WldpCanExecuteFile function (wldp.h)
Queries whether the execution policy allows execution of the code in the supplied file.
Syntax
HRESULT WldpCanExecuteFile(
[in] REFGUID host,
[in] WLDP_EXECUTION_EVALUATION_OPTIONS options,
[in] HANDLE fileHandle,
[in, optional] PCWSTR auditInfo,
[out] WLDP_EXECUTION_POLICY *result
);
Parameters
[in] host
A GUID identifying the calling program (the host). For the list of pre-defined GUIDs that can be used for this parameter, see WLDP Host GUIDs. For hosts for which no specific value is defined, use WLDP_HOST_GUID_OTHER.
[in] options
A value from the WLDP_EXECUTION_EVALUATION_OPTIONS enumeration that specifies options for the execution authorization request.
[in] fileHandle
The handle to the file being validated for execution approval.
Important
Callers should only pass open file handles to WldpCanExecuteFile and should not cache the security authorization for a specific file. Authorization to run a particular file should be assumed to be revoked as soon as its file handle is closed; any later use must re-open the file and query again. These measures are necessary to prevent time-of-check/time-of-use (TOC/TOU) vulnerabilities, where the file is swapped between the policy check and its use, which could subvert script enforcement policy.
[in, optional] auditInfo
A string that should include relevant contextual information for the caller to use in debugging. If an authorization request fails, this string is recorded in the event log under "AppLocker/MSI and Scripts/Operational". Note that, while auditInfo is not size limited by the API, the string should be less than 4 KB because it is placed in the event log.
[out] result
Pointer to a WLDP_EXECUTION_POLICY variable that receives the execution policy result of the query.
Return value
Returns S_OK on success and a failure code otherwise.
Remarks
This function is provided as a replacement for WldpGetLockdownPolicy. It differs from WldpGetLockdownPolicy in the following ways:
- Encourages callers to ensure that the subject (file, buffer, or stream) passes OS execution policy.
- Allows calling apps to provide additional audit information for diagnostic purposes.
- Allows verification of buffers and streams of code (see the companion WldpCanExecuteBuffer and WldpCanExecuteStream functions).
- Simplifies the calling pattern.
- Supports fine-grained execution policies, for example interactive mode in cmd or PowerShell.
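The following is an added example, not code from the wldp.h documentation or from Windows itself, showing how a script host is expected to call WldpCanExecuteFile: open the file, query policy on that open handle, read the script from the same handle, and only then close it, so the check and the use cannot be separated by a file swap (the TOC/TOU concern in the Important note above). It also treats a failing HRESULT as a block rather than an allow. Assumptions, labelled in the code: wldp.h declares WLDP_HOST_GUID_OTHER as a DEFINE_GUID constant (hence INITGUID), the WLDP_EXECUTION_POLICY values BLOCKED, ALLOWED and REQUIRE_SANDBOX, and WLDP_EXECUTION_EVALUATION_OPTION_NONE; the host name "ExampleHost", the helper names and the 16 MB size cap are this example's own choices. The small type shim lets the policy-mapping helper compile on non-Windows toolchains for unit testing; the Windows API path is what runs on a real system (build with cl /EHsc example.cpp wldp.lib).

```cpp
// Added example: a minimal script host using WldpCanExecuteFile safely.
#include <cstdint>
#include <cstdio>
#include <cstdlib>

#ifdef _WIN32
#define INITGUID            // instantiate the host GUID constants in this TU (assumption: DEFINE_GUID in wldp.h)
#include <windows.h>
#include <wldp.h>
#pragma comment(lib, "wldp.lib")
#else
// Stand-ins so action_for() compiles where wldp.h is unavailable. They mirror
// the Windows names and are an assumption of this example, not part of wldp.h.
typedef int32_t HRESULT;
#define S_OK   ((HRESULT)0L)
#define E_FAIL ((HRESULT)0x80004005L)
#define FAILED(hr) ((HRESULT)(hr) < 0)
typedef enum WLDP_EXECUTION_POLICY {
    WLDP_EXECUTION_POLICY_BLOCKED,
    WLDP_EXECUTION_POLICY_ALLOWED,
    WLDP_EXECUTION_POLICY_REQUIRE_SANDBOX
} WLDP_EXECUTION_POLICY;
#endif

// What the host will do with the file after consulting policy.
enum host_action { HOST_ACTION_BLOCK = 0, HOST_ACTION_RUN = 1, HOST_ACTION_RUN_SANDBOXED = 2 };

// Map the call outcome to an action. Fails closed: a failing HRESULT, or a
// policy value this host does not understand, is a BLOCK, never an ALLOW.
host_action action_for(HRESULT hr, WLDP_EXECUTION_POLICY policy)
{
    if (FAILED(hr)) return HOST_ACTION_BLOCK;
    switch (policy) {
    case WLDP_EXECUTION_POLICY_ALLOWED:         return HOST_ACTION_RUN;
    case WLDP_EXECUTION_POLICY_REQUIRE_SANDBOX: return HOST_ACTION_RUN_SANDBOXED;
    case WLDP_EXECUTION_POLICY_BLOCKED:
    default:                                    return HOST_ACTION_BLOCK;
    }
}

#ifdef _WIN32
// Open the script, ask policy about THIS handle, and if allowed read the bytes
// from the same handle. The handle is closed only after the content has been
// consumed, because the authorization is tied to the open handle.
host_action check_and_load(const wchar_t *path, char **content, DWORD *size)
{
    *content = nullptr; *size = 0;
    HANDLE h = CreateFileW(path, GENERIC_READ, FILE_SHARE_READ, nullptr,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr);
    if (h == INVALID_HANDLE_VALUE) return HOST_ACTION_BLOCK;

    // auditInfo: short, caller-meaningful context (well under 4 KB); it is
    // written to the AppLocker/MSI and Scripts/Operational log on a failure.
    wchar_t audit[512];
    _snwprintf_s(audit, 512, _TRUNCATE, L"ExampleHost: file=%ls", path);

    WLDP_EXECUTION_POLICY policy = WLDP_EXECUTION_POLICY_BLOCKED;
    HRESULT hr = WldpCanExecuteFile(WLDP_HOST_GUID_OTHER,
                                    WLDP_EXECUTION_EVALUATION_OPTION_NONE,
                                    h, audit, &policy);
    host_action act = action_for(hr, policy);
    if (act == HOST_ACTION_BLOCK) { CloseHandle(h); return act; }

    LARGE_INTEGER len;
    if (!GetFileSizeEx(h, &len) || len.QuadPart > 0x1000000) {   // example cap: 16 MB
        CloseHandle(h); return HOST_ACTION_BLOCK;
    }
    *content = static_cast<char *>(std::malloc(static_cast<size_t>(len.QuadPart) + 1));
    if (*content && ReadFile(h, *content, static_cast<DWORD>(len.QuadPart), size, nullptr)) {
        (*content)[*size] = '\0';
    } else {
        std::free(*content); *content = nullptr; *size = 0; act = HOST_ACTION_BLOCK;
    }
    CloseHandle(h);   // authorization ends here; never reuse a cached verdict
    return act;
}

int wmain(int argc, wchar_t **argv)
{
    if (argc < 2) { fwprintf(stderr, L"usage: %ls <script>\n", argv[0]); return 2; }
    char *content = nullptr; DWORD size = 0;
    host_action act = check_and_load(argv[1], &content, &size);
    wprintf(L"policy decision: %d (%lu bytes loaded)\n", static_cast<int>(act),
            static_cast<unsigned long>(size));
    std::free(content);
    return act == HOST_ACTION_BLOCK ? 1 : 0;
}
#endif
```

The point of routing everything through the one handle is that a path-based re-open after the check would be exactly the window an attacker needs to substitute the file; the decision helper is kept separate so the fail-closed mapping can be tested without a Windows machine.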
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows 11, Build 22621 |
| Minimum supported server | Windows 11, Build 22621 |
| Header | wldp.h |
| Library | wldp.lib |
| DLL | wldp.dll |