Windows Driver Kit: Installable File System Drivers
ZwSetSecurityObject
The ZwSetSecurityObject routine sets an object's security state.
NTSTATUS
ZwSetSecurityObject(
IN HANDLE Handle,
IN SECURITY_INFORMATION SecurityInformation,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
);
Parameters
- Handle
- Handle for the object whose security state is to be set. This handle must have the access specified in the Meaning column of the table shown in the description of the SecurityInformation parameter.
- SecurityInformation
- Pointer to a SECURITY_INFORMATION value specifying the information to be set. Can be a combination of one or more of the following.
| Value | Meaning |
|---|
| DACL_SECURITY_INFORMATION | Indicates the discretionary access control list (DACL) of the object is to be set. Requires WRITE_DAC access. |
| GROUP_SECURITY_INFORMATION | Indicates the primary group identifier of the object is to be set. Requires WRITE_OWNER access. |
| OWNER_SECURITY_INFORMATION | Indicates the owner identifier of the object is to be set. Requires WRITE_OWNER access. |
| SACL_SECURITY_INFORMATION | Indicates the system ACL (SACL) of the object is to be set. Requires ACCESS_SYSTEM_SECURITY access. |
- SecurityDescriptor
- Pointer to the security descriptor to be set for the object.
Return Value
ZwSetSecurityObject returns STATUS_SUCCESS or an appropriate error status. Possible error status codes include the following:
- STATUS_ACCESS_DENIED
- Handle did not have the required access.
- STATUS_ACCESS_VIOLATION
- SecurityDescriptor was a NULL pointer.
- STATUS_INSUFFICIENT_RESOURCES
- The object's security descriptor could not be captured.
- STATUS_INVALID_ACL
- The object's security descriptor contained an invalid ACL.
- STATUS_INVALID_HANDLE
- Handle was not a valid handle.
- STATUS_INVALID_SECURITY_DESCR
- SecurityDescriptor did not point to a valid security descriptor.
- STATUS_INVALID_SID
- The object's security descriptor contained an invalid SID.
- STATUS_OBJECT_TYPE_MISMATCH
- Handle was not a handle of the expected type.
- STATUS_UNKNOWN_REVISION
- The revision level of the object's security descriptor was unknown or not supported.
Comments
A security descriptor can be in absolute or self-relative form. In self-relative form, all members of the structure are located contiguously in memory. In absolute form, the structure only contains pointers to the members. For more information, see "Absolute and Self-Relative Security Descriptors" in the Security section of the Microsoft Windows SDK documentation.
For more information about security and access control, see the documentation on these topics in the Windows SDK.
Minifilters should use FltSetSecurityObject instead of ZwSetSecurityObject.
Callers of ZwSetSecurityObject must be running at IRQL = PASSIVE_LEVEL and with APCs enabled.
Requirements
Versions: This routine is available on Microsoft Windows XP and later.
IRQL: PASSIVE_LEVEL (see Comments section)
Headers: Declared in Ntifs.h. Include Ntifs.h.
See Also
FltSetSecurityObject, SECURITY_DESCRIPTOR, SECURITY_INFORMATION, ZwQuerySecurityObject