SeCaptureSubjectContext - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
// ntifs.h
VOID SeCaptureSubjectContext(
[out] PSECURITY_SUBJECT_CONTEXT SubjectContext
);
View the official Windows Driver Kit DDI reference// wdm.h
VOID SeCaptureSubjectContext(
[out] PSECURITY_SUBJECT_CONTEXT SubjectContext
);
View the official Windows Driver Kit DDI referenceNo description available.
SeCaptureSubjectContext takes a snapshot of the calling thread's context for access validation and auditing. See also SeCaptureSubjectContextEx.
SubjectContext [out][out] Pointer to an opaque caller-allocated SECURITY_SUBJECT_CONTEXT structure. SeCaptureSubjectContext will write the snapshot of the calling thread's security profile, which contains references to access tokens, in this structure. Drivers must not modify or try to directly access any members of this structure to make security decisions. Instead, to avoid security issues in authorization, pass this opaque structure in calls to SeAccessCheck or SePrivilegeCheck.
You must call SeCaptureSubjectContext before performing services such as access validation or generating audit messages. This is necessary to provide a consistent security context to routines such as the following:
After access validation, privilege checking, and audit generation services have been performed, release the captured context as soon as possible by calling SeReleaseSubjectContext.
SeCaptureSubjectContext locks tokens as necessary while taking the snapshot of the calling thread's security context.
On return, references to access tokens are contained in the structure that SubjectContext points to. The contents of that structure can change. To prevent this, call SeLockSubjectContext to lock the primary access token and any impersonation tokens associated with the structure. For example, when using routines that query token information more than once in the same security context (such as the ones previously listed), lock the subject context with SeLockSubjectContext to obtain consistent results.
For more information about security and access control, see Windows security model for driver developers and the documentation on these topics in the Windows SDK.
The SeCaptureSubjectContext routine captures the security context of the calling thread for access validation and auditing.
SubjectContext [out]Pointer to a caller-allocated SECURITY_SUBJECT_CONTEXT structure.
The SeCaptureSubjectContext routine returns a pointer to a SECURITY_SUBJECT_CONTEXT structure, which contains references to access tokens. The contents of that structure can change. The SeLockSubjectContext routine locks the primary access token and any impersonation tokens associated with the structure.
When using routines that query token information, such as SeQueryAuthenticationIdToken, SeQuerySubjectContextToken, SeQueryInformationToken, and SePrivilegeCheck, more than once in the same security context, lock the subject context with SeLockSubjectContext to obtain consistent results.
File systems must call SeCaptureSubjectContext before performing access validation or generating audit messages. This is necessary to provide a consistent security context to routines such as SeQueryAuthenticationIdToken, SeQuerySubjectContextToken, and SePrivilegeCheck. After these operations have been performed, the captured context should be released as soon as possible by calling SeReleaseSubjectContext.
For more information about security and access control, see the documentation on these topics in the Microsoft Windows SDK.