SeAccessCheckFromStateEx function (ntifs.h)
SeAccessCheckFromStateEx checks whether the requested access rights can be granted to an object that is protected by a security descriptor and an optional object owner.
Syntax
BOOLEAN SeAccessCheckFromStateEx(
PSECURITY_DESCRIPTOR SecurityDescriptor,
PACCESS_TOKEN PrimaryToken,
PACCESS_TOKEN ClientToken,
ACCESS_MASK DesiredAccess,
ACCESS_MASK PreviouslyGrantedAccess,
PPRIVILEGE_SET *Privileges,
PGENERIC_MAPPING GenericMapping,
KPROCESSOR_MODE AccessMode,
PACCESS_MASK GrantedAccess,
PNTSTATUS AccessStatus
);
Parameters
SecurityDescriptor
[in] Pointer to a SECURITY_DESCRIPTOR structure containing the security information protecting the object being accessed.
PrimaryToken
[in] Pointer to an opaque ACCESS_TOKEN structure for the primary token. This structure provides the token's information needed to perform an access check.
ClientToken
[in_opt] Optional pointer to an opaque ACCESS_TOKEN structure for the client token.
DesiredAccess
[in] An ACCESS_MASK value that specifies the desired access rights to check.
PreviouslyGrantedAccess
[in] An ACCESS_MASK value that specifies any accesses that the user has already been granted; for example, as a result of holding a privilege.
Privileges
[out] Pointer to a PRIVILEGE_SET structure in which a privilege set is returned to indicate any privileges that were used as part of the access validation.
GenericMapping
[in] Pointer to the GENERIC_MAPPING structure associated with this object type.
AccessMode
[in] A KPROCESSOR_MODE value that specifies the processor mode to be used in the check. AccessMode can be either KernelMode or UserMode. Lower-level drivers should specify KernelMode.
GrantedAccess
[out] Pointer to a returned ACCESS_MASK value that indicates the granted access.
AccessStatus
[out] Pointer to an NT status value that can be returned to indicate why access was denied. See Remarks.
Return value
SeAccessCheckFromStateEx returns TRUE if access is allowed; it returns FALSE if access is not allowed.
Remarks
SeAccessCheckFromStateEx might perform tests for the following privileges, depending on the accesses being requested:
- SeTakeOwnershipPrivilege
- SeSecurityPrivilege
This routine also might check whether the caller is the owner of the object in order to grant WRITE_DAC or READ_CONTROL access.
If this routine returns FALSE, the caller should use the returned AccessStatus as its return value. That is, the caller should avoid hardcoding a return value of STATUS_ACCESS_DENIED or any other specific STATUS_XXX value.
This routine might be called from DPC level so must not be pageable.
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows 2000 |
| Header | ntifs.h |
| Library | NtosKrnl.lib |
| DLL | NtosKrnl.exe |
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for