ObReferenceObjectByHandle function (wdm.h)

The ObReferenceObjectByHandle routine provides access validation on the object handle, and, if access can be granted, returns the corresponding pointer to the object's body.


NTSTATUS ObReferenceObjectByHandle(
  [in]            HANDLE                     Handle,
  [in]            ACCESS_MASK                DesiredAccess,
  [in, optional]  POBJECT_TYPE               ObjectType,
  [in]            KPROCESSOR_MODE            AccessMode,
  [out]           PVOID                      *Object,
  [out, optional] POBJECT_HANDLE_INFORMATION HandleInformation


[in] Handle

Specifies an open handle for an object.

[in] DesiredAccess

Specifies the requested types of access to the object. The interpretation of this field is dependent on the object type. Do not use any generic access rights. For more information, see ACCESS_MASK.

[in, optional] ObjectType

Pointer to the object type. ObjectType can be *ExEventObjectType, *ExSemaphoreObjectType, *IoFileObjectType, *PsProcessType, *PsThreadType, *SeTokenObjectType, *TmEnlistmentObjectType, *TmResourceManagerObjectType, *TmTransactionManagerObjectType, or *TmTransactionObjectType.

If ObjectType is not NULL, the operating system verifies that the supplied object type matches the object type of the object that Handle specifies.

[in] AccessMode

Specifies the access mode to use for the access check. It must be either UserMode or KernelMode. Drivers should always specify UserMode for handles they receive from user address space.

[out] Object

Pointer to a variable that receives a pointer to the object's body. The following table contains the pointer types.

ObjectType parameter Object pointer type
*ExEventObjectType PKEVENT
*ExSemaphoreObjectType PKSEMAPHORE
*IoFileObjectType PFILE_OBJECT
*SeTokenObjectType PACCESS_TOKEN
*TmEnlistmentObjectType PKENLISTMENT
*TmResourceManagerObjectType PKRESOURCEMANAGER
*TmTransactionManagerObjectType PKTM
*TmTransactionObjectType PKTRANSACTION

The structures that the pointer types reference are opaque, and drivers cannot access the structure members. Because the structures are opaque, PEPROCESS is equivalent to PKPROCESS, and PETHREAD is equivalent to PKTHREAD.

[out, optional] HandleInformation

Drivers set this to NULL.

Return value

ObReferenceObjectByHandle returns STATUS_SUCCESS if the call is successful. Possible return values include the following error codes:

Return code Description
STATUS_OBJECT_TYPE_MISMATCH The ObjectType parameter specifies the wrong object type for the object that is identified by the Handle parameter.
STATUS_ACCESS_DENIED The caller cannot be granted the requested access rights to the object.
STATUS_INVALID_HANDLE The Handle parameter is not a valid object handle.


A pointer to the object body is retrieved from the object table entry and returned to the caller by means of the Object parameter.

If AccessMode is UserMode, the requested access is compared to the granted access for the object. If AccessMode is KernelMode, the handle should originate in the kernel address space.

Starting with Windows 7, if AccessMode is KernelMode and handle is received from user address space, Driver Verifier issues bugcheck C4, subcode F6.

If the call succeeds, a pointer to the object body is returned to the caller and the pointer reference count is incremented. Incrementing this count prevents the object from being deleted while the pointer is being referenced. The caller must decrement the reference count with ObDereferenceObject as soon as it is done with the object.


Minimum supported client Available starting with Windows 2000.
Target Platform Universal
Header wdm.h (include Wdm.h, Ntddk.h, Ntifs.h)
Library NtosKrnl.lib
DLL NtosKrnl.exe
DDI compliance rules IrqlObPassive, TargetRelationNeedsRef, HwStorPortProhibitedDDIs

See also