In my previous column, I explained the various structures that low-level security API calls use to work with reading and setting security attributes. As I discussed last time, several security issues have cropped up from installation routines that don’t set permissions. In this column, I’ll present an application you can use to initialize the discretionary access control list (DACL) on a registry key to give Administrators full control. You can fairly easily extend this application to set different permissions or set file system permissions. I hope that you’ll be able to use this code to make your applications more secure.
Listing 1 presents the application code (I suggest that you view the code in a separate window and follow along while I explain how the application works). First, note that I’m declaring my entry point as wmain, not main. Also, instead of accepting an array of ANSI strings, the entry point for the application takes an array of WCHAR strings. Because Windows 2000 and Windows NT use UNICODE at the lowest levels, it is more efficient to use the UNICODE versions of function calls. If you've ever had to convert user-supplied input from single-byte to UNICODE, you know that it can be troublesome and error-prone; however, if you use wmain, the OS will provide the input as UNICODE for you. . . .
Register
