AmsiScanBuffer function (amsi.h)

Scans a buffer-full of content for malware.


HRESULT AmsiScanBuffer(
  [in]           HAMSICONTEXT amsiContext,
  [in]           PVOID        buffer,
  [in]           ULONG        length,
  [in]           LPCWSTR      contentName,
  [in, optional] HAMSISESSION amsiSession,
  [out]          AMSI_RESULT  *result
);


[in] amsiContext

The handle of type HAMSICONTEXT that was initially received from AmsiInitialize.

[in] buffer

The buffer from which to read the data to be scanned.

[in] length

The length, in bytes, of the data to be read from buffer.

[in] contentName

The filename, URL, unique script ID, or similar of the content being scanned.

[in, optional] amsiSession

If multiple scan requests are to be correlated within a session, set amsiSession to the handle of type HAMSISESSION that was initially received from AmsiOpenSession. Otherwise, set amsiSession to nullptr.

[out] result

The result of the scan. See AMSI_RESULT.

An app should use AmsiResultIsMalware to determine whether the content should be blocked.

Return value

If this function succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code.
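
An added example (not from the original page) of the call sequence these parameters imply: initialise with AmsiInitialize, scan a UTF-16 buffer with its length given in bytes, and consult AmsiResultIsMalware only when the HRESULT indicates success. The app name `ExampleHost`, the content name `sample.ps1`, the `verdict_t` type and both helper functions are assumptions made for illustration; the non-Windows stand-in definitions exist only so the decision logic compiles elsewhere.

```c
#include <stdio.h>
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#include <amsi.h>               /* link with Amsi.lib and Ole32.lib */
#else
/* Stand-ins so the decision logic also builds off Windows (values as in amsi.h). */
typedef int HRESULT;
typedef enum { AMSI_RESULT_CLEAN = 0, AMSI_RESULT_NOT_DETECTED = 1,
               AMSI_RESULT_DETECTED = 32768 } AMSI_RESULT;
#define SUCCEEDED(hr) ((hr) >= 0)
#define AmsiResultIsMalware(r) ((r) >= AMSI_RESULT_DETECTED)
#endif

/* Hypothetical verdict type: the caller decides what a failed scan means. */
typedef enum { VERDICT_ALLOW, VERDICT_BLOCK, VERDICT_SCAN_FAILED } verdict_t;

/* The result value is only meaningful when the HRESULT indicates success. */
verdict_t verdict_from(HRESULT hr, AMSI_RESULT result) {
    if (!SUCCEEDED(hr)) return VERDICT_SCAN_FAILED;
    return AmsiResultIsMalware(result) ? VERDICT_BLOCK : VERDICT_ALLOW;
}

#ifdef _WIN32
/* Scan one UTF-16 script; "ExampleHost" is a constructed app name. */
verdict_t scan_script(const wchar_t *script, const wchar_t *contentName) {
    HAMSICONTEXT ctx = NULL;
    HAMSISESSION session = NULL;
    AMSI_RESULT result = AMSI_RESULT_CLEAN;
    HRESULT co = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    HRESULT hr = AmsiInitialize(L"ExampleHost", &ctx);
    if (SUCCEEDED(hr)) {
        if (FAILED(AmsiOpenSession(ctx, &session))) session = NULL; /* optional */
        hr = AmsiScanBuffer(ctx, (PVOID)script,
                            (ULONG)(wcslen(script) * sizeof(wchar_t)), /* bytes */
                            contentName, session, &result);
        if (session) AmsiCloseSession(ctx, session);
        AmsiUninitialize(ctx);
    }
    if (SUCCEEDED(co)) CoUninitialize();
    return verdict_from(hr, result);
}
#endif

int main(void) {
#ifdef _WIN32
    printf("verdict=%d\n", scan_script(L"Write-Output 'hello'", L"sample.ps1"));
#else
    printf("verdict=%d\n", verdict_from(0, AMSI_RESULT_NOT_DETECTED));
#endif
    return 0;
}
```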


Minimum supported client: Windows 10 [desktop apps only]
Minimum supported server: Windows Server 2016 [desktop apps only]
Target Platform: Windows
Header: amsi.h
Library: Amsi.lib
DLL: Amsi.dll
