Windows API Reference

Security & Authorization

Authorization APIs

This section provides documentation for the Windows APIs related to authorization, which governs what actions authenticated users or processes are permitted to perform on system resources.

Core Concepts

Authorization in Windows relies on several key components:

  • Access Tokens: Represent the security context of a process or thread, containing security identifiers (SIDs) for the user and groups, as well as privileges.
  • Security Descriptors (SDs): Objects that contain the security information for securable objects, including the owner, group, Discretionary Access Control List (DACL), and System Access Control List (SACL).
  • Access Control Lists (ACLs): A component of a Security Descriptor, containing Access Control Entries (ACEs) that define permissions for specific principals.
  • Access Control Entries (ACEs): Specify whether to grant or deny specific access rights to a user or group for a securable object.

Key Functions

Here are some of the most frequently used authorization-related functions:

AccessCheck

Determines whether a given security descriptor grants a requested set of access rights (an access mask) to the client represented by an access token.

AdjustTokenPrivileges

Enables or disables privileges (each identified by a locally unique identifier, LUID) in the specified access token.

CreateRestrictedToken

Creates a new token that is a restricted version of the caller's impersonation token.

FindNextAce

Retrieves the next Access Control Entry (ACE) in an Access Control List (ACL).

FreeSid

Frees memory allocated by a function that returns a Security Identifier (SID).

GetAce

Retrieves a pointer to an Access Control Entry (ACE) in an Access Control List (ACL).

GetFileSecurity

Retrieves specified components of the security descriptor for a file or directory.

GetSecurityInfo

Retrieves a copy of the security descriptor associated with a specified object.

ImpersonateSelf

Enables a thread to impersonate itself. This is useful for DLLs that need to impersonate the calling thread.

IsTokenRestricted

Determines whether a token has restricted SIDs.

PrivilegeCheck

Determines whether a token contains a specified set of privileges.

RevertToSelf

Stops the calling thread from impersonating.

SetEntriesInAcl

Creates a new Access Control List (ACL) or modifies an existing ACL by adding or removing ACEs.

SetSecurityInfo

Modifies the security of an object by setting specified components of its security descriptor.

SetTokenInformation

Sets various pieces of information in the specified access token.
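The Core Concepts above list the pieces (token SIDs, a security descriptor's DACL, its ordered ACEs) and AccessCheck is the function that evaluates them together, but the reference does not show how that evaluation works. The following is an added example, not code from this reference and not the Win32 implementation: a small C model of the documented DACL walk for a specific desired mask and for a MAXIMUM_ALLOWED request. It deliberately ignores privileges, owner rights, generic-right mapping, restricted SIDs and object-type ACEs; the access bit values are constructed for the model, S-1-5-32-545 (Users), S-1-5-32-544 (Administrators) and S-1-1-0 (Everyone) are real well-known SIDs, and the user SID is a placeholder.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Generic access bits for this model. The numeric values are constructed
   for illustration and are not the Win32 ACCESS_MASK constants. */
#define ACC_READ  0x1u
#define ACC_WRITE 0x2u
#define ACC_EXEC  0x4u
#define ACC_ALL   (ACC_READ | ACC_WRITE | ACC_EXEC)

enum ace_type { ACE_ALLOW, ACE_DENY };

/* One ACE: its type, the trustee SID (as a string) and the mask it covers. */
typedef struct { enum ace_type type; const char *sid; uint32_t mask; } ace_t;
/* A DACL: an ordered ACE array. is_null models a NULL DACL (no protection). */
typedef struct { const ace_t *aces; size_t count; bool is_null; } dacl_t;
/* The SIDs carried by an access token: the user SID plus group SIDs. */
typedef struct { const char *const *sids; size_t count; } token_t;

static bool token_has_sid(const token_t *tok, const char *sid) {
    for (size_t i = 0; i < tok->count; i++)
        if (strcmp(tok->sids[i], sid) == 0) return true;
    return false;
}

/* Model of AccessCheck for a specific desired mask. ACEs are walked in
   order and an ACE whose SID is not in the token is skipped. An allow ACE
   removes its bits from the outstanding request; a deny ACE that covers
   any outstanding bit denies the whole request. The walk stops as soon as
   nothing is outstanding, so later ACEs cannot take granted bits away. */
bool model_access_check(const token_t *tok, const dacl_t *dacl, uint32_t desired) {
    if (dacl->is_null) return true;            /* NULL DACL: everyone gets everything */
    uint32_t remaining = desired;
    for (size_t i = 0; i < dacl->count && remaining != 0; i++) {
        const ace_t *ace = &dacl->aces[i];
        if (!token_has_sid(tok, ace->sid)) continue;
        if (ace->type == ACE_DENY) {
            if (ace->mask & remaining) return false;
        } else {
            remaining &= ~ace->mask;
        }
    }
    return remaining == 0;                     /* empty DACL: nothing is ever granted */
}

/* Model of a MAXIMUM_ALLOWED request: the largest mask this token can obtain.
   Each bit is decided by the first matching ACE that mentions it. */
uint32_t model_maximum_allowed(const token_t *tok, const dacl_t *dacl) {
    if (dacl->is_null) return ACC_ALL;
    uint32_t granted = 0, denied = 0;
    for (size_t i = 0; i < dacl->count; i++) {
        const ace_t *ace = &dacl->aces[i];
        if (!token_has_sid(tok, ace->sid)) continue;
        if (ace->type == ACE_DENY) denied  |= ace->mask & ~granted;
        else                       granted |= ace->mask & ~denied;
    }
    return granted;
}

/* Constructed sample token: a user (placeholder SID) who is a member of the
   well-known BUILTIN\Users (S-1-5-32-545) and Everyone (S-1-1-0) groups. */
static const char *const sample_sids[] = { "S-1-5-21-0-0-0-1001", "S-1-5-32-545", "S-1-1-0" };
const token_t sample_token = { sample_sids, 3 };

/* Canonical order: explicit deny ACEs precede explicit allow ACEs. */
static const ace_t canonical_aces[] = {
    { ACE_DENY,  "S-1-5-32-545", ACC_WRITE },             /* Users: no write */
    { ACE_ALLOW, "S-1-1-0",      ACC_READ | ACC_WRITE },  /* Everyone: read/write */
    { ACE_ALLOW, "S-1-5-32-544", ACC_ALL },               /* Administrators: all */
};
const dacl_t canonical_dacl = { canonical_aces, 3, false };

/* Same three ACEs with the allow placed before the deny: non-canonical. */
static const ace_t misordered_aces[] = {
    { ACE_ALLOW, "S-1-1-0",      ACC_READ | ACC_WRITE },
    { ACE_DENY,  "S-1-5-32-545", ACC_WRITE },
    { ACE_ALLOW, "S-1-5-32-544", ACC_ALL },
};
const dacl_t misordered_dacl = { misordered_aces, 3, false };
const dacl_t null_dacl  = { NULL, 0, true };
const dacl_t empty_dacl = { NULL, 0, false };

int main(void) {
    printf("canonical DACL, WRITE requested:  %s\n",
           model_access_check(&sample_token, &canonical_dacl, ACC_WRITE) ? "granted" : "denied");
    printf("misordered DACL, WRITE requested: %s\n",
           model_access_check(&sample_token, &misordered_dacl, ACC_WRITE) ? "granted" : "denied");
    printf("canonical DACL, MAXIMUM_ALLOWED:  0x%x\n",
           model_maximum_allowed(&sample_token, &canonical_dacl));
    return 0;
}
```

The two DACLs contain identical ACEs and differ only in order, yet the misordered one grants the Users member write access because the Everyone allow ACE satisfies the request before the deny ACE is reached. This is why the canonical order (explicit deny, explicit allow, then inherited ACEs) matters, why SetEntriesInAcl inserts ACEs in that order rather than appending them, and why a DACL audit should flag non-canonical ACLs as a misconfiguration rather than trusting the presence of a deny ACE.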

Related Topics