The following functions are provided for working with privileges.

Function	Description
LookupPrivilegeValue	Allows an application to retrieve the LUID corresponding to a privilege on the local system. This is the local representation of that privilege and an application can set it in the TOKEN_PRIVILEGES and LUID_AND_ATTRIBUTES structures.
LookupPrivilegeDisplayName	Retrieves a displayable privilege name. For example, "Force shutdown from a remote system."
LookupPrivilegeName	Retrieves a programmatic privilege name.
PrivilegeCheck	Determines whether a client application has the privileges required to gain access to an object, such as, SE_REMOTE_SHUTDOWN_NAME.

More Online Helps

Win32 Programmer's Reference (win32.hlp)
Win32 Multimedia Programmer's Reference (mmedia.hlp)
OLE Programmer's Reference (ole.hlp)
Microsoft Windows Pen API Programmer's Reference (penapi.hlp)
Microsoft Windows Sockets 2 Reference (sock2.hlp)
Microsoft Windows Telephony API (TAPI) Programmer's Reference (tapi.hlp)
Unix Manual Pages

greatis just4fun network