NtAccessCheck - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers
#ifndef _NTSEAPI_H

//
// Access checking
//
/**
 * The NtAccessCheck routine determines whether a security descriptor grants a specified set of access rights to the client represented by an access token.
 *
 * @param SecurityDescriptor Pointer to the SECURITY_DESCRIPTOR structure against which access is checked.
 * @param ClientToken Handle to the access token representing the client. The handle must have TOKEN_QUERY access.
 * @param DesiredAccess Access mask that specifies the access rights to check.
 * @param GenericMapping Pointer to the GENERIC_MAPPING structure associated with the object for which access is being checked.
 * @param PrivilegeSet Pointer to a PRIVILEGE_SET structure that receives the privileges required to access the object. The buffer must be large enough to hold the privilege set.
 * @param PrivilegeSetLength Pointer to a variable that specifies the size, in bytes, of the PrivilegeSet buffer. On input, this is the size of the buffer; on output, it receives the number of bytes required.
 * @param GrantedAccess Pointer to an access mask that receives the granted access rights.
 * @param AccessStatus Pointer to a variable that receives the results of the access check.
 * @return NTSTATUS code indicating success or failure.
 * @sa https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-accesscheck
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheck(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PGENERIC_MAPPING GenericMapping,
    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
    _Inout_ PULONG PrivilegeSetLength,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus
    );

#endif

View code on GitHub
#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwAccessCheck(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PGENERIC_MAPPING GenericMapping,
    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
    _Inout_ PULONG PrivilegeSetLength,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus
    );

#endif

View code on GitHub

Function NtAccessCheck should be used by server applications working in SYSTEM context for check access to object for connected client's token. See similar Win32 API AccessCheck in Microsoft SDK.

SecurityDescriptor

Pointer to SECURITY_DESCRIPTOR structure.

ClientToken

HANDLE to client's Token Object opened with TOKEN_QUERY access.

DesiredAccess

ACCESS_MASK required by client.

GenericMapping

Pointer to GENERIC_MAPPING structure. Caller can take it in a call to NtQueryObject.

RequiredPrivilegesBuffer

Function fills this buffer with structure PRIVILEGE_SET contains required privileges.

BufferLength

Pointer to ULONG value. On input this value means size of RequiredPrivilegesBuffer buffer. If buffer was to small, required buffer size is available on output.

GrantedAccess

Pointer to ACCESS_MASK value receiving granted access for object.

AccessStatus

Result of access check, in typical NTSTATUS format.

Documented by

See also