1.11 Access to Driver-Managed Objects

IoCreateSymbolicLink 
Sets up a symbolic link object, aliasing a named device object to a user-visible name for the same device.
IoCreateUnprotectedSymbolicLink
Sets up a symbolic link object, aliasing a named device object to a user-visible name for the same device and allowing user-mode callers to affect the mode of the device (for example, parallel and serial drivers call this routine so users can redirect output).
IoGetFileObjectGenericMapping
Returns information about the mapping between generic access rights and specific access rights for file objects.
IoSetShareAccess 
Sets the access allowed to a given file object representing a device. (Only highest-level drivers can call this routine.)
IoCheckShareAccess 
Checks whether a request to open a file object specifies a desired access that is compatible with the current shared access permissions for the open file object. (Only highest-level drivers can call this routine.)
IoUpdateShareAccess 
Modifies the current share-access permissions on the given file object. (Only highest-level drivers can call this routine.)
IoRemoveShareAccess 
Restores the shared-access permissions on the given file object that were modified by a preceding call to IoUpdateShareAccess.
RtlLengthSecurityDescriptor 
Returns the size in bytes of a given security descriptor.
RtlValidSecurityDescriptor 
Returns whether a given security descriptor is valid.
RtlCreateSecurityDescriptor 
Initializes a new security descriptor to an absolute format with default values (in effect, with no security constraints).
RtlSetDaclSecurityDescriptor 
Sets the discretionary ACL information for a given security descriptor in absolute format.
SeAssignSecurity 
Builds a security descriptor for a new object, given the security descriptor of its parent directory (if any) and an originally requested security for the object.
SeDeassignSecurity 
Deallocates the memory associated with a security descriptor that was created with SeAssignSecurity.
SeAccessCheck 
Returns a Boolean indicating whether the requested access rights can be granted to an object protected by a security descriptor and, possibly, a current owner.
SeSinglePrivilegeCheck 
Returns a Boolean indicating whether the current thread has at least the given privilege level.