GetFileSecurityW function (securitybaseapi.h)

The GetFileSecurity function obtains specified information about the security of a file or directory. The information obtained is constrained by the caller's access rights and privileges.

The GetNamedSecurityInfo function provides functionality similar to GetFileSecurity for files as well as other types of objects.

Syntax

BOOL GetFileSecurityW(
  [in]            LPCWSTR              lpFileName,
  [in]            SECURITY_INFORMATION RequestedInformation,
  [out, optional] PSECURITY_DESCRIPTOR pSecurityDescriptor,
  [in]            DWORD                nLength,
  [out]           LPDWORD              lpnLengthNeeded
);

Parameters

[in] lpFileName

A pointer to a null-terminated string that specifies the file or directory for which security information is retrieved.

[in] RequestedInformation

A SECURITY_INFORMATION value that identifies the security information being requested.

[out, optional] pSecurityDescriptor

A pointer to a buffer that receives a copy of the security descriptor of the object specified by the lpFileName parameter. The calling process must have permission to view the specified aspects of the object's security status. The SECURITY_DESCRIPTOR structure is returned in self-relative security descriptor format.

[in] nLength

Specifies the size, in bytes, of the buffer pointed to by the pSecurityDescriptor parameter.

[out] lpnLengthNeeded

A pointer to the variable that receives the number of bytes necessary to store the complete security descriptor. If the returned number of bytes is less than or equal to nLength, the entire security descriptor is returned in the output buffer; otherwise, none of the descriptor is returned.

Return value

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.

Remarks

To read the owner, group, or DACL from the security descriptor for the specified file or directory, the DACL for the file or directory must grant READ_CONTROL access to the caller, or the caller must be the owner of the file or directory.

To read the SACL of a file or directory, the SE_SECURITY_NAME privilege must be enabled for the calling process.

Requirements

Requirement Value
Minimum supported client Windows XP [desktop apps only]
Minimum supported server Windows Server 2003 [desktop apps only]
Target Platform Windows
Header securitybaseapi.h (include Windows.h)
Library Advapi32.lib
DLL Advapi32.dll

See also

GetKernelObjectSecurity
GetNamedSecurityInfo
GetPrivateObjectSecurity
GetUserObjectSecurity
Low-level Access Control
Low-level Access Control Functions
SECURITY_DESCRIPTOR
SECURITY_INFORMATION
SetFileSecurity