securitybaseapi.h header

This header is used by multiple technologies. For more information, see:

securitybaseapi.h contains the following programming interfaces:

Functions
AccessCheck

Determines whether a security descriptor grants a specified set of access rights to the client identified by an access token. (AccessCheck)
AccessCheckAndAuditAlarmW

Determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread.
AccessCheckByType

Determines whether a security descriptor grants a specified set of access rights to the client identified by an access token. (AccessCheckByType)
AccessCheckByTypeAndAuditAlarmW

Determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread. (AccessCheckByTypeAndAuditAlarmW)
AccessCheckByTypeResultList

Determines whether a security descriptor grants a specified set of access rights to the client identified by an access token. (AccessCheckByTypeResultList)
AccessCheckByTypeResultListAndAuditAlarmByHandleW

The AccessCheckByTypeResultListAndAuditAlarmByHandleW (Unicode) function (securitybaseapi.h) determines whether a security descriptor grants access rights to the client that the calling thread is impersonating.
AccessCheckByTypeResultListAndAuditAlarmW

Determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread. (AccessCheckByTypeResultListAndAuditAlarmW)
AddAccessAllowedAce

Adds an access-allowed access control entry (ACE) to an access control list (ACL). The access is granted to a specified security identifier (SID).
AddAccessAllowedAceEx

Adds an access-allowed access control entry (ACE) to the end of a discretionary access control list (DACL). (AddAccessAllowedAceEx)
AddAccessAllowedObjectAce

Adds an access-allowed access control entry (ACE) to the end of a discretionary access control list (DACL). (AddAccessAllowedObjectAce)
AddAccessDeniedAce

Adds an access-denied access control entry (ACE) to an access control list (ACL). The access is denied to a specified security identifier (SID).
AddAccessDeniedAceEx

Adds an access-denied access control entry (ACE) to the end of a discretionary access control list (DACL).
AddAccessDeniedObjectAce

Adds an access-denied access control entry (ACE) to the end of a discretionary access control list (DACL). The new ACE can deny access to an object, or to a property set or property on an object.
AddAce

Adds one or more access control entries (ACEs) to a specified access control list (ACL).
AddAuditAccessAce

Adds a system-audit access control entry (ACE) to a system access control list (ACL). The access of a specified security identifier (SID) is audited.
AddAuditAccessAceEx

Adds a system-audit access control entry (ACE) to the end of a system access control list (SACL). (AddAuditAccessAceEx)
AddAuditAccessObjectAce

Adds a system-audit access control entry (ACE) to the end of a system access control list (SACL). (AddAuditAccessObjectAce)
AddMandatoryAce

Adds a SYSTEM_MANDATORY_LABEL_ACE access control entry (ACE) to the specified system access control list (SACL).
AddResourceAttributeAce

Adds a SYSTEM_RESOURCE_ATTRIBUTE_ACE access control entry (ACE) to the end of a system access control list (SACL).
AddScopedPolicyIDAce

Adds a SYSTEM_SCOPED_POLICY_ID_ACE access control entry (ACE) to the end of a system access control list (SACL).
AdjustTokenGroups

Enables or disables groups already present in the specified access token. Access to TOKEN_ADJUST_GROUPS is required to enable or disable groups in an access token.
AdjustTokenPrivileges

Enables or disables privileges in the specified access token. Enabling or disabling privileges in an access token requires TOKEN_ADJUST_PRIVILEGES access.
AllocateAndInitializeSid

Allocates and initializes a security identifier (SID) with up to eight subauthorities.
AllocateLocallyUniqueId

Allocates a locally unique identifier (LUID).
AreAllAccessesGranted

Checks whether a set of requested access rights has been granted. The access rights are represented as bit flags in an access mask.
AreAnyAccessesGranted

Tests whether any of a set of requested access rights has been granted. The access rights are represented as bit flags in an access mask.
CheckTokenCapability

Checks the capabilities of a given token.
CheckTokenMembership

Determines whether a specified security identifier (SID) is enabled in an access token.
CheckTokenMembershipEx

Determines whether the specified SID is enabled in the specified token.
ConvertToAutoInheritPrivateObjectSecurity

Converts a security descriptor and its access control lists (ACLs) to a format that supports automatic propagation of inheritable access control entries (ACEs).
CopySid

Copies a security identifier (SID) to a buffer.
CreatePrivateObjectSecurity

Allocates and initializes a self-relative security descriptor for a new private object. A protected server calls this function when it creates a new private object.
CreatePrivateObjectSecurityEx

Allocates and initializes a self-relative security descriptor for a new private object created by the resource manager calling this function. (CreatePrivateObjectSecurityEx)
CreatePrivateObjectSecurityWithMultipleInheritance

Allocates and initializes a self-relative security descriptor for a new private object created by the resource manager calling this function. (CreatePrivateObjectSecurityWithMultipleInheritance)
CreateRestrictedToken

Creates a new access token that is a restricted version of an existing access token. The restricted token can have disabled security identifiers (SIDs), deleted privileges, and a list of restricting SIDs.
CreateWellKnownSid

Creates a SID for predefined aliases.
CveEventWrite

A tracing function for publishing events when an attempted security vulnerability exploit is detected in your user-mode application.
DeleteAce

Deletes an access control entry (ACE) from an access control list (ACL).
DeriveCapabilitySidsFromName

Constructs two arrays of SIDs from a capability name. One is an array of group SIDs with NT Authority, and the other is an array of capability SIDs with AppAuthority.
DestroyPrivateObjectSecurity

Deletes a private object's security descriptor.
DuplicateToken

Creates a new access token that duplicates one already in existence.
DuplicateTokenEx

Creates a new access token that duplicates an existing token. This function can create either a primary token or an impersonation token.
EqualDomainSid

Determines whether two SIDs are from the same domain.
EqualPrefixSid

Tests two security-identifier (SID) prefix values for equality. A SID prefix is the entire SID except for the last subauthority value.
EqualSid

Tests two security identifier (SID) values for equality. Two SIDs must match exactly to be considered equal.
FindFirstFreeAce

Retrieves a pointer to the first free byte in an access control list (ACL).
FreeSid

Frees a security identifier (SID) previously allocated by using the AllocateAndInitializeSid function.
GetAce

Obtains a pointer to an access control entry (ACE) in an access control list (ACL).
GetAclInformation

Retrieves information about an access control list (ACL).
GetAppContainerAce

Retrieves a value that indicates whether a package or capability SID is present.
GetCachedSigningLevel

Retrieves the cached signing level.
GetFileSecurityW

Obtains specified information about the security of a file or directory. The information obtained is constrained by the caller's access rights and privileges. (GetFileSecurityW)
GetKernelObjectSecurity

Retrieves a copy of the security descriptor that protects a kernel object.
GetLengthSid

Returns the length, in bytes, of a valid security identifier (SID).
GetPrivateObjectSecurity

Retrieves information from a private object's security descriptor.
GetSecurityDescriptorControl

Retrieves a security descriptor control and revision information.
GetSecurityDescriptorDacl

Retrieves a pointer to the discretionary access control list (DACL) in a specified security descriptor.
GetSecurityDescriptorGroup

Retrieves the primary group information from a security descriptor.
GetSecurityDescriptorLength

Returns the length, in bytes, of a structurally valid security descriptor. The length includes the length of all associated structures.
GetSecurityDescriptorOwner

Retrieves the owner information from a security descriptor.
GetSecurityDescriptorRMControl

Retrieves the resource manager control bits.
GetSecurityDescriptorSacl

Retrieves a pointer to the system access control list (SACL) in a specified security descriptor.
GetSidIdentifierAuthority

Returns a pointer to the SID_IDENTIFIER_AUTHORITY structure in a specified security identifier (SID).
GetSidLengthRequired

Returns the length, in bytes, of the buffer required to store a SID with a specified number of subauthorities.
GetSidSubAuthority

Returns a pointer to a specified subauthority in a security identifier (SID). The subauthority value is a relative identifier (RID).
GetSidSubAuthorityCount

Returns a pointer to the member in a security identifier (SID) structure that contains the subauthority count.
GetTokenInformation

Retrieves a specified type of information about an access token. The calling process must have appropriate access rights to obtain the information.
GetWindowsAccountDomainSid

Receives a security identifier (SID) and returns a SID representing the domain of that SID.
ImpersonateAnonymousToken

Enables the specified thread to impersonate the system's anonymous logon token.
ImpersonateLoggedOnUser

Lets the calling thread impersonate the security context of a logged-on user. The user is represented by a token handle.
ImpersonateSelf

Obtains an access token that impersonates the security context of the calling process. The token is assigned to the calling thread.
InitializeAcl

Initializes a new ACL structure.
InitializeSecurityDescriptor

Initializes a new security descriptor.
InitializeSid

Initializes a security identifier (SID).
IsTokenRestricted

Indicates whether a token contains a list of restricted security identifiers (SIDs).
IsValidAcl

Validates an access control list (ACL).
IsValidSecurityDescriptor

Determines whether the components of a security descriptor are valid.
IsValidSid

Validates a security identifier (SID) by verifying that the revision number is within a known range, and that the number of subauthorities is less than the maximum.
IsWellKnownSid

Compares a SID to a well-known SID and returns TRUE if they match.
MakeAbsoluteSD

Creates a security descriptor in absolute format by using a security descriptor in self-relative format as a template.
MakeSelfRelativeSD

Creates a security descriptor in self-relative format by using a security descriptor in absolute format as a template.
MapGenericMask

Maps the generic access rights in an access mask to specific and standard access rights. The function applies a mapping supplied in a GENERIC_MAPPING structure.
ObjectCloseAuditAlarmW

Generates an audit message in the security event log when a handle to a private object is deleted. (ObjectCloseAuditAlarmW)
ObjectDeleteAuditAlarmW

The ObjectDeleteAuditAlarmW (Unicode) function (securitybaseapi.h) generates audit messages when an object is deleted.
ObjectOpenAuditAlarmW

Generates audit messages when a client application attempts to gain access to an object or to create a new one. (ObjectOpenAuditAlarmW)
ObjectPrivilegeAuditAlarmW

Generates an audit message in the security event log. (ObjectPrivilegeAuditAlarmW)
PrivilegeCheck

Determines whether a specified set of privileges is enabled in an access token.
PrivilegedServiceAuditAlarmW

Generates an audit message in the security event log. (PrivilegedServiceAuditAlarmW)
QuerySecurityAccessMask

Creates an access mask that represents the access permissions necessary to query the specified object security information.
RevertToSelf

Terminates the impersonation of a client application.
SetAclInformation

Sets information about an access control list (ACL).
SetCachedSigningLevel

Sets the cached signing level.
SetFileSecurityW

The SetFileSecurityW (Unicode) function (securitybaseapi.h) sets the security of a file or directory object.
SetKernelObjectSecurity

Sets the security of a kernel object.
SetPrivateObjectSecurity

Modifies a private object's security descriptor.
SetPrivateObjectSecurityEx

Modifies the security descriptor of a private object maintained by the resource manager calling this function.
SetSecurityAccessMask

Creates an access mask that represents the access permissions necessary to set the specified object security information.
SetSecurityDescriptorControl

Sets the control bits of a security descriptor. The function can set only the control bits that relate to automatic inheritance of ACEs.
SetSecurityDescriptorDacl

Sets information in a discretionary access control list (DACL). If a DACL is already present in the security descriptor, the DACL is replaced.
SetSecurityDescriptorGroup

Sets the primary group information of an absolute-format security descriptor, replacing any primary group information already present in the security descriptor.
SetSecurityDescriptorOwner

Sets the owner information of an absolute-format security descriptor. It replaces any owner information already present in the security descriptor.
SetSecurityDescriptorRMControl

Sets the resource manager control bits in the SECURITY_DESCRIPTOR structure.
SetSecurityDescriptorSacl

Sets information in a system access control list (SACL). If there is already a SACL present in the security descriptor, it is replaced.
SetTokenInformation

Sets various types of information for a specified access token.