NtAccessCheckAndAuditAlarm - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers
#ifndef _NTSEAPI_H

//
// Audit alarm
//

/**
 * The NtAccessCheckAndAuditAlarm routine determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread.
 * If the security descriptor has a SACL with ACEs that apply to the client, the function generates any necessary audit messages in the security event log.
 *
 * @param SubsystemName A pointer to a null-terminated string specifying the name of the subsystem calling the function.
 * @param HandleId A pointer to a unique value representing the client's handle to the object.
 * @param ObjectTypeName A pointer to a null-terminated string specifying the type of object being created or accessed.
 * @param ObjectName A pointer to a null-terminated string specifying the name of the object being created or accessed.
 * @param SecurityDescriptor A pointer to the SECURITY_DESCRIPTOR structure against which access is checked.
 * @param DesiredAccess Access mask that specifies the access rights to check. This mask must have been mapped by the MapGenericMask function to contain no generic access rights.
 * @param GenericMapping A pointer to the GENERIC_MAPPING structure associated with the object for which access is being checked.
 * @param ObjectCreation Specifies a flag that determines whether the calling application will create a new object when access is granted.
 * @param GrantedAccess A pointer to an access mask that receives the granted access rights.
 * @param AccessStatus A pointer to a variable that receives the results of the access check.
 * @param GenerateOnClose A pointer to a flag set by the audit-generation routine when the function returns.
 * @return NTSTATUS Successful or errant status.
 * @sa https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-accesscheckandauditalarma
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckAndAuditAlarm(
    _In_ PCUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PCUNICODE_STRING ObjectTypeName,
    _In_ PCUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );

#endif

#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwAccessCheckAndAuditAlarm(
    _In_ PCUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PCUNICODE_STRING ObjectTypeName,
    _In_ PCUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );

#endif


The function NtAccessCheckAndAuditAlarm doesn't work properly on NT40-SP6. For more information about alarms, see the description of the similar function AccessCheckAndAuditAlarm in the Microsoft SDK.

SubsystemName

???

ObjectHandle

Can be any valid HANDLE to an object, or NULL.

ObjectTypeName

???

ObjectName

???

SecurityDescriptor

Pointer to an "Absolute" SECURITY_DESCRIPTOR structure.

DesiredAccess

???

GenericMapping

Pointer to a GENERIC_MAPPING structure valid for the object specified above as the ObjectHandle parameter.

ObjectCreation

???

GrantedAccess

Pointer to ACCESS_MASK value (?).

AccessStatus

Pointer to NTSTATUS value (?).

GenerateOnClose

Pointer to BOOLEAN value (?).


This function can be called only from an impersonated thread (see NtImpersonateThread for more information).
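
The DesiredAccess rule (no generic rights left after MapGenericMask) and the three separate results of the call (return value, AccessStatus, GrantedAccess) can be handled fail-closed as sketched here. This is an added example, not code from phnt or the original documentation; the `ex_` names are hypothetical stand-ins so it builds without Windows headers, and the file-object mapping and the values passed in `main` are constructed sample inputs.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical stand-ins for ACCESS_MASK, NTSTATUS and GENERIC_MAPPING so the
   logic builds without Windows headers (assumption; use the SDK types there). */
typedef uint32_t ex_access_mask;
typedef int32_t ex_ntstatus;
typedef struct { ex_access_mask GenericRead, GenericWrite, GenericExecute, GenericAll; } ex_generic_mapping;

#define EX_GENERIC_READ    0x80000000u
#define EX_GENERIC_WRITE   0x40000000u
#define EX_GENERIC_EXECUTE 0x20000000u
#define EX_GENERIC_ALL     0x10000000u
#define EX_GENERIC_BITS    0xF0000000u
#define EX_STATUS_SUCCESS       ((ex_ntstatus)0)
#define EX_STATUS_ACCESS_DENIED ((ex_ntstatus)0xC0000022u)

/* Constructed sample input: the generic mapping used for file objects. */
static const ex_generic_mapping ex_file_mapping = { 0x00120089u, 0x00120116u, 0x001200A0u, 0x001F01FFu };

/* Same transformation MapGenericMask performs: expand each generic bit into
   the object type's specific rights, then clear the generic bits. */
static ex_access_mask ex_map_generic_mask(ex_access_mask mask, const ex_generic_mapping *m)
{
    if (mask & EX_GENERIC_READ)    mask |= m->GenericRead;
    if (mask & EX_GENERIC_WRITE)   mask |= m->GenericWrite;
    if (mask & EX_GENERIC_EXECUTE) mask |= m->GenericExecute;
    if (mask & EX_GENERIC_ALL)     mask |= m->GenericAll;
    return mask & ~EX_GENERIC_BITS;
}

/* Fail-closed decision: the call itself must succeed, AccessStatus must be a
   success code, and GrantedAccess must cover every right that was requested. */
static bool ex_access_allowed(ex_ntstatus call_status, ex_ntstatus access_status,
                              ex_access_mask desired, ex_access_mask granted)
{
    if (desired & EX_GENERIC_BITS) return false;   /* mask was never mapped */
    if (call_status < 0) return false;             /* the check did not run */
    if (access_status < 0) return false;           /* the check ran and denied */
    return (granted & desired) == desired;         /* reject partial grants */
}

int main(void)
{
    ex_access_mask desired = ex_map_generic_mask(EX_GENERIC_READ | EX_GENERIC_WRITE, &ex_file_mapping);
    /* Constructed outputs standing in for a successful call that granted everything. */
    return ex_access_allowed(EX_STATUS_SUCCESS, EX_STATUS_SUCCESS, desired, desired) ? 0 : 1;
}
```
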


Requirements

Privilege: SE_AUDIT_PRIVILEGE
