SeValidSecurityDescriptor function (wdm.h)

Article
02/22/2024

The SeValidSecurityDescriptor routine returns whether a given security descriptor is structurally valid.

Syntax

BOOLEAN SeValidSecurityDescriptor(
  [in] ULONG                Length,
  [in] PSECURITY_DESCRIPTOR SecurityDescriptor
);

Parameters

[in] Length

Specifies the size in bytes of the given security descriptor.

[in] SecurityDescriptor

Pointer to the self-relative SECURITY_DESCRIPTOR, which must be buffered somewhere in system space.

Return value

SeValidSecurityDescriptor returns TRUE if the buffered security descriptor is structurally valid.

Remarks

SeValidSecurityDescriptor does not enforce policy. It simply checks that the given security descriptor data is formatted correctly. In particular, it checks the revision information, self relativity, owner, alignment, and, if available, SID, group, DACL, ACL, and/or SACL do not overflow the given Length. Consequently, callers of SeValidSecurityDescriptor cannot assume that a returned TRUE implies that the given security descriptor necessarily has valid contents.

If SeValidSecurityDescriptor returns TRUE, the given security descriptor can be passed on to another kernel-mode component because it is structurally valid. Otherwise, passing a structurally invalid security descriptor to be manipulated by another kernel-mode component can cause undefined results or even a system bug check.

To validate a security descriptor that was passed in from user mode, call RtlValidSecurityDescriptor rather than SeValidSecurityDescriptor.

Requirements

Requirement	Value
Minimum supported client	Available in Windows 2000 and later versions of Windows.
Target Platform	Universal
Header	wdm.h (include Wdm.h, Ntddk.h, Ntifs.h)
Library	NtosKrnl.lib
DLL	NtosKrnl.exe
IRQL	PASSIVE_LEVEL
DDI compliance rules	HwStorPortProhibitedDDIs(storport), PowerIrpDDis(wdm)