#ifndef _NTRTL_H
// private
/**
 * Removes all privileges from the token except the specified ones.
 *
 * @param TokenHandle       Handle to the token to modify. The handle must grant
 *                          TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES access. Token
 *                          pseudo-handles such as NtCurrentProcessToken are not
 *                          supported; open a real handle to the process/thread
 *                          token first.
 * @param PrivilegesToKeep  Pointer to an array of ULONG privilege IDs that are
 *                          to be retained; every other privilege is removed.
 *                          The array must hold at least PrivilegeCount entries.
 * @param PrivilegeCount    Number of elements in PrivilegesToKeep.
 * @return NTSTATUS. STATUS_NOT_ALL_ASSIGNED is a *success* status meaning not
 *         every requested privilege was adjusted (e.g. it was not present in
 *         the token); NT_SUCCESS() is true for it, so callers that require all
 *         adjustments to have taken effect must test for it explicitly.
 *
 * Implemented by querying TokenPrivileges through NtQueryInformationToken and
 * then applying the removals with NtAdjustPrivilegesToken.
 */
NTSYSAPI
NTSTATUS
NTAPI
RtlRemovePrivileges(
_In_ HANDLE TokenHandle,
_In_ PULONG PrivilegesToKeep,
_In_ ULONG PrivilegeCount
);
Removes all privileges from the token except for the specified ones.
TokenHandle - a handle to the token to modify. The handle must grant TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES access.

PrivilegesToKeep - a pointer to an array of privilege IDs to keep.

PrivilegeCount - the number of elements passed in the PrivilegesToKeep parameter.

STATUS_NOT_ALL_ASSIGNED - this successful status indicates that not all of the requested privileges were adjusted, for example when some of them are not present in the token.

Note that this function does not support token pseudo-handles such as NtCurrentProcessToken. To adjust the current process or thread token, open a real handle to it first.
This function enumerates the token's privileges by calling NtQueryInformationToken with the TokenPrivileges information class, and then removes every privilege not listed in PrivilegesToKeep via NtAdjustPrivilegesToken.