Platform SDK: Access Control

QueryServiceObjectSecurity

The QueryServiceObjectSecurity function retrieves a copy of the security descriptor associated with a service object.

Windows NT 4.0 and later: You can use the GetNamedSecurityInfo function.

BOOL QueryServiceObjectSecurity(
  SC_HANDLE hService,                         // handle to service
  SECURITY_INFORMATION dwSecurityInformation, // request
  PSECURITY_DESCRIPTOR lpSecurityDescriptor,  // SD
  DWORD cbBufSize,                            // size of SD 
  LPDWORD pcbBytesNeeded                      // bytes needed
);

Parameters

hService
[in] Handle to the service. This handle is returned by the OpenService or CreateService function, and it must have READ_CONTROL access.
dwSecurityInformation
[in] Specifies the security information being requested. This parameter can be a combination of the following values.
DACL_SECURITY_INFORMATION
  Requests the object's discretionary access control list (ACL).
GROUP_SECURITY_INFORMATION
  Requests the object's primary group SID.
OWNER_SECURITY_INFORMATION
  Requests the object's owner security identifier (SID).
SACL_SECURITY_INFORMATION
  Requests the object's system ACL. The calling process must have the SE_SECURITY_NAME privilege. The proper way to obtain this access is to enable the SE_SECURITY_NAME privilege in the caller's current access token, open the handle for ACCESS_SYSTEM_SECURITY access, and then disable the privilege.

lpSecurityDescriptor
[out] Pointer to a buffer that receives a copy of the security descriptor of the specified service object. The calling process must have the appropriate access to view the specified aspects of the object's security descriptor. The SECURITY_DESCRIPTOR structure is returned in self-relative format.
cbBufSize
[in] Specifies the size, in bytes, of the buffer pointed to by the lpSecurityDescriptor parameter.
pcbBytesNeeded
[out] Pointer to a variable that receives the number of bytes needed to return all the requested security descriptor information. This value is set when the function fails because the buffer is too small (ERROR_INSUFFICIENT_BUFFER).

Return Values

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.

Errors

The following error codes may be set by the service control manager. Other error codes may be set by the registry functions that are called by the service control manager.

ERROR_ACCESS_DENIED
  The specified handle was not opened with READ_CONTROL access, or the calling process is not the owner of the object.
ERROR_INVALID_HANDLE
  The specified handle is invalid.
ERROR_INSUFFICIENT_BUFFER
  There is more security descriptor information than would fit into the lpSecurityDescriptor buffer. The number of bytes required to get all the information is returned in the pcbBytesNeeded parameter. Nothing is written to the lpSecurityDescriptor buffer.
ERROR_INVALID_PARAMETER
  The specified security information is invalid.

Remarks

When a service is created, the service control manager assigns a default security descriptor to the service object. To retrieve a copy of the security descriptor for a service object, call the QueryServiceObjectSecurity function. To change the security descriptor, call the SetServiceObjectSecurity function. For a description of the default security descriptor for a service object, see Service Security.

To read the owner, group, or DACL from the service object's security descriptor, the calling process must have been granted READ_CONTROL access when the handle was opened. To get READ_CONTROL access, the caller must be the owner of the object or the object's DACL must grant the access.

To read the SACL from the security descriptor, the calling process must have been granted ACCESS_SYSTEM_SECURITY access when the handle was opened. The proper way to get this access is to enable the SE_SECURITY_NAME privilege in the caller's current token, open the handle for ACCESS_SYSTEM_SECURITY access, and then disable the privilege.

Requirements

  Windows NT/2000: Requires Windows NT 3.1 or later.
  Header: Declared in Winsvc.h; include Windows.h.
  Library: Use Advapi32.lib.

See Also

Low-Level Access-Control Overview, Low-Level Access Control Functions, CreateService, OpenService, SECURITY_DESCRIPTOR, SetServiceObjectSecurity