SaferComputeTokenFromLevel function (winsafer.h)

The SaferComputeTokenFromLevel function restricts a token using restrictions specified by a SAFER_LEVEL_HANDLE.

Syntax

BOOL SaferComputeTokenFromLevel(
  [in]                SAFER_LEVEL_HANDLE LevelHandle,
  [in, optional]      HANDLE             InAccessToken,
  [out]               PHANDLE            OutAccessToken,
  [in]                DWORD              dwFlags,
  [in, out, optional] LPVOID             lpReserved
);

Parameters

[in] LevelHandle

SAFER_LEVEL_HANDLE that contains the restrictions to place on the input token. Do not pass handles with a LevelId of SAFER_LEVELID_FULLYTRUSTED or SAFER_LEVELID_DISALLOWED to this function. This is because SAFER_LEVELID_FULLYTRUSTED is unrestricted and SAFER_LEVELID_DISALLOWED does not contain a token.

[in, optional] InAccessToken

Token to be restricted. If this parameter is NULL, the token of the current thread will be used. If the current thread does not contain a token, the token of the current process is used.

[out] OutAccessToken

The resulting restricted token.

[in] dwFlags

Specifies the behavior of the function. The value can be 0 (no flags) or one or more of the following values combined by using a bitwise-OR operation.

Value                                    Meaning

SAFER_TOKEN_NULL_IF_EQUAL (1, 0x1)
    If the OutAccessToken parameter is not more restrictive than the InAccessToken parameter, the OutAccessToken parameter returns NULL.

SAFER_TOKEN_COMPARE_ONLY (2, 0x2)
    The token specified by the InAccessToken parameter is compared with the token that would be created if the restrictions specified by the LevelHandle parameter were applied. The restricted token is not actually created.

    On output, the value of the lpReserved parameter specifies the result of the comparison.

SAFER_TOKEN_MAKE_INERT (4, 0x4)
    If this flag is set, the system does not check AppLocker rules or apply Software Restriction Policies. For AppLocker, this flag disables checks for all four rule collections: Executable, Windows Installer, Script, and DLL.

    Set this flag when creating a setup program that must run extracted DLLs during installation.

    A token can be queried for the presence of this flag by using GetTokenInformation.

    Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: AppLocker is not supported.

SAFER_TOKEN_WANT_FLAGS (8, 0x8)
    On output, the value of the lpReserved parameter specifies the set of flags used to create the restricted token.

[in, out, optional] lpReserved

If the SAFER_TOKEN_COMPARE_ONLY flag is set, this parameter, on output, specifies the result of the token comparison. The output value is an LPDWORD. A value of -1 indicates that the resulting token would be less privileged than the token specified by the InAccessToken parameter.

If the SAFER_TOKEN_WANT_FLAGS flag is set, and the SAFER_TOKEN_COMPARE_ONLY flag is not set, this parameter is an LPDWORD value that specifies the flags used to create the restricted token.

Return value

TRUE if the function succeeds; otherwise, FALSE. For extended information, call GetLastError.
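The calling pattern the parameter descriptions above imply, as an added example that is not code from the winsafer.h reference: obtain a level handle, ask SaferComputeTokenFromLevel for a dry-run comparison through lpReserved (SAFER_TOKEN_COMPARE_ONLY), then derive a restricted token with SAFER_TOKEN_NULL_IF_EQUAL and start a child under it. Assumptions not stated on this page: the level is SAFER_LEVELID_CONSTRAINED in SAFER_SCOPEID_USER, created and released with the companion functions SaferCreateLevel and SaferCloseLevel; the child is started with CreateProcessAsUserW (notepad.exe is an arbitrary stand-in); and the typedefs and flag values under #ifndef _WIN32 are stand-ins so that the outcome-classification helper, safer_outcome(), compiles off Windows. Everything else only builds on Windows.

```c
/* Added example, not code from the winsafer.h reference: derive a restricted
 * token with SaferComputeTokenFromLevel and interpret dwFlags/lpReserved as the
 * reference documents them. Win32 calls build only on Windows. */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <winsafer.h>
#include <wchar.h>
#pragma comment(lib, "advapi32.lib")
#else
/* Stand-ins so the portable part compiles off Windows (assumption; the flag
 * values are the ones in the dwFlags table above). */
typedef int BOOL;
typedef unsigned long DWORD;
typedef void *HANDLE;
#define SAFER_TOKEN_NULL_IF_EQUAL 0x1
#define SAFER_TOKEN_COMPARE_ONLY  0x2
#endif

typedef enum {
    SAFER_OUTCOME_CALL_FAILED,                  /* returned FALSE; consult GetLastError */
    SAFER_OUTCOME_WOULD_BE_LESS_PRIVILEGED,     /* COMPARE_ONLY: lpReserved came back -1 */
    SAFER_OUTCOME_WOULD_NOT_BE_LESS_PRIVILEGED, /* COMPARE_ONLY: any other value */
    SAFER_OUTCOME_NOT_MORE_RESTRICTIVE,         /* NULL_IF_EQUAL: OutAccessToken is NULL */
    SAFER_OUTCOME_TOKEN_CREATED                 /* OutAccessToken holds a restricted token */
} safer_outcome_t;

/* Classify the outputs of SaferComputeTokenFromLevel. With COMPARE_ONLY no
 * token is created and the DWORD written through lpReserved is the answer
 * (-1 = the level would yield a less privileged token; the reference documents
 * only that value). Otherwise a NULL OutAccessToken arises only with
 * NULL_IF_EQUAL and means the level would add no restriction. */
safer_outcome_t safer_outcome(BOOL ok, HANDLE out_token, DWORD flags, DWORD reserved_out)
{
    if (!ok)
        return SAFER_OUTCOME_CALL_FAILED;
    if (flags & SAFER_TOKEN_COMPARE_ONLY)
        return reserved_out == (DWORD)-1 ? SAFER_OUTCOME_WOULD_BE_LESS_PRIVILEGED
                                         : SAFER_OUTCOME_WOULD_NOT_BE_LESS_PRIVILEGED;
    if (out_token == NULL)
        return SAFER_OUTCOME_NOT_MORE_RESTRICTIVE;
    return SAFER_OUTCOME_TOKEN_CREATED;
}

#ifdef _WIN32
/* Start `cmdline` under a SAFER_LEVELID_CONSTRAINED token derived from the
 * caller's own token (InAccessToken = NULL). Returns 0 when the child runs
 * restricted, 1 when the caller is already at or below that level, -1 on error. */
int run_constrained(const wchar_t *cmdline)
{
    SAFER_LEVEL_HANDLE level = NULL;
    HANDLE token = NULL, unused = NULL;
    DWORD cmp = 0;   /* COMPARE_ONLY writes the comparison result here via lpReserved */
    if (!SaferCreateLevel(SAFER_SCOPEID_USER, SAFER_LEVELID_CONSTRAINED,
                          SAFER_LEVEL_OPEN, &level, NULL)) {
        fprintf(stderr, "SaferCreateLevel: %lu\n", GetLastError());
        return -1;
    }
    /* Dry run first: no token is created, only the comparison result is returned. */
    if (safer_outcome(SaferComputeTokenFromLevel(level, NULL, &unused, SAFER_TOKEN_COMPARE_ONLY, &cmp),
                      unused, SAFER_TOKEN_COMPARE_ONLY, cmp) != SAFER_OUTCOME_WOULD_BE_LESS_PRIVILEGED)
        fputs("note: compare-only reports the level would not lower privilege\n", stderr);

    BOOL ok = SaferComputeTokenFromLevel(level, NULL, &token, SAFER_TOKEN_NULL_IF_EQUAL, NULL);
    DWORD err = GetLastError();
    SaferCloseLevel(level);
    safer_outcome_t oc = safer_outcome(ok, token, SAFER_TOKEN_NULL_IF_EQUAL, 0);
    if (oc == SAFER_OUTCOME_CALL_FAILED) {
        fprintf(stderr, "SaferComputeTokenFromLevel: %lu\n", err);
        return -1;
    }
    if (oc == SAFER_OUTCOME_NOT_MORE_RESTRICTIVE)
        return 1;   /* NULL_IF_EQUAL: nothing to restrict, no token to release */

    wchar_t cmd[1024];   /* CreateProcessAsUserW may write to the command line */
    wcsncpy(cmd, cmdline, 1023);
    cmd[1023] = L'\0';
    STARTUPINFOW si = { sizeof(si) };
    PROCESS_INFORMATION pi = { 0 };
    int rc = 0;
    if (!CreateProcessAsUserW(token, NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
        fprintf(stderr, "CreateProcessAsUserW: %lu\n", GetLastError());
        rc = -1;
    } else {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
    CloseHandle(token);
    return rc;
}

int main(void)
{
    return run_constrained(L"notepad.exe") < 0 ? 1 : 0;   /* assumed child program */
}
#endif
```

Because the restricted token is derived from the caller's own token, CreateProcessAsUserW does not need SE_ASSIGNPRIMARYTOKEN_NAME here. Note the order around SaferCloseLevel: GetLastError is read before the level is closed so that the close cannot overwrite the error code from SaferComputeTokenFromLevel, and the level handle is released before any early return.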

Requirements

Requirement               Value
Minimum supported client  Windows XP [desktop apps only]
Minimum supported server  Windows Server 2003 [desktop apps only]
Target Platform           Windows
Header                    winsafer.h
Library                   Advapi32.lib
DLL                       Advapi32.dll
API set                   ext-ms-win-advapi32-safer-l1-1-0 (introduced in Windows 8)