Debugging the Access Control List Editor (225031)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Datacenter Server
This article was previously published under Q225031
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

The Access Control List Editor can provide output to a debugger. This may be useful when troubleshooting Access Control List Editor related issues.

MORE INFORMATION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

There are two dynamic-link library (.dll) files in Windows 2000 involved in the functionality of the Access Control List Editor, Dssec.dll, and Aclui.dll.

The checked version of the Dssec.dll file generates debug print statements when used in conjunction with a debugger. To enable debug output from the Access Control List Editor:

  1. Rename the original Dssec.dll file in the %SYSTEMROOT%\SYSTEM32 folder to Dssec.old, or another unique file name.
  2. Copy the checked Dssec.dll file to the %SYSTEMROOT%\SYSTEM32 folder.
  3. Debugging detail can be set from the following registry key value:

    HKEY_CLASSES_ROOT\CLSID\{4E40F770-369C-11d0-8922-00A-24AB2DBB)\TraceMask


    • To see basic debug output, set the value to (DWORD) 0x40000007
    • To see more detailed debug output, set the value to (DWORD) 0x4000003F
Useful information can also be gained by using the checked version of the Aclui.dll file with a debugger. Once this new file is installed, a specific trace mask may be assigned in the registry to denote the level of detail. To enable debugging output for the Aclui.dll file:
  1. Rename the original Aclui.dll file in the %SYSTEMROOT%\SYSTEM32 folder to Aclui.old, or another unique file name.
  2. Copy the checked Aclui.dll file to the %SYSTEMROOT%\SYSTEM32 folder.
  3. Debugging detail can be set from the following registry key value:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AclUI\TraceMask



    To enable basic debug output, set the value of TraceMask to (DWORD) 0x400001ff.

Here is a more detailed list of the debug flags in the mask for debugging the Dssec.dll and Aclui.dll files:

Common Debug Flags

TRACE_COMMON_STR0x80000000String functions
TRACE_COMMON_ASSERT0x40000000Break on assertion failures

ACLUI Debug Flags

TRACE_PERMPAGE0x00000001Security Page
TRACE_PRINCIPAL0x00000002SID specific changes on security page
TRACE_SI0x00000004Additional security page information
TRACE_PERMSET0x00000004Permission changes on security page
TRACE_ACELIST0x00000010Advanced permission and audit pages
TRACE_ACEEDIT0x00000020View/Edit ACE page
TRACE_OWNER0x00000040Ownership Page
TRACE_MISC0x00000080Includes SID lookup/cache
TRACE_CHECKLIST0x00000100"List of Checkboxes" control

DSSEC Debug Flags

TRACE_CORE0x00000001DLLMain, etc.
TRACE_SECURITY0x00000002Shell extension
TRACE_DSSI0x00000004DS provider for ACLUI
TRACE_SCHEMA0x00000008Schema cache
TRACE_SCHEMACLASS0x00000010Schema cache (class specific)
TRACE_SCHEMAPROP0x00000020Schema cache (property specific
Modification Type:MajorLast Reviewed:11/21/2003
Keywords:kbhowto KB225031
©2003 Microsoft Corporation. All rights reserved.