Home > Windows > Win32 API > Security Base API > SetSecurityInfo

SetSecurityInfo Function

The SetSecurityInfo function modifies the security descriptor of a specified security object.

Header: Securitybaseapi.h

Library: Advapi32.lib

DLL: Advapi32.dll

Syntax

BOOL SetSecurityInfo(
  [in]           SE_OBJECT_TYPE ObjectType,
  [in]           LPCWSTR        pObjectName,
  [in]           SECURITY_INFORMATION SecurityInfo,
  [in, optional] PSID           psidOwner,
  [in, optional] PSID           psidGroup,
  [in, optional] PACL           psidDacl,
  [in, optional] PACL           psidSacl
);

Parameters

Parameter	Description
`ObjectType`	A value from the SE_OBJECT_TYPE enumeration that indicates the type of object pointed to by the `pObjectName` parameter. This can be one of the following values: `SE_FILE_OBJECT`, `SE_REGISTRY_KEY`, `SE_SERVICE`, etc.
`pObjectName`	A pointer to a null-terminated string that identifies the security object. This is a string representation of the object's name.
`SecurityInfo`	A bitmask of SECURITY_INFORMATION flags that indicate which parts of the security descriptor to set. This parameter can be a combination of the following values: `OWNER_SECURITY_INFORMATION`, `GROUP_SECURITY_INFORMATION`, `DACL_SECURITY_INFORMATION`, `SACL_SECURITY_INFORMATION`.
`psidOwner`	A pointer to a security identifier (SID) that identifies the new owner of the object. If `psidOwner` is `NULL`, the owner is not modified.
`psidGroup`	A pointer to a SID that identifies the primary group of the object. If `psidGroup` is `NULL`, the primary group is not modified.
`psidDacl`	A pointer to a Discretionary Access Control List (DACL). If `psidDacl` is `NULL`, the DACL is not modified.
`psidSacl`	A pointer to a System Access Control List (SACL). If `psidSacl` is `NULL`, the SACL is not modified.

Return Value

If the function succeeds, the return value is TRUE.

If the function fails, the return value is FALSE. To get extended error information, call GetLastError.

Remarks

The SetSecurityInfo function allows fine-grained control over the security settings of various Windows objects. When specifying a security information part, the corresponding parameter must not be NULL. For example, if SECURITY_INFORMATION includes OWNER_SECURITY_INFORMATION, then psidOwner must point to a valid SID.

If you are setting the DACL (Discretionary Access Control List) to NULL, it means that no access is allowed to any user or group. If you want to grant full control to everyone, you need to construct an appropriate DACL.

For more advanced security operations and to handle complex access control scenarios, consider using the SetEntriesInAcl function to modify ACEs (Access Control Entries) within a DACL.

Example

This example demonstrates how to change the owner of a file.


#include <windows.h>
#include <aclapi.h>
#include <sddl.h>

int main() {
    LPCWSTR pszObjectName = L"C:\\Temp\\MyFile.txt";
    SE_OBJECT_TYPE ObjectType = SE_FILE_OBJECT;
    SECURITY_INFORMATION SecurityInfo = OWNER_SECURITY_INFORMATION;

    // Get the SID for the user "BUILTIN\\Administrators"
    PSID psidOwner = NULL;
    if (ConvertStringSidToSid(L"S-1-5-32-544", &psidOwner)) {
        if (SetSecurityInfo(
            ObjectType,
            pszObjectName,
            SecurityInfo,
            psidOwner,  // New owner SID
            NULL,       // Group (not changing)
            NULL,       // DACL (not changing)
            NULL        // SACL (not changing)
        )) {
            // Successfully set owner
            wprintf(L"Successfully changed owner of %s.\n", pszObjectName);
        } else {
            // Handle error
            DWORD dwError = GetLastError();
            wprintf(L"Failed to set security info. Error code: %lu\n", dwError);
        }
        LocalFree(psidOwner); // Free the allocated SID
    } else {
        // Handle SID conversion error
        DWORD dwError = GetLastError();
        wprintf(L"Failed to convert SID string. Error code: %lu\n", dwError);
    }

    return 0;
}

Microsoft Docs