BOOLEAN
SeAccessCheck(
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
IN BOOLEAN SubjectContextLocked,
IN ACCESS_MASK DesiredAccess,
IN ACCESS_MASK PreviouslyGrantedAccess,
OUT PPRIVILEGE_SET *Privileges,/* optional */
IN PGENERIC_MAPPING GenericMapping,
IN KPROCESSOR_MODE AccessMode,
OUT PACCESS_MASK GrantedAccess,
OUT PNTSTATUS AccessStatus
);
SeAccessCheck determines whether the requested access rights can be granted to an object protected by a security descriptor and an object owner.
Parameters
SecurityDescriptor
Points to the security descriptor protecting the object being accessed.
SubjectSecurityContext,
Points to the subject's captured security context.
SubjectContextLocked
Indicates whether the user's subject context is locked, so that it does not have to be locked again.
DesiredAccess
Specifies the access mask for rights that the caller is attempting to acquire.
PreviouslyGrantedAccess
Specifies the access rights already granted, for example, as a result of holding a privilege.
Privileges
Points to a set of buffered privileges used as part of the access validation. The buffer must be released by the caller with ExFreePool when the caller has consumed this information.
GenericMapping
Points to the generic mapping associated with this object type.
AccessMode
Specifies the access mode to be used in the check, one of UserMode or KernelMode.
GrantedAccess
Points to a returned access mask indicating the granted access.
AccessStatus
Points to the status value indicating why access was denied.
Return Value
If access is allowed, SeAccessCheck returns TRUE.
Comments
Network transport drivers call this routine.
SeAccessCheck might perform privilege tests for SeTakeOwnershipPrivilege and/or SeSecurityPrivilege, depending on the accesses being requested. It might perform additional privilege testing in future releases of Windows NT.
This routine also might check whether the subject is the owner of the object in order to grant WRITE_DAC access.
If this routine returns FALSE, the caller should use the returned AccessStatus as its return value. That is, the caller should avoid hardcoding a return value of STATUS_ACCESS_DENIED or any other specific STATUS_XXX value.
Callers of this routine must be running at IRQL PASSIVE_LEVEL.
See Also