The SYSTEM_AUDIT_CALLBACK_OBJECT_ACE structure defines an access control entry (ACE) for a system access control list (SACL). The ACE can audit access to an object or subobjects such as property sets or properties. The ACE contains a set of access rights, a GUID that identifies the type of object or subobject, and a security identifier (SID) that identifies the trustee for whom the system will audit access. The ACE also contains a GUID and a set of flags that control inheritance of the ACE by child objects.

When the AuthzAccessCheck function is called, each SYSTEM_AUDIT_CALLBACK_OBJECT_ACE structure in the SACL of the SECURITY_DESCRIPTOR structure passed to AuthzAccessCheck causes a call to the application-defined AuthzAccessCheckCallback function, which receives a pointer to that ACE in its pAce parameter. The callback examines the ACE, typically the application-defined data stored after the trustee's SID, and reports through its pbAceApplicable parameter whether the ACE applies to the access being checked; an ACE the callback rejects is skipped and generates no audit.


```c
typedef struct _SYSTEM_AUDIT_CALLBACK_OBJECT_ACE {
  ACE_HEADER  Header;
  ACCESS_MASK Mask;
  DWORD       Flags;
  GUID        ObjectType;
  GUID        InheritedObjectType;
  DWORD       SidStart;
} SYSTEM_AUDIT_CALLBACK_OBJECT_ACE, *PSYSTEM_AUDIT_CALLBACK_OBJECT_ACE;
```



Header

An ACE_HEADER structure that specifies the size and type of the ACE. It contains flags that control inheritance of the ACE by child objects. The structure also contains flags that indicate whether the ACE audits successful access attempts, failed access attempts, or both. The AceType member of the ACE_HEADER structure must be set to SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE, and the AceSize member must be set to the total number of bytes allocated for the SYSTEM_AUDIT_CALLBACK_OBJECT_ACE structure, including the SID and any application data that follows it.


Mask

An ACCESS_MASK that specifies the access rights the system will audit for access attempts by the trustee.


Flags

A set of bit flags that indicate whether the ObjectType and InheritedObjectType members contain GUIDs. This member can be a combination of the following values. Set all undefined bits to zero.

Value                                    Meaning
ACE_OBJECT_TYPE_PRESENT (0x1)            The ObjectType member contains a GUID.
ACE_INHERITED_OBJECT_TYPE_PRESENT (0x2)  The InheritedObjectType member contains a GUID.


ObjectType

A GUID structure that identifies a property set, property, extended right, or type of child object.

This member is valid only if the ACE_OBJECT_TYPE_PRESENT bit is set in the Flags member. Otherwise, ObjectType is ignored.

What the GUID identifies depends on the access rights specified in the Mask member, as follows.

Value                                              Meaning
ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_DS_WRITE_PROP  The ObjectType GUID identifies a property set or property of the object. The ACE controls auditing of the trustee's attempts to read or write the property or property set.
ADS_RIGHT_DS_CONTROL_ACCESS                        The ObjectType GUID identifies an extended access right.
ADS_RIGHT_DS_CREATE_CHILD                          The ObjectType GUID identifies a type of child object. The ACE controls auditing of the trustee's attempts to create this type of child object.
ADS_RIGHT_DS_SELF                                  The ObjectType GUID identifies a validated write.


InheritedObjectType

A GUID structure that identifies the type of child object that can inherit the ACE.

This member is valid only if the ACE_INHERITED_OBJECT_TYPE_PRESENT bit is set in the Flags member. If that bit is not set, InheritedObjectType is ignored and all types of child objects can inherit the ACE. In either case, inheritance is also controlled by the inheritance flags in the ACE_HEADER, as well as by any protection against inheritance placed on the child objects.


SidStart

The first DWORD of the trustee's SID. The remaining bytes of the SID are stored in contiguous memory after the SidStart member. Because this is a callback ACE, application-defined data can be stored after the SID, up to the end of the ACE as given by the AceSize member of Header.


Remarks

If neither the ObjectType nor the InheritedObjectType GUID is present, the SYSTEM_AUDIT_CALLBACK_OBJECT_ACE structure has the same semantics as the SYSTEM_AUDIT_CALLBACK_ACE structure. In that case, use the SYSTEM_AUDIT_CALLBACK_ACE structure because it is smaller and more efficient.

An ACL that contains a SYSTEM_AUDIT_CALLBACK_OBJECT_ACE structure must specify the ACL_REVISION_DS revision number in its ACL header (the AclRevision member of the ACL structure).

When a SYSTEM_AUDIT_CALLBACK_OBJECT_ACE structure is created, sufficient memory must be allocated to accommodate the GUID structures in the ObjectType and InheritedObjectType members, if one or both of them is present, as well as the complete SID of the trustee starting at SidStart and any application data that follows it. A GUID whose Flags bit is clear occupies no space in the ACE, so the offset of the SID depends on Flags; compute offsets from the header and the flags rather than from the fixed structure layout.
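As an added example, not code from winnt.h or from Microsoft's documentation, the following C program builds such an ACE in a byte buffer and parses it back, applying the sizing rule above and the SidStart layout: a GUID is emitted only when its Flags bit is set, so the SID begins at offset 28 with ObjectType alone, 44 with both GUIDs and 12 with neither, and application data occupies whatever Header.AceSize covers beyond the SID. The Windows types and constants are redeclared so the file compiles outside Windows; the SID S-1-5-21-1-2-3-500, the property GUID and the 4-byte application payload are constructed for the example, and ace_size, build_ace, parse_ace, make_nt_sid and demo_roundtrip are names chosen here.

```c
/* Added example, not code from winnt.h or Microsoft: build and parse a SYSTEM_AUDIT_CALLBACK_OBJECT_ACE
 * in its in-memory layout, where a GUID whose Flags bit is clear is omitted and the SID moves up.
 * Windows types and constants are redeclared here so the file compiles without windows.h. */
#include <stdint.h>
#include <string.h>

typedef uint8_t BYTE; typedef uint16_t WORD; typedef uint32_t DWORD; typedef DWORD ACCESS_MASK;
typedef struct { DWORD Data1; WORD Data2; WORD Data3; BYTE Data4[8]; } GUID;
typedef struct { BYTE AceType; BYTE AceFlags; WORD AceSize; } ACE_HEADER;

#define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE 0x0F  /* winnt.h */
#define FAILED_ACCESS_ACE_FLAG                0x80  /* winnt.h: audit failed access attempts */
#define ACE_OBJECT_TYPE_PRESENT               0x1   /* winnt.h */
#define ACE_INHERITED_OBJECT_TYPE_PRESENT     0x2   /* winnt.h */
#define ADS_RIGHT_DS_WRITE_PROP               0x20  /* iads.h */
enum { FIXED_PART = sizeof(ACE_HEADER) + sizeof(ACCESS_MASK) + sizeof(DWORD) }; /* Header, Mask, Flags: 12 bytes */

/* Bytes an ACE needs for these Flags, this SID length and this much trailing application data. */
static size_t ace_size(DWORD flags, size_t sid_len, size_t app_len)
{
    return FIXED_PART + sid_len + app_len + ((flags & ACE_OBJECT_TYPE_PRESENT) ? sizeof(GUID) : 0)
                                          + ((flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) ? sizeof(GUID) : 0);
}

/* Writes the ACE into buf; a NULL GUID pointer means "absent" and emits nothing. 0 on success, -1 if it does not fit. */
static int build_ace(BYTE *buf, size_t cap, ACCESS_MASK mask, BYTE audit_flags,
                     const GUID *object_type, const GUID *inherited_type,
                     const BYTE *sid, size_t sid_len, const BYTE *app, size_t app_len, WORD *out_size)
{
    DWORD flags = (object_type ? ACE_OBJECT_TYPE_PRESENT : 0) | (inherited_type ? ACE_INHERITED_OBJECT_TYPE_PRESENT : 0);
    size_t total = ace_size(flags, sid_len, app_len);
    if (total > cap || total > 0xFFFF) return -1;            /* AceSize is a WORD */
    ACE_HEADER hdr = { SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE, audit_flags, (WORD)total };
    BYTE *p = buf + sizeof hdr;
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(p, &mask, 4); memcpy(p + 4, &flags, 4); p += 8;
    if (object_type)    { memcpy(p, object_type, sizeof(GUID));    p += sizeof(GUID); }
    if (inherited_type) { memcpy(p, inherited_type, sizeof(GUID)); p += sizeof(GUID); }
    memcpy(p, sid, sid_len); p += sid_len; if (app_len) memcpy(p, app, app_len);
    *out_size = (WORD)total;
    return 0;
}

typedef struct {
    ACCESS_MASK mask; DWORD flags;
    GUID object_type, inherited_type;                                 /* each valid only when its Flags bit is set */
    const BYTE *sid; size_t sid_len; const BYTE *app; size_t app_len; /* SID at SidStart, then application data */
} parsed_ace;

/* Walks an ACE image of at most avail bytes, bounding AceSize before trusting it. 0 on success, -1 if truncated or malformed. */
static int parse_ace(const BYTE *buf, size_t avail, parsed_ace *out)
{
    ACE_HEADER hdr;
    if (avail < sizeof hdr) return -1;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.AceType != SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE || hdr.AceSize > avail || hdr.AceSize < FIXED_PART) return -1;
    const BYTE *p = buf + sizeof hdr, *end = buf + hdr.AceSize;
    memcpy(&out->mask, p, 4); memcpy(&out->flags, p + 4, 4); p += 8;
    if (out->flags & ACE_OBJECT_TYPE_PRESENT) {
        if ((size_t)(end - p) < sizeof(GUID)) return -1;
        memcpy(&out->object_type, p, sizeof(GUID)); p += sizeof(GUID);
    }
    if (out->flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) {
        if ((size_t)(end - p) < sizeof(GUID)) return -1;
        memcpy(&out->inherited_type, p, sizeof(GUID)); p += sizeof(GUID);
    }
    /* SID: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6) SubAuthority[count] (4 bytes each) */
    if ((size_t)(end - p) < 8 || p[0] != 1 || p[1] > 15) return -1;
    out->sid_len = 8 + 4 * (size_t)p[1];
    if ((size_t)(end - p) < out->sid_len) return -1;
    out->sid = p; p += out->sid_len; out->app = p; out->app_len = (size_t)(end - p);
    return 0;
}

/* Constructed NT-authority SID S-1-5-<subs...> for the demo; returns its length. */
static size_t make_nt_sid(BYTE *out, const DWORD *subs, BYTE count)
{
    out[0] = 1; out[1] = count; memset(out + 2, 0, 6); out[7] = 5;
    for (BYTE i = 0; i < count; i++) memcpy(out + 8 + 4 * i, &subs[i], 4);
    return 8 + 4 * (size_t)count;
}

/* Round trip: audit failed writes to one property by S-1-5-21-1-2-3-500 (ObjectType present, InheritedObjectType
 * absent) with 4 bytes of application data after the SID; re-parse, check every field, then confirm a truncated
 * copy is rejected. Returns the ACE size, 60, on success or a negative code naming the failed check. */
static int demo_roundtrip(void)
{
    BYTE buf[128], sid[64]; WORD size; parsed_ace pa;
    const DWORD subs[] = { 21, 1, 2, 3, 500 };
    size_t sid_len = make_nt_sid(sid, subs, 5);                                    /* 28 bytes */
    const GUID prop = { 0x11111111, 0x2222, 0x3333, { 4, 4, 4, 4, 5, 5, 5, 5 } };   /* made-up property GUID */
    const BYTE app[4] = { 't', 'a', 'g', 0 };
    if (build_ace(buf, sizeof buf, ADS_RIGHT_DS_WRITE_PROP, FAILED_ACCESS_ACE_FLAG,
                  &prop, NULL, sid, sid_len, app, sizeof app, &size) != 0) return -1;
    if (parse_ace(buf, size, &pa) != 0) return -2;
    if (pa.mask != ADS_RIGHT_DS_WRITE_PROP || pa.flags != ACE_OBJECT_TYPE_PRESENT) return -3;
    if (memcmp(&pa.object_type, &prop, sizeof prop) != 0) return -4;
    if (pa.sid_len != sid_len || memcmp(pa.sid, sid, sid_len) != 0) return -5;
    if (pa.app_len != sizeof app || memcmp(pa.app, app, sizeof app) != 0) return -6;
    if (pa.sid != buf + FIXED_PART + sizeof(GUID)) return -7;  /* SID at offset 28; 44 if both GUIDs were present */
    if (parse_ace(buf, size - 1, &pa) != -1) return -8;        /* AceSize (60) exceeds the 59 bytes offered */
    return (int)size;                                          /* 12 + 16 + 28 + 4 = 60 */
}
```

With neither GUID present the image is still 4 bytes longer than a SYSTEM_AUDIT_CALLBACK_ACE carrying the same SID, because the Flags DWORD remains; that is the reason for the remark above preferring the plain callback ACE in that case. The parser bounds AceSize against the bytes actually available before walking the ACE, which is the check an AuthzAccessCheckCallback should also make before reading application data past the SID.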


Requirements

Minimum supported client: Windows XP [desktop apps only]
Minimum supported server: Windows Server 2003 [desktop apps only]
Header: winnt.h (include Windows.h)
