CoAllowUnmarshalerCLSID function (combaseapi.h)
Adds an unmarshaler CLSID to the allowed list for the calling process only.
Syntax
HRESULT CoAllowUnmarshalerCLSID(
[in] REFCLSID clsid
);
Parameters
[in] clsid
The CLSID of the unmarshaler to be added to the per-process allowed list.
Return value
If this function succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code.
Remarks
Don't call the CoAllowUnmarshalerCLSID function until after CoInitializeSecurity has been called in the current process.
The CoAllowUnmarshalerCLSID function provides more granular control over unmarshaling policy than is provided by the policy options. If the process applies any unmarshaling policy, the effect of the CoAllowUnmarshalerCLSID function is to make the policy comparatively weaker. For this reason, only call CoAllowUnmarshalerCLSID when the security impact is well understood. Usually, this is used to facilitate applying a stronger unmarshaling policy option for the broad attack surface reduction this provides, when a specific unmarshaler CLSID not allowed by that option is needed due to other constraints.
For example, it's appropriate to call the CoAllowUnmarshalerCLSID function when an unmarshaler is known or believed to have a vulnerability but is required by an app. Also, it's appropriate to call CoAllowUnmarshalerCLSID if the unmarshaler is used in multiple processes, but only as part of an uncommon feature. Don't use the CoAllowUnmarshalerCLSID function as a replacement for hardening the unmarshaler.
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows 8 |
| Minimum supported server | Windows Server 2012 |
| Target Platform | Windows |
| Header | combaseapi.h |
| Library | Ole32.lib |
| DLL | Ole32.dll |
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for