Win API bitmasks two with same value - is this a MS doc's mistake?

SECURITY_DESCRIPTOR_CONTROL (Winnt.h) - Win32 apps | Microsoft Docs

So I’ve spotted two entries with the same hex value which doesnt make sense for a bitmask especially as the GetSecurityInfo function (aclapi.h) - Win32 apps | Microsoft Docs gives individual memory addresses for a SACL and one for a DACL, in its prototype.

SE_DACL_DEFAULTED 0x0008
and
SE_SACL_DEFAULTED 0x0008

Now if you put these entries in bitmask order (see below) you can see the two “defaulted”'s with the same bitmask, but the SE_DACL_PRESENT (04h) is before SE_DACL_DEFAULTED (08h) so I would expect the same for the SACL’s, but they are not, so I’m wondering if I am seeing a mistake on a webpage.
The reason I say “mistake” is because other times, information has been missing from the MS api webpages, so I’ve even gone and checked the webpage on someone else’s device unconnected to me to see if they see the same thing (using computers connected to the net at PC World can be useful here), but I’m also massively aware that alot of these webservers are akamai hosted just like this website is hosted on Cloudfare, so are mirrors of originals, in the EU and I know alot of countries are into hacking each other for various reasons.

So do you think this is a mistake?

Edit. Further down the SACL_Protected and DACL_Protected have separate values.

IS_SE_OWNER_DEFAULTED              Equate(0001h)        !Indicates that the SID of the owner of the security descriptor was provided by a default mechanism. This flag can be used by a resource manager to identify objects whose owner was set by a default mechanism. To set this flag, use the SetSecurityDescriptorOwner function.

IS_SE_GROUP_DEFAULTED              Equate(0002h)        !Indicates that the security identifier (SID) of the security descriptor group was provided by a default mechanism. This flag can be used by a resource manager to identify objects whose security descriptor group was set by a default mechanism. To set this flag, use the SetSecurityDescriptorGroup function.

IS_SE_DACL_PRESENT                 Equate(0004h)        !Indicates a security descriptor that has a DACL. If this flag is not set, or if this flag is set and the DACL is NULL, the security descriptor allows full access to everyone.
                                                        !This flag is used to hold the security information specified by a caller until the security descriptor is associated with a securable object. After the security descriptor is associated with a securable object, the SE_DACL_PRESENT flag is always set in the security descriptor control.
                                                        !To set this flag, use the SetSecurityDescriptorDacl function.

IS_SE_DACL_DEFAULTED               Equate(0008h)        !Indicates a security descriptor with a default DACL. For example, if the creator an object does not specify a DACL, the object receives the default DACL from the access token of the creator. This flag can affect how the system treats the DACL with respect to ACE inheritance. The system ignores this flag if the SE_DACL_PRESENT flag is not set.
                                                        !This flag is used to determine how the final DACL on the object is to be computed and is not stored physically in the security descriptor control of the securable object.
                                                        !To set this flag, use the SetSecurityDescriptorDacl function.

!???? Normally they are unique and if the DACLS are to go by, then this should be whatever the next bit mask is because DACL Present is before DACL Default
IS_SE_SACL_DEFAULTED               Equate(0008h)        !A default mechanism, rather than the original provider of the security descriptor, provided the SACL. This flag can affect how the system treats the SACL, with respect to ACE inheritance. The system ignores this flag if the SE_SACL_PRESENT flag is not set. To set this flag, use the SetSecurityDescriptorSacl function.
!???? Normally they are unique and if the DACLS are to go by, then this should be whatever the next bit mask is because DACL Present is before DACL Default

IS_SE_SACL_PRESENT                 Equate(0010h)        !Indicates a security descriptor that has a SACL. To set this flag, use the SetSecurityDescriptorSacl function.


IS_SE_DACL_AUTO_INHERIT_REQ        Equate(0100h)        !Indicates a required security descriptor in which the discretionary access control list (DACL) is set up to support automatic propagation of inheritable access control entries (ACEs) to existing child objects.
                                                        !For access control lists (ACLs) that support auto inheritance, this bit is always set. Protected servers can call the ConvertToAutoInheritPrivateObjectSecurity function to convert a security descriptor and set this flag.

IS_SE_SACL_AUTO_INHERIT_REQ        Equate(0200h)        !Indicates a required security descriptor in which the system access control list (SACL) is set up to support automatic propagation of inheritable ACEs to existing child objects.
                                                        !The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. To convert a security descriptor and set this flag, protected servers can call the ConvertToAutoInheritPrivateObjectSecurity function.

IS_SE_DACL_AUTO_INHERITED          Equate(0400h)        !Indicates a security descriptor in which the discretionary access control list (DACL) is set up to support automatic propagation of inheritable access control entries (ACEs) to existing child objects.
                                                        !For access control lists (ACLs) that support auto inheritance, this bit is always set. Protected servers can call the ConvertToAutoInheritPrivateObjectSecurity function to convert a security descriptor and set this flag.


IS_SE_SACL_AUTO_INHERITED          Equate(0800h)        !Indicates a security descriptor in which the system access control list (SACL) is set up to support automatic propagation of inheritable ACEs to existing child objects.
                                                        !The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. To convert a security descriptor and set this flag, protected servers can call the ConvertToAutoInheritPrivateObjectSecurity function.

IS_SE_DACL_PROTECTED               Equate(1000h)        !Prevents the DACL of the security descriptor from being modified by inheritable ACEs. To set this flag, use the SetSecurityDescriptorControl function.

IS_SE_SACL_PROTECTED               Equate(2000h)        !Prevents the SACL of the security descriptor from being modified by inheritable ACEs. To set this flag, use the SetSecurityDescriptorControl function.


IS_SE_RM_CONTROL_VALID             Equate(4000h)        !Indicates that the resource manager control is valid.


IS_SE_SELF_RELATIVE                Equate(8000h)        !Indicates a self-relative security descriptor. If this flag is not set, the security descriptor is in absolute format. For more information, see Absolute and Self-Relative Security Descriptors.

This is from my copy of winnt.h. That file came with the one of the Windows 10 Window Kits from MSDN.

I think this is the setup I used. https://download.microsoft.com/download/9/3/9/939441D4-6FBA-48EE-9EF7-402C1AA8B8A7/windowssdk/winsdksetup.exe

Well unless this is the UK version of military sock puppets, ie fake websites with fake posters to consensus crack, it would seem I’m not going mad then, but then I dont know what security cert is issued and used by clarionhub so the fact its encrypted still doesnt mean anything in my books. Thats a problem with having multiple root certs for webpages.

Anyway, top and bottom entry on the screen shot, they are clearly both 8h and its different in the winnt.h file installed by visual studio.

Now I wonder if this is a typo or something a bit more nefarious.

Reason I say that is because there have been API’s where the dll filename that is normally listed towards the bottom of the webpage, has been missing making it a tedious task of going through all the dll’s in win\system32 in libmaker to track down the api.

But I also wonder if this is MS’s attempt to mess up web page scrapers. This isnt the only bitmask/enum list to have a couple of entries with the same value, showing up on non-MS websites.

This api doesnt even exist in AdvApi.dll!
LookupAccountSidLocalA function (winbase.h) - Win32 apps | Microsoft Docs
I know I can use LookupAccountSidA function (winbase.h) - Win32 apps | Microsoft Docs
and pass a null aka a 0 for lpSystemName, but I am beginning to question the MS doc’s a bit more.

Any other guesses why this might the be occurring?

sacldacldefaulted1917×1036 113 KB

“Any other guesses why this might the be occurring?”

I don’t know this symbol, but I have seen duplicate bit definitions (or combinations) used to make a more understandable symbol name for a particular usage.

Maybe the second symbol does not have to be different from the first, but they wanted the header consistant for clarity?

The original appears to be a mistake on the website or at least its different to what is stored in the .h files.

So this is access types in winnt.h

////////////////////////////////////////////////////////////////////////
//                                                                    //
//                             ACCESS TYPES                           //
//                                                                    //
////////////////////////////////////////////////////////////////////////


// begin_wdm
//
//  The following are masks for the predefined standard access types
//

#define DELETE                           (0x00010000L)
#define READ_CONTROL                     (0x00020000L)
#define WRITE_DAC                        (0x00040000L)
#define WRITE_OWNER                      (0x00080000L)
#define SYNCHRONIZE                      (0x00100000L)

#define STANDARD_RIGHTS_REQUIRED         (0x000F0000L)

#define STANDARD_RIGHTS_READ             (READ_CONTROL)
#define STANDARD_RIGHTS_WRITE            (READ_CONTROL)
#define STANDARD_RIGHTS_EXECUTE          (READ_CONTROL)

I cant figure out why the last three in this list are all Read_Controls.

That explains alot! Thanks, I do like reading what Raymond has to say on his blogs when they come up in search results.

SACL (System Access Control List) and DACL (Discretionary Access Control List) are two separate security descriptors. SE_SACL_* masks must be used with SACL, SE_DACL_* masks - with DACL descriptors. Therefore, similar masks can have different values.