
SeOpenObjectAuditAlarm routine

The SeOpenObjectAuditAlarm routine generates audit and alarm messages when an attempt is made to open an object.

Syntax


VOID SeOpenObjectAuditAlarm(
  _In_     PUNICODE_STRING      ObjectTypeName,
  _In_opt_ PVOID                Object,
  _In_opt_ PUNICODE_STRING      AbsoluteObjectName,
  _In_     PSECURITY_DESCRIPTOR SecurityDescriptor,
  _In_     PACCESS_STATE        AccessState,
  _In_     BOOLEAN              ObjectCreated,
  _In_     BOOLEAN              AccessGranted,
  _In_     KPROCESSOR_MODE      AccessMode,
  _Out_    PBOOLEAN             GenerateOnClose
);

Parameters

ObjectTypeName [in]

Pointer to a null-terminated string specifying the type of object to which the client is requesting access. This string appears in any audit message that is generated.

Object [in, optional]

Address of the object being opened. This value is needed only to enter into log messages. If the open attempt fails, the value of Object is ignored. Otherwise, it must be provided.

AbsoluteObjectName [in, optional]

Pointer to a null-terminated string specifying the name of the object being opened. This string appears in any audit message that is generated.

SecurityDescriptor [in]

A pointer to the security descriptor structure for the object being opened.

AccessState [in]

Pointer to an access state structure containing the object's subject context, remaining desired access types, granted access types, and, optionally, a privilege set to indicate which privileges were used to permit the access.

ObjectCreated [in]

Set to TRUE if the open operation causes a new object to be created, or FALSE if an existing object is opened.

AccessGranted [in]

Set to TRUE if open access was granted based on a previous access check or privilege check, or FALSE if it was denied.

AccessMode [in]

Access mode used for the access check. Either UserMode or KernelMode.

GenerateOnClose [out]

Pointer to a flag set by the audit generation routine when SeOpenObjectAuditAlarm returns.

Return value

None

Remarks

SeOpenObjectAuditAlarm generates any necessary audit or alarm messages for user-mode accesses. No messages are generated for kernel-mode accesses.

Before calling SeOpenObjectAuditAlarm, the caller must call SeLockSubjectContext to lock the caller's primary and impersonation tokens. After calling SeOpenObjectAuditAlarm, the caller must call SeUnlockSubjectContext to release these tokens.
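The locking contract above, as an added example that is not Microsoft's sample code. AuditOpenAttempt is a hypothetical helper name. The example assumes the subject context to lock is the SubjectSecurityContext member of the ACCESS_STATE, and that driver builds define _KERNEL_MODE (MSVC /kernel). The #else branch holds constructed stand-ins so the call order can be checked on a host compiler.

```c
#ifdef _KERNEL_MODE            /* driver build: use the real declarations */
#include <ntifs.h>
#else                          /* constructed host stand-ins, only to check call order */
#define TRUE 1
#define FALSE 0
#define PAGED_CODE()
typedef unsigned char BOOLEAN, *PBOOLEAN;
typedef void *PVOID, *PSECURITY_DESCRIPTOR;
typedef char KPROCESSOR_MODE;
enum { KernelMode, UserMode };
typedef struct _UNICODE_STRING UNICODE_STRING, *PUNICODE_STRING;
typedef struct { int Unused; } SECURITY_SUBJECT_CONTEXT, *PSECURITY_SUBJECT_CONTEXT;
typedef struct { SECURITY_SUBJECT_CONTEXT SubjectSecurityContext; } ACCESS_STATE, *PACCESS_STATE;
static char g_trace[8]; static int g_n;     /* records L(ock), A(udit), U(nlock) */
static void SeLockSubjectContext(PSECURITY_SUBJECT_CONTEXT c)   { (void)c; g_trace[g_n++] = 'L'; }
static void SeUnlockSubjectContext(PSECURITY_SUBJECT_CONTEXT c) { (void)c; g_trace[g_n++] = 'U'; }
static void SeOpenObjectAuditAlarm(PUNICODE_STRING t, PVOID o, PUNICODE_STRING n,
    PSECURITY_DESCRIPTOR sd, PACCESS_STATE as, BOOLEAN created, BOOLEAN granted,
    KPROCESSOR_MODE mode, PBOOLEAN onClose)
{
    (void)t; (void)o; (void)n; (void)sd; (void)as; (void)created; (void)mode;
    g_trace[g_n++] = 'A';
    *onClose = granted;                     /* constructed behaviour, not Windows' */
}
#endif

/* Hypothetical helper: audit one open attempt and return GenerateOnClose. */
BOOLEAN AuditOpenAttempt(PUNICODE_STRING TypeName, PVOID Object, PUNICODE_STRING Name,
                         PSECURITY_DESCRIPTOR Sd, PACCESS_STATE AccessState,
                         BOOLEAN Created, BOOLEAN Granted, KPROCESSOR_MODE Mode)
{
    BOOLEAN GenerateOnClose = FALSE;  /* defined value even when no audit is attempted */

    PAGED_CODE();                     /* the routine requires IRQL PASSIVE_LEVEL */
    if (Mode == KernelMode)           /* no messages are generated for kernel-mode accesses */
        return FALSE;

    /* Lock the primary and impersonation tokens for the duration of the call. */
    SeLockSubjectContext(&AccessState->SubjectSecurityContext);
    SeOpenObjectAuditAlarm(TypeName, Object, Name, Sd, AccessState,
                           Created, Granted, Mode, &GenerateOnClose);
    SeUnlockSubjectContext(&AccessState->SubjectSecurityContext);
    return GenerateOnClose;
}
```

The returned flag is the GenerateOnClose output; the caller keeps it with the opened handle or object so the close path knows whether an audit is expected.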

For more information about security and access control, see the documentation on these topics in the Microsoft Windows SDK.

Requirements

Target platform

Universal

Header

Ntifs.h (include Ntifs.h)

Library

NtosKrnl.lib

DLL

NtosKrnl.exe

IRQL

PASSIVE_LEVEL

See also

ACCESS_STATE
SeAuditingFileEvents
SeAuditingFileOrGlobalEvents
SECURITY_DESCRIPTOR
SeDeleteObjectAuditAlarm
SeLockSubjectContext
SeOpenObjectForDeleteAuditAlarm
SeSetAccessStateGenericMapping
SeUnlockSubjectContext
UNICODE_STRING

 

 

© 2015 Microsoft