Access Check

This category covers access simulations in order to forecast behavior from the current user and provide a meaningful user interface (for example, there is no need to provide an encryption menu entry if the current user has no right to encrypt).

Enumerations

enum HSDCAccessCheckDepth : DWORD { HSDCAccessCheckDepthRights = 0, HSDCAccessCheckDepthRightsAndActions, HSDCAccessCheckDepthFull }

Functions

HSDCError HSDCAPI HSDCAccessCheckIsSystem (const wchar_t *path, BOOLEAN *pSystem)

Returns if the volume is controlled by Device Control. Volumes located on the physical hard drive containing the system volume are not controlled.

HSDCError HSDCAPI HSDCAccessCheckVolume (const wchar_t *path, const char *jstr, DWORD level, char **pJstr)

Computes effective accesses for a specific volume/drive letter. The full level of details requires Administrator privilege. Details can be controlled to provide different levels of access or also provide available actions that can be performed on the volume, such as encrypt/decrypt/recover access/and so on. Full level of details additionally provides information related to shadowing, file filtering, copy limit, and the device class/model/instance.

HSDCError HSDCAPI HSDCAccessCheck (const wchar_t *device, const char *jstr, char **pJstr)

Similar but more generic than the HSDCAccessCheckVolume call, this allows checks on devices without a drive letter (such as printers, portable devices, and so on), and it also allows simulation of hypothetical case (for example, would the user have write access after encrypting this USB stick). The output is a subset of the previous call since it contains only the rights part.

Enumeration Type Documentation

HSDCAccessCheckDepth

enum HSDCAccessCheckDepth : DWORD

Enumerators

HSDCAccessCheckDepthRights

Reports access rights.

HSDCAccessCheckDepthRightsAndActions

Reports access rights and actions.

HSDCAccessCheckDepthFull

Reports access rights, actions, and all filtering, logging and device information.

Function Documentation

HSDCAccessCheckIsSystem()

HSDCError HSDCAPI HSDCAccessCheckIsSystem ( const wchar_t * path, BOOLEAN * pSystem )

Returns if the volume is controlled by Device Control. Volumes located on the physical hard drive containing the system volume are not controlled.

Parameters

path

Specifies the path/drive letter of the volume.

pSystem

[out] Returns TRUE (1) if the volume is on the system disk and not controlled, otherwise it returns FALSE (0) for controlled volumes.

HSDCAccessCheckVolume()

HSDCError HSDCAPI HSDCAccessCheckVolume ( const wchar_t * path, const char * jstr, DWORD level, char ** pJstr )

Computes effective accesses for a specific volume/drive letter.

The full level of details requires Administrator privilege. Details can be controlled to provide different levels of access or also provide available actions that can be performed on the volume, such as encrypt/decrypt/recover access/and so on. Full level of details additionally provides information related to shadowing, file filtering, copy limit, and the device class/model/instance.

Parameters

path

Non-null, non-empty path/drive letter of the volume to check. Must start with a letter.

jstr

[Optional] Additional optional parameters enabling you to add or remove attributes to the device detected by path. Format is as follows:

Copy 
{
    "add": [
        "EncryptedMediaId",
        "AllSanctuaryEncryptedDevices"
    ],
    "remove": [
        "ExecutableSha1",
        "ExecutableSha256"
    ]
}

Valid list of attributes are:

Attribute

Description

AllObjectsId

Identifies an object

AllDevicesId

Identifies a managed device (any type)

UsbDevicesId

Identifies a USB device

IEEE1394DevicesId

Identifies a FireWire device

PCMCIADevicesId

Identifies a PCMCIA device

IRDADevicesId

Identifies an Infra-Red device

BluetoothDevicesId

Identifies a Bluetooth device

IDEDevicesId

Identifies an ATAPI/IDE device

SCSIDevicesId

Identifies a SCSI device

InternalDevicesId

Identifies an internal device (without other bus)

HDDevicesId

Identifies a fixed disk device

EncryptedMediaId

Identifies an encrypted device

AllSanctuaryEncryptedDevices

Identifies a natively encrypted device

ExecutableSha1

Identifies the current calling executable by its SHA-1

ExecutableSha256

Identifies the current calling executable by its SHA-256

CD

Identifies CD/DVD/BD device class

Floppy

Identifies floppy device class

Removable

Identifies removable device class

COM

Identifies com device class

LPT

Identifies parallel device class

Tape

Identifies tape device class

Modem

Identifies modem device class

SCReader

Identifies smart card reader device class

Ipaq

Identifies Compaq iPAQ device class

Palm

Identifies Palm device class

Scanner

Identifies scanner device class

Printer

Identifies printer device class

BlackBerry

Identifies BlackBerry device class

Wireless

Identifies Wireless NIC device class

PS2

Identifies PS2 device class

Biometric

Identifies biometric device class

WPD

Identifies Windows portable devices device class

RemoteFS

Identifies remote file system device class (Citrix)

level

Specifies the level of details that are needed.

pJstr

[out] Returns a JSON string with all details, formatted as below:

Copy 
{
    "access": {
        "Decrypt": false,
        "Encrypt": true,
        "Export(File)": true,
        "Export(Medium)": true,
        "Import": false,
        "Read": true,
        "Write": true
    },
    "content": {
        "write": "Filtered"
    },
    "device": "\\??\\D:\\",
    "identifier": {
        "blocklength": "512",
        "cipher": "1",
        "cipheralgorithm": "AES256-CTR",
        "cipherkeylength": "32",
        "datafilefirstsector": "89176",
        "datafilelastsector": "31332336",
        "devirationalgorithm": "SHA256",
        "id": "{39E1C94A-64D5-4E25-98A8-BDA9314376F1}",
        "keycipher": "082DCB78C202C9FD2F5A4F0447CA2145F1EB85B0AEA9F1CAD3D19C1440B40CC7",
        "keyfilefirstsector": "68696",
        "keyfilelastsector": "89168",
        "keyhash": "A7084CA8C4763114159E31659F0B062BF74C8A0970CD9DD2C3034DF1A77BF6E0",
        "location": "file",
        "options": "62",
        "passwordcomplexity": "0",
        "passwordminimumlength": "6",
        "unsuccessfulattempts": "0",
        "version": "2"
    },
    "information": {
        "bustypes": "128",
        "deviceinstanceid": "SCSI\\DISK&VEN_SAMSUNG&PROD_HD103SJ\\4&2D8DAA90&0&010000",
        "devicename": "SAMSUNG HD103SJ,Disk drive,(Standard disk drives)",
        "devicetype": "3",
        "filesystem": "NTFS",
        "hardwareid": "SCSI\\DiskSAMSUNG__________HD103SJ1AJ1",
        "instanceid": "4&2d8daa90&0&010000",
        "instancesha1": "BF05DE18999F86872ACEB19FF90090CCBB39FAF7",
        "instancesha256": "FF07E4D96D29A86B1F13A6D00B0B0C49FBAC3EBD3E51E8AA40EF0626E8005328",
        "ismedialoaded": true,
        "isuniqueid": false,
        "mediatype": "12",
        "modelsha1": "CDF1C490BE7645BD91B4136E47AB7C2431BF2E1E",
        "modelsha256": "CC8BCE19BFC400343D55B1C179FE3BEE9926C896E149EF7FD9875DB0C18C31E7",
        "pdoname": "\\Device\\00000032",
        "sectorsize": "512"
    },
    "path": "D:\\",
    "shadow": {
        "read": "Content",
        "write": "Filename"
    }
}
Returns

HSDCErrorSystemDrive

Path references a volume on the system drive that is not monitored

HSDCErrorSkCommFailure

Unable to communicate with SK driver

HSDCErrorInvalidIdentifier

Encryption identifier is not valid/supported

HSDCErrorInvalidVolume

Unable to retrieve volume information

HSDCAccessCheck()

HSDCError HSDCAPI HSDCAccessCheck ( const wchar_t * device, const char * jstr, char ** pJstr )

Similar but more generic than the HSDCAccessCheckVolume call, this allows checks on devices without a drive letter (such as printers, portable devices, and so on), and it also allows simulation of hypothetical case (for example, would the user have write access after encrypting this USB stick). The output is a subset of the previous call since it contains only the rights part.

Parameters

device

Specifies the device name, volume with letter can be named as '\??\D:'

jstr

[optional] As in HSDCAccessCheckVolume()

pJstr

[out] Returns a JSON string with all details, formatted as below:

Copy 
{
    "access": {
        "Decrypt": false,
        "Encrypt": true,
        "Export(File)": true,
        "Export(Medium)": true,
        "Import": false,
        "Read": true,
        "Write": true
    },
    "content": {
        "write": "Filtered"
    },
    "device": "\\??\\D:\\",
    "shadow": {
        "read": "Content",
        "write": "Filename"
    }
}
Returns

HSDCErrorSystemDrive

Path references a volume on the system drive that is not monitored

HSDCErrorSkCommFailure

Unable to communicated with SK driver

HSDCErrorInvalidIdentifier

Encryption identifier is not valid/supported

HSDCErrorInvalidVolume

Unable to retrieve volume information