Specifying Access Rights

The ACCESS_MASK type is a bitmask that specifies a set of access rights in the access mask of an access control entry.

typedef ULONG ACCESS_MASK;

The following standard specific access rights apply to all types of executive objects.

Flag Description

DELETE

The caller can delete the object.

READ_CONTROL

The caller can read the access control list (ACL) and ownership information for the file.

SYNCHRONIZE

The caller can perform a wait operation on the object. (For example, the object can be passed to KeWaitForMultipleObjects.)

WRITE_DAC

The caller can change the discretionary access control list (DACL) information for the object.

WRITE_OWNER

The caller can change the ownership information for the file.

Note that normally only DELETE and SYNCHRONIZE are of interest to driver writers.

You can also specify the following generic access rights. These also apply to all types of executive objects. The meaning of each generic access right is specific to that type of object.

Flag Description

GENERIC_READ

The caller can perform normal read operations on the object.

GENERIC_WRITE

The caller can perform normal write operations on the object.

GENERIC_EXECUTE

The caller can execute the object. (Note this generally only makes sense for certain kinds of objects, such as file objects and section objects.)

GENERIC_ALL

The caller can perform all normal operations on the object.

The following combinations of standard specific access rights are also defined. These are not normally used directly, but are used as templates to define other bitmasks. (For example, when you specify GENERIC_READ for a file object, the system maps this to the FILE_GENERIC_READ bitmask of specific access rights. FILE_GENERIC_READ is defined in terms of STANDARD_RIGHTS_READ.)

Bitmask Description

STANDARD_RIGHTS_READ

Standard specific rights that correspond to GENERIC_READ

STANDARD_RIGHTS_WRITE

Standard specific rights that correspond to GENERIC_WRITE

STANDARD_RIGHTS_EXECUTE

Standard specific rights that correspond to GENERIC_EXECUTE

STANDARD_RIGHTS_REQUIRED

Standard specific rights that correspond to GENERIC_ALL. This includes DELETE, but not SYNCHRONIZE.

STANDARD_RIGHTS_ALL

All standard access rights.
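The generic-to-specific mapping described above, as an added example that is not part of the original documentation. It expands the generic bits of a mask using the file-object template and reports which of DELETE, WRITE_DAC and WRITE_OWNER the mask ends up granting. The constant values are those from the Windows headers; uint32_t stands in for ULONG so the code builds anywhere, and generic_map, FILE_MAP, map_generic and control_rights are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;   /* stands in for ULONG so this builds off Windows */

/* Values as defined in the Windows headers. */
#define DELETE                   0x00010000u
#define READ_CONTROL             0x00020000u
#define WRITE_DAC                0x00040000u
#define WRITE_OWNER              0x00080000u
#define SYNCHRONIZE              0x00100000u
#define STANDARD_RIGHTS_REQUIRED 0x000F0000u
#define GENERIC_READ             0x80000000u
#define GENERIC_WRITE            0x40000000u
#define GENERIC_EXECUTE          0x20000000u
#define GENERIC_ALL              0x10000000u

/* Per-object-type template (hypothetical name), one mask per generic right. */
typedef struct { ACCESS_MASK read, write, execute, all; } generic_map;

/* File-object mapping: FILE_GENERIC_READ/WRITE/EXECUTE and FILE_ALL_ACCESS. */
static const generic_map FILE_MAP = { 0x00120089u, 0x00120116u, 0x001200A0u, 0x001F01FFu };

/* Replace each generic bit with the specific rights it stands for. */
ACCESS_MASK map_generic(ACCESS_MASK m, const generic_map *g) {
    if (m & GENERIC_READ)    m |= g->read;
    if (m & GENERIC_WRITE)   m |= g->write;
    if (m & GENERIC_EXECUTE) m |= g->execute;
    if (m & GENERIC_ALL)     m |= g->all;
    return m & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
}

/* Standard rights that let the holder delete the object or rewrite its security. */
ACCESS_MASK control_rights(ACCESS_MASK m, const generic_map *g) {
    return map_generic(m, g) & (DELETE | WRITE_DAC | WRITE_OWNER);
}

int main(void) {
    /* Constructed sample masks, as they might appear in ACEs under review. */
    ACCESS_MASK samples[] = { GENERIC_READ, GENERIC_WRITE | DELETE, GENERIC_ALL };
    for (size_t i = 0; i < 3; i++)
        printf("0x%08X -> 0x%08X (control 0x%08X)\n", (unsigned)samples[i],
               (unsigned)map_generic(samples[i], &FILE_MAP),
               (unsigned)control_rights(samples[i], &FILE_MAP));
    return 0;
}
```

A mask that looks harmless as a single generic bit can carry WRITE_DAC and WRITE_OWNER once mapped, which is why a review should compare the mapped value rather than the generic one.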

Each type of object can have its own additional access rights. For a description of the access rights that are applicable to a file, directory, or device, see ZwCreateFile. For a description of the access rights that are applicable to an object manager directory, see ZwCreateDirectoryObject. For a description of the access rights that are applicable to a registry key, see ZwCreateKey. For a description of the access rights that are applicable to a section object, see ZwOpenSection. For a description of the access rights that are applicable to a WMI data block, see IoWMIOpenBlock.

For more information about access rights, see the following topics in the Microsoft Windows SDK documentation:

Header: Wdm.h (include Wdm.h, Ntddk.h, or Ntifs.h)

See also:

IoWMIOpenBlock
ZwCreateDirectoryObject
ZwCreateFile
ZwCreateKey
ZwOpenSection