Platform SDK: Access Control

GetFileSecurity

The GetFileSecurity function obtains specified information about the security of a file or directory. The information obtained is constrained by the caller's access rights and privileges.

Windows NT 4.0 and later: You can use the GetNamedSecurityInfo function.

BOOL GetFileSecurity(
  LPCTSTR lpFileName,                        // file name
  SECURITY_INFORMATION RequestedInformation, // request
  PSECURITY_DESCRIPTOR pSecurityDescriptor,  // SD
  DWORD nLength,                             // size of SD
  LPDWORD lpnLengthNeeded                    // required buffer size
);

Parameters

lpFileName
[in] Pointer to a null-terminated string specifying the file or directory for which security information is retrieved.
RequestedInformation
[in] Specifies a SECURITY_INFORMATION value that identifies the security information being requested.
pSecurityDescriptor
[out] Pointer to a buffer that receives a copy of the security descriptor of the object specified by the lpFileName parameter. The calling process must have the right to view the specified aspects of the object's security status. The SECURITY_DESCRIPTOR structure is returned in self-relative format.
nLength
[in] Specifies the size, in bytes, of the buffer pointed to by the pSecurityDescriptor parameter.
lpnLengthNeeded
[out] Pointer to a variable the function sets to zero if the security descriptor is copied successfully. If the buffer is too small for the security descriptor, this variable receives the number of bytes required. If this variable's value is greater than that of the nLength parameter when the function returns, none of the security descriptor is copied to the buffer.

Return Values

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.

Remarks

To read the owner, group, or DACL from the security descriptor for the specified file or directory, the DACL for the file or directory must grant READ_CONTROL access to the caller, or the caller must be the owner of the file or directory.

To read the system access-control list (SACL) of a file or directory, the SE_SECURITY_NAME privilege must be enabled for the calling process.

Requirements

  Windows NT/2000: Requires Windows NT 3.1 or later.
  Header: Declared in Winbase.h; include Windows.h.
  Library: Use Advapi32.lib.
  Unicode: Implemented as Unicode and ANSI versions on Windows NT/2000.

See Also

Low-Level Access-Control Overview, Low-Level Access Control Functions, GetKernelObjectSecurity, GetPrivateObjectSecurity, GetUserObjectSecurity, SECURITY_DESCRIPTOR, SECURITY_INFORMATION, SetFileSecurity