Click to open or copy the files for the Check_sd sample.
In the Win32 Programmer's Reference, if you go to the Security overview and choose the subtopic "Allowing Access", you'll find the following comment.
Note It is fine to write code like this that builds security descriptors from scratch. It is, however, a good practice for people who write code that builds or manipulates security descriptors to first write code that explores the default security descriptors that Windows NT places on objects. For example, if Windows NT by default includes in a DACL an ACE granting the Local Logon SID certain access, it's good to know that, so that a decision not to grant any access to the Local Logon SID would be a conscious decision.
This comment is accurate; however, to begin with, this task of examining the SD is easier if there is sample code to start from. The purpose of the CHECK_SD sample is to provide sample code you can start from as you examine an SD. This sample only examines the SD on files, but the code can be modified to examine the SD on other objects.
This sample is not a supported utility.
This sample uses the following keywords:
ace; closehandle; closeservicehandle; dacl; displayhelp; equalsid; examineaccesstoken; examineacl; examinemask; examinesd; freopen; getace; getaclinformation; getcurrentprocess; getcurrentthreadid; getfilesecurity; getlasterror; getprocesswindowstation; getsecuritydescriptorcontrol; getsecuritydescriptordacl; getsecuritydescriptorgroup; getsecuritydescriptorlength; getsecuritydescriptorowner; getsecuritydescriptorsacl; getsididentifierauthority; getsidlengthrequired; getsidsubauthority; getsidsubauthoritycount; getthreaddesktop; gettokeninformation; getversion; initializesid; initializewellknownsids; isvalidacl; isvalidsecuritydescriptor; isvalidsid; localalloc; lookupaccountsid; lookupprivilegename; lookupprivilegevalue; lookupsidname; memcmp; messagebox; openprocesstoken; openscmanager; openservice; perr; pmsg; printf; regclosekey; regopenkeyex; sacl; sd; seterrormode; setlasterror; setprivilegeinaccesstoken; sid; sidstringname; sprintf; strcat; strcpy