Skip to main content
CoAllowUnmarshalerCLSID function

Adds an unmarshaler CLSID to the allowed list for the calling process only.


  _In_  REFCLSID clsid


clsid [in]

The CLSID of the unmarshaler to be added to the per-process allowed list.

Return value

If this function succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code.


Don't call the CoAllowUnmarshalerCLSID function until after CoInitializeSecurity has been called in the current process.

The CoAllowUnmarshalerCLSID function provides more granular control over unmarshaling policy than is provided by the policy options. If the process applies any unmarshaling policy, the effect of the CoAllowUnmarshalerCLSID function is to make the policy comparatively weaker. For this reason, only call CoAllowUnmarshalerCLSID when the security impact is well understood. Usually, this is used to facilitate applying a stronger unmarshaling policy option for the broad attack surface reduction this provides, when a specific unmarshaler CLSID not allowed by that option is needed due to other constraints.

For example, it's appropriate to call the CoAllowUnmarshalerCLSID function when an unmarshaler is known or believed to have a vulnerability but is required by an app. Also, it's appropriate to call CoAllowUnmarshalerCLSID if the unmarshaler is used in multiple processes, but only as part of an uncommon feature. Don't use the CoAllowUnmarshalerCLSID function as a replacement for hardening the unmarshaler.

Windows Phone 8.1: This API is supported.


Minimum supported client

Windows 8

Minimum supported server

Windows Server 2012



See also