Check Access Rights to File/Directory on NTFS Volume

More information: Windows NT/2000/XP has API function AccessCheck, which in fact checks access rights to every operating system object, which supports access rights. This function is called implicitly by system every time user accesses such object. To call AccessCheck function explicitly it is necessary to carry out a whole series of operations with data structures responsible for OS security and call some other functions.

To simplify working with access rights to objects of NTFS file system (files, directories) I have written CheckFileAccess function which assumes all this hard work.

Here is description of this function:

CheckFileAccess(Filename As String, _
ByVal DesiredAccess As Long) As Long,

where:

Filename - file or directory full path.
Directory path must not end on "/" character.

DesiredAccess - desired access rights bit mask.

The function returns a bit mask which consists of those bits of desired bit mask, which correspond with allowed access rights. In case of access rights to given file or directory not supported, the function returns -1 value.

As desired access mask you may use any combination with OR operator of constants from the beginning of CheckFileAccess function listing. The most popular of them are:

FILE_GENERIC_READ - read access,

FILE_GENERIC_WRITE - write access,

FILE_GENERIC_EXECUTE - execute access,

DELETE - delete access,

WRITE_DAC - change access rights access,

WRITE_OWNER - change owner access,

FILE_ALL_ACCESS - full access,

MAXIMUM_ALLOWED - maximal allowed access.

It is also possible to use constants, applicable to any secure OS objects:

GENERIC_READ - read access,

GENERIC_WRITE - write access,

GENERIC_EXECUTE - execute access,

GENERIC_ALL - full access,

but in this case the function returns correspondingly values FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE, FILE_ALL_ACCESS (of course, if correspondent rights exist).

For example, to find out whether exists read and write access to the file "d:/Test.tmp", it is possible to use two ways:

Way 1:

Dim AccessRead As Boolean, AccessWrite As Boolean
    AccessRead = CheckFileAccess("d:/Test.tmp", _
                 FILE_GENERIC_READ) = FILE_GENERIC_READ
    AccessWrite = CheckFileAccess("d:/Test.tmp", _
                 FILE_GENERIC_WRITE) = FILE_GENERIC_WRITE

Way 2:

Dim AccessRead As Boolean, AccessWrite As Boolean
Dim AccessMask As Long
    AccessMask = CheckFileAccess("d:/Test.tmp", MAXIMUM_ALLOWED)
    AccessRead = (AccessMask _
                 And FILE_GENERIC_READ) = FILE_GENERIC_READ
    AccessWrite = (AccessMask _
                 And FILE_GENERIC_WRITE) = FILE_GENERIC_WRITE

In the first case call of CheckFileAccess function performs twice, in second case intermediate variable used.

This code has been viewed 78147 times.

Instructions: Copy the declarations and code below and paste directly into your VB project.

 

1. 'PUT IN MODULE
2. Option Explicit
3. '   ********************************************
4. '   *         ?2000 Sergey Merzlikin          *
5. '   ********************************************
7. ' Desired access rights constants
8. Public Const MAXIMUM_ALLOWED           As Long = 
9. Public Const DELETE                    As Long = 
10. Public Const READ_CONTROL              As Long = 
11. Public Const WRITE_DAC                 As Long = 
12. Public Const WRITE_OWNER               As Long = 
13. Public Const SYNCHRONIZE               As Long = 
14. Public Const STANDARD_RIGHTS_READ      As Long = READ_CONTROL
15. Public Const STANDARD_RIGHTS_WRITE     As Long = READ_CONTROL
16. Public Const STANDARD_RIGHTS_EXECUTE   As Long = READ_CONTROL
17. Public Const STANDARD_RIGHTS_REQUIRED  As Long = 
18. Public Const FILE_READ_DATA            As Long = &H1   '  file & pipe
19. Public Const FILE_LIST_DIRECTORY       As Long = &H1   '  directory
20. Public Const FILE_ADD_FILE             As Long = &H2   '  directory
21. Public Const FILE_WRITE_DATA           As Long = &H2   '  file & pipe
22. Public Const FILE_CREATE_PIPE_INSTANCE As Long = &H4   '  named pipe
23. Public Const FILE_ADD_SUBDIRECTORY     As Long = &H4   '  directory
24. Public Const FILE_APPEND_DATA          As Long = &H4   '  file
25. Public Const FILE_READ_EA              As Long = &H8   '  file & directory
26. Public Const FILE_READ_PROPERTIES      As Long = FILE_READ_EA
27. Public Const FILE_WRITE_EA             As Long = &H10  '  file & directory
28. Public Const FILE_WRITE_PROPERTIES     As Long = FILE_WRITE_EA
29. Public Const FILE_EXECUTE              As Long = &H20  '  file
30. Public Const FILE_TRAVERSE             As Long = &H20  '  directory
31. Public Const FILE_DELETE_CHILD         As Long = &H40  '  directory
32. Public Const FILE_READ_ATTRIBUTES      As Long = &H80  '  all
33. Public Const FILE_WRITE_ATTRIBUTES     As Long = &H100 '  all
34. Public Const FILE_GENERIC_READ         As Long = (STANDARD_RIGHTS_READ _
35.       Or FILE_READ_DATA Or FILE_READ_ATTRIBUTES _
36.       Or FILE_READ_EA Or SYNCHRONIZE)
37. Public Const FILE_GENERIC_WRITE        As Long = (STANDARD_RIGHTS_WRITE _
38.       Or FILE_WRITE_DATA Or FILE_WRITE_ATTRIBUTES _
39.       Or FILE_WRITE_EA Or FILE_APPEND_DATA Or SYNCHRONIZE)
40. Public Const FILE_GENERIC_EXECUTE      As Long = (STANDARD_RIGHTS_EXECUTE _
41.       Or FILE_READ_ATTRIBUTES Or FILE_EXECUTE Or SYNCHRONIZE)
42. Public Const FILE_ALL_ACCESS           As Long = (STANDARD_RIGHTS_REQUIRED _
43.       Or SYNCHRONIZE Or &H1FF&)
44. Public Const GENERIC_READ              As Long = 
45. Public Const GENERIC_WRITE             As Long = 
46. Public Const GENERIC_EXECUTE           As Long = 
47. Public Const GENERIC_ALL               As Long = 
49. ' Types, constants and functions
50. ' to work with access rights
51. Public Const OWNER_SECURITY_INFORMATION As Long = 
52. Public Const GROUP_SECURITY_INFORMATION As Long = 
53. Public Const DACL_SECURITY_INFORMATION  As Long = 
54. Public Const TOKEN_QUERY                As Long = 8
55. Public Const SecurityImpersonation As Integer = 3
56. Public Const ANYSIZE_ARRAY = 1
57. Public Type GENERIC_MAPPING
58.     GenericRead As Long
59.     GenericWrite As Long
60.     GenericExecute As Long
61.     GenericAll As Long
62. End Type
63. Public Type LUID
64.     LowPart As Long
65.     HighPart As Long
66. End Type
67. Public Type LUID_AND_ATTRIBUTES
68.     pLuid As LUID
69.     Attributes As Long
70. End Type
71. Public Type PRIVILEGE_SET
72.     PrivilegeCount As Long
73.     Control As Long
74.     Privilege(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
75. End Type
76. Public Declare Function GetFileSecurity Lib "advapi32.dll" _
77.     Alias "GetFileSecurityA" (ByVal lpFileName As String, _
78.     ByVal RequestedInformation As Long, pSecurityDescriptor As Byte, _
79.     ByVal nLength As Long, lpnLengthNeeded As Long) As Long
80. Public Declare Function AccessCheck Lib "advapi32.dll" _
81.     (pSecurityDescriptor As Byte, ByVal ClientToken As Long, _
82.     ByVal DesiredAccess As Long, GenericMapping As GENERIC_MAPPING, _
83.     PrivilegeSet As PRIVILEGE_SET, PrivilegeSetLength As Long, _
84.     GrantedAccess As Long, Status As Long) As Long
85. Public Declare Function ImpersonateSelf Lib "advapi32.dll" _
86.     (ByVal ImpersonationLevel As Integer) As Long
87. Public Declare Function RevertToSelf Lib "advapi32.dll" () As Long
88. Public Declare Sub MapGenericMask Lib "advapi32.dll" (AccessMask As Long, _
89.     GenericMapping As GENERIC_MAPPING)
90. Public Declare Function OpenThreadToken Lib "advapi32.dll" _
91.     (ByVal ThreadHandle As Long, ByVal DesiredAccess As Long, _
92.     ByVal OpenAsSelf As Long, TokenHandle As Long) As Long
93. Public Declare Function GetCurrentThread Lib "kernel32" () As Long
94. Public Declare Function CloseHandle Lib "kernel32" _
95.     (ByVal hObject As Long) As Long
97. ' Types, constants and functions for OS version detection
98. Public Type OSVERSIONINFO
99.     dwOSVersionInfoSize As Long
100.     dwMajorVersion As Long
101.     dwMinorVersion As Long
102.     dwBuildNumber As Long
103.     dwPlatformId As Long
104.     szCSDVersion As String * 128
105. End Type
106. Public Const VER_PLATFORM_WIN32_NT As Long = 2
107. Public Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" _
108.     (lpVersionInformation As OSVERSIONINFO) As Long
110. ' Constant and function for detection of support
111. ' of access rights by file system
112. Public Const FS_PERSISTENT_ACLS As Long = 
113. Public Declare Function GetVolumeInformation Lib "kernel32" _
114.     Alias "GetVolumeInformationA" (ByVal lpRootPathName As String, _
115.     ByVal lpVolumeNameBuffer As String, ByVal nVolumeNameSize As Long, _
116.     lpVolumeSerialNumber As Long, lpMaximumComponentLength As Long, _
117.     lpFileSystemFlags As Long, ByVal lpFileSystemNameBuffer As String, _
118.     ByVal nFileSystemNameSize As Long) As Long
120. ' *-----------------------------------------------------------------------*
121. ' CheckFileAccess function checks access rights to given file.
122. ' DesiredAccess - bitmask of desired access rights.
123. ' The function returns bitmask, which contains those bits of desired bitmask,
124. ' which correspond with existing access rights.
125. Private Function CheckFileAccess(Filename As String, _
126.                 ByVal DesiredAccess As Long) As Long
127. Dim r As Long, SecDesc() As Byte, SDSize As Long, hToken As Long
128. Dim PrivSet As PRIVILEGE_SET, GenMap As GENERIC_MAPPING
129. Dim Volume As String, FSFlags As Long
130. ' Checking OS type
131. If Not IsNT() Then
132. ' Rights not supported. Returning -1.
133.     CheckFileAccess = -1
134.     Exit Function
135. End If
136. ' Checking access rights support by file system
137. If Left$(Filename, 2) = "//" Then
138. ' Path in UNC format. Extracting share name from it
139.     r = InStr(3, Filename, "/")
140.     If r = 0 Then
141.         Volume = Filename & "/"
142.     Else
143.         Volume = Left$(Filename, r)
144.     End If
145. ElseIf Mid$(Filename, 2, 2) = ":/" Then
146. ' Path begins with drive letter
147.     Volume = Left$(Filename, 3)
148. 'Else
149. ' If path not set, we are leaving Volume blank.
150. ' It retutns information about current drive.
151. End If
152. ' Getting information about drive
153. GetVolumeInformation Volume, vbNullString, 0, ByVal 0&, _
154.                     ByVal 0&, FSFlags, vbNullString, 0
155. If (FSFlags And FS_PERSISTENT_ACLS) = 0 Then
156. ' Rights not supported. Returning -1.
157.     CheckFileAccess = -1
158.     Exit Function
159. End If
160. ' Determination of buffer size
161. GetFileSecurity Filename, OWNER_SECURITY_INFORMATION _
162.         Or GROUP_SECURITY_INFORMATION _
163.         Or DACL_SECURITY_INFORMATION, 0, 0, SDSize
164. If Err.LastDllError <> 122 Then
165. ' Rights not supported. Returning -1.
166.     CheckFileAccess = -1
167.     Exit Function
168. End If
169. If SDSize = 0 Then Exit Function
170. ' Buffer allocation
171. ReDim SecDesc(1 To SDSize)
172. ' Once more call of function
173. ' to obtain Security Descriptor
174. If GetFileSecurity(Filename, OWNER_SECURITY_INFORMATION _
175.         Or GROUP_SECURITY_INFORMATION _
176.         Or DACL_SECURITY_INFORMATION, _
177.         SecDesc(1), SDSize, SDSize) = 0 Then
178. ' Error. We must return no access rights.
179.     Exit Function
180. End If
181. ' Adding Impersonation Token for thread
182. ImpersonateSelf SecurityImpersonation
183. ' Opening of Token of current thread
184. OpenThreadToken GetCurrentThread(), TOKEN_QUERY, 0, hToken
185. If hToken <> 0 Then
186. ' Filling GenericMask type
187.     GenMap.GenericRead = FILE_GENERIC_READ
188.     GenMap.GenericWrite = FILE_GENERIC_WRITE
189.     GenMap.GenericExecute = FILE_GENERIC_EXECUTE
190.     GenMap.GenericAll = FILE_ALL_ACCESS
191. ' Conversion of generic rights
192. ' to specific file access rights
193.     MapGenericMask DesiredAccess, GenMap
194. ' Checking access
195.     AccessCheck SecDesc(1), hToken, DesiredAccess, GenMap, _
196.             PrivSet, Len(PrivSet), CheckFileAccess, r
197.     CloseHandle hToken
198. End If
199. ' Deleting Impersonation Token
200. RevertToSelf
201. End Function
203. ' *-----------------------------------------------------------------------*
204. ' IsNT() function returns True, if the program works
205. ' in Windows NT or Windows 2000 operating system, and False
206. ' otherwise.
207. Private Function IsNT() As Boolean
208. Dim OSVer As OSVERSIONINFO
209. OSVer.dwOSVersionInfoSize = Len(OSVer)
210. GetVersionEx OSVer
211. IsNT = (OSVer.dwPlatformId = VER_PLATFORM_WIN32_NT)
212. End Function
214. ' *-----------------------------------------------------------------------*