3.1.4.6.3 LsarSetSecret (Opnum 29)

The LsarSetSecret method is invoked to set the current and old values of the secret object.

 NTSTATUS LsarSetSecret(
   [in] LSAPR_HANDLE SecretHandle,
   [in, unique] PLSAPR_CR_CIPHER_VALUE EncryptedCurrentValue,
   [in, unique] PLSAPR_CR_CIPHER_VALUE EncryptedOldValue
 );

SecretHandle: An open secret object handle.

EncryptedCurrentValue: A binary large object (BLOB) carrying the new current value, encrypted as specified in section 5.1.2. It is valid for this parameter to be NULL, in which case the current value is deleted from the server's policy database.

EncryptedOldValue: A BLOB carrying the new old value, encrypted as specified in section 5.1.2. It is valid for this parameter to be NULL, in which case the value previously stored as the current value in the policy database is copied into the old value.

Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.

Return value/code                       Description
0x00000000  STATUS_SUCCESS              The request was successfully completed.
0xC0000022  STATUS_ACCESS_DENIED        The caller does not have the permissions to perform this operation.
0xC000000D  STATUS_INVALID_PARAMETER    One or more of the supplied parameters was invalid.
0xC0000008  STATUS_INVALID_HANDLE       SecretHandle is not a valid handle.

Processing:

This message contains three input parameters:

SecretHandle: An open handle to a secret object. If the handle is not a valid context handle to a secret object or SecretHandle.HandleType does not equal "Secret", the server MUST return STATUS_INVALID_HANDLE. The server MUST verify that SecretHandle grants access as specified in section 3.1.4.2.2 with RequiredAccess set to SECRET_SET_VALUE.<81>

EncryptedCurrentValue: The version of the new secret value that is being set, encrypted as specified in section 5.1.2. It is valid for this parameter to be NULL, in which case the server MUST delete the current value in its database. If decryption fails, the server must return an implementation-specific error.<82>

EncryptedOldValue: The version of the old secret value that is being set, encrypted as specified in section 5.1.2. It is valid for this parameter to be NULL, in which case the server MUST delete the old value in its database and replace it with the previous version of "CurrentValue". If decryption fails, the server must return an implementation-specific error.<83>

The server MUST also maintain "time stamp" values for the current and old values of the secret object (the "new secret time" and the "old secret time"). The following table lists the rules by which the time stamps are computed from the two input parameters.

Old secret value         New secret value             Effect on old secret time              Effect on new secret time
(EncryptedOldValue)      (EncryptedCurrentValue)
NULL                     NULL                         Previous value of "new secret time"    Current server time
NULL                     Non-NULL                     Previous value of "new secret time"    Current server time
Non-NULL                 NULL                         Current server time                    Current server time
Non-NULL                 Non-NULL                     Current server time                    Current server time

In other words, the time stamp of the current value is always reset to the server's current time, while the time stamp of the old value is reset only when an old value is supplied explicitly; when EncryptedOldValue is NULL, the old value inherits the time stamp of the value that has just been moved from the current slot into the old slot.
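The processing rules of this section, as an added runnable model written for this page (it is not code from MS-LSAD or from any Microsoft implementation, and it does not speak RPC): the handle-type and SECRET_SET_VALUE checks, the NULL semantics of both parameters, and the time-stamp table. Three things are assumptions of the model rather than statements of the section: the numeric value of the SECRET_SET_VALUE bit, the use of STATUS_INVALID_PARAMETER for a failed decryption (the section leaves that error implementation-specific), and the cipher, which is a constructed XOR-with-length-prefix stand-in for section 5.1.2 so that a decryption failure can be exercised offline. The walkthrough shows what the table alone does not: a caller that "rotates" a secret by passing NULL for EncryptedOldValue does not erase the previous value but slides it into the old slot, carrying the time stamp it had as the current value, and a call whose ciphertext does not decrypt leaves the object untouched.

```python
"""Model of the server-side processing rules for LsarSetSecret (Opnum 29).

Added illustration for this page, not Microsoft's implementation. The 5.1.2
cipher is replaced by a constructed stand-in so decryption failure can be
exercised offline.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# NTSTATUS values from the return-value table of this section.
STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_INVALID_PARAMETER = 0xC000000D
STATUS_INVALID_HANDLE = 0xC0000008

# Access bit checked by this opnum (RequiredAccess = SECRET_SET_VALUE).
# The bit value is an assumption of this model.
SECRET_SET_VALUE = 0x00000001


class DecryptionError(Exception):
    """Raised by the stand-in cipher when a ciphertext does not decrypt cleanly."""


@dataclass
class SecretObject:
    """Per-secret server state: two values and their two time stamps."""
    current_value: Optional[bytes] = None
    old_value: Optional[bytes] = None
    current_time: int = 0  # the "new secret time" of the time-stamp table
    old_time: int = 0      # the "old secret time" of the time-stamp table


@dataclass
class Handle:
    """A context handle: its type, the access it was granted, the object it names."""
    handle_type: str
    granted_access: int
    obj: Optional[SecretObject] = None


def make_toy_cipher(session_key: bytes):
    """Constructed stand-in for section 5.1.2: XOR plus a 4-byte length prefix.

    Returns (encrypt, decrypt). decrypt() raises DecryptionError when the
    recovered length prefix does not match, which models a failed decryption.
    """
    def xor(data: bytes) -> bytes:
        return bytes(b ^ session_key[i % len(session_key)] for i, b in enumerate(data))

    def encrypt(plaintext: bytes) -> bytes:
        return xor(len(plaintext).to_bytes(4, "little") + plaintext)

    def decrypt(ciphertext: bytes) -> bytes:
        plain = xor(ciphertext)
        if len(plain) < 4 or int.from_bytes(plain[:4], "little") != len(plain) - 4:
            raise DecryptionError("length check failed")
        return plain[4:]

    return encrypt, decrypt


def lsar_set_secret(handle: Optional[Handle], encrypted_current: Optional[bytes],
                    encrypted_old: Optional[bytes], decrypt: Callable[[bytes], bytes],
                    now: int) -> int:
    """Apply the rules of 3.1.4.6.3 to the secret behind `handle`; `now` is server time."""
    # SecretHandle must be a valid context handle whose HandleType is "Secret".
    if handle is None or handle.handle_type != "Secret" or handle.obj is None:
        return STATUS_INVALID_HANDLE
    # Access check per 3.1.4.2.2 with RequiredAccess = SECRET_SET_VALUE.
    if handle.granted_access & SECRET_SET_VALUE != SECRET_SET_VALUE:
        return STATUS_ACCESS_DENIED
    # Decrypt both inputs before mutating anything so a failure leaves the object
    # unchanged. The error code on failure is this model's choice, not the spec's.
    try:
        new_current = None if encrypted_current is None else decrypt(encrypted_current)
        new_old = None if encrypted_old is None else decrypt(encrypted_old)
    except DecryptionError:
        return STATUS_INVALID_PARAMETER

    secret = handle.obj
    previous_current, previous_current_time = secret.current_value, secret.current_time
    secret.current_value = new_current          # NULL deletes the current value
    if new_old is None:
        # NULL old value: previous CurrentValue (and its time stamp) slide into the old slot.
        secret.old_value, secret.old_time = previous_current, previous_current_time
    else:
        secret.old_value, secret.old_time = new_old, now
    secret.current_time = now                    # "new secret time" is always server time
    return STATUS_SUCCESS


def rotation_walkthrough() -> list:
    """Drive a rotation sequence; return (status, current, old, ctime, otime) after each call."""
    encrypt, decrypt = make_toy_cipher(b"\x5a\xc3\x9e\x11\x7f\x02\x44\xa8")  # constructed key
    secret = SecretObject()
    h = Handle("Secret", SECRET_SET_VALUE, secret)
    calls = [
        (encrypt(b"pw1"), None, 100),                  # first set: old slot stays empty
        (encrypt(b"pw2"), None, 200),                  # rotate: pw1 slides into old
        (encrypt(b"pw3"), encrypt(b"explicit"), 300),  # explicit old value, both times reset
        (None, None, 400),                             # delete current; pw3 becomes old
        (b"garbage", None, 500),                       # decryption failure: no change
    ]
    trace = []
    for cur, old, now in calls:
        status = lsar_set_secret(h, cur, old, decrypt, now)
        trace.append((status, secret.current_value, secret.old_value,
                      secret.current_time, secret.old_time))
    return trace


if __name__ == "__main__":
    for row in rotation_walkthrough():
        print(row)
```

Running the walkthrough prints one tuple per call; the fourth row shows the current value gone but "pw3" preserved as the old value with its original time stamp of 300, and the fifth row shows the failed call leaving every field as it was.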