#ifndef _NTSEAPI_H
// Audit alarm
/**
 * Native access check that can also generate audit messages.
 *
 * The notes accompanying this declaration name the Win32 function
 * AccessCheckAndAuditAlarm as the closest documented reference. Parameter
 * notes marked "Win32 doc" follow that reference and are unconfirmed for
 * the native call.
 *
 * Caller requirements (from the accompanying notes): the calling thread
 * must be impersonating a client, and SE_AUDIT_PRIVILEGE is required.
 * NOTE(review): the Win32 doc says the privilege test is made against the
 * primary token of the calling process, not the thread's impersonation
 * token - confirm for the native call.
 *
 * Result handling: the declaration returns an NTSTATUS and also writes a
 * second NTSTATUS through AccessStatus. Presumably the return value reports
 * whether the call itself completed and *AccessStatus carries the access
 * decision; a caller should honour *GrantedAccess only when both indicate
 * success - TODO confirm.
 *
 * Known issue (from the accompanying notes): does not work properly on
 * NT 4.0 SP6.
 *
 * SubsystemName     - presumably the name of the subsystem making the call
 *                     (Win32 doc).
 * HandleId          - optional; any valid handle to the object, or NULL.
 * ObjectTypeName    - presumably the type of the object being accessed, as
 *                     recorded in the audit message (Win32 doc).
 * ObjectName        - presumably the name of the object being accessed, as
 *                     recorded in the audit message (Win32 doc).
 * SecurityDescriptor - security descriptor in absolute format.
 * DesiredAccess     - requested access mask. NOTE(review): the Win32 doc
 *                     requires generic rights to be mapped before the call;
 *                     confirm for the native call.
 * GenericMapping    - GENERIC_MAPPING valid for the object being checked.
 * ObjectCreation    - presumably whether a new object will be created if
 *                     access is granted (Win32 doc).
 * GrantedAccess     - receives an ACCESS_MASK.
 * AccessStatus      - receives an NTSTATUS.
 * GenerateOnClose   - receives a BOOLEAN. NOTE(review): in the Win32 doc
 *                     this flag is kept and passed to the close-audit
 *                     routine when the handle is closed, so that the
 *                     matching close event is logged - confirm.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckAndAuditAlarm(
_In_ PUNICODE_STRING SubsystemName,
_In_opt_ PVOID HandleId,
_In_ PUNICODE_STRING ObjectTypeName,
_In_ PUNICODE_STRING ObjectName,
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
_In_ ACCESS_MASK DesiredAccess,
_In_ PGENERIC_MAPPING GenericMapping,
_In_ BOOLEAN ObjectCreation,
_Out_ PACCESS_MASK GrantedAccess,
_Out_ PNTSTATUS AccessStatus,
_Out_ PBOOLEAN GenerateOnClose
);
#ifndef _NTZWAPI_H
/**
 * Zw-prefixed declaration with the same parameter list and return type as
 * NtAccessCheckAndAuditAlarm.
 *
 * NOTE(review): by the usual NT convention the Nt and Zw names are the same
 * entry point for user-mode callers, while a kernel-mode caller of a Zw
 * routine is treated as a trusted (KernelMode) caller, so pointer arguments
 * are not probed as user-supplied. Confirm which applies wherever this
 * declaration is used, and never pass unvalidated user-mode pointers
 * through the Zw form from kernel code.
 *
 * Caller requirements (from the accompanying notes): the calling thread
 * must be impersonating a client, and SE_AUDIT_PRIVILEGE is required.
 *
 * Result handling: the declaration returns an NTSTATUS and also writes a
 * second NTSTATUS through AccessStatus; presumably both must indicate
 * success before *GrantedAccess is honoured - TODO confirm.
 *
 * HandleId is optional (any valid handle to the object, or NULL).
 * SecurityDescriptor is expected in absolute format. GrantedAccess,
 * AccessStatus and GenerateOnClose are output pointers.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
ZwAccessCheckAndAuditAlarm(
_In_ PUNICODE_STRING SubsystemName,
_In_opt_ PVOID HandleId,
_In_ PUNICODE_STRING ObjectTypeName,
_In_ PUNICODE_STRING ObjectName,
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
_In_ ACCESS_MASK DesiredAccess,
_In_ PGENERIC_MAPPING GenericMapping,
_In_ BOOLEAN ObjectCreation,
_Out_ PACCESS_MASK GrantedAccess,
_Out_ PNTSTATUS AccessStatus,
_Out_ PBOOLEAN GenerateOnClose
);
Function NtAccessCheckAndAuditAlarm does not work properly on NT 4.0 SP6. For more information about alarms, see the description of the similar function AccessCheckAndAuditAlarm in the Microsoft SDK.
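Parameters (labels restored from the prototype order):
SubsystemName: ???
HandleId: Can be any valid HANDLE to object, or NULL.
ObjectTypeName: ???
ObjectName: ???
SecurityDescriptor: Pointer to "Absolute" SECURITY_DESCRIPTOR structure.
DesiredAccess: ???
GenericMapping: Pointer to GENERIC_MAPPING structure valid for object specified above as ObjectHandle parameter (HandleId in the prototype).
ObjectCreation: ???
GrantedAccess: Pointer to ACCESS_MASK value (?).
AccessStatus: Pointer to NTSTATUS value (?).
GenerateOnClose: Pointer to BOOLEAN value (?).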
This function can be called only from an impersonating thread (see NtImpersonateThread for more information).
Required privilege: SE_AUDIT_PRIVILEGE