SeAccessCheckFromStateEx function (ntifs.h)

SeAccessCheckFromStateEx checks whether the requested access rights can be granted to an object that is protected by a security descriptor and an optional object owner.

Syntax

BOOLEAN SeAccessCheckFromStateEx(
  PSECURITY_DESCRIPTOR SecurityDescriptor,
  PACCESS_TOKEN        PrimaryToken,
  PACCESS_TOKEN        ClientToken,
  ACCESS_MASK          DesiredAccess,
  ACCESS_MASK          PreviouslyGrantedAccess,
  PPRIVILEGE_SET       *Privileges,
  PGENERIC_MAPPING     GenericMapping,
  KPROCESSOR_MODE      AccessMode,
  PACCESS_MASK         GrantedAccess,
  PNTSTATUS            AccessStatus
);

Parameters

SecurityDescriptor

[in] Pointer to a SECURITY_DESCRIPTOR structure containing the security information protecting the object being accessed.

PrimaryToken

[in] Pointer to an opaque ACCESS_TOKEN structure for the primary token. This structure provides the token's information needed to perform an access check.

ClientToken

[in_opt] Optional pointer to an opaque ACCESS_TOKEN structure for the client token.

DesiredAccess

[in] An ACCESS_MASK value that specifies the desired access rights to check.

PreviouslyGrantedAccess

[in] An ACCESS_MASK value that specifies any accesses that the user has already been granted; for example, as a result of holding a privilege.

Privileges

[out] Pointer to a PRIVILEGE_SET structure in which a privilege set is returned to indicate any privileges that were used as part of the access validation.

GenericMapping

[in] Pointer to the GENERIC_MAPPING structure associated with this object type.

AccessMode

[in] A KPROCESSOR_MODE value that specifies the processor mode to be used in the check. AccessMode can be either KernelMode or UserMode. Lower-level drivers should specify KernelMode.

GrantedAccess

[out] Pointer to a returned ACCESS_MASK value that indicates the granted access.

AccessStatus

[out] Pointer to an NT status value that can be returned to indicate why access was denied. See Remarks.

Return value

SeAccessCheckFromStateEx returns TRUE if access is allowed; it returns FALSE if access is not allowed.

Remarks

SeAccessCheckFromStateEx might perform tests for the following privileges, depending on the accesses being requested:

  • SeTakeOwnershipPrivilege
  • SeSecurityPrivilege

This routine also might check whether the caller is the owner of the object in order to grant WRITE_DAC or READ_CONTROL access.

If this routine returns FALSE, the caller should use the returned AccessStatus as its return value. That is, the caller should avoid hardcoding a return value of STATUS_ACCESS_DENIED or any other specific STATUS_XXX value.

This routine might be called from DPC level so must not be pageable.

Requirements

Requirement Value
Minimum supported client Windows 2000
Header ntifs.h
Library NtosKrnl.lib
DLL NtosKrnl.exe

See also

SeAccessCheck

SeAccessCheckFromState