MSDN Documentation

Windows Kernel API Reference

Security

This section covers the API functions and structures related to security within the Windows kernel. These APIs allow for the management and enforcement of security policies, access control, and protection of system resources.

Access Control Functions

NtAccessCheck

NTSTATUS NtAccessCheck(
    PSECURITY_DESCRIPTOR SecurityDescriptor,
    HANDLE               ClientToken,
    ACCESS_MASK          DesiredAccess,
    PGENERIC_MAPPING     GenericMapping,
    PPRIVILEGE_SET       PrivilegeSet,
    PULONG               ReturnLength,
    PACCESS_MASK         GrantedAccess,
    PNTSTATUS            AccessStatus
);

Determines whether a client has been granted a requested access set on an object.

Parameters:

  • SecurityDescriptor: Pointer to the security descriptor of the object.
  • ClientToken: Handle to the client's access token.
  • DesiredAccess: The requested access mask.
  • GenericMapping: Pointer to a GENERIC_MAPPING structure.
  • PrivilegeSet: Pointer to a buffer that receives a PRIVILEGE_SET structure describing the privileges used to perform the access check.
  • ReturnLength: Pointer to the size of the buffer pointed to by PrivilegeSet.
  • GrantedAccess: Pointer to a variable that receives the granted access mask.
  • AccessStatus: Pointer to a variable that receives the final status of the access check.

Return Value:

  • STATUS_SUCCESS if the access check is performed successfully.
  • Otherwise, an appropriate NTSTATUS error code.

Remarks:

  • This function is typically called by object managers.
  • Client applications rarely call this function directly.

NtOpenProcessToken

NTSTATUS NtOpenProcessToken(
    HANDLE      ProcessHandle,
    ACCESS_MASK DesiredAccess,
    PHANDLE     TokenHandle
);

Opens the access token associated with a process.

Parameters:

  • ProcessHandle: Handle to the process whose token is to be opened.
  • DesiredAccess: Mask of access rights to be requested for the token.
  • TokenHandle: Pointer to a variable that receives the handle to the opened token.

Return Value:

  • STATUS_SUCCESS if the token is opened successfully.
  • Otherwise, an appropriate NTSTATUS error code.
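As an added example (not part of this reference and not Windows code), the following portable C program models the walk NtAccessCheck performs over an object's DACL, with a small token structure standing in for the token a caller would obtain from NtOpenProcessToken. The struct names, the integer SIDs, the sample object and the sample principals are assumptions of the example; the access-right, status and generic-mapping values are the real SDK ones. It makes two points concrete: the call's return value only reports that the check could be run, while a denial is delivered through AccessStatus and GrantedAccess, and an access-denied ACE that matches any still-requested bit ends the walk even for the object's owner.

```c
/* Portable model of the DACL walk behind NtAccessCheck. Added example, not Windows code:
 * SIDs are plain ints, a token is (user, groups) as NtOpenProcessToken would hand back,
 * and the generic-mapping step mirrors what RtlMapGenericMask does. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;
typedef uint32_t NTSTATUS_T;                         /* stand-in for NTSTATUS */
#define STATUS_SUCCESS       0x00000000u
#define STATUS_ACCESS_DENIED 0xC0000022u

/* Real generic and standard right values from the Windows SDK. */
#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_ALL     0x10000000u
#define READ_CONTROL    0x00020000u
#define WRITE_DAC       0x00040000u
/* Constructed object-specific rights for the sample object (same bits as FILE_READ_DATA etc.). */
#define OBJ_READ    0x0001u
#define OBJ_WRITE   0x0002u
#define OBJ_EXECUTE 0x0020u

typedef struct { ACCESS_MASK GenericRead, GenericWrite, GenericExecute, GenericAll; } GENERIC_MAPPING;

/* Replace each generic bit by the object-specific rights the object type maps it to. */
static ACCESS_MASK map_generic(ACCESS_MASK m, const GENERIC_MAPPING *g) {
    if (m & GENERIC_READ)    m |= g->GenericRead;
    if (m & GENERIC_WRITE)   m |= g->GenericWrite;
    if (m & GENERIC_EXECUTE) m |= g->GenericExecute;
    if (m & GENERIC_ALL)     m |= g->GenericAll;
    return m & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
}

typedef int SID;                                     /* constructed: SIDs are small integers */
typedef enum { ACE_ALLOW, ACE_DENY } ACE_TYPE;
typedef struct { ACE_TYPE type; SID sid; ACCESS_MASK mask; } ACE;
typedef struct { SID owner; bool dacl_present; const ACE *dacl; int ace_count; } SEC_DESC;
typedef struct { SID user; const SID *groups; int group_count; } TOKEN;

static bool token_holds(const TOKEN *t, SID s) {
    if (t->user == s) return true;
    for (int i = 0; i < t->group_count; i++)
        if (t->groups[i] == s) return true;
    return false;
}

/* The return value says whether the check could be run; the verdict lives in *access_status
 * and *granted, as the real call keeps "check performed" apart from "access granted". */
static NTSTATUS_T model_access_check(const SEC_DESC *sd, const TOKEN *tok, ACCESS_MASK desired,
                                     const GENERIC_MAPPING *gm,
                                     ACCESS_MASK *granted, NTSTATUS_T *access_status) {
    ACCESS_MASK wanted = map_generic(desired, gm), remaining = wanted;
    *granted = 0;
    *access_status = STATUS_ACCESS_DENIED;
    if (!sd->dacl_present) {                         /* NULL DACL: no protection at all */
        *granted = wanted; *access_status = STATUS_SUCCESS; return STATUS_SUCCESS;
    }
    if (tok->user == sd->owner)                      /* owner implicitly has READ_CONTROL|WRITE_DAC */
        remaining &= ~(READ_CONTROL | WRITE_DAC);
    for (int i = 0; i < sd->ace_count && remaining; i++) {
        const ACE *a = &sd->dacl[i];
        if (!token_holds(tok, a->sid)) continue;     /* ACE does not apply to this token */
        ACCESS_MASK m = map_generic(a->mask, gm);
        if (a->type == ACE_DENY && (m & remaining)) return STATUS_SUCCESS; /* deny wins, walk stops */
        if (a->type == ACE_ALLOW) remaining &= ~m;   /* allow bits accumulate */
    }
    if (remaining == 0) { *granted = wanted; *access_status = STATUS_SUCCESS; }
    return STATUS_SUCCESS;
}

/* Constructed sample: Alice (1000) owns the object but is also in group 2000, which has an
 * explicit deny on writes ahead of the allow ACEs (canonical order). */
static const GENERIC_MAPPING kMapping = {
    OBJ_READ | READ_CONTROL, OBJ_WRITE | READ_CONTROL, OBJ_EXECUTE | READ_CONTROL,
    OBJ_READ | OBJ_WRITE | OBJ_EXECUTE | READ_CONTROL | WRITE_DAC };
static const ACE kDacl[] = { { ACE_DENY,  2000, OBJ_WRITE },
                             { ACE_ALLOW, 2000, GENERIC_READ },
                             { ACE_ALLOW, 1000, GENERIC_ALL } };
static const SEC_DESC kSd = { 1000, true, kDacl, 3 };
static const SID kAliceGroups[] = { 2000, 513 };
static const TOKEN kAlice = { 1000, kAliceGroups, 2 };
static const SID kBobGroups[] = { 2000 };
static const TOKEN kBob = { 3000, kBobGroups, 1 };
static const TOKEN kCarol = { 4000, NULL, 0 };        /* matches no ACE at all */

/* Run the check against the sample object; returns the verdict (AccessStatus), not the call status. */
static NTSTATUS_T sample_check(const TOKEN *tok, ACCESS_MASK desired, ACCESS_MASK *granted_out) {
    ACCESS_MASK g; NTSTATUS_T verdict;
    model_access_check(&kSd, tok, desired, &kMapping, &g, &verdict);
    if (granted_out) *granted_out = g;
    return verdict;
}
static ACCESS_MASK sample_granted(const TOKEN *tok, ACCESS_MASK desired) {
    ACCESS_MASK g; sample_check(tok, desired, &g); return g;
}

int main(void) {
    const struct { const char *who; const TOKEN *t; ACCESS_MASK want; } cases[] = {
        { "Alice GENERIC_WRITE", &kAlice, GENERIC_WRITE }, { "Alice WRITE_DAC    ", &kAlice, WRITE_DAC },
        { "Bob   GENERIC_READ ", &kBob,   GENERIC_READ },  { "Carol OBJ_READ     ", &kCarol, OBJ_READ } };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        ACCESS_MASK g; NTSTATUS_T v = sample_check(cases[i].t, cases[i].want, &g);
        printf("%s -> AccessStatus 0x%08X, GrantedAccess 0x%08X\n", cases[i].who, (unsigned)v, (unsigned)g);
    }
    return 0;
}
```

Alice's GENERIC_WRITE request is refused by the deny ACE on group 2000 before her own GENERIC_ALL allow is ever reached, yet every call returns STATUS_SUCCESS; a caller that tests only the return value and ignores AccessStatus and GrantedAccess would treat that denial as a grant. MAXIMUM_ALLOWED and the privilege checks reported through PrivilegeSet are outside this model.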

Security Descriptor Functions

NtCreateSecurityDescriptor

NTSTATUS NtCreateSecurityDescriptor(
    PSECURITY_DESCRIPTOR SecurityDescriptor,
    ULONG                Revision
);

Initializes a security descriptor structure.

Parameters:

  • SecurityDescriptor: Pointer to the security descriptor to be initialized.
  • Revision: The revision level of the security descriptor.

Return Value:

  • STATUS_SUCCESS if the security descriptor is initialized successfully.
  • Otherwise, an appropriate NTSTATUS error code.

NtSetSecurityObject

NTSTATUS NtSetSecurityObject(
    HANDLE               Handle,
    SECURITY_INFORMATION SecurityInformation,
    PSECURITY_DESCRIPTOR SecurityDescriptor
);

Sets the security descriptor for an object.

Parameters:

  • Handle: Handle to the object whose security descriptor is to be set.
  • SecurityInformation: Flags indicating which security information is being set.
  • SecurityDescriptor: Pointer to the new security descriptor.

Return Value:

  • STATUS_SUCCESS if the security descriptor is set successfully.
  • Otherwise, an appropriate NTSTATUS error code.
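As an added example (not part of this reference and not Windows code), the following portable C program models the two things a caller of the security descriptor functions above most often gets wrong: the Revision check when a descriptor is initialised, and the fact that NtSetSecurityObject replaces only the parts selected by SecurityInformation and requires the handle to hold the matching right for each part (WRITE_DAC for the DACL, WRITE_OWNER for owner and group, ACCESS_SYSTEM_SECURITY for the SACL). The struct names, the integer stand-ins for owner, group, DACL and SACL, the handle structure and the sample object are assumptions of the example; the flag, right and status values are the real SDK ones. The public header exposes the initialisation routine as RtlCreateSecurityDescriptor, which is the function this model follows. Validation of the new owner SID itself is left out.

```c
/* Portable model of the checks NtSetSecurityObject makes before replacing parts of an object's
 * security descriptor, plus the revision check done when a descriptor is initialised. Added
 * example, not Windows code: owner/group/DACL/SACL are plain ints and the handle is a struct.
 * Flag, right and status values are the real SDK ones. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t NTSTATUS_T;
#define STATUS_SUCCESS                0x00000000u
#define STATUS_ACCESS_DENIED          0xC0000022u
#define STATUS_UNKNOWN_REVISION       0xC0000058u
#define STATUS_INVALID_SECURITY_DESCR 0xC0000079u

#define OWNER_SECURITY_INFORMATION 0x00000001u
#define GROUP_SECURITY_INFORMATION 0x00000002u
#define DACL_SECURITY_INFORMATION  0x00000004u
#define SACL_SECURITY_INFORMATION  0x00000008u
#define WRITE_DAC                  0x00040000u
#define WRITE_OWNER                0x00080000u
#define ACCESS_SYSTEM_SECURITY     0x01000000u
#define SECURITY_DESCRIPTOR_REVISION 1u

typedef struct { uint32_t revision; int owner, group, dacl, sacl; } SEC_DESC; /* 0 = not present */
typedef struct { uint32_t granted_access; SEC_DESC object_sd; } HANDLE_T;    /* what a handle carries */

/* Initialise an empty descriptor (RtlCreateSecurityDescriptor semantics); only revision 1 exists. */
static NTSTATUS_T model_create_sd(SEC_DESC *sd, uint32_t revision) {
    if (revision != SECURITY_DESCRIPTOR_REVISION) return STATUS_UNKNOWN_REVISION;
    sd->revision = revision; sd->owner = sd->group = sd->dacl = sd->sacl = 0;
    return STATUS_SUCCESS;
}

/* Handle rights that each SECURITY_INFORMATION flag requires. */
static uint32_t rights_required(uint32_t info) {
    uint32_t r = 0;
    if (info & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION)) r |= WRITE_OWNER;
    if (info & DACL_SECURITY_INFORMATION) r |= WRITE_DAC;
    if (info & SACL_SECURITY_INFORMATION) r |= ACCESS_SYSTEM_SECURITY;
    return r;
}

/* Only the parts named in info are replaced; the rest of the object's descriptor is untouched. */
static NTSTATUS_T model_set_security(HANDLE_T *h, uint32_t info, const SEC_DESC *sd) {
    if (sd->revision != SECURITY_DESCRIPTOR_REVISION) return STATUS_INVALID_SECURITY_DESCR;
    if (rights_required(info) & ~h->granted_access) return STATUS_ACCESS_DENIED; /* handle too weak */
    if (info & OWNER_SECURITY_INFORMATION) h->object_sd.owner = sd->owner;
    if (info & GROUP_SECURITY_INFORMATION) h->object_sd.group = sd->group;
    if (info & DACL_SECURITY_INFORMATION)  h->object_sd.dacl  = sd->dacl;
    if (info & SACL_SECURITY_INFORMATION)  h->object_sd.sacl  = sd->sacl;
    return STATUS_SUCCESS;
}

/* Constructed scenario: an object owned by 1000 with DACL id 5; the caller's handle was opened
 * with granted_access and presents a new descriptor carrying owner 2000 and DACL id 77. */
static NTSTATUS_T demo_set(uint32_t granted_access, uint32_t info, SEC_DESC *object_after) {
    HANDLE_T h = { granted_access, { SECURITY_DESCRIPTOR_REVISION, 1000, 513, 5, 0 } };
    SEC_DESC new_sd;
    model_create_sd(&new_sd, SECURITY_DESCRIPTOR_REVISION);
    new_sd.owner = 2000; new_sd.dacl = 77;
    NTSTATUS_T st = model_set_security(&h, info, &new_sd);
    if (object_after) *object_after = h.object_sd;
    return st;
}
static int demo_dacl_after(uint32_t granted_access, uint32_t info) {
    SEC_DESC after; demo_set(granted_access, info, &after); return after.dacl;
}
static NTSTATUS_T demo_create(uint32_t revision) { SEC_DESC sd; return model_create_sd(&sd, revision); }

int main(void) {
    printf("DACL via WRITE_DAC handle:   0x%08X (dacl now %d)\n",
           (unsigned)demo_set(WRITE_DAC, DACL_SECURITY_INFORMATION, NULL),
           demo_dacl_after(WRITE_DAC, DACL_SECURITY_INFORMATION));
    printf("owner via WRITE_DAC handle:  0x%08X\n",
           (unsigned)demo_set(WRITE_DAC, OWNER_SECURITY_INFORMATION, NULL));
    printf("DACL given but flag omitted: dacl still %d\n", demo_dacl_after(WRITE_DAC, 0));
    printf("create with revision 2:      0x%08X\n", (unsigned)demo_create(2));
    return 0;
}
```

The third case is the one worth remembering when reviewing code that calls NtSetSecurityObject: a descriptor that carries a DACL but is passed with SecurityInformation lacking DACL_SECURITY_INFORMATION changes nothing, and the call still reports STATUS_SUCCESS.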

Privilege Management

NtAdjustPrivilegesToken

NTSTATUS NtAdjustPrivilegesToken(
    HANDLE            TokenHandle,
    BOOLEAN           DisableAllPrivileges,
    PTOKEN_PRIVILEGES NewState,
    ULONG             BufferLength,
    PTOKEN_PRIVILEGES PreviousState,
    PULONG            ReturnLength
);

Enables or disables the privileges in the specified access token.

Parameters:

  • TokenHandle: Handle to the access token whose privileges are to be adjusted.
  • DisableAllPrivileges: If TRUE, all privileges are disabled.
  • NewState: Pointer to a TOKEN_PRIVILEGES structure specifying the new state of privileges.
  • BufferLength: Size, in bytes, of the PreviousState buffer.
  • PreviousState: Pointer to a buffer that receives the previous state of the privileges.
  • ReturnLength: Pointer to a variable that receives the size of the data written to PreviousState.

Return Value:

  • STATUS_SUCCESS if the privileges are adjusted successfully.
  • Otherwise, an appropriate NTSTATUS error code.
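As an added example (not part of this reference and not Windows code), the following portable C program models how NtAdjustPrivilegesToken reports its result. The token is a small array, LUIDs are plain integers, and the BufferLength/ReturnLength handling is left out; those are assumptions of the example, while the status values, the SE_PRIVILEGE_ENABLED attribute, the NT_SUCCESS test and the LUIDs of SeShutdownPrivilege and SeDebugPrivilege are the real SDK ones. The point it shows is that a privilege the token does not hold cannot be enabled, yet the call does not fail: it returns STATUS_NOT_ALL_ASSIGNED, which NT_SUCCESS treats as success, so a caller must test for that value explicitly.

```c
/* Portable model of NtAdjustPrivilegesToken's result reporting. Added example, not Windows
 * code: the token is a small array, LUIDs are plain integers, and BufferLength/ReturnLength
 * handling is omitted. Status, attribute and LUID values are the real SDK ones. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t NTSTATUS_T;
#define STATUS_SUCCESS          0x00000000u
#define STATUS_NOT_ALL_ASSIGNED 0x00000106u   /* informational severity: NT_SUCCESS() is true */
#define NT_SUCCESS(s) ((int32_t)(s) >= 0)

#define SE_PRIVILEGE_ENABLED  0x00000002u
#define SE_SHUTDOWN_PRIVILEGE 19u             /* LUID low part of SeShutdownPrivilege */
#define SE_DEBUG_PRIVILEGE    20u             /* LUID low part of SeDebugPrivilege */

typedef struct { uint32_t luid; uint32_t attributes; } LUID_AND_ATTRIBUTES_T;
#define MAX_PRIVS 8
typedef struct { int count; LUID_AND_ATTRIBUTES_T privs[MAX_PRIVS]; } TOKEN_PRIVILEGES_T;

/* Enables or disables privileges already present in the token. A privilege named in new_state
 * that the token does not hold is skipped, and the call reports STATUS_NOT_ALL_ASSIGNED. */
static NTSTATUS_T model_adjust_privileges(TOKEN_PRIVILEGES_T *token, bool disable_all,
                                          const TOKEN_PRIVILEGES_T *new_state,
                                          TOKEN_PRIVILEGES_T *previous_state) {
    if (previous_state) previous_state->count = 0;
    if (disable_all) {                              /* DisableAllPrivileges: NewState is ignored */
        for (int i = 0; i < token->count; i++) {
            if (previous_state) previous_state->privs[previous_state->count++] = token->privs[i];
            token->privs[i].attributes &= ~SE_PRIVILEGE_ENABLED;
        }
        return STATUS_SUCCESS;
    }
    bool all_assigned = true;
    for (int n = 0; n < new_state->count; n++) {
        bool found = false;
        for (int i = 0; i < token->count; i++) {
            if (token->privs[i].luid != new_state->privs[n].luid) continue;
            found = true;
            if (previous_state) previous_state->privs[previous_state->count++] = token->privs[i];
            token->privs[i].attributes = (token->privs[i].attributes & ~SE_PRIVILEGE_ENABLED)
                                       | (new_state->privs[n].attributes & SE_PRIVILEGE_ENABLED);
        }
        if (!found) all_assigned = false;
    }
    return all_assigned ? STATUS_SUCCESS : STATUS_NOT_ALL_ASSIGNED;
}

/* Constructed standard-user token: holds only SeShutdownPrivilege, currently disabled. */
static TOKEN_PRIVILEGES_T sample_token(void) {
    TOKEN_PRIVILEGES_T t = { 1, { { SE_SHUTDOWN_PRIVILEGE, 0 } } };
    return t;
}

/* Ask for one privilege on a fresh sample token; returns the raw status. */
static NTSTATUS_T demo_adjust(uint32_t luid, uint32_t *attributes_after) {
    TOKEN_PRIVILEGES_T tok = sample_token(), prev;
    TOKEN_PRIVILEGES_T want = { 1, { { luid, SE_PRIVILEGE_ENABLED } } };
    NTSTATUS_T st = model_adjust_privileges(&tok, false, &want, &prev);
    if (attributes_after) {                         /* 0 if the token never held the privilege */
        *attributes_after = 0;
        for (int i = 0; i < tok.count; i++)
            if (tok.privs[i].luid == luid) *attributes_after = tok.privs[i].attributes;
    }
    return st;
}
static uint32_t demo_attributes_after(uint32_t luid) {
    uint32_t a; demo_adjust(luid, &a); return a;
}

/* The check a caller must make: NT_SUCCESS() alone would report the debug case as a success. */
static bool enable_privilege_strict(uint32_t luid) {
    NTSTATUS_T st = demo_adjust(luid, NULL);
    return NT_SUCCESS(st) && st != STATUS_NOT_ALL_ASSIGNED;
}
static bool nt_success_accepts_not_all_assigned(void) { return NT_SUCCESS(STATUS_NOT_ALL_ASSIGNED); }

int main(void) {
    uint32_t attrs;
    NTSTATUS_T st = demo_adjust(SE_SHUTDOWN_PRIVILEGE, &attrs);
    printf("SeShutdownPrivilege: status 0x%08X attrs 0x%X strict=%d\n",
           (unsigned)st, (unsigned)attrs, enable_privilege_strict(SE_SHUTDOWN_PRIVILEGE));
    st = demo_adjust(SE_DEBUG_PRIVILEGE, &attrs);
    printf("SeDebugPrivilege:    status 0x%08X attrs 0x%X NT_SUCCESS=%d strict=%d\n",
           (unsigned)st, (unsigned)attrs, NT_SUCCESS(st), enable_privilege_strict(SE_DEBUG_PRIVILEGE));
    return 0;
}
```

When auditing code that enables privileges, look for the explicit comparison against STATUS_NOT_ALL_ASSIGNED after the call; a bare NT_SUCCESS test lets a process continue as if it held a privilege it was never granted, and the failure then surfaces later as an unexplained STATUS_ACCESS_DENIED or STATUS_PRIVILEGE_NOT_HELD.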