GetSD method of the __SystemSecurity class

The GetSD method gets the security descriptor for the namespace to which the user is connected. This method returns a security descriptor in binary byte array format. If you are writing a script, use the GetSecurityDescriptor method. For more information, see Securing WMI Namespaces and Changing Access Security on Securable Objects.

The user must have the READ_CONTROL permission. By default, administrators have that permission. The only part of the security descriptor that is actually used is the discretionary access control list (DACL). The DACL can contain both inherited and non-inherited ACEs. Both deny and allow ACEs are permitted.

If you are programming in C++, you can manipulate the binary security descriptor using SDDL, and the conversion methods ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor.


  [out] uint8 SD[]


SD [out]

Security descriptor in binary byte array format.

Return value

This method returns an HRESULT indicating the status of the method call. The following list lists the return values that are of significance to GetSD. For scripting and Visual Basic applications, the result can be obtained from OutParameters.ReturnValue. For more information, see Constructing InParameters Objects and Parsing OutParameters Objects.


Method executed successfully.


Caller does not have sufficient rights to call this method.


Attempted to run this method on an unsupported system.


For more information about modifying namespace security programmatically or manually, see Securing WMI Namespaces.


The following script shows you how to use GetSD to obtain the current security descriptor for the Root\Cimv2 namespace and change it to the byte array shown in DisplaySD.

Set objServices = GetObject("winmgmts:root\cimv2")
Set CimV2 = objServices.Get("__SystemSecurity=@")
ReturnValue = Cimv2.GetSD(arrSD)

If Err <> 0 Then
   WScript.Echo "Method returned error " & ReturnValue
End If

DisplaySD = "SD = {"
For I = Lbound(arrSD) To Ubound(arrSD)

   DisplaySD = DisplaySD & arrSD(I)

   If I <> Ubound(arrSD) Then
      DisplaySD = DisplaySD & ","
   End If


DisplaySD = DisplaySD & "}"

WScript.Echo DisplaySD


Requirement Value
Minimum supported client
Windows Vista
Minimum supported server
Windows Server 2008
All WMI namespaces

See also

WMI System Classes


WMI Security Constants





Securing WMI Namespaces