| UID | tech.root | title | ms.date | targetos | description | prerelease | req.assembly | req.construct-type | req.ddi-compliance | req.header | req.idl | req.include-header | req.irql | req.kmdf-ver | req.lib | req.dll | req.max-support | req.namespace | req.redist | req.target-min-winverclnt | req.target-min-winversvr | req.target-type | req.type-library | req.umdf-ver | req.unicode-ansi | topic_type | api_type | api_location | api_name | f1_keywords | dev_langs | ms.custom | |||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
NF:ntifs.NtPrivilegeCheck |
kernel |
NtPrivilegeCheck function (ntifs.h) |
10/06/2022 |
Windows |
The NtPrivilegeCheck routine determines whether a specified set of privileges is enabled in the subject's access token. |
false |
function |
ntifs.h |
NtosKrnl.lib |
NtosKrnl.exe |
Windows XP |
|
|
|
|
|
|
engagement-fy23 |
NtPrivilegeCheck is reserved for system use.
A handle to a token object representing a client attempting access. This handle must be obtained from a communication session layer, such as from an LPC Port or Local Named Pipe, to prevent possible security policy violations.
Pointer to a PRIVILEGE_SET structure. The Privilege member of this structure is an array of LUID_AND_ATTRIBUTES structures. Before calling SePrivilegeCheck, use the Privilege array to indicate the set of privileges to check. Set the Control member to PRIVILEGE_SET_ALL_NECESSARY if all of the privileges must be enabled; or set it to zero if it is sufficient that any one of the privileges be enabled.
Receives a boolean flag indicating whether the client has all the specified privileges. A value of TRUE indicates the client has all the specified privileges; otherwise a value of FALSE is returned.
NtPrivilegeCheck returns STATUS_SUCCESS on successful completion. Otherwise, it returns an error code, such as the following.
| Return code | Description |
|---|---|
| STATUS_PRIVILEGE_NOT_HELD | The caller does not have sufficient privilege to use this privileged system service. |
An access token contains a list of the privileges held by the account associated with the token. These privileges can be enabled or disabled; most are disabled by default. NtPrivilegeCheck checks only for enabled privileges. To get a list of all the enabled and disabled privileges held by an access token, call SeQueryInformationToken.
For more information about security and access control, see Windows security model for driver developers and the documentation on these topics in the Windows SDK.