SeOpenObjectForDeleteAuditAlarm function (ntifs.h)
The SeOpenObjectForDeleteAuditAlarm routine generates audit and alarm messages when an attempt is made to open an object for deletion.
Syntax
void SeOpenObjectForDeleteAuditAlarm(
[in] PUNICODE_STRING ObjectTypeName,
[in, optional] PVOID Object,
[in, optional] PUNICODE_STRING AbsoluteObjectName,
[in] PSECURITY_DESCRIPTOR SecurityDescriptor,
[in] PACCESS_STATE AccessState,
[in] BOOLEAN ObjectCreated,
[in] BOOLEAN AccessGranted,
[in] KPROCESSOR_MODE AccessMode,
[out] PBOOLEAN GenerateOnClose
);
Parameters
[in] ObjectTypeName
Pointer to a null-terminated string specifying the type of object to which the client is requesting access. This string appears in any audit message that is generated.
[in, optional] Object
Address of the object being opened with intent to delete. This value is needed only to enter into log messages. If the open attempt fails, the value of Object is ignored. Otherwise, it must be provided.
[in, optional] AbsoluteObjectName
Pointer to a null-terminated string specifying the name of the object being opened with intent to delete. This string appears in any audit message that is generated.
[in] SecurityDescriptor
A pointer to the security descriptor structure for the object being opened with intent to delete.
[in] AccessState
Pointer to an access state structure containing the object's subject context, remaining desired access types, granted access types, and, optionally, a privilege set to indicate which privileges were used to permit the access.
[in] ObjectCreated
Set to TRUE if the open operation causes a new object to be created, or FALSE if an existing object is opened.
[in] AccessGranted
Set to TRUE if open access was granted based on a previous access check or privilege check, or FALSE if it was denied.
[in] AccessMode
Access mode used for the access check. Either UserMode or KernelMode.
[out] GenerateOnClose
Pointer to a flag set by the audit generation routine when SeOpenObjectAuditAlarm returns.
Return value
None
Remarks
SeOpenObjectForDeleteAuditAlarm generates any necessary audit or alarm messages when a user-mode process attempts to open an object with the intent to delete it. SeOpenObjectForDeleteAuditAlarm is used by file systems when the flag FILE_DELETE_ON_CLOSE is specified. No messages are generated for kernel-mode accesses.
Before calling SeOpenObjectForDeleteAuditAlarm, the caller must call SeLockSubjectContext to lock the caller's primary and impersonation tokens. After calling SeOpenObjectForDeleteAuditAlarm, the caller must call SeUnlockSubjectContext to release these tokens.
For more information about security and access control, see Windows security model for driver developers and the documentation on these topics in the Windows SDK.
Requirements
| Requirement | Value |
|---|---|
| Target Platform | Universal |
| Header | ntifs.h (include Ntifs.h) |
| Library | NtosKrnl.lib |
| DLL | NtosKrnl.exe |
| IRQL | PASSIVE_LEVEL |
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for