SeAccessCheck function (wdm.h)
SeAccessCheck determines whether the requested access rights can be granted to an object protected by a security descriptor and an object owner.
Syntax
BOOLEAN SeAccessCheck(
[in] PSECURITY_DESCRIPTOR SecurityDescriptor,
[in] PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
[in] BOOLEAN SubjectContextLocked,
[in] ACCESS_MASK DesiredAccess,
[in] ACCESS_MASK PreviouslyGrantedAccess,
[out] PPRIVILEGE_SET *Privileges,
[in] PGENERIC_MAPPING GenericMapping,
[in] KPROCESSOR_MODE AccessMode,
[out] PACCESS_MASK GrantedAccess,
[out] PNTSTATUS AccessStatus
);
Parameters
[in] SecurityDescriptor
Pointer to the SECURITY_DESCRIPTOR structure that describes the security descriptor protecting the object being accessed.
[in] SubjectSecurityContext
Pointer to the opaque SECURITY_SUBJECT_CONTEXT structure that specifies the subject's captured security context.
[in] SubjectContextLocked
Boolean value that indicates whether the user's subject context is locked, so that it does not have to be locked again.
[in] DesiredAccess
Specifies the ACCESS_MASK bitmask for the access rights that the caller is attempting to acquire. If the caller sets the MAXIMUM_ALLOWED bit, the routine performs all DACL checks. However, SeAccessCheck does not do any privilege checks unless the caller specifically requests them by setting the ACCESS_SYSTEM_SECURITY or WRITE_OWNER bits.
[in] PreviouslyGrantedAccess
Specifies the ACCESS_MASK bitmask of access rights already granted, such as access rights granted as a result of holding a privilege.
[out] Privileges
Pointer to a caller-supplied variable to be set to the address of the PRIVILEGE_SET structure that will be used as part of the access validation, or this parameter can be NULL. The returned buffer, if any, must be released by the caller with SeFreePrivileges.
[in] GenericMapping
Pointer to the GENERIC_MAPPING structure associated with this object type. This value specifies the specific access rights implied by each GENERIC_XXX access right.
[in] AccessMode
Specifies the access mode to be used in the check, either UserMode or KernelMode.
[out] GrantedAccess
Pointer to a returned access mask indicating the granted access. If the caller specifies MAXIMUM_ALLOWED, and the DACL in SecurityDescriptor is NULL, then the routine returns GENERIC_ALL plus any additional access the caller explicitly requests.
[out] AccessStatus
Pointer to the status value indicating why access was denied.
Return value
If access is allowed, SeAccessCheck returns TRUE.
Remarks
SeAccessCheck might perform privilege tests for SeTakeOwnershipPrivilege and SeSecurityPrivilege, depending on the accesses being requested. It might perform additional privilege testing in future releases of the operating system.
This routine also might check whether the caller is the owner of the object in order to grant WRITE_DAC or READ_CONTROL access.
If this routine returns FALSE, the caller should use the returned AccessStatus as its return value. That is, the caller should avoid hardcoding a return value of STATUS_ACCESS_DENIED or any other specific STATUS_XXX value.
For more information about security and access control, see Windows security model for driver developers and the documentation on these topics in the Microsoft Windows SDK.
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows 2000 |
| Target Platform | Universal |
| Header | wdm.h (include Wdm.h, Ntddk.h, Ntifs.h) |
| Library | NtosKrnl.lib |
| DLL | NtosKrnl.exe |
| IRQL | PASSIVE_LEVEL |
| DDI compliance rules | HwStorPortProhibitedDDIs(storport), PowerIrpDDis(wdm) |
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for