GetKernelObjectSecurity Function (Windows)

MSDN Home

MSDN
MSDN Library
Win32 and COM Development
Security
Authorization
Authorization Reference
Authorization Functions

Authorization Functions

AccessCheck
AccessCheckAndAuditAlarm
AccessCheckByType
AccessCheckByTypeAndAuditAlarm
AccessCheckByTypeResultList
AccessCheckByTypeResultListAnd ...
AccessCheckByTypeResultListAnd ...
AddAccessAllowedAce
AddAccessAllowedAceEx
AddAccessAllowedObjectAce
AddAccessDeniedAce
AddAccessDeniedAceEx
AddAccessDeniedObjectAce
AddAce
AddAuditAccessAce
AddAuditAccessAceEx
AddAuditAccessObjectAce
AddConditionalAce
AddMandatoryAce
AdjustTokenGroups
AdjustTokenPrivileges
AllocateAndInitializeSid
AllocateLocallyUniqueId
AreAllAccessesGranted
AreAnyAccessesGranted
AuditComputeEffectivePolicyByS ...
AuditComputeEffectivePolicyByT ...
AuditEnumerateCategories
AuditEnumeratePerUserPolicy
AuditEnumerateSubCategories
AuditFree
AuditLookupCategoryGuidFromCat ...
AuditLookupCategoryIdFromCateg ...
AuditLookupCategoryName
AuditLookupSubCategoryName
AuditQueryPerUserPolicy
AuditQuerySecurity
AuditQuerySystemPolicy
AuditSetPerUserPolicy
AuditSetSecurity
AuditSetSystemPolicy
AuthzAccessCheck
AuthzAccessCheckCallback
AuthzAddSidsToContext
AuthzCachedAccessCheck
AuthzComputeGroupsCallback
AuthzEnumerateSecurityEventSou ...
AuthzFreeAuditEvent
AuthzFreeContext
AuthzFreeGroupsCallback
AuthzFreeHandle
AuthzFreeResourceManager
AuthzGetInformationFromContext
AuthzInitializeContextFromAuth ...
AuthzInitializeContextFromSid
AuthzInitializeContextFromToke ...
AuthzInitializeObjectAccessAud ...
AuthzInitializeObjectAccessAud ...
AuthzInitializeResourceManager
AuthzInstallSecurityEventSourc ...
AuthzModifySecurityAttributes
AuthzOpenObjectAudit
AuthzRegisterSecurityEventSour ...
AuthzReportSecurityEvent
AuthzReportSecurityEventFromPa ...
AuthzUninstallSecurityEventSou ...
AuthzUnregisterSecurityEventSo ...
BuildExplicitAccessWithName
BuildImpersonateExplicitAccess ...
BuildImpersonateTrustee
BuildSecurityDescriptor
BuildTrusteeWithName
BuildTrusteeWithObjectsAndName
BuildTrusteeWithObjectsAndSid
BuildTrusteeWithSid
CheckTokenMembership
ConvertSecurityDescriptorToStr ...
ConvertSidToStringSid
ConvertStringSecurityDescripto ...
ConvertStringSidToSid
ConvertToAutoInheritPrivateObj ...
CopySid
CreatePrivateObjectSecurity
CreatePrivateObjectSecurityEx
CreatePrivateObjectSecurityWit ...
CreateRestrictedToken
CreateSecurityPage
CreateWellKnownSid
DeleteAce
DestroyPrivateObjectSecurity
DSCreateSecurityPage
DSCreateISecurityInfoObject
DSCreateISecurityInfoObjectEx
DSEditSecurity
DuplicateToken
DuplicateTokenEx
EditSecurity
EqualDomainSid
EqualPrefixSid
EqualSid
FindFirstFreeAce
FreeInheritedFromArray
FreeSid
GetAce
GetAclInformation
GetAuditedPermissionsFromAcl
GetEffectiveRightsFromAcl
GetExplicitEntriesFromAcl
GetFileSecurity
GetInheritanceSource
GetKernelObjectSecurity
GetLengthSid
GetMultipleTrustee
GetMultipleTrusteeOperation
GetNamedSecurityInfo
GetPrivateObjectSecurity
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorLength
GetSecurityDescriptorOwner
GetSecurityDescriptorRMControl
GetSecurityDescriptorSacl
GetSecurityInfo
GetSidIdentifierAuthority
GetSidLengthRequired
GetSidSubAuthority
GetSidSubAuthorityCount
GetTokenInformation
GetTrusteeForm
GetTrusteeName
GetTrusteeType
GetUserObjectSecurity
GetWindowsAccountDomainSid
ImpersonateAnonymousToken
ImpersonateLoggedOnUser
ImpersonateNamedPipeClient
ImpersonateSelf
InitializeAcl
InitializeSecurityDescriptor
InitializeSid
IsTokenRestricted
IsValidAcl
IsValidSecurityDescriptor
IsValidSid
IsWellKnownSid
LookupAccountName
LookupAccountSid
LookupPrivilegeDisplayName
LookupPrivilegeName
LookupPrivilegeValue
LookupSecurityDescriptorParts
MakeAbsoluteSD
MakeSelfRelativeSD
MapGenericMask
NtCompareTokens
ObjectCloseAuditAlarm
ObjectDeleteAuditAlarm
ObjectOpenAuditAlarm
ObjectPrivilegeAuditAlarm
OpenProcessToken
OpenThreadToken
PrivilegeCheck
PrivilegedServiceAuditAlarm
QuerySecurityAccessMask
QueryServiceObjectSecurity
RegGetKeySecurity
RegSetKeySecurity
RevertToSelf
RtlConvertSidToUnicodeString
RtlSetSaclSecurityDescriptor
SetAclInformation
SetEntriesInAcl
SetFileSecurity
SetKernelObjectSecurity
SetNamedSecurityInfo
SetPrivateObjectSecurity
SetPrivateObjectSecurityEx
SetSecurityAccessMask
SetSecurityDescriptorControl
SetSecurityDescriptorDacl
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
SetSecurityDescriptorRMControl
SetSecurityDescriptorSacl
SetSecurityInfo
SetServiceObjectSecurity
SetThreadToken
SetTokenInformation
SetUserObjectSecurity
TreeResetNamedSecurityInfo
TreeSetNamedSecurityInfo

Switch View :

Lightweight Beta

GetKernelObjectSecurity Function

The GetKernelObjectSecurity function retrieves a copy of the security descriptor that protects a kernel object.

Syntax

C++

BOOL WINAPI GetKernelObjectSecurity(
  __in       HANDLE Handle,
  __in       SECURITY_INFORMATION RequestedInformation,
  __out_opt  PSECURITY_DESCRIPTOR pSecurityDescriptor,
  __in       DWORD nLength,
  __out      LPDWORD lpnLengthNeeded
);

Parameters

Handle [in]: A handle to a kernel object.
RequestedInformation [in]: Specifies a SECURITY_INFORMATION value that identifies the security information being requested.
pSecurityDescriptor [out, optional]: A pointer to a buffer the function fills with a copy of the security descriptor of the specified object. The calling process must have the right to view the specified aspects of the object's security status. The SECURITY_DESCRIPTOR structure is returned in self-relative format.
nLength [in]: Specifies the size, in bytes, of the buffer pointed to by the pSecurityDescriptor parameter.
lpnLengthNeeded [out]: A pointer to a variable that receives the number of bytes required for the buffer pointed to by the pSecurityDescriptor parameter. If this variable's value is greater than the value of the nLength parameter when the function returns, none of the security descriptor is copied to the buffer.

Return Value

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.

Remarks

To read the owner, group, or DACL from the kernel object's security descriptor, the calling process must have been granted READ_CONTROL access when the handle was opened. To get READ_CONTROL access, the caller must be the owner of the object or the object's DACL must grant the access.

To read the SACL from the security descriptor, the calling process must have been granted ACCESS_SYSTEM_SECURITY access when the handle was opened. The proper way to get this access is to enable the SE_SECURITY_NAME privilege in the caller's current token, open the handle for ACCESS_SYSTEM_SECURITY access, and then disable the privilege.

Requirements

Minimum supported client	Windows 2000 Professional
Minimum supported server	Windows 2000 Server
Header	Winbase.h (include Windows.h)
Library	Advapi32.lib
DLL	Advapi32.dll

See Also

Low-level Access Control
Low-level Access Control Functions
GetFileSecurity
GetPrivateObjectSecurity
GetUserObjectSecurity
SECURITY_DESCRIPTOR
SECURITY_INFORMATION
SetKernelObjectSecurity

Send comments about this topic to Microsoft

Build date: 9/11/2009

Tags :