NtSetSecurityObject - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
#ifndef _NTOBAPI_H
//
// Objects, handles
//
#if (PHNT_MODE != PHNT_MODE_KERNEL)
/**
* The NtSetSecurityObject routine sets an object's security state.
*
* @param Handle Handle for the object whose security state is to be set.
* @param SecurityInformation A SECURITY_INFORMATION value specifying the information to be set.
* @param SecurityDescriptor Pointer to the security descriptor to be set for the object.
* @return NTSTATUS Successful or errant status.
* @sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-zwsetsecurityobject
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetSecurityObject(
_In_ HANDLE Handle,
_In_ SECURITY_INFORMATION SecurityInformation,
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor
);
View code on GitHub#ifndef _NTZWAPI_H
NTSYSCALLAPI
NTSTATUS
NTAPI
ZwSetSecurityObject(
_In_ HANDLE Handle,
_In_ SECURITY_INFORMATION SecurityInformation,
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor
);
View code on GitHub// ntifs.h
__kernel_entry NTSYSCALLAPI NTSTATUS NtSetSecurityObject(
[in] HANDLE Handle,
[in] SECURITY_INFORMATION SecurityInformation,
[in] PSECURITY_DESCRIPTOR SecurityDescriptor
);
View the official Windows Driver Kit DDI reference// ntifs.h
NTSYSAPI NTSTATUS ZwSetSecurityObject(
[in] HANDLE Handle,
[in] SECURITY_INFORMATION SecurityInformation,
[in] PSECURITY_DESCRIPTOR SecurityDescriptor
);
View the official Windows Driver Kit DDI referenceNo description available.
The NtSetSecurityObject routine sets an object's security state.
Handle [in]Handle for the object whose security state is to be set. This handle must have the access specified in the Meaning column of the table shown in the description of the SecurityInformation parameter.
SecurityInformation [in]SECURITY_INFORMATION value specifying the information to be set as a combination of one or more of the following.
| Value | Meaning |
|---|---|
| OWNER_SECURITY_INFORMATION | Indicates the owner identifier of the object is to be set. Requires WRITE_OWNER access. |
| GROUP_SECURITY_INFORMATION | Indicates the primary group identifier of the object is to be set. Requires WRITE_OWNER access. |
| SACL_SECURITY_INFORMATION | Indicates the system ACL (SACL) of the object is to be set. Requires ACCESS_SYSTEM_SECURITY access. |
| DACL_SECURITY_INFORMATION | Indicates the discretionary access control list (DACL) of the object is to be set. Requires WRITE_DAC access. |
SecurityDescriptor [in]Pointer to the security descriptor to be set for the object.
NtSetSecurityObject returns STATUS_SUCCESS or an appropriate error status. Possible error status codes include the following:
| Return code | Description |
|---|---|
| STATUS_ACCESS_DENIED | The caller did not have the required access. |
| STATUS_ACCESS_VIOLATION | SecurityDescriptor was a NULL pointer. |
| STATUS_INSUFFICIENT_RESOURCES | The object's security descriptor could not be captured. |
| STATUS_INVALID_ACL | The object's security descriptor contained an invalid ACL. |
| STATUS_INVALID_HANDLE | Handle is not a valid handle. |
| STATUS_INVALID_SECURITY_DESCR | SecurityDescriptor did not point to a valid security descriptor. |
| STATUS_INVALID_SID | The object's security descriptor contained an invalid SID. |
| STATUS_OBJECT_TYPE_MISMATCH | Handle is not a handle of the expected type. |
| STATUS_UNKNOWN_REVISION | The revision level of the object's security descriptor was unknown or not supported. |
A security descriptor can be in absolute or self-relative form. In self-relative form, all members of the structure are located contiguously in memory. In absolute form, the structure only contains pointers to the members. For more information, see Absolute and Self-Relative Security Descriptors.
For more information about security and access control, see Windows security model for driver developers and the documentation on these topics in the Windows SDK.
Minifilters should use FltSetSecurityObject instead of NtSetSecurityObject.
Callers of NtSetSecurityObject must be running at IRQL = PASSIVE_LEVEL and with special kernel APCs enabled.
[!NOTE] If the call to the NtSetSecurityObject function occurs in user mode, you should use the name "NtSetSecurityObject" instead of "ZwSetSecurityObject".
For calls from kernel-mode drivers, the Nt*Xxx* and Zw*Xxx* versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the Nt*Xxx* and Zw*Xxx* versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.
Using Nt and Zw Versions of the Native System Services Routines
ZwSetSecurityObject
The ZwSetSecurityObject routine sets an object's security state.
Handle [in]Handle for the object whose security state is to be set. This handle must have the access specified in the Meaning column of the table shown in the description of the SecurityInformation parameter.
SecurityInformation [in]A SECURITY_INFORMATIONvalue specifying the information to be set. Can be a combination of one or more of the following values.
| Value | Meaning |
|---|---|
| DACL_SECURITY_INFORMATION | Indicates the discretionary access control list (DACL) of the object is to be set. Requires WRITE_DAC access. |
| GROUP_SECURITY_INFORMATION | Indicates the primary group identifier of the object is to be set. Requires WRITE_OWNER access. |
| OWNER_SECURITY_INFORMATION | Indicates the owner identifier of the object is to be set. Requires WRITE_OWNER access. |
| SACL_SECURITY_INFORMATION | Indicates the system ACL (SACL) of the object is to be set. Requires ACCESS_SYSTEM_SECURITY access. |
SecurityDescriptor [in]Pointer to the security descriptor to be set for the object.
ZwSetSecurityObject returns STATUS_SUCCESS or an appropriate error status. Possible error status codes include the following:
| Return code | Description |
|---|---|
| STATUS_ACCESS_DENIED | Handle does not have the required access rights. |
| STATUS_ACCESS_VIOLATION | SecurityDescriptor is a NULL pointer. |
| STATUS_INSUFFICIENT_RESOURCES | The object's security descriptor could not be captured. |
| STATUS_INVALID_ACL | The object's security descriptor contains an invalid ACL. |
| STATUS_INVALID_HANDLE | Handle is not a valid handle. |
| STATUS_INVALID_SECURITY_DESCR | SecurityDescriptor does not point to a valid security descriptor. |
| STATUS_INVALID_SID | The object's security descriptor contains an invalid SID. |
| STATUS_OBJECT_TYPE_MISMATCH | Handle is not a handle of the expected type. |
| STATUS_UNKNOWN_REVISION | The revision level of the object's security descriptor is unknown or is not supported. |
A security descriptor can be in absolute or self-relative form. In self-relative form, all members of the structure are located contiguously in memory. In absolute form, the structure only contains pointers to the members. For more information, see "Absolute and Self-Relative Security Descriptors" in the Security section of the Windows SDK documentation.
For more information about security and access control, see Windows security model for driver developers and the documentation on these topics in the Windows SDK.
Minifilters should use FltSetSecurityObject instead of ZwSetSecurityObject.
Callers of ZwSetSecurityObject must be running at IRQL = PASSIVE_LEVEL and with special kernel APCs enabled.
[!NOTE] If the call to the ZwSetSecurityObject function occurs in user mode, you should use the name "NtSetSecurityObject" instead of "ZwSetSecurityObject".
For calls from kernel-mode drivers, the Nt*Xxx* and Zw*Xxx* versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the Nt*Xxx* and Zw*Xxx* versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.
Using Nt and Zw Versions of the Native System Services Routines
This function is documented in Windows Driver Kit here and here.
Function NtSetSecurityDescriptor writes object's Security Descriptor.
HANDLE to object of any type. Must be opened with WRITE_DAC or WRITE_OWNER access depending on SecurityInformationClass parameter.
See NtQuerySecurityObject for possible values.
Pointer to user's allocated SECURITY_DESCRIPTOR to set.