ntoskrnl.exeT1087.002T1069.002T1106

NtAccessCheckByType

Performs a security access check against a security descriptor honoring a typed object hierarchy (OBJECT_TYPE_LIST).

Prototype

NTSTATUS NtAccessCheckByType(
  PSECURITY_DESCRIPTOR  SecurityDescriptor,
  PSID                  PrincipalSelfSid,
  HANDLE                ClientToken,
  ACCESS_MASK           DesiredAccess,
  POBJECT_TYPE_LIST     ObjectTypeList,
  ULONG                 ObjectTypeListLength,
  PGENERIC_MAPPING      GenericMapping,
  PPRIVILEGE_SET        PrivilegeSet,
  PULONG                PrivilegeSetLength,
  PACCESS_MASK          GrantedAccess,
  PNTSTATUS             AccessStatus
);

Arguments

Name	Type	Dir	Description
SecurityDescriptor	PSECURITY_DESCRIPTOR	in	Security descriptor of the typed object being checked. Must contain owner, group and DACL.
PrincipalSelfSid	PSID	in	Optional SID substituted for PRINCIPAL_SELF entries in the DACL (e.g. AD account self-ACE).
ClientToken	HANDLE	in	Impersonation token of the client whose access is being evaluated.
DesiredAccess	ACCESS_MASK	in	Bitmask of requested rights (specific + standard + generic; MAXIMUM_ALLOWED supported).
ObjectTypeList	POBJECT_TYPE_LIST	in	Array describing the object-type hierarchy (root + children). Each level may grant a different subset of DesiredAccess.
ObjectTypeListLength	ULONG	in	Number of OBJECT_TYPE_LIST entries. Capped at 256 by the kernel.
GenericMapping	PGENERIC_MAPPING	in	Maps GENERIC_READ/WRITE/EXECUTE/ALL to object-specific rights.
PrivilegeSet	PPRIVILEGE_SET	out	Receives privileges used during the check (e.g. SeSecurityPrivilege for SACL access).
PrivilegeSetLength	PULONG	in/out	On entry: size of PrivilegeSet buffer; on exit: bytes actually used / required.
GrantedAccess	PACCESS_MASK	out	Receives the access mask actually granted (subset of DesiredAccess).
AccessStatus	PNTSTATUS	out	Receives STATUS_SUCCESS if access is granted, STATUS_ACCESS_DENIED otherwise.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x63	win10-1507
Win10 1607	0x63	win10-1607
Win10 1703	0x63	win10-1703
Win10 1709	0x63	win10-1709
Win10 1803	0x63	win10-1803
Win10 1809	0x63	win10-1809
Win10 1903	0x63	win10-1903
Win10 1909	0x63	win10-1909
Win10 2004	0x63	win10-2004
Win10 20H2	0x63	win10-20h2
Win10 21H1	0x63	win10-21h1
Win10 21H2	0x63	win10-21h2
Win10 22H2	0x63	win10-22h2
Win11 21H2	0x63	win11-21h2
Win11 22H2	0x63	win11-22h2
Win11 23H2	0x63	win11-23h2
Win11 24H2	0x63	win11-24h2
Server 2016	0x63	winserver-2016
Server 2019	0x63	winserver-2019
Server 2022	0x63	winserver-2022
Server 2025	0x63	winserver-2025

Kernel module

ntoskrnl.exe → NtAccessCheckByType

Related APIs

AccessCheckByTypeAccessCheckByTypeResultListAccessCheckByTypeAndAuditAlarmNtAccessCheckMapGenericMaskGetEffectiveRightsFromAclW

Syscall stub

4C 8B D1            mov r10, rcx
B8 63 00 00 00      mov eax, 0x63
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Extended cousin of `NtAccessCheck` that understands a *typed object hierarchy*. Where `NtAccessCheck` evaluates one DACL against one DesiredAccess, `NtAccessCheckByType` walks an `OBJECT_TYPE_LIST` (root → child types, identified by GUID) and may grant the requested access at the parent level while denying it at a specific child type — the model AD uses for fine-grained permissions like 'Read All Properties' versus 'Read PasswordLastSet'. Object-specific ACEs (`ACCESS_ALLOWED_OBJECT_ACE`, `ACCESS_DENIED_OBJECT_ACE`) carry a GUID matching one of the OBJECT_TYPE_LIST entries. The syscall number `0x63` is stable from Windows 10 1507 all the way through Server 2025 and Win11 24H2 — one of the most stable syscalls in the table.

Common malware usage

Weak malware signal — this is a self-service security primitive used by **server-side software**, not malware. It appears in Active Directory authorization paths (lsass.exe, dsamain.exe), in COM+/Component Services (catsrv.dll), in Authorization Manager (azroles.dll), and in some MS-SQL access broker code. Documented offensive uses are limited to: (1) AD privilege-mapping reconnaissance, where an attacker calls AccessCheckByType locally against the user's own token plus a domain-controller-fetched security descriptor to enumerate exactly which AD attributes the current principal can read/write — equivalent to BloodHound's user-rights collection but client-side and without network noise; (2) some COM-based UAC bypass research has used it to verify that an exploit chain actually flips a previously-denied access bit. There is no documented major-malware-family use as a primary primitive.

BloodHound-style recon tooling (local variants)Targeted AD enumeration utilities

Detection opportunities

Telemetry signal is essentially zero for the syscall itself — too noisy in legitimate AD and COM+ workloads to alarm on. Defenders instead focus on: object-access auditing (Event ID 4663) at the resource owners (AD via 4662 'object operation', COM+ via Component Services audit), which fires *after* the AccessCheckByType decision. ETW Microsoft-Windows-Security-Auditing covers the AD-side audit category. For COM and Authorization Manager apps, custom AppLog ETW providers may emit access-check verdicts. From an EDR perspective, AccessCheckByType called by a non-server process targeting an AD object descriptor (recognizable from the GUIDs in the OBJECT_TYPE_LIST) is a weak BloodHound-style recon indicator.

Direct syscall examples

asmx64 direct stub (all builds)

; Direct syscall stub for NtAccessCheckByType (SSN 0x63 stable across all builds)
NtAccessCheckByType PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 63h          ; SSN — stable everywhere
    syscall
    ret
NtAccessCheckByType ENDP

cAD attribute-level access check (server-side pattern)

// AD authorization sample: the caller wants to read the 'unicodePwd' attribute
// on a user object. OBJECT_TYPE_LIST has the user class at level 0 and the
// attribute at level 1; AccessCheckByType returns per-level masks.
#include <windows.h>
#include <accctrl.h>
#include <aclapi.h>

BOOL CheckCanReadAttribute(PSECURITY_DESCRIPTOR sd, HANDLE clientToken,
                           const GUID* classGuid, const GUID* attrGuid)
{
    OBJECT_TYPE_LIST otl[2] = {
        { ACCESS_OBJECT_GUID, 0, (GUID*)classGuid },
        { ACCESS_PROPERTY_GUID, 0, (GUID*)attrGuid },
    };
    GENERIC_MAPPING gm = { 0x20094, 0x20028, 0, 0xF01FF };
    PRIVILEGE_SET ps; ULONG psLen = sizeof(ps);
    ACCESS_MASK granted = 0; BOOL accessStatus = FALSE;

    return AccessCheckByType(sd, NULL, clientToken, ACTRL_DS_READ_PROP,
        otl, 2, &gm, &ps, &psLen, &granted, &accessStatus) && accessStatus;
}

cLocal AD-rights enumeration (red-team recon)

// Variant: caller passes its own impersonation token plus a DC-fetched SD
// for a target object and probes a list of attribute GUIDs to discover the
// effective rights without round-tripping LDAP queries to the DC.
#include <windows.h>
#include <stdio.h>

void EnumerateLocalRights(PSECURITY_DESCRIPTOR sd, HANDLE myToken,
                          const GUID* classGuid,
                          const GUID* attrGuids, size_t n)
{
    for (size_t i = 0; i < n; ++i) {
        if (CheckCanReadAttribute(sd, myToken, classGuid, &attrGuids[i])) {
            wprintf(L"+ readable attr %zu\n", i);
        }
    }
}

MITRE ATT&CK mappings

Last verified: 2026-05-20