[This is a preview of an interface that may appear in future releases of Windows.]
The GetSecurityInfoEx function retrieves a copy of the specified security information for an object identified by a handle.
GetSecurityInfoEx differs from the GetSecurityInfo function in that it allows you to retrieve access-control information for the properties on an object, as well as for the object itself. In addition, GetSecurityInfoEx uses provider-independent access flags, but GetSecurityInfo uses Windows NT-specific access flags.
DWORD GetSecurityInfoEx(
HANDLE hObject, |
// handle to the object |
SE_OBJECT_TYPE ObjectType, |
// type of object |
SECURITY_INFORMATION SecurityInfo, |
// type of security information to retrieve |
LPCTSTR lpProvider, |
// name of provider to handle request |
LPCTSTR lpProperty, |
// GUID string of a property on the object |
PACTRL_ACCESS *ppAccessList, |
// receives a pointer to access-control info |
PACTRL_AUDIT *ppAuditList, |
// receives a pointer to audit-control info |
LPTSTR *lppOwner, |
// receives the name of the object’s owner |
LPTSTR *lppGroup |
// receives the name of the object’s primary group |
); |
Value |
Meaning |
OWNER_SECURITY_INFORMATION |
If this flag is set, the lppOwner pointer receives a pointer to a null-terminated string that names the object’s owner. |
GROUP_SECURITY_INFORMATION |
If this flag is set, the lppGroup pointer receives a pointer to a null-terminated string that names the object’s primary group. |
DACL_SECURITY_INFORMATION |
If this flag is set, the ppAccessList pointer receives a pointer to a structure that describes discretionary access-control list (DACL) information for the object or for the property identified by the lpProperty parameter. |
SACL_SECURITY_INFORMATION |
If this flag is set, the ppAuditList pointer receives a pointer to a structure that describes system access-control list (SACL) information for the object or for the property identified by the lpProperty parameter. |
If ObjectType specifies SE_DS_OBJECT_ALL, lpProperty is ignored and the function retrieves access-control information for the object and all its properties.
The SE_DS_OBJECT object type supports setting and retrieving access-control information for the properties on an object. For other object types that do not support access-control for object properties, lpProperty must be NULL. ppAccessList
Pointer to a variable that receives a pointer to an ACTRL_ACCESS structure. The structure describes discretionary access-control information for the object or for the property identified by the lpProperty parameter. The returned pointer is valid only if you set the DACL_SECURITY_INFORMATION flag. Call the LocalFree function to free the returned buffer. This parameter can be NULL if you do not need the DACL information.
If the ObjectType parameter specifies SE_DS_OBJECT_ALL, the pPropertyAccessList
member of the ACTRL_ACCESS structure points to an array of ACTRL_PROPERTY_ENTRY
structures. Each structure contains access-control information for the object
or for a property on the object. Otherwise, pPropertyAccessList points
to a single ACTRL_PROPERTY_ENTRY structure for the object or the
specified property.
If the ObjectType parameter specifies SE_DS_OBJECT_ALL, the pPropertyAccessList
member of the ACTRL_AUDIT structure points to an array of ACTRL_PROPERTY_ENTRY
structures. Each structure contains audit-control information for the object
or for a property on the object. Otherwise, pPropertyAccessList points
to a single ACTRL_PROPERTY_ENTRY structure for the object or the
specified property.
If the function succeeds, the return value is ERROR_SUCCESS.
If the function fails, the return value can be one of the following error codes.
Value |
Meaning |
ERROR_NOT_ENOUGH_MEMORY |
A memory allocation failed |
ERROR_INVALID_PARAMETER |
An invalid parameter was specified. |
ERROR_BAD_PROVIDER |
The lpProvider parameter specified an invalid provider name. |
To read the owner, group, or DACL from the object’s security descriptor, the calling process must have been granted READ_CONTROL access when the handle was opened. To get READ_CONTROL access, the caller must be the owner of the object or the object's DACL must grant the access.
To read the SACL from the security descriptor, the calling process must have been granted ACCESS_SYSTEM_SECURITY access when the handle was opened. The proper way to get this access is to enable the SE_SECURITY_NAME privilege in the caller's current token, open the handle for ACCESS_SYSTEM_SECURITY access, and then disable the privilege.
Call the LocalFreefunction to free any pointers returned by the ppAccessList, ppAccessList, lppOwner, or lppOwner parameters.
Currently, the import library for the GetSecurityInfoEx function is ACCSRC.LIB. This is temporary. Eventually, the import library will be ADVAPI32.LIB. Meanwhile, any source code that links with the ACCSRC.LIB library must call the AccProvInit macro as follows:
DWORD dwErrcode; AccProvInit(dwErrcode); if(dwErrcode != ERROR_SUCCESS) { // Consider this an error... }
ACTRL_ACCESS, ACTRL_AUDIT, ACTRL_PROPERTY_ENTRY, GetNamedSecurityInfoEx, LocalFree, SE_OBJECT_TYPE, SECURITY_INFORMATION, SetNamedSecurityInfoEx, SetSecurityInfoEx