The QueryServiceObjectSecurity function retrieves a copy of the security descriptor protecting a service object.
BOOL QueryServiceObjectSecurity(
| SC_HANDLE hService, | // handle of service |
| SECURITY_INFORMATION dwSecurityInformation, | // type of security information requested |
| PSECURITY_DESCRIPTOR lpSecurityDescriptor, | // address of security descriptor |
| DWORD cbBufSize, | // size of security descriptor buffer |
| LPDWORD pcbBytesNeeded | // address of variable for bytes needed |
| ); |
Parameters
hService
Identifies the service. This handle is returned by the OpenService or CreateService function, and it must have READ_CONTROL access.
dwSecurityInformation
Specifies the security information being requested. Any or all of the following flags can be specified:
| Value | Meaning |
| OWNER_SECURITY_INFORMATION | Requests the object's owner security identifier (SID). |
| GROUP_SECURITY_INFORMATION | Requests the object's primary group SID. |
| DACL_SECURITY_INFORMATION | Requests the object's discretionary access control list (ACL). |
| SACL_SECURITY_INFORMATION | Requests the object's system ACL. The calling process must have the SE_SECURITY_NAME privilege. For more information about privileges, see Privileges. |
lpSecurityDescriptor
Points to a buffer that receives a copy of the security descriptor of the specified service object. The calling process must have the appropriate access to view the specified aspects of the object's security descriptor. The SECURITY_DESCRIPTOR structure is returned in self-relative format.
cbBufSize
Specifies the size, in bytes, of the buffer pointed to by the lpSecurityDescriptor parameter.
pcbBytesNeeded
Points to a variable that receives the number of bytes needed to return all the requested security descriptor information.
Return Values
If the function succeeds, the return value is nonzero.
If the function fails, the return value is zero. To get extended error information, call GetLastError.
Errors
The following error codes may be set by the service control manager. Other error codes may be set by the registry functions that are called by the service control manager.
| Value | Meaning |
| ERROR_ACCESS_DENIED | The specified handle was not opened with READ_CONTROL access, or the calling process is not the owner of the object. |
| ERROR_INVALID_HANDLE | The specified handle is invalid. |
| ERROR_INSUFFICIENT_BUFFER | There is more security descriptor information than would fit into the lpSecurityDescriptor buffer. The number of bytes required to get all the information is returned in the pcbBytesNeeded parameter. Nothing is written to the lpSecurityDescriptor buffer. |
| ERROR_INVALID_PARAMETER | The specified security information is invalid. |
Remarks
The initial security descriptor of a service object is created by the service control manager, based on the security descriptor of the process that called the CreateService function to create the service. The security descriptor can be changed by calling the SetServiceObjectSecurity function.
See Also
CreateService, OpenService, SECURITY_DESCRIPTOR, SetServiceObjectSecurity