SeValidSecurityDescriptor function

The SeValidSecurityDescriptor routine returns whether a given security descriptor is structurally valid.

Syntax

BOOLEAN SeValidSecurityDescriptor(
  ULONG                Length,
  PSECURITY_DESCRIPTOR SecurityDescriptor
);

Parameters

Length

Specifies the size in bytes of the given security descriptor.

SecurityDescriptor

Pointer to the self-relative SECURITY_DESCRIPTOR, which must be buffered somewhere in system space.

Return Value

SeValidSecurityDescriptor returns TRUE if the buffered security descriptor is structurally valid.

Remarks

SeValidSecurityDescriptor does not enforce policy. It simply checks that the given security descriptor data is formatted correctly. In particular, it checks the revision information, self-relativity, owner, and alignment, and that the SID, group, DACL, ACL, and/or SACL, if present, do not overflow the given Length. Consequently, callers of SeValidSecurityDescriptor cannot assume that a return value of TRUE implies that the given security descriptor has valid contents.

If SeValidSecurityDescriptor returns TRUE, the given security descriptor can be passed on to another kernel-mode component because it is structurally valid. Otherwise, passing a structurally invalid security descriptor to be manipulated by another kernel-mode component can cause undefined results or even a system bug check.

To validate a security descriptor that was passed in from user mode, call RtlValidSecurityDescriptor rather than SeValidSecurityDescriptor.
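
As an added illustration (not Microsoft's implementation and not kernel code), the following portable C model applies the kind of structural checks listed in the Remarks above to a self-relative descriptor held in a byte buffer. The function names, the constructed sample bytes, and the rule that an owner must be present are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SD_REVISION      1u       /* SECURITY_DESCRIPTOR_REVISION */
#define SE_SELF_RELATIVE 0x8000u  /* Control bit: fields are offsets, not pointers */
#define SD_HEADER_SIZE   20u      /* Revision, Sbz1, Control, then 4 ULONG offsets */
#define SID_MAX_SUBAUTH  15u      /* SID_MAX_SUB_AUTHORITIES */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* Common offset checks: past the header, ULONG-aligned, 8-byte fixed part fits. */
static int fixed_part_fits(uint32_t len, uint32_t off) {
    return off >= SD_HEADER_SIZE && (off & 3u) == 0 && off <= len && len - off >= 8u;
}
/* SID: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6) SubAuthority[n](4 each) */
static int sid_fits(const uint8_t *sd, uint32_t len, uint32_t off) {
    if (!fixed_part_fits(len, off)) return 0;
    if (sd[off] != 1u || sd[off + 1] > SID_MAX_SUBAUTH) return 0;
    return len - off >= 8u + 4u * sd[off + 1];
}
/* ACL header: AclRevision(1) Sbz1(1) AclSize(2) AceCount(2) Sbz2(2) */
static int acl_fits(const uint8_t *sd, uint32_t len, uint32_t off) {
    if (!fixed_part_fits(len, off)) return 0;
    uint16_t acl_size = rd16(sd + off + 2);
    return acl_size >= 8u && acl_size <= len - off;
}
/* Model of the structural checks only; no policy decision is made here. */
int sd_structurally_valid(const uint8_t *sd, uint32_t len) {
    if (sd == NULL || len < SD_HEADER_SIZE || sd[0] != SD_REVISION) return 0;
    if (!(rd16(sd + 2) & SE_SELF_RELATIVE)) return 0;
    uint32_t owner = rd32(sd + 4), group = rd32(sd + 8);
    uint32_t sacl = rd32(sd + 12), dacl = rd32(sd + 16);
    if (owner == 0 || !sid_fits(sd, len, owner)) return 0; /* assumption: owner required */
    if (group != 0 && !sid_fits(sd, len, group)) return 0;
    if (sacl != 0 && !acl_fits(sd, len, sacl)) return 0;
    return dacl == 0 || acl_fits(sd, len, dacl);
}
/* Constructed sample: owner is the Null SID (S-1-0-0), no group, SACL or DACL.
   Well-formed, yet the owner identifies no real principal. */
static const uint8_t SAMPLE_SD[32] = {
    0x01, 0x00, 0x00, 0x80,  20, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,
    0x01, 0x01, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0 };
/* Validate a copy of the sample with one byte patched and a claimed Length. */
int check_patched(size_t idx, uint8_t val, uint32_t len) {
    uint8_t buf[sizeof SAMPLE_SD];
    memcpy(buf, SAMPLE_SD, sizeof buf);
    buf[idx] = val;
    return sd_structurally_valid(buf, len);
}
```

The sample passes every check although its owner is the Null SID, which is the distinction the Remarks draw between a structurally valid descriptor and one with valid contents.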

Requirements

Minimum supported client: Available in Windows 2000 and later versions of Windows.
Target Platform: Universal
Header: wdm.h (include Wdm.h, Ntddk.h, Ntifs.h)
Library: NtosKrnl.lib
DLL: NtosKrnl.exe
IRQL: PASSIVE_LEVEL
DDI compliance rules: PowerIrpDDis, HwStorPortProhibitedDDIs

See Also

RtlValidSecurityDescriptor

SECURITY_DESCRIPTOR