DeriveCapabilitySidsFromName function (securitybaseapi.h)

This function constructs two arrays of SIDs out of a capability name. One is an array group SID with NT Authority, and the other is an array of capability SIDs with AppAuthority.


BOOL DeriveCapabilitySidsFromName(
  [in]  LPCWSTR CapName,
  [out] PSID    **CapabilityGroupSids,
  [out] DWORD   *CapabilityGroupSidCount,
  [out] PSID    **CapabilitySids,
  [out] DWORD   *CapabilitySidCount


[in] CapName

Name of the capability in string form.

[out] CapabilityGroupSids

The GroupSids with NTAuthority.

[out] CapabilityGroupSidCount

The count of GroupSids in the array.

[out] CapabilitySids

CapabilitySids with AppAuthority.

[out] CapabilitySidCount

The count of CapabilitySid with AppAuthority.

Return value

If the function succeeds, it returns TRUE.

If the function fails, it returns FALSE. To get extended error information, call GetLastError.


The caller is expected to free the individual SIDs returned in each array by calling LocalFree, as well as memory allocated for the array itself.

The SID computed for the application capability of legacy capabilities (published prior to Win10) will be the same as the published SIDs but the SID for the service group capability SID will be hash based.


Minimum supported client Windows XP [desktop apps | UWP apps]
Minimum supported server Windows Server 2003 [desktop apps | UWP apps]
Target Platform Windows
Header securitybaseapi.h (include Windows.h)
Library Advapi32.lib
DLL Kernel32.dll