How To Secure Performance Data in Windows NT (ID: Q146906)
Windows NT provides access to a variety of performance data that
collectively represents the state of the computer. This performance data is
stored in the registry key HKEY_PERFORMANCE_DATA. The default configuration
of Windows NT gives everyone the ability to query this performance data,
including remote users.
In some environments, you may want to restrict access to this performance
data because some performance data may be considered sensitive. An example
of potentially sensitive performance data is the list of running processes
in the system. This article describes how to regulate access to this
performance data programmatically by using the Win32 API.
The security on the following registry key dictates which users or groups
can gain access to the performance data:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
#include <windows.h>
#include <stdio.h>
#define RTN_OK 0      /* process exit status: the new DACL was applied */
#define RTN_USAGE 1   /* process exit status reserved for a usage error (main below never returns it) */
#define RTN_ERROR 13  /* process exit status: a Win32 call failed; see stderr for which one */
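/*
 * Replace the DACL on the Perflib registry key so that only interactively
 * logged-on users (KEY_READ) and the built-in Administrators group
 * (KEY_ALL_ACCESS) can reach the performance data exposed through
 * HKEY_PERFORMANCE_DATA.
 *
 * Returns RTN_OK on success and RTN_ERROR if any step fails. Every failure
 * is reported on stderr together with the Win32 error code, so an operator
 * can tell which step refused (most often the key open, which asks for
 * WRITE_DAC and therefore needs an account that owns the key or is otherwise
 * allowed to change its DACL).
 *
 * NOTE(review): RegSetKeySecurity with DACL_SECURITY_INFORMATION replaces the
 * key's existing DACL rather than merging with it. Any principal not covered
 * by the two ACEs below -- for example the local System account, or service
 * accounts that read or register performance counters -- loses access to the
 * key. Confirm that these two ACEs cover every principal that needs the key
 * before running this against a production system.
 */
int
__cdecl
main(
    void
    )
{
    SID_IDENTIFIER_AUTHORITY sia = SECURITY_NT_AUTHORITY;
    PSID pInteractiveSid = NULL;
    PSID pAdministratorsSid = NULL;
    SECURITY_DESCRIPTOR sd;
    PACL pDacl = NULL;
    DWORD dwAclSize = 0;
    HKEY hKey = NULL;
    LONG lRetCode;
    BOOL bSuccess = FALSE; /* becomes TRUE only once the DACL is applied */

    /*
     * Open the performance key for WRITE_DAC access only. Changing the DACL
     * needs nothing more, and requesting a wider mask would make the open
     * fail for callers that are allowed to set the DACL but not, say, read
     * the key's values.
     */
    lRetCode = RegOpenKeyEx(
        HKEY_LOCAL_MACHINE,
        TEXT("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib"),
        0,
        WRITE_DAC,
        &hKey
        );
    if (lRetCode != ERROR_SUCCESS) {
        /* LONG is signed, so %ld is the matching conversion (the original used %lu). */
        fprintf(stderr, "RegOpenKeyEx error! (rc=%ld)\n", lRetCode);
        return RTN_ERROR;
    }

    /*
     * SID for any interactively logged-on user (NT authority, one sub-authority:
     * SECURITY_INTERACTIVE_RID).
     */
    if (!AllocateAndInitializeSid(
            &sia,
            1,
            SECURITY_INTERACTIVE_RID,
            0, 0, 0, 0, 0, 0, 0,
            &pInteractiveSid
            )) {
        fprintf(stderr, "AllocateAndInitializeSid (Interactive) error! (rc=%lu)\n",
            GetLastError());
        goto cleanup;
    }

    /*
     * SID for the well-known local Administrators alias (NT authority, two
     * sub-authorities: the BUILTIN domain and the Administrators alias).
     */
    if (!AllocateAndInitializeSid(
            &sia,
            2,
            SECURITY_BUILTIN_DOMAIN_RID,
            DOMAIN_ALIAS_RID_ADMINS,
            0, 0, 0, 0, 0, 0,
            &pAdministratorsSid
            )) {
        fprintf(stderr, "AllocateAndInitializeSid (Administrators) error! (rc=%lu)\n",
            GetLastError());
        goto cleanup;
    }

    /*
     * Size of the new ACL: the header, plus one ACCESS_ALLOWED_ACE per
     * principal. Each ACCESS_ALLOWED_ACE already embeds the first DWORD of
     * its SID (SidStart), so that DWORD is subtracted once per ACE before
     * the full SID lengths are added.
     */
    dwAclSize = sizeof(ACL) +
        2 * (sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)) +
        GetLengthSid(pInteractiveSid) +
        GetLengthSid(pAdministratorsSid);

    pDacl = (PACL)HeapAlloc(GetProcessHeap(), 0, dwAclSize);
    if (pDacl == NULL) {
        fprintf(stderr, "HeapAlloc error! (%lu bytes)\n", dwAclSize);
        goto cleanup;
    }

    if (!InitializeAcl(pDacl, dwAclSize, ACL_REVISION)) {
        fprintf(stderr, "InitializeAcl error! (rc=%lu)\n", GetLastError());
        goto cleanup;
    }

    /* Interactive users may read the performance data but not alter the key. */
    if (!AddAccessAllowedAce(
            pDacl,
            ACL_REVISION,
            KEY_READ,
            pInteractiveSid
            )) {
        fprintf(stderr, "AddAccessAllowedAce (Interactive) error! (rc=%lu)\n",
            GetLastError());
        goto cleanup;
    }

    /* Administrators keep full control so the DACL can be changed back later. */
    if (!AddAccessAllowedAce(
            pDacl,
            ACL_REVISION,
            KEY_ALL_ACCESS,
            pAdministratorsSid
            )) {
        fprintf(stderr, "AddAccessAllowedAce (Administrators) error! (rc=%lu)\n",
            GetLastError());
        goto cleanup;
    }

    if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION)) {
        fprintf(stderr, "InitializeSecurityDescriptor error! (rc=%lu)\n",
            GetLastError());
        goto cleanup;
    }

    /*
     * bDaclPresent = TRUE attaches pDacl; bDaclDefaulted = FALSE marks it as
     * explicitly supplied. The descriptor only references pDacl, so pDacl
     * must stay allocated until RegSetKeySecurity has returned.
     */
    if (!SetSecurityDescriptorDacl(&sd, TRUE, pDacl, FALSE)) {
        fprintf(stderr, "SetSecurityDescriptorDacl error! (rc=%lu)\n",
            GetLastError());
        goto cleanup;
    }

    /* Write only the DACL; owner, group and SACL on the key are left as they are. */
    lRetCode = RegSetKeySecurity(
        hKey,
        (SECURITY_INFORMATION)DACL_SECURITY_INFORMATION,
        &sd
        );
    if (lRetCode != ERROR_SUCCESS) {
        fprintf(stderr, "RegSetKeySecurity error! (rc=%ld)\n", lRetCode);
        goto cleanup;
    }

    bSuccess = TRUE;

cleanup:
    /*
     * hKey is always a valid handle here: the only path that bypasses this
     * block returns directly after a failed RegOpenKeyEx. The predefined
     * HKEY_LOCAL_MACHINE handle was never opened by this program and is not
     * closed (the original called RegCloseKey on it, which is unnecessary).
     */
    RegCloseKey(hKey);

    /*
     * Release in reverse order of acquisition. HeapFree/FreeSid are guarded
     * because, unlike free(), neither is documented as accepting NULL.
     */
    if (pDacl != NULL) {
        HeapFree(GetProcessHeap(), 0, pDacl);
    }
    if (pInteractiveSid != NULL) {
        FreeSid(pInteractiveSid);
    }
    if (pAdministratorsSid != NULL) {
        FreeSid(pAdministratorsSid);
    }

    return bSuccess ? RTN_OK : RTN_ERROR;
}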
Additional query words: 3.51 4.00 perfmon performance
Keywords : kbcode kbnokeyword kbAPI kbKernBase CodeSam kbGrpKernBase
Version : 3.51 4.00
Platform : NT WINDOWS
Issue type :
Last Reviewed: March 7, 1999