Authorization Functions


GetNamedSecurityInfo Function

The GetNamedSecurityInfo function retrieves a copy of the security descriptor for an object specified by name.

Syntax

C++ 
DWORD WINAPI GetNamedSecurityInfo(
  __in       LPTSTR pObjectName,
  __in       SE_OBJECT_TYPE ObjectType,
  __in       SECURITY_INFORMATION SecurityInfo,
  __out_opt  PSID *ppsidOwner,
  __out_opt  PSID *ppsidGroup,
  __out_opt  PACL *ppDacl,
  __out_opt  PACL *ppSacl,
  __out_opt  PSECURITY_DESCRIPTOR *ppSecurityDescriptor
);

Parameters

pObjectName [in]

A pointer to a null-terminated string that specifies the name of the object from which to retrieve security information. For descriptions of the string formats for the different object types, see SE_OBJECT_TYPE.

ObjectType [in]

Specifies a value from the SE_OBJECT_TYPE enumeration that indicates the type of object named by the pObjectName parameter.

SecurityInfo [in]

A set of bit flags that indicate the type of security information to retrieve. This parameter can be a combination of the SECURITY_INFORMATION bit flags.

ppsidOwner [out, optional]

A pointer to a variable that receives a pointer to the owner SID in the security descriptor returned in ppSecurityDescriptor. The returned pointer is valid only if you set the OWNER_SECURITY_INFORMATION flag. This parameter can be NULL if you do not need the owner SID.

ppsidGroup [out, optional]

A pointer to a variable that receives a pointer to the primary group SID in the returned security descriptor. The returned pointer is valid only if you set the GROUP_SECURITY_INFORMATION flag. This parameter can be NULL if you do not need the group SID.

ppDacl [out, optional]

A pointer to a variable that receives a pointer to the DACL in the returned security descriptor. The returned pointer is valid only if you set the DACL_SECURITY_INFORMATION flag. This parameter can be NULL if you do not need the DACL.

ppSacl [out, optional]

A pointer to a variable that receives a pointer to the SACL in the returned security descriptor. The returned pointer is valid only if you set the SACL_SECURITY_INFORMATION flag. This parameter can be NULL if you do not need the SACL.

ppSecurityDescriptor [out, optional]

A pointer to a variable that receives a pointer to the security descriptor of the object. When you have finished using the pointer, free the returned buffer by calling the LocalFree function.

This parameter is required if any one of the ppsidOwner, ppsidGroup, ppDacl, or ppSacl parameters is not NULL.

Return Value

If the function succeeds, the return value is ERROR_SUCCESS.

If the function fails, the return value is a nonzero error code defined in WinError.h.

Remarks

If the ppsidOwner, ppsidGroup, ppDacl, and ppSacl parameters are non-NULL, and the SecurityInfo parameter specifies that they be retrieved from the object, those parameters will point to the corresponding parameters in the security descriptor returned in ppSecurityDescriptor.

To read the owner, group, or DACL from the object's security descriptor, the object's DACL must grant READ_CONTROL access to the caller, or the caller must be the owner of the object.

To read the system access control list of the object, the SE_SECURITY_NAME privilege must be enabled for the calling process. For information about the security implications of enabling privileges, see Running with Special Privileges.

You can use the GetNamedSecurityInfo function with the following types of objects:

  • Local or remote files or directories on an NTFS file system
  • Local or remote printers
  • Local or remote Windows services
  • Network shares
  • Registry keys
  • Semaphores, events, mutexes, and waitable timers
  • File-mapping objects
  • Directory service objects

This function does not handle race conditions. If your thread calls this function at the approximate time that another thread changes the object's security descriptor, then this function could fail.

This function transfers information in plaintext. The information transferred by this function is signed unless signing has been turned off for the system, but no encryption is performed.

Windows 2000 with SP2:  The information transferred by this function is unsigned.

Examples

For an example that uses GetNamedSecurityInfo, see Modifying the ACLs of an Object.

Requirements

Minimum supported clientWindows 2000 Professional
Minimum supported serverWindows 2000 Server
HeaderAclapi.h
LibraryAdvapi32.lib
DLLAdvapi32.dll
Unicode and ANSI namesGetNamedSecurityInfoW (Unicode) and GetNamedSecurityInfoA (ANSI)

See Also

Access Control
Basic Access Control Functions
Privilege Constants
ACL
GetSecurityInfo
LocalFree
SE_OBJECT_TYPE
SECURITY_DESCRIPTOR
SECURITY_INFORMATION
SetNamedSecurityInfo
SetSecurityInfo
SID

Send comments about this topic to Microsoft

Build date: 9/11/2009

Tags :


Community Content

Gideon7
No way to access 64-bit registry keys in WOW64
Note: When getting or setting the ACLs in the registry using SetNamedSecurityInfo or GetNamedSecurityInfo there is no way to access the 64-bit registry keys from a 32-bit DLL or EXE. A new SE_OBJECT_TYPE named SE_REGISTRY_WOW64_64KEY is needed that sets KEY_WOW64_64KEY in NTMARTA.DLL.

The workaround is to create a 64-bit DLL (or EXE) and distribute both with your application.

Jo Lines - MSFT
Please direct suggestions to the microsoft.public.platformsdk.security newsgroup
The Community Content section of an MSDN library topic provides an area where developers can collaborate on additional information related to that topic. Use this section to contribute code examples, tips and tricks, and links to other relevant content.

You can use the MSDN Forums (http://forums.microsoft.com/msdn/) or the Microsoft public security newsgroups (http://www.microsoft.com/technet/community/newsgroups/security/) to ask questions or participate in discussions about the APIs.

To submit feedback on the documentation, use the feedback link on this page (see the "Send comments about this topic to Microsoft" link).

If you receive useful information from the forums that you want to share with other developers, we welcome you to post the information here in the community content.

Thank you.
Tags :

vikie
Remote Machine registry ACL
Can this function be used to get the ACL for the remote machine's registry. I am trying to use this function but not able to get the ACL for remote registry. Is there any way out to do it? Please help.
Tags :

Page view tracker