SeAccessCheck

BOOLEAN
    SeAccessCheck(
        IN PSECURITY_DESCRIPTOR  SecurityDescriptor,
        IN PSECURITY_SUBJECT_CONTEXT  SubjectSecurityContext,
        IN BOOLEAN  SubjectContextLocked,
        IN ACCESS_MASK  DesiredAccess,
        IN ACCESS_MASK  PreviouslyGrantedAccess,
        OUT PPRIVILEGE_SET  *Privileges,                /* optional */
        IN PGENERIC_MAPPING  GenericMapping,
        IN KPROCESSOR_MODE  AccessMode,
        OUT PACCESS_MASK  GrantedAccess,
        OUT PNTSTATUS  AccessStatus
        );

SeAccessCheck determines whether the requested access rights can be granted to an object protected by a security descriptor and an object owner.

Parameters

SecurityDescriptor

Points to the security descriptor protecting the object being accessed.

SubjectSecurityContext,

Points to the subject’s captured security context.

SubjectContextLocked

Indicates whether the user’s subject context is locked, so that it does not have to be locked again.

DesiredAccess

Specifies the access mask for rights that the caller is attempting to acquire.

PreviouslyGrantedAccess

Specifies the access rights already granted, for example, as a result of holding a privilege.

Privileges

Points to a set of buffered privileges used as part of the access validation. The buffer must be released by the caller with ExFreePool when the caller has consumed this information.

GenericMapping

Points to the generic mapping associated with this object type.

AccessMode

Specifies the access mode to be used in the check, one of UserMode or KernelMode.

GrantedAccess

Points to a returned access mask indicating the granted access.

AccessStatus

Points to the status value indicating why access was denied.

Return Value

If access is allowed, SeAccessCheck returns TRUE.

Comments

Network transport drivers call this routine.

SeAccessCheck might perform privilege tests for SeTakeOwnershipPrivilege and/or SeSecurityPrivilege, depending on the accesses being requested. It might perform additional privilege testing in future releases of Windows NT.

This routine also might check whether the subject is the owner of the object in order to grant WRITE_DAC access.

If this routine returns FALSE, the caller should use the returned AccessStatus as its return value. That is, the caller should avoid hardcoding a return value of STATUS_ACCESS_DENIED or any other specific STATUS_XXX value.

Callers of this routine must be running at IRQL PASSIVE_LEVEL.

See Also

ExFreePool, IoGetFileObjectGenericMapping