Published by alax on 17 Apr 2007 at 04:36 pm
Managing security descriptors in registry
As is well known, COM/DCOM per-class launch and access permissions are stored in the registry under the HKEY_CLASSES_ROOT\AppID key. However, the permissions are stored in binary form (as a named REG_BINARY value) and so are not easy to read. DCOMCNFG (or the MMC snap-in) is used to modify the values interactively, but once one needs to update the values programmatically, one has to know the format.
The binary value is a self-relative security descriptor, written to the registry as an array of bytes. ATL provides the atlsecurity.h header file with handy security management classes, including CSecurityDesc for handling security descriptors. Among its methods are FromString and ToString, which convert between the binary format of a self-relative security descriptor and the Security Descriptor String Format (SDDL), a human friendly (more human friendly at least) representation of a security descriptor. The conversion uses the ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor API functions introduced with Windows 2000.

The utility queries a given registry binary value and converts it to security descriptor string format.
Partial (some header files are excluded, but the basic idea is clear) Visual C++ .NET 2005 source code can be downloaded here; the compiled binary is here.
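The same query done from PowerShell, as an added example that is not the post's utility: it reads an AppID's LaunchPermission (or AccessPermission) REG_BINARY value and converts the self-relative security descriptor to SDDL with .NET's RawSecurityDescriptor instead of ATL's CSecurityDesc. The AppID GUID is a placeholder to be replaced with a real one.

```powershell
# Added example (not the post's code): dump a DCOM AppID's launch/access
# permission value as SDDL and list its DACL entries in readable form.
param(
    [string]$AppId = '{00000000-0000-0000-0000-000000000000}',  # placeholder AppID GUID
    [string]$ValueName = 'LaunchPermission'                    # or 'AccessPermission'
)

$keyPath = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"

function ConvertTo-SddlFromBinary {
    param([byte[]]$Bytes)
    # Offset 0: the whole blob is one self-relative SECURITY_DESCRIPTOR
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function ConvertFrom-SddlToBinary {
    param([string]$Sddl)
    # Same conversion as ConvertStringSecurityDescriptorToSecurityDescriptor
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $buf = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($buf, 0)
    return $buf
}

# An absent value means the AppID falls back to the machine-wide default limits
$raw = (Get-ItemProperty -Path $keyPath -Name $ValueName -ErrorAction Stop).$ValueName
$sddl = ConvertTo-SddlFromBinary -Bytes $raw
Write-Output "$ValueName for $AppId :"
Write-Output $sddl

# Walk the DACL: who is granted or denied, and the raw access mask
$sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($raw, 0)
foreach ($ace in $sd.DiscretionaryAcl) {
    try {
        $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $who = $ace.SecurityIdentifier.Value   # unresolvable SID: show it as S-1-...
    }
    '{0,-14} {1,-40} mask=0x{2:X}' -f $ace.AceType, $who, $ace.AccessMask
}

# Round-trip check before ever writing back: SDDL -> binary -> SDDL must be stable
$roundTrip = ConvertTo-SddlFromBinary -Bytes (ConvertFrom-SddlToBinary -Sddl $sddl)
if ($roundTrip -ne $sddl) { throw 'Round-trip mismatch; not writing.' }
# To apply an edited descriptor (elevated prompt required), uncomment:
# Set-ItemProperty -Path $keyPath -Name $ValueName -Type Binary -Value (ConvertFrom-SddlToBinary -Sddl $sddl)
```

The access mask is printed raw because DCOM uses its own bits (COM_RIGHTS_EXECUTE and its local/remote variants), so the generic file-rights names .NET would substitute do not apply.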
One Response to “Managing security descriptors in registry”

alax on 24 Nov 2008 at 9:04 am #
Visual C++ .NET 2008 source code is available from SVN, release binary included.