A major portion of Windows security checking occurs inside the IRP_MJ_CREATE dispatch routine. This is because the bulk of the Windows security model is related to access validation. Access validation results are stored as part of the handle that is created as a result of this operation. Subsequent operations are validated against the rights computed at this point.
If the access rights on the file change after the file or directory has been opened, the original access rights provided during the IRP_MJ_CREATE operation continue to be valid. These access rights are associated with the handle, so as long as the handle persists, the access granted under it governs subsequent operations.
This section includes the following topics: