WldpCanExecuteFile function (wldp.h)

Queries whether the execution policy allows execution of the code in the supplied file.

Syntax

HRESULT WldpCanExecuteFile(
  [in]           REFGUID                           host,
  [in]           WLDP_EXECUTION_EVALUATION_OPTIONS options,
  [in]           HANDLE                            fileHandle,
  [in, optional] PCWSTR                            auditInfo,
  [out]          WLDP_EXECUTION_POLICY             *result
);

Parameters

[in] host

A GUID specifying the calling program. For the list of pre-defined GUIDs that can be used for this parameter, see WLDP Host GUIDs. For hosts for which a specific value is not defined, use GUID WLDP_HOST_GUID_OTHER.

[in] options

A value from the WLDP_EXECUTION_EVALUATION_OPTIONS enumeration specifying options for the execution authorization request.

[in] fileHandle

The handle to the file being validated for execution approval.

Important

Callers should only pass open file handles to WldpCanExecuteFile and should not cache the security authorization on a specific file. It should be assumed that authorization to run a particular file is revoked when its file handle is closed. These measures are necessary to prevent TOC/TOU vulnerabilities that could subvert script enforcement policy.

[in, optional] auditInfo

A string that should include relevant contextual information for the caller to use in debugging. If an authorization request fails, this string is recorded in the event log under "AppLocker/MSI and Scripts/Operational". Callers should note that, while auditInfo is not size limited, the string should be less than 4K bytes in size because it will be placed in the event log.

[out] result

Pointer to a WLDP_EXECUTION_POLICY value that receives the execution policy result of the query.

Return value

Returns S_OK on success and a failure code otherwise.

Remarks

This function is provided as a replacement for WldpGetLockdownPolicy. It differs from WldpGetLockdownPolicy in the following ways:

  • Encourages callers to ensure that the subject (file, buffer, or stream) passes OS execution policy.
  • Allows calling apps to provide additional audit information for diagnostic purposes.
  • Allows verification of buffers and streams of code.
  • Simplifies the calling pattern.
  • Supports fine-grained execution policies, such as interactive mode in cmd or PowerShell.
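The calling pattern the parameter descriptions imply (open the file, query while the handle is open, run the code through that same handle, close it, never cache the verdict) is shown below as an added example. It is not code from the page or from Microsoft. On Windows it calls the real WldpCanExecuteFile from wldp.h; on other platforms the few wldp.h and windows.h declarations it needs are mirrored locally (assumed to match the SDK) so the fail-closed decision logic can be compiled and exercised with the constructed fake query functions at the bottom. The host GUID used by the fakes is an all-zero placeholder, and the names build_audit_info, decide_execution and execute_with_open_handle are this example's own.

```c
/* Added example (not the page's or Microsoft's code): a fail-closed wrapper
 * around WldpCanExecuteFile that keeps the handle open for the whole run,
 * bounds the auditInfo string, and never stores the verdict. */
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#ifdef _WIN32
#  define INITGUID              /* so the host GUID constants from wldp.h are defined here */
#  include <windows.h>
#  include <wldp.h>
#  pragma comment(lib, "wldp.lib")
#else
/* Mirrors of the SDK declarations used below (assumed; off-Windows builds only). */
typedef int HRESULT;
typedef void *HANDLE;
typedef const wchar_t *PCWSTR;
typedef struct { unsigned long Data1; unsigned short Data2, Data3; unsigned char Data4[8]; } GUID;
typedef const GUID *REFGUID;
#  define WINAPI
#  define S_OK ((HRESULT)0)
#  define E_FAIL ((HRESULT)0x80004005)
#  define SUCCEEDED(hr) ((HRESULT)(hr) >= 0)
#  define INVALID_HANDLE_VALUE ((HANDLE)(ptrdiff_t)-1)
typedef enum { WLDP_EXECUTION_POLICY_BLOCKED, WLDP_EXECUTION_POLICY_ALLOWED,
               WLDP_EXECUTION_POLICY_REQUIRE_SANDBOX } WLDP_EXECUTION_POLICY;
typedef enum { WLDP_EXECUTION_EVALUATION_OPTION_NONE = 0,
               WLDP_EXECUTION_EVALUATION_OPTION_EXECUTE_IN_INTERACTIVE_SESSION = 1
             } WLDP_EXECUTION_EVALUATION_OPTIONS;
#endif

/* WldpCanExecuteFile's signature, taken as a pointer so a fake can stand in for it. */
typedef HRESULT (WINAPI *wldp_query_fn)(REFGUID, WLDP_EXECUTION_EVALUATION_OPTIONS,
                                        HANDLE, PCWSTR, WLDP_EXECUTION_POLICY *);
typedef void (*run_fn)(HANDLE file, void *ctx);
enum exec_decision { EXEC_DENY, EXEC_RUN, EXEC_RUN_SANDBOXED };

#define AUDIT_INFO_MAX_BYTES 4096   /* page guidance: auditInfo goes into the event log */

/* Write "<host name>: <path>" into out, cut to fit both cap and the 4K byte limit.
 * Returns the number of characters written, excluding the terminator. */
size_t build_audit_info(wchar_t *out, size_t cap, const wchar_t *host_name, const wchar_t *path) {
    const wchar_t *parts[3] = { host_name, L": ", path };
    size_t limit = AUDIT_INFO_MAX_BYTES / sizeof(wchar_t);   /* characters including NUL */
    size_t n = 0;
    if (cap < limit) limit = cap;
    if (limit == 0) return 0;
    for (int i = 0; i < 3; i++)
        for (const wchar_t *p = parts[i]; *p != L'\0' && n + 1 < limit; p++)
            out[n++] = *p;
    out[n] = L'\0';
    return n;
}

/* Query the policy for an already-open handle. Any failure denies, and the
 * result written on a failed call is ignored. The verdict is not stored. */
enum exec_decision decide_execution(wldp_query_fn query, REFGUID host,
                                    WLDP_EXECUTION_EVALUATION_OPTIONS options,
                                    HANDLE file, PCWSTR audit_info) {
    WLDP_EXECUTION_POLICY policy = WLDP_EXECUTION_POLICY_BLOCKED;
    if (file == NULL || file == INVALID_HANDLE_VALUE) return EXEC_DENY;
    if (!SUCCEEDED(query(host, options, file, audit_info, &policy))) return EXEC_DENY;
    switch (policy) {
    case WLDP_EXECUTION_POLICY_ALLOWED:         return EXEC_RUN;
    case WLDP_EXECUTION_POLICY_REQUIRE_SANDBOX: return EXEC_RUN_SANDBOXED;
    default:                                    return EXEC_DENY;   /* BLOCKED or unknown */
    }
}

/* Decide and run while the handle is still open, so the bytes executed are read
 * through the handle that was checked. A host without a sandbox passes
 * run_sandboxed == NULL and REQUIRE_SANDBOX then becomes a denial. The caller
 * closes the handle afterwards, which ends the authorization. */
enum exec_decision execute_with_open_handle(wldp_query_fn query, REFGUID host,
        WLDP_EXECUTION_EVALUATION_OPTIONS options, HANDLE file, PCWSTR audit_info,
        run_fn run, run_fn run_sandboxed, void *ctx) {
    enum exec_decision d = decide_execution(query, host, options, file, audit_info);
    if (d == EXEC_RUN && run != NULL) { run(file, ctx); return EXEC_RUN; }
    if (d == EXEC_RUN_SANDBOXED && run_sandboxed != NULL) { run_sandboxed(file, ctx); return EXEC_RUN_SANDBOXED; }
    return EXEC_DENY;
}

/* Constructed test doubles (not part of the API) for exercising the logic anywhere. */
static const GUID kConstructedHostGuid = { 0, 0, 0, { 0 } };   /* placeholder, not a real WLDP host GUID */
static HRESULT WINAPI fake_query_allow(REFGUID h, WLDP_EXECUTION_EVALUATION_OPTIONS o,
                                       HANDLE f, PCWSTR a, WLDP_EXECUTION_POLICY *r) {
    (void)h; (void)o; (void)f; (void)a; *r = WLDP_EXECUTION_POLICY_ALLOWED; return S_OK;
}
static HRESULT WINAPI fake_query_sandbox(REFGUID h, WLDP_EXECUTION_EVALUATION_OPTIONS o,
                                         HANDLE f, PCWSTR a, WLDP_EXECUTION_POLICY *r) {
    (void)h; (void)o; (void)f; (void)a; *r = WLDP_EXECUTION_POLICY_REQUIRE_SANDBOX; return S_OK;
}
/* Fails the call but still writes ALLOWED: a correct caller must not trust that value. */
static HRESULT WINAPI fake_query_error(REFGUID h, WLDP_EXECUTION_EVALUATION_OPTIONS o,
                                       HANDLE f, PCWSTR a, WLDP_EXECUTION_POLICY *r) {
    (void)h; (void)o; (void)f; (void)a; *r = WLDP_EXECUTION_POLICY_ALLOWED; return E_FAIL;
}
static void count_runs(HANDLE f, void *ctx) { (void)f; ++*(int *)ctx; }

#ifdef _WIN32
/* Real use: open the script, check it, consume it through the open handle, close it. */
static void run_from_handle(HANDLE file, void *ctx) {
    char buf[256]; DWORD got = 0; (void)ctx;
    if (ReadFile(file, buf, sizeof buf, &got, NULL)) printf("would run %lu bytes\n", (unsigned long)got);
}
int wmain(int argc, wchar_t **argv) {
    wchar_t audit[AUDIT_INFO_MAX_BYTES / sizeof(wchar_t)];
    if (argc < 2) return 2;
    HANDLE file = CreateFileW(argv[1], GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if (file == INVALID_HANDLE_VALUE) return 1;
    build_audit_info(audit, sizeof audit / sizeof audit[0], L"example host", argv[1]);
    enum exec_decision d = execute_with_open_handle(WldpCanExecuteFile, &WLDP_HOST_GUID_OTHER,
        WLDP_EXECUTION_EVALUATION_OPTION_NONE, file, audit, run_from_handle, NULL, NULL);
    CloseHandle(file);   /* authorization ends here; query again before any later run */
    return d == EXEC_RUN ? 0 : 1;
}
#endif
```

The verdict is consumed inside execute_with_open_handle and never returned to a cache, the handle the caller closes afterwards is the one that was checked, and every error path (bad handle, failed HRESULT, unknown policy value, sandbox required but unavailable) resolves to a denial.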

Requirements

Requirement               Value
Minimum supported client  Windows 11, Build 22621
Minimum supported server  Windows 11, Build 22621
Header                    wldp.h
Library                   wldp.lib
DLL                       wldp.dll