#ifndef _NTSEAPI_H

/**
 * The NtAccessCheckByTypeResultListAndAuditAlarmByHandle routine determines whether a security descriptor grants a specified set of access rights to the client represented by a specified access token.
 * It also generates audit messages for each object type in the hierarchy, and returns the results for each object type in a list.
 *
 * @param SubsystemName A pointer to a UNICODE_STRING specifying the name of the subsystem calling the function.
 * @param HandleId A pointer to a unique value representing the client's handle to the object.
 * @param ClientToken Handle to the access token representing the client.
 * @param ObjectTypeName A pointer to a UNICODE_STRING specifying the type of object being created or accessed.
 * @param ObjectName A pointer to a UNICODE_STRING specifying the name of the object being created or accessed.
 * @param SecurityDescriptor A pointer to the SECURITY_DESCRIPTOR structure against which access is checked.
 * @param PrincipalSelfSid A pointer to a SID structure representing the principal self SID, or NULL.
 * @param DesiredAccess Access mask that specifies the access rights to check.
 * @param AuditType Specifies the type of audit event to be generated.
 * @param Flags Audit event flags.
 * @param ObjectTypeList A pointer to an array of OBJECT_TYPE_LIST structures that specify the hierarchy of object types for the object being accessed.
 * @param ObjectTypeListLength The number of elements in the ObjectTypeList array.
 * @param GenericMapping A pointer to the GENERIC_MAPPING structure associated with the object for which access is being checked.
 * @param ObjectCreation Specifies a flag that determines whether the calling application will create a new object when access is granted.
 * @param GrantedAccess A pointer to an array of access masks that receive the granted access rights for each object type.
 * @param AccessStatus A pointer to an array of NTSTATUS values that receive the results of the access check for each object type.
 * @param GenerateOnClose A pointer to a flag set by the audit-generation routine when the function returns.
 * @return NTSTATUS Successful or errant status.
 * @sa https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-accesscheckbytyperesultlistandauditalarmbyhandlea
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckByTypeResultListAndAuditAlarmByHandle(
    _In_ PCUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ HANDLE ClientToken,
    _In_ PCUNICODE_STRING ObjectTypeName,
    _In_ PCUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ AUDIT_EVENT_TYPE AuditType,
    _In_ ULONG Flags,
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );

#endif
View code on GitHub

#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwAccessCheckByTypeResultListAndAuditAlarmByHandle(
    _In_ PCUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ HANDLE ClientToken,
    _In_ PCUNICODE_STRING ObjectTypeName,
    _In_ PCUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ AUDIT_EVENT_TYPE AuditType,
    _In_ ULONG Flags,
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );

#endif
View code on GitHub