Adds an unmarshaler CLSID to the allowed list for the calling process only.
HRESULT WINOLEAPI CoAllowUnmarshalerCLSID( _In_ REFCLSID clsid );
- clsid [in]
The CLSID of the unmarshaler to be added to the per-process allowed list.
If this function succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code.
Don't call the CoAllowUnmarshalerCLSID function until after CoInitializeSecurity has been called in the current process.
The CoAllowUnmarshalerCLSID function provides more granular control over unmarshaling policy than is provided by the policy options. If the process applies any unmarshaling policy, the effect of the CoAllowUnmarshalerCLSID function is to make the policy comparatively weaker. For this reason, only call CoAllowUnmarshalerCLSID when the security impact is well understood. Usually, this is used to facilitate applying a stronger unmarshaling policy option for the broad attack surface reduction this provides, when a specific unmarshaler CLSID not allowed by that option is needed due to other constraints.
For example, it's appropriate to call the CoAllowUnmarshalerCLSID function when an unmarshaler is known or believed to have a vulnerability but is required by an app. Also, it's appropriate to call CoAllowUnmarshalerCLSID if the unmarshaler is used in multiple processes, but only as part of an uncommon feature. Don't use the CoAllowUnmarshalerCLSID function as a replacement for hardening the unmarshaler.
Minimum supported client
Minimum supported server
|Windows Server 2012|
Build date: 11/16/2013