SeCreateClientSecurityFromSubjectContext function (ntifs.h)

The SeCreateClientSecurityFromSubjectContext routine retrieves the access token for a security subject context and uses the result to initialize a security client context with the information needed to call SeImpersonateClientEx.

Syntax

NTSTATUS SeCreateClientSecurityFromSubjectContext(
  [in]  PSECURITY_SUBJECT_CONTEXT    SubjectContext,
  [in]  PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos,
  [in]  BOOLEAN                      ServerIsRemote,
  [out] PSECURITY_CLIENT_CONTEXT     ClientContext
);

Parameters

[in] SubjectContext

Pointer to the security subject context of the client to be impersonated.

[in] ClientSecurityQos

Pointer to a caller-allocated SECURITY_QUALITY_OF_SERVICE structure indicating what form of impersonation is to be performed.

[in] ServerIsRemote

Set to TRUE if the server of the client's request is remote.

[out] ClientContext

Pointer to a caller-allocated SECURITY_CLIENT_CONTEXT structure to be initialized.

Return value

SeCreateClientSecurityFromSubjectContext returns STATUS_SUCCESS when it successfully initializes the security client context.

It returns STATUS_BAD_IMPERSONATION_LEVEL when the client to be impersonated is currently impersonating a client of its own, and one of the following is true:

  • The client's effective token cannot be passed on for use by another server, because its impersonation level is SecurityAnonymous or SecurityIdentification.

  • ServerIsRemote is TRUE, and the client thread is impersonating its client at other than SecurityDelegation level.

Remarks

SeCreateClientSecurityFromSubjectContext initializes a client security context block to represent a client's security context.

If the ContextTrackingMode member of ClientSecurityQos is set to SECURITY_DYNAMIC_TRACKING and ServerIsRemote is set to FALSE, SeCreateClientSecurityFromSubjectContext uses a reference to the client's effective token. Otherwise, SeCreateClientSecurityFromSubjectContext creates a copy of the client's token.

Each call to SeCreateClientSecurityFromSubjectContext must be matched by a subsequent call to SeDeleteClientSecurity.

For more information about security and access control, see Windows security model for driver developers and the documentation on these topics in the Windows SDK.
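The outcomes described under Return value and Remarks can be worked through as a small user-mode model. This is an added example, not code from the original page or from Windows; every type and function name in it is hypothetical, and it only encodes the rules as this page states them.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-mode model of the documented rules. All names here are
   hypothetical; this is not kernel code and does not call the real routine. */
typedef enum { LVL_ANONYMOUS, LVL_IDENTIFICATION, LVL_IMPERSONATION, LVL_DELEGATION } imp_level;
typedef enum { TRACK_STATIC, TRACK_DYNAMIC } tracking_mode;
typedef enum { BAD_IMPERSONATION_LEVEL, TOKEN_REFERENCED, TOKEN_COPIED } outcome;

typedef struct {
    bool      impersonating; /* client thread is itself impersonating a client */
    imp_level level;         /* level of that impersonation; unused otherwise */
} subject_model;

outcome model_create_client_security(const subject_model *subject,
                                     tracking_mode tracking, bool server_is_remote)
{
    if (subject->impersonating) {
        /* Anonymous/identification tokens cannot be passed on to another server. */
        if (subject->level == LVL_ANONYMOUS || subject->level == LVL_IDENTIFICATION)
            return BAD_IMPERSONATION_LEVEL;
        /* A remote server requires the client to impersonate at delegation level. */
        if (server_is_remote && subject->level != LVL_DELEGATION)
            return BAD_IMPERSONATION_LEVEL;
    }
    /* Dynamic tracking with a local server: reference to the effective token. */
    if (tracking == TRACK_DYNAMIC && !server_is_remote)
        return TOKEN_REFERENCED;
    /* Every other successful case: the context holds its own copy of the token. */
    return TOKEN_COPIED;
}

int main(void)
{
    static const char *names[] = { "STATUS_BAD_IMPERSONATION_LEVEL",
                                   "success, token referenced", "success, token copied" };
    subject_model relay = { true, LVL_IMPERSONATION }; /* constructed sample subject */
    printf("local, dynamic:  %s\n", names[model_create_client_security(&relay, TRACK_DYNAMIC, false)]);
    printf("local, static:   %s\n", names[model_create_client_security(&relay, TRACK_STATIC, false)]);
    printf("remote, dynamic: %s\n", names[model_create_client_security(&relay, TRACK_DYNAMIC, true)]);
    return 0;
}
```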

Requirements

| Requirement | Value |
| --- | --- |
| Minimum supported client | Windows 2000 |
| Target Platform | Universal |
| Header | ntifs.h (include Ntifs.h) |
| Library | NtosKrnl.lib |
| DLL | NtosKrnl.exe |
| IRQL | PASSIVE_LEVEL |

See also

[SECURITY_SUBJECT_CONTEXT](/windows-hardware/drivers/kernel/eprocess##security_subject_context)

[SeDeleteClientSecurity](nf-ntifs-sedeleteclientsecurity.md)

[SeImpersonateClientEx](nf-ntifs-seimpersonateclientex.md)