Windows 10 implements mechanisms that help to prevent data loss for sensitive files. The endpoint data loss prevention (DLP) APIs allow applications to notify the OS before and after certain operations, such as opening or saving a file. These notifications serve as "hints" that allow the system to optimize data loss operations.
Location of the DLP dll
Since the endpoint DLP dll isn't bundled with the Windows SDK, applications will need to load the dll manually at runtime. The path to the dll location is stored in the registry. The following table lists the registry keys and values that store this information. These paths are defined as constants in the sample endpointdlp.h code listing provided below as a convenience for developers.
Constant
Value
Description
ENDPOINTDLP_DLL_NAME
"EndpointDlp.dll"
The name of the Endpoint DLP DLL that provides the API
ENDPOINTDLP_WINDOWS_DEFENDER_REGKEY
"SOFTWARE\Microsoft\Windows Defender"
Windows Defender registry key under HKLM where some Endpoint DLP settings are stored
ENDPOINTDLP_DLL_INSTALL_LOCATION_REGKEY
Value of ENDPOINTDLP_WINDOWS_DEFENDER_REGKEY
The registry path under HKLM key from which the EndpointDlp.dll install location can be obtained
ENDPOINTDLP_DLL_INSTALL_LOCATION_REGVALUE
"InstallLocation"
The registry value under ENDPOINTDLP_DLL_INSTALL_LOCATION_REGKEY in which the EndpointDlp.dll install location is stored
ENDPOINTDLP_DLL_WOW64_X86_INSTALL_LOCATION_SUFFIX
"x86"
On x64 platforms, concatenate this directory to obtain the x86 version of EndpointDlp.dll
Check if endpoint DLP is enabled
To determine if endpoint DLP is enabled on the system, check the following registry key value.
Constant
Value
Description
ENDPOINTDLP_ENABLED_FLAG_REGKEY
"\Features"
The path to the Endpoint DLP enabled flag key under (HKLM) ENDPOINTDLP_WINDOWS_DEFENDER_REGKEY
ENDPOINTDLP_ENABLED_FLAG_REGVALUE
"SenseDlpEnabled"
The registry value under ENDPOINTDLP_ENABLED_FLAG_REGKEY containing the DLP enabled flag registry key
Endpoint DLP APIs
The following tables list the APIs provided by the endpoint DLP dll.
Provides the system with information about a document after a print operation has completed.
Endpoint DLP example header
Because the endpoint DLP header is not included in the Windows SDK, you must create the header file yourself to get API signatures to use in your implementation. For your convenience we're providing example code that you can copy and paste into your application. In addition to function declarations, this code listing also defines useful constants such as versioning information and registry key paths.
//
// EndpointDlp DLL name containing the Endpoint DLP API
//
#define ENDPOINTDLP_DLL_NAME L"EndpointDlp.dll"
//
// Windows Defender registry key under HKLM where some Endpoint DLP settings are stored
//
#define ENDPOINTDLP_WINDOWS_DEFENDER_REGKEY L"SOFTWARE\\Microsoft\\Windows Defender"
//
// EndpointDlp.dll install location can be obtained from the registry under the following HKLM key
//
#define ENDPOINTDLP_DLL_INSTALL_LOCATION_REGKEY ENDPOINTDLP_WINDOWS_DEFENDER_REGKEY
//
// EndpointDlp.dll install location is stored under ENDPOINTDLP_DLL_INSTALL_LOCATION_REGKEY in the following registry value
//
#define ENDPOINTDLP_DLL_INSTALL_LOCATION_REGVALUE L"InstallLocation"
//
// On x64 platforms, concatanate the following directory to obtain the x86 version of EndpointDlp.dll
//
#define ENDPOINTDLP_DLL_WOW64_X86_INSTALL_LOCATION_SUFFIX L"x86"
//
// Endpoint DLP enabled flag can be found under the following HKLM key
//
#define ENDPOINTDLP_ENABLED_FLAG_REGKEY ENDPOINTDLP_WINDOWS_DEFENDER_REGKEY L"\\Features"
//
// Endpoint DLP enabled flag can be found under ENDPOINTDLP_ENABLED_REGKEY in the following registry value
//
#define ENDPOINTDLP_ENABLED_FLAG_REGVALUE L"SenseDlpEnabled"
#define DLP_DOCUMENT_INFO_V_1 0x1
#define DLP_DOCUMENT_INFO_V_LATEST DLP_DOCUMENT_INFO_V_1
//
// Enlightened app enforcement capablities.
//
typedef enum _DlpAppEnforceLevel {
DlpAppEnforceLevelNone = 0, // No enforcement, DLP enforces operation.
DlpAppEnforceLevelNotify, // App send notifications on operation, DLP enforces operation.
DlpAppEnforceLevelPrevent, // Currently not supported (App allows or blocks operation, DLP enforces warning, eventing and UI).
DlpAppEnforceLevelFull, // Currently not supported (App handles all enforcement (blocks operation, enforces warning, UI), DLP will only handle auditing.)
DlpAppEnforceLevelCount,
}DlpAppEnforceLevel;
typedef enum
{
DlpActionTypeCopyToRemovableMedia = 0,
DlpActionTypeCopyToNetworkShare = 1,
DlpActionTypeCopyToClipboard = 2,
DlpActionTypePrint = 3,
DlpActionTypeScreenClip = 4,
DlpActionTypeAccessByUnallowedApp = 5,
DlpActionTypeCloudAppEgress = 6,
DlpActionTypeAccessByBluetoothApp = 7,
DlpActionTypeAccessByRDPApp = 8,
DlpActionTypeCount = 9
} DlpActionType;
//
// The stucture describes the enforcement level for each operation.
//
typedef struct _DLP_APP_OP_ENLIGHTENED_LEVEL{
DlpActionType Operation;
DlpAppEnforceLevel AppEnforcementLevel;
}DLP_APP_OP_ENLIGHTENED_LEVEL, *PDLP_APP_OP_ENLIGHTENED_LEVEL;
/*
Function description:
The application calls this functio to declares the enforcement level for each operation.
Parameters:
_In_ DWORD Count - Number of operations.
_In_reads_opt_(Count) PDLP_APP_OP_ENLIGHTENED_LEVEL* OperationEnforcement - Array indicating operations
supported by the application and enforcement level:
DlpAppEnforceLevelNone - No enforcement, DLP enforces operation.
DlpAppEnforceLevelNotify - App send notifications on operation, DLP enforces operation.
Return:
S_OK - Function completed successfully.
E_INVALIDARG - Invalid parameters passed to function.
E_OUTOFMEMORY - Memory allocation failed.
E_XXX - Varius error codes.
*/
HRESULT WINAPI DlpInitializeEnforcementMode(_In_ DWORD Count, _In_reads_(Count) PDLP_APP_OP_ENLIGHTENED_LEVEL OperationEnforcement);
/*
Function description:
Returns the version of the enforcement API.
MajorVersion indicates a new interfaces/API.
MinorVersion indicates changes to existing interfaces/API-s.
Parameters:
None.
Return:
S_OK - Function completed successfully
E_XXX - Varius error codes.
*/
HRESULT WINAPI DlpGetEnforcementApiVersion(_Out_ DWORD* MajorVersion, _Out_ DWORD* MinorVersion);
typedef struct _DLP_DOCUMENT_INFO {
//
// Information version. Always set it to DLP_DOCUMENT_INFO_V_LATEST
//
DWORD Version;
//
// Original path of the document.
//
LPCWSTR PersistentFileName;
//
// Path to the real backing file.
//
LPCWSTR LocalFileName;
}DLP_DOCUMENT_INFO, *PDLP_DOCUMENT_INFO;
//
// Post operation status information.
//
#define DLP_POSTOP_STATUS_V_1 0x1
#define DLP_POSTOP_STATUS_V_LATEST DLP_POSTOP_STATUS_V_1;
typedef struct _DLP_POSTOP_STATUS {
//
// Information version. Always set it to DLP_POSTOP_STATUS_V_LATEST
//
DWORD Version;
//
// Set to TRUE if app's operation succeeded, FALSE otherwise.
//
BOOL OperationSuccess;
} DLP_POSTOP_STATUS, *PDLP_POSTOP_STATUS;
#define DLP_PRINT_INFO_V_1 0x1
#define DLP_PRINT_INFO_V_LATEST DLP_PRINT_INFO_V_1;
typedef struct _DLP_PRINT_INFO {
//
// Information version. Always set it to DLP_PRINT_INFO_V_LATEST
//
DWORD Version;
//
// Destination printer.
//
LPCWSTR PrinterName;
//
// Print job name.
//
LPCWSTR JobName;
//
// Output file, if printing to file.
//
LPCWSTR OutputFileName;
}DLP_PRINT_INFO, *PDLP_PRINT_INFO;
void WINAPI DlpNotifyPreOpenDocument(_In_ const PDLP_DOCUMENT_INFO DocumentInfo);
void WINAPI DlpNotifyPostOpenDocument(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ const PDLP_POSTOP_STATUS OpStatus);
void WINAPI DlpNotifyCloseDocument(_In_ const PDLP_DOCUMENT_INFO DocumentInfo);
void WINAPI DlpNotifyPreOpenDocumentFile(_In_ const PDLP_DOCUMENT_INFO DocumentInfo);
void WINAPI DlpNotifyPostOpenDocumentFile(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ const PDLP_POSTOP_STATUS OpStatus);
void WINAPI DlpNotifyCloseDocumentFile(_In_ const PDLP_DOCUMENT_INFO DocumentInfo);
void WINAPI DlpNotifyPreSaveAsDocument(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ LPCWSTR Destination);
void WINAPI DlpNotifyPostSaveAsDocument(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ LPCWSTR Destination, _In_ const PDLP_POSTOP_STATUS OpStatus);
void WINAPI DlpNotifyPrePrint(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ const PDLP_PRINT_INFO PrintInfo);
void WINAPI DlpNotifyPostStartPrint(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ const PDLP_PRINT_INFO PrintInfo);
void WINAPI DlpNotifyPostPrint(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ const PDLP_PRINT_INFO PrintInfo, _In_ const PDLP_POSTOP_STATUS OpStatus);
void WINAPI DlpNotifyPreCopyToClipboard(_In_ const PDLP_DOCUMENT_INFO DocumentInfo);
void WINAPI DlpNotifyPostCopyToClipboard(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ const PDLP_POSTOP_STATUS OpStatus);
void WINAPI DlpNotifyPrePasteFromClipboard(_In_ const PDLP_DOCUMENT_INFO DocumentInfo);
void WINAPI DlpNotifyPostPasteFromClipboard(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ const PDLP_POSTOP_STATUS OpStatus);
void WINAPI DlpNotifyPreStashClipboard();
void WINAPI DlpNotifyPostStashClipboard(_In_ const PDLP_POSTOP_STATUS OpStatus);
void WINAPI DlpNotifyPreDragDrop(_In_ const PDLP_DOCUMENT_INFO DocumentInfo);
void WINAPI DlpNotifyPostDragDrop(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ const PDLP_POSTOP_STATUS OpStatus);
void WINAPI DlpNotifyEnterDropTarget(_In_ const PDLP_DOCUMENT_INFO DocumentInfo);
void WINAPI DlpNotifyLeaveDropTarget(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ const PDLP_POSTOP_STATUS OpStatus);
/*
Function description:
Determines whether the app must pull the data from the system clipboard rather than taking it from its internal cache.
Parameters:
None
Return:
TRUE if calling into the OS clipboard is mandatory, FALSE otherwise
*/
BOOL WINAPI DlpMustPasteFromSystemClipboard();
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.