
SaferComputeTokenFromLevel function

The SaferComputeTokenFromLevel function restricts a token using restrictions specified by a SAFER_LEVEL_HANDLE.

Syntax


BOOL WINAPI SaferComputeTokenFromLevel(
  _In_         SAFER_LEVEL_HANDLE LevelHandle,
  _In_opt_     HANDLE InAccessToken,
  _Out_        PHANDLE OutAccessToken,
  _In_         DWORD dwFlags,
  _Inout_opt_  LPVOID lpReserved
);

Parameters

LevelHandle [in]

SAFER_LEVEL_HANDLE that contains the restrictions to place on the input token. Do not pass handles with a LevelId of SAFER_LEVELID_FULLYTRUSTED or SAFER_LEVELID_DISALLOWED to this function. This is because SAFER_LEVELID_FULLYTRUSTED is unrestricted and SAFER_LEVELID_DISALLOWED does not contain a token.

InAccessToken [in, optional]

Token to be restricted. If this parameter is NULL, the token of the calling thread is used; if the calling thread is not impersonating (has no thread token), the primary token of the current process is used.

OutAccessToken [out]

The resulting restricted token. When a token is created, the caller owns the returned handle and must close it with CloseHandle when it is no longer needed. Depending on dwFlags (see SAFER_TOKEN_NULL_IF_EQUAL and SAFER_TOKEN_COMPARE_ONLY below), the function can succeed without producing a usable token, so check the returned handle for NULL before using it.

dwFlags [in]

Specifies the behavior of the function. The value can be 0 or one or more of the following values combined by using a bitwise-OR operation.

Value   Meaning

SAFER_TOKEN_NULL_IF_EQUAL
1 (0x1)

If the token that would result from applying the level is not more restrictive than the token specified by the InAccessToken parameter, the OutAccessToken parameter receives NULL instead of a new token handle. Callers should check for this case explicitly rather than assuming a restricted token was produced.

SAFER_TOKEN_COMPARE_ONLY
2 (0x2)

The token specified by the InAccessToken parameter is compared with the token that would be created if the restrictions specified by the LevelHandle parameter were applied. The restricted token is not actually created.

On output, the DWORD pointed to by the lpReserved parameter receives the result of the comparison.

SAFER_TOKEN_MAKE_INERT
4 (0x4)

If this flag is set, the system does not check AppLocker rules or apply Software Restriction Policies for processes running under the resulting token. For AppLocker, this flag disables checks for all four rule collections: Executable, Windows Installer, Script, and DLL.

Set this flag when creating a setup program that must run extracted DLLs during installation. Because it exempts the process from policy enforcement, do not set it for a process you are deliberately sandboxing.

Whether a token carries this flag can be queried with GetTokenInformation using the TokenSandBoxInert information class.

Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP:  AppLocker is not supported.

SAFER_TOKEN_WANT_FLAGS
8 (0x8)

On output, the DWORD pointed to by the lpReserved parameter receives the set of flags used to create the restricted token.


lpReserved [in, out, optional]

If the SAFER_TOKEN_COMPARE_ONLY flag is set, this parameter must point to a DWORD (it is treated as an LPDWORD) that, on output, receives the result of the token comparison. A value of –1 (0xFFFFFFFF) indicates that the resulting token would be less privileged than the token specified by the InAccessToken parameter.

If the SAFER_TOKEN_WANT_FLAGS flag is set and the SAFER_TOKEN_COMPARE_ONLY flag is not set, this parameter must point to a DWORD (LPDWORD) that, on output, receives the flags used to create the restricted token.

If neither flag is set, pass NULL.

Return value

TRUE if the function succeeds; otherwise, FALSE. For extended information, call GetLastError.
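The sequence a practitioner normally wants is: create a SAFER level, run a SAFER_TOKEN_COMPARE_ONLY dry run to confirm the level would actually reduce the caller's token, compute the restricted token with SAFER_TOKEN_NULL_IF_EQUAL, and hand it to CreateProcessAsUser. The following PowerShell script is an added example; it is not from this page or from Microsoft's SDK samples. It declares the Win32 functions through Add-Type using the WinSafer.h names and values (SAFER_SCOPEID_USER = 2, SAFER_LEVELID_NORMALUSER = 0x20000, SAFER_LEVEL_OPEN = 1, and the dwFlags values listed above); the second P/Invoke declaration, SaferComputeTokenFromLevelWithResult, is my own name for the same entry point with lpReserved marshaled as ref int so the COMPARE_ONLY result can be read back. The helper function names Test-SaferLevelRestricts and Start-RestrictedProcess are also mine. It assumes Windows PowerShell 5.x or PowerShell 7 on Windows, and that CreateProcessAsUser can assign the token because it is a restricted version of the caller's own token.

```powershell
$source = @'
using System;
using System.Runtime.InteropServices;

public static class Safer
{
    // Identifiers from WinSafer.h
    public const uint SAFER_SCOPEID_USER        = 2;
    public const uint SAFER_LEVELID_CONSTRAINED = 0x10000;
    public const uint SAFER_LEVELID_NORMALUSER  = 0x20000;
    public const uint SAFER_LEVEL_OPEN          = 1;
    public const uint SAFER_TOKEN_NULL_IF_EQUAL = 0x1;
    public const uint SAFER_TOKEN_COMPARE_ONLY  = 0x2;
    public const uint SAFER_TOKEN_MAKE_INERT    = 0x4;

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool SaferCreateLevel(uint dwScopeId, uint dwLevelId, uint OpenFlags,
        out IntPtr pLevelHandle, IntPtr lpReserved);

    // lpReserved passed as NULL when no output is requested ...
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool SaferComputeTokenFromLevel(IntPtr LevelHandle, IntPtr InAccessToken,
        out IntPtr OutAccessToken, uint dwFlags, IntPtr lpReserved);

    // ... and as a pointer to a DWORD for SAFER_TOKEN_COMPARE_ONLY / SAFER_TOKEN_WANT_FLAGS.
    // Same exported function; the distinct managed name is this example's own.
    [DllImport("advapi32.dll", SetLastError = true, EntryPoint = "SaferComputeTokenFromLevel")]
    public static extern bool SaferComputeTokenFromLevelWithResult(IntPtr LevelHandle, IntPtr InAccessToken,
        out IntPtr OutAccessToken, uint dwFlags, ref int lpReserved);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool SaferCloseLevel(IntPtr hLevelHandle);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessAsUser(IntPtr hToken, string lpApplicationName, string lpCommandLine,
        IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags,
        IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo,
        out PROCESS_INFORMATION lpProcessInformation);
}
'@
Add-Type -TypeDefinition $source

function Test-SaferLevelRestricts {
    # Dry run with SAFER_TOKEN_COMPARE_ONLY: $true when the level would yield a token
    # less privileged than the caller's (lpReserved receives -1). No token is created.
    param([IntPtr]$Level)
    $result = 0; $unused = [IntPtr]::Zero
    if (-not [Safer]::SaferComputeTokenFromLevelWithResult($Level, [IntPtr]::Zero, [ref]$unused,
            [Safer]::SAFER_TOKEN_COMPARE_ONLY, [ref]$result)) {
        throw "SaferComputeTokenFromLevel(COMPARE_ONLY) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    return ($result -eq -1)
}

function Start-RestrictedProcess {
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        [uint32]$LevelId = [Safer]::SAFER_LEVELID_NORMALUSER,
        [switch]$Inert   # SAFER_TOKEN_MAKE_INERT: child is exempt from SRP/AppLocker checks
    )
    $level = [IntPtr]::Zero
    if (-not [Safer]::SaferCreateLevel([Safer]::SAFER_SCOPEID_USER, $LevelId,
            [Safer]::SAFER_LEVEL_OPEN, [ref]$level, [IntPtr]::Zero)) {
        throw "SaferCreateLevel failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $token = [IntPtr]::Zero
    try {
        if (-not (Test-SaferLevelRestricts $level)) {
            throw "Refusing to launch: level 0x$($LevelId.ToString('X')) would not restrict the current token"
        }
        $flags = [Safer]::SAFER_TOKEN_NULL_IF_EQUAL
        if ($Inert) { $flags = $flags -bor [Safer]::SAFER_TOKEN_MAKE_INERT }
        # InAccessToken = NULL: restrict the calling thread's token (process token if not impersonating).
        if (-not [Safer]::SaferComputeTokenFromLevel($level, [IntPtr]::Zero, [ref]$token, $flags, [IntPtr]::Zero)) {
            throw "SaferComputeTokenFromLevel failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        # With NULL_IF_EQUAL a NULL handle means "no more restrictive than the input":
        # fail closed instead of launching the child with the caller's full rights.
        if ($token -eq [IntPtr]::Zero) { throw "No restricted token produced; refusing to launch unrestricted" }

        $si = New-Object -TypeName 'Safer+STARTUPINFO'
        $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
        $pi = New-Object -TypeName 'Safer+PROCESS_INFORMATION'
        if (-not [Safer]::CreateProcessAsUser($token, $null, $CommandLine, [IntPtr]::Zero, [IntPtr]::Zero,
                $false, 0, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)) {
            throw "CreateProcessAsUser failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        [void][Safer]::CloseHandle($pi.hThread)
        [void][Safer]::CloseHandle($pi.hProcess)
        return $pi.dwProcessId
    } finally {
        # The caller owns OutAccessToken and the level handle; release both on every path.
        if ($token -ne [IntPtr]::Zero) { [void][Safer]::CloseHandle($token) }
        [void][Safer]::SaferCloseLevel($level)
    }
}

# Usage: start a command prompt under a Normal User token (Administrator and Power User
# rights removed) and show the effect with whoami inside the new window.
Start-RestrictedProcess -CommandLine 'cmd.exe /k whoami /groups /priv'
```

Running the usage line from an elevated or admin-member session shows the difference directly: the child's `whoami /groups` lists the administrative groups as deny-only and `whoami /priv` shows far fewer privileges than the parent. Passing -LevelId ([Safer]::SAFER_LEVELID_CONSTRAINED) tightens the token further, and the COMPARE_ONLY dry run in Test-SaferLevelRestricts is what prevents the script from silently launching an unrestricted child when the chosen level would not reduce the caller's token.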

Requirements

Minimum supported client

Windows XP [desktop apps only]

Minimum supported server

Windows Server 2003 [desktop apps only]

Header

WinSafer.h

Library

Advapi32.lib

DLL

Advapi32.dll

© 2014 Microsoft