IInternetSecurityManager::GetSecurityId method

Gets the security identification of the specified URL.


HRESULT GetSecurityId(
  [in]      LPCWSTR   pwszUrl,
  [out]     BYTE      *pbSecurityId,
  [in, out] DWORD     *pcbSecurityId,
  [in]      DWORD_PTR dwReserved


pwszUrl [in]

A string value that specifies the URL.

pbSecurityId [out]

A buffer that specifies the scheme, domain name, and zone associated with the URL.

pcbSecurityId [in, out]

An unsigned long integer value that specifies the size of the buffer being passed in.

dwReserved [in]

An unsigned long integer that specifies the domain to use. If set to zero, the full domain name is used. Otherwise, a string value containing a suffix to the domain name can be specified. This larger domain name—the full domain name combined with the suffix—is used as the security identifier.

Return value

Returns S_OK if successful, or E_INVALIDARG if the buffer is set to NULL or the string passed in to pwszUrl is not a valid URL.


Upon successful completion, pbSecurityId contains the scheme, domain, and zone information, as well as whether the specified pwszUrl was derived from a Mark of the Web.

The pcbSecurityId parameter contains the actual size of the data stored in the buffer. The largest buffer size returned by IInternetSecurityManager::GetSecurityId is 512 bytes, or MAX_SIZE_SECURITY_ID.

Security Warning:  An incorrect implementation of this method can compromise the security of your application. A custom implementation of IInternetSecurityManager::GetSecurityId should generate only IDs for hosts that cannot be handled by the default implementation. For all other hosts, this method should return INET_E_DEFAULT_ACTION. Attempting to duplicate the default implementation might result in the creation of IDs that are less secure and are susceptible to a spoofing attack. Review Security Considerations: URL Security Zones API before you continue.


Minimum supported client

Windows XP

Minimum supported server

Windows 2000 Server



See also