IRP_MJ_SET_SECURITY (FS and filter drivers)
When Sent
The I/O Manager sends the IRP_MJ_SET_SECURITY request. This request can be sent, for example, when a user-mode application has called a Win32 function such as SetSecurityInfo.
Operation: File System Drivers
The file system driver should extract and decode the file object to determine whether it represents a user file or directory open. If it does, the driver should process the request and complete the IRP. Otherwise, the driver should complete the IRP as appropriate without processing the request.
Operation: Legacy File System Filter Drivers
The filter driver should pass this IRP down to the next-lower driver on the stack.
Parameters
A file system or filter driver calls IoGetCurrentIrpStackLocation for the given IRP to get a pointer to its own stack location in the IRP. In the following parameters, Irp points to the IRP and IrpSp points to the IO_STACK_LOCATION. The driver can use the information that is set in the following members of the IRP and the IRP stack location to process a set security information request:
DeviceObject is a pointer to the target device object.
Irp->IoStatus points to an IO_STATUS_BLOCK structure that receives the final completion status and information about the requested operation.
IrpSp->FileObject points to the file object that is associated with DeviceObject.
The IrpSp->FileObject parameter contains a pointer to the RelatedFileObject field, which is also a FILE_OBJECT structure. The RelatedFileObject field of the FILE_OBJECT structure isn't valid during the processing of IRP_MJ_SET_SECURITY and shouldn't be used.
IrpSp->MajorFunction is set to IRP_MJ_SET_SECURITY.
IrpSp->Parameters.SetSecurity.SecurityDescriptor points to a SECURITY_DESCRIPTOR structure that contains the values of the security information to be assigned to the object.
IrpSp->Parameters.SetSecurity.SecurityInformation is a value of type SECURITY_INFORMATION that specifies which security information is to be set in the security descriptor, and can be one of the following values.
| SecurityInformation Value | Meaning |
|---|---|
| DACL_SECURITY_INFORMATION | Indicates that the discretionary access control list (DACL) of the object is being set. Requires WRITE_DAC access. |
| GROUP_SECURITY_INFORMATION | Indicates that the primary group identifier of the object is being set. Requires WRITE_OWNER access. |
| OWNER_SECURITY_INFORMATION | Indicates that the owner identifier of the object is being set. Requires WRITE_OWNER access. |
| SACL_SECURITY_INFORMATION | Indicates that the system ACL (SACL) of the object is being set. Requires ACCESS_SYSTEM_SECURITY access. |
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for