NtPrivilegedServiceAuditAlarm - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers
#ifndef _NTSEAPI_H

/**
 * The NtPrivilegedServiceAuditAlarm routine generates an audit message in the security event log when a privileged service is accessed.
 *
 * @param SubsystemName A pointer to a UNICODE_STRING specifying the name of the subsystem calling the function.
 * @param ServiceName A pointer to a UNICODE_STRING specifying the name of the service being accessed.
 * @param ClientToken Handle to the access token representing the client.
 * @param Privileges A pointer to a PRIVILEGE_SET structure that specifies the privileges used to access the service.
 * @param AccessGranted Specifies a flag that determines whether access was granted.
 * @return NTSTATUS Successful or errant status.
 * @sa https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-privilegedserviceauditalarma
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrivilegedServiceAuditAlarm(
    _In_ PCUNICODE_STRING SubsystemName,
    _In_ PCUNICODE_STRING ServiceName,
    _In_ HANDLE ClientToken,
    _In_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN AccessGranted
    );

#endif

#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwPrivilegedServiceAuditAlarm(
    _In_ PCUNICODE_STRING SubsystemName,
    _In_ PCUNICODE_STRING ServiceName,
    _In_ HANDLE ClientToken,
    _In_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN AccessGranted
    );

#endif


The function NtPrivilegedServiceAuditAlarm doesn't work on NT40-SP6. For more information, see the description of PrivilegedServiceAuditAlarm in the Microsoft SDK.

SubsystemName

???

ServiceName

???

ClientToken

HANDLE to Token Object opened with TOKEN_QUERY access.

ClientPrivileges

Pointer to a PRIVILEGE_SET structure containing valid data.

AccessGranted

???

Requirements

Privilege: SE_AUDIT_PRIVILEGE
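
PRIVILEGE_SET is a variable-length structure, so a caller that receives one from elsewhere should confirm that PrivilegeCount fits the buffer before passing it as Privileges. The following is an added example, not code from the phnt headers or the original documentation: it performs that check and, on Windows, resolves NtPrivilegedServiceAuditAlarm from ntdll.dll. The helper names, the policy of rejecting empty sets and unknown Control bits, and the non-Windows stand-in typedefs are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#else /* stand-ins mirroring the winnt.h layouts, so the checks build off Windows */
typedef struct { uint32_t LowPart; int32_t HighPart; } LUID;
typedef struct { LUID Luid; uint32_t Attributes; } LUID_AND_ATTRIBUTES;
typedef struct { uint32_t PrivilegeCount; uint32_t Control;
                 LUID_AND_ATTRIBUTES Privilege[1]; } PRIVILEGE_SET;
#define PRIVILEGE_SET_ALL_NECESSARY 1
#endif

/* Bytes needed for a PRIVILEGE_SET with `count` entries; 0 if empty or overflowing. */
size_t privilege_set_size(uint32_t count) {
    size_t hdr = offsetof(PRIVILEGE_SET, Privilege);
    if (count == 0 || count > (SIZE_MAX - hdr) / sizeof(LUID_AND_ATTRIBUTES))
        return 0;
    return hdr + (size_t)count * sizeof(LUID_AND_ATTRIBUTES);
}

/* 1 if buf (len bytes) holds a self-consistent PRIVILEGE_SET, else 0.
   Rejecting empty sets and unknown Control bits is this example's policy. */
int privilege_set_is_valid(const void *buf, size_t len) {
    const PRIVILEGE_SET *ps = (const PRIVILEGE_SET *)buf;
    size_t need;
    if (buf == NULL || len < offsetof(PRIVILEGE_SET, Privilege))
        return 0;
    if (ps->Control & ~(uint32_t)PRIVILEGE_SET_ALL_NECESSARY)
        return 0;
    need = privilege_set_size(ps->PrivilegeCount);
    return need != 0 && need <= len;
}

#ifdef _WIN32
typedef NTSTATUS (NTAPI *PSAA_FN)(const UNICODE_STRING *, const UNICODE_STRING *,
                                  HANDLE, PPRIVILEGE_SET, BOOLEAN);
/* Checks the set, then raises the audit. Caller must hold SE_AUDIT_PRIVILEGE. */
NTSTATUS audit_privileged_service(const UNICODE_STRING *subsystem,
                                  const UNICODE_STRING *service, HANDLE token,
                                  PPRIVILEGE_SET ps, size_t ps_len, BOOLEAN granted) {
    PSAA_FN fn = (PSAA_FN)GetProcAddress(GetModuleHandleW(L"ntdll.dll"),
                                         "NtPrivilegedServiceAuditAlarm");
    if (fn == NULL || !privilege_set_is_valid(ps, ps_len))
        return (NTSTATUS)0xC000000DL; /* STATUS_INVALID_PARAMETER */
    return fn(subsystem, service, token, ps, granted);
}
#endif
```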