Home Library Learn Downloads Support Community
Sign in | United States - English | |
0 out of 1 rated this helpful - Rate this topic

GetKernelObjectSecurity function

Applies to: desktop apps only

The GetKernelObjectSecurity function retrieves a copy of the security descriptor that protects a kernel object.

Syntax

Copy 
BOOL WINAPI GetKernelObjectSecurity(
  __in       HANDLE Handle,
  __in       SECURITY_INFORMATION RequestedInformation,
  __out_opt  PSECURITY_DESCRIPTOR pSecurityDescriptor,
  __in       DWORD nLength,
  __out      LPDWORD lpnLengthNeeded
);

Parameters

Handle [in]

A handle to a kernel object.

RequestedInformation [in]

Specifies a SECURITY_INFORMATION value that identifies the security information being requested.

pSecurityDescriptor [out, optional]

A pointer to a buffer the function fills with a copy of the security descriptor of the specified object. The calling process must have the right to view the specified aspects of the object's security status. The SECURITY_DESCRIPTOR structure is returned in self-relative format.

nLength [in]

Specifies the size, in bytes, of the buffer pointed to by the pSecurityDescriptor parameter.

lpnLengthNeeded [out]

A pointer to a variable that receives the number of bytes required for the buffer pointed to by the pSecurityDescriptor parameter. If this variable's value is greater than the value of the nLength parameter when the function returns, none of the security descriptor is copied to the buffer.

Return value

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.

Remarks

To read the owner, group, or DACL from the kernel object's security descriptor, the calling process must have been granted READ_CONTROL access when the handle was opened. To get READ_CONTROL access, the caller must be the owner of the object or the object's DACL must grant the access.

To read the SACL from the security descriptor, the calling process must have been granted ACCESS_SYSTEM_SECURITY access when the handle was opened. The proper way to get this access is to enable the SE_SECURITY_NAME privilege in the caller's current token, open the handle for ACCESS_SYSTEM_SECURITY access, and then disable the privilege.

Requirements

Minimum supported client

Windows XP

Minimum supported server

Windows Server 2003

Header
Winbase.h (include Windows.h)

Library
Advapi32.lib

DLL
Advapi32.dll

See also

Low-level Access Control
Low-level Access Control Functions
GetFileSecurity
GetPrivateObjectSecurity
GetUserObjectSecurity
SECURITY_DESCRIPTOR
SECURITY_INFORMATION
SetKernelObjectSecurity

 

 

Send comments about this topic to Microsoft

Build date: 3/7/2012

Did you find this helpful?
(1500 characters remaining)
Community Content Add
Annotations FAQ