
给进程创建一个安全描述符(SA)

2011-12-24 19:01 239 查看
#include<windows.h>
#include<stdio.h>
#include<aclapi.h>

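/*
 * Creates the registry key HKEY_CURRENT_USER\mykey with an explicit security
 * descriptor instead of the default one.
 *
 * The DACL built here contains exactly two access-allowed ACEs:
 *   - Everyone                 -> KEY_READ
 *   - BUILTIN\Administrators   -> KEY_ALL_ACCESS
 * Both use NO_INHERITANCE, so the ACEs are not marked for propagation to
 * subkeys.
 *
 * NOTE(review): no ACE is added for the calling user. If the caller is not
 * an administrator, later opens of the key would presumably be limited to
 * the Everyone read ACE plus the owner's implicit READ_CONTROL/WRITE_DAC --
 * confirm that this is the intended policy before reusing the sample.
 *
 * Every failure path jumps to Cleanup, which releases whatever has been
 * allocated so far. The non-standard `void main()` signature is kept from
 * the sample.
 */
void main()
{
    DWORD dwRes = 0;
    DWORD dwDisposition = 0;
    PSID pEveryoneSID = NULL;
    PSID pAdminSID = NULL;
    PACL pACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    EXPLICIT_ACCESS ea[2];
    SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
    SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
    SECURITY_ATTRIBUTES sa;
    LONG lRes = 0;
    HKEY hkSub = NULL;

    /* Create a well-known SID for the Everyone group. */
    if (!AllocateAndInitializeSid(&SIDAuthWorld, 1,
                                  SECURITY_WORLD_RID,
                                  0, 0, 0, 0, 0, 0, 0,
                                  &pEveryoneSID)) {
        /* GetLastError() returns a DWORD (unsigned long), hence %lu. */
        printf("AllocateAndInitializeSid Error %lu\n", GetLastError());
        goto Cleanup;
    }

    /*
     * Initialize an EXPLICIT_ACCESS structure for an ACE.
     * The ACE will allow Everyone read access to the key.
     */
    ZeroMemory(ea, sizeof ea);
    ea[0].grfAccessPermissions = KEY_READ;
    ea[0].grfAccessMode = SET_ACCESS;
    ea[0].grfInheritance = NO_INHERITANCE;
    ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
    /* With TRUSTEE_IS_SID the ptstrName member carries the SID pointer. */
    ea[0].Trustee.ptstrName = (LPTSTR)pEveryoneSID;

    /* Create a SID for the BUILTIN\Administrators group. */
    if (!AllocateAndInitializeSid(&SIDAuthNT, 2,
                                  SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_ADMINS,
                                  0, 0, 0, 0, 0, 0,
                                  &pAdminSID)) {
        printf("AllocateAndInitializeSid Error %lu\n", GetLastError());
        goto Cleanup;
    }

    /*
     * Initialize an EXPLICIT_ACCESS structure for an ACE.
     * The ACE will allow the Administrators group full access to the key.
     */
    ea[1].grfAccessPermissions = KEY_ALL_ACCESS;
    ea[1].grfAccessMode = SET_ACCESS;
    ea[1].grfInheritance = NO_INHERITANCE;
    ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
    ea[1].Trustee.ptstrName = (LPTSTR)pAdminSID;

    /* Create a new ACL that contains the new ACEs. */
    dwRes = SetEntriesInAcl(2, ea, NULL, &pACL);
    if (ERROR_SUCCESS != dwRes) {
        /*
         * SetEntriesInAcl reports failure through its return value, so
         * print dwRes rather than GetLastError().
         */
        printf("SetEntriesInAcl Error %lu\n", dwRes);
        goto Cleanup;
    }

    /* Initialize a security descriptor. */
    pSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR,
                                           SECURITY_DESCRIPTOR_MIN_LENGTH);
    if (NULL == pSD) {
        printf("LocalAlloc Error %lu\n", GetLastError());
        goto Cleanup;
    }

    if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION)) {
        printf("InitializeSecurityDescriptor Error %lu\n", GetLastError());
        goto Cleanup;
    }

    /*
     * Add the ACL to the security descriptor. This point is reached only
     * after SetEntriesInAcl succeeded; a present-but-NULL DACL would grant
     * everyone full access, which is the opposite of what is wanted here.
     */
    if (!SetSecurityDescriptorDacl(pSD,
                                   TRUE,     /* bDaclPresent flag */
                                   pACL,
                                   FALSE)) { /* not a default DACL */
        printf("SetSecurityDescriptorDacl Error %lu\n", GetLastError());
        goto Cleanup;
    }

    /* Initialize a security attributes structure. */
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.lpSecurityDescriptor = pSD;
    sa.bInheritHandle = FALSE;

    /*
     * Use the security attributes to set the security descriptor when the
     * key is created. TEXT() keeps the literals valid in both ANSI and
     * UNICODE builds.
     */
    lRes = RegCreateKeyEx(HKEY_CURRENT_USER, TEXT("mykey"), 0, TEXT(""), 0,
                          KEY_READ | KEY_WRITE, &sa, &hkSub, &dwDisposition);
    /* RegCreateKeyEx returns a LONG status code (ERROR_SUCCESS on success). */
    printf("RegCreateKeyEx result %ld\n", lRes);

Cleanup:

    if (pEveryoneSID) {
        FreeSid(pEveryoneSID);
    }
    if (pAdminSID) {
        FreeSid(pAdminSID);
    }
    if (pACL) {
        LocalFree(pACL);
    }
    if (pSD) {
        LocalFree(pSD);
    }
    if (hkSub) {
        RegCloseKey(hkSub);
    }

    return;
}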






来源于MSDN:ms-help://MS.MSDNQTR.v90.chs/secauthz/security/creating_a_security_descriptor_for_a_new_object_in_c__.htm