Local Service application can't use GetNamedSecurityInfo when Win10 OS upgraded to Version 20H2

Question

I wrote a service program running as a local service account.
This service used to use GetNamedSecurityInfo to obtain folder related access rights and it works fine. Recently, I upgraded to 20h2 version of win10 and found that there were some different return values in this interface.

I use the sample code https://learn.microsoft.com/en-us/windows/win32/api/aclapi/nf-aclapi-geteffectiverightsfromacla
to get folder C:\Users\Admin\Documents\NewFolder Local Service access permission.
NewFolder has no local service permission.
The previous version was win10 2004, I never get error from GetNamedSecurityInfo, and AuthzAccessCheck can get accessMask without error.

After win10 upgrade to 20H2, I get errorcode = 5 when call GetNamedSecurityInfo,

Any comments or something I don't know?

Answer 1

I tested the sample, and GetNamedSecurityInfo can get folder C:\Users\Admin\Documents\NewFolder Local Service access permission. This may be related to the permissions in your system. Refer to: GetNamedSecurityInfo returns ERROR_ACCESS_DENIED(5) when writting owner of a remote Windows shared folder

Answer 2

Thanks, I found that this is my machine configuration problem. If I don't have partial permissions under the users folder, calling GetNamedSecurityInfo will return 5,