ntoskrnl.exeT1069T1087T1106

NtQuerySecurityObject

Retrieves a self-relative SECURITY_DESCRIPTOR from any kernel object exposed via a handle.

Prototype

NTSTATUS NtQuerySecurityObject(
  HANDLE               Handle,
  SECURITY_INFORMATION SecurityInformation,
  PSECURITY_DESCRIPTOR SecurityDescriptor,
  ULONG                Length,
  PULONG               LengthNeeded
);

Arguments

Name	Type	Dir	Description
Handle	HANDLE	in	Handle to any securable object (file, registry key, process, token, named pipe, etc.) opened with READ_CONTROL.
SecurityInformation	SECURITY_INFORMATION	in	Bitmask of parts to retrieve: OWNER_SECURITY_INFORMATION \| GROUP_ \| DACL_ \| SACL_ \| LABEL_ \| ATTRIBUTE_.
SecurityDescriptor	PSECURITY_DESCRIPTOR	out	Caller-allocated buffer receiving the self-relative security descriptor.
Length	ULONG	in	Size of SecurityDescriptor in bytes.
LengthNeeded	PULONG	out	Receives the size actually written, or the size required on STATUS_BUFFER_TOO_SMALL.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x142	win10-1507
Win10 1607	0x148	win10-1607
Win10 1703	0x14E	win10-1703
Win10 1709	0x151	win10-1709
Win10 1803	0x153	win10-1803
Win10 1809	0x154	win10-1809
Win10 1903	0x155	win10-1903
Win10 1909	0x155	win10-1909
Win10 2004	0x15B	win10-2004
Win10 20H2	0x15B	win10-20h2
Win10 21H1	0x15B	win10-21h1
Win10 21H2	0x15C	win10-21h2
Win10 22H2	0x15C	win10-22h2
Win11 21H2	0x163	win11-21h2
Win11 22H2	0x166	win11-22h2
Win11 23H2	0x166	win11-23h2
Win11 24H2	0x168	win11-24h2
Server 2016	0x148	winserver-2016
Server 2019	0x154	winserver-2019
Server 2022	0x161	winserver-2022
Server 2025	0x168	winserver-2025

Kernel module

ntoskrnl.exe → NtQuerySecurityObject

Related APIs

GetSecurityInfoGetKernelObjectSecurityGetUserObjectSecurityGetFileSecurityWNtSetSecurityObjectNtAccessCheck

Syscall stub

4C 8B D1            mov r10, rcx
B8 68 01 00 00      mov eax, 0x168
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Universal accessor for security descriptors across object types. Reading the SACL requires SE_SECURITY_NAME (ACCESS_SYSTEM_SECURITY) — most callers therefore omit SACL_SECURITY_INFORMATION. Returns STATUS_BUFFER_TOO_SMALL with the required size in LengthNeeded; the standard pattern is a probe call with Length=0 followed by an allocation. Win32 wrappers GetSecurityInfo / GetKernelObjectSecurity / GetUserObjectSecurity all eventually land here.

Common malware usage

Reconnaissance step that almost always precedes a SetSecurityObject — the implant reads the current SDDL of a target (service registry key, scheduled task file, EDR install directory) to know what to merge or strip. Also used by privilege-discovery tooling like PowerSploit's Get-DomainObjectAcl-equivalent code to spot weak ACLs (e.g. a service registry key writable by Authenticated Users) that can be abused without touching anything. In credential-theft chains, NtQuerySecurityObject against an LSASS handle confirms which privileges and access bits the operator actually obtained.

Cobalt Strike (BOFs that pre-flight DACLs)Carbanak / FIN7 (service ACL surveys)Lazarus (LSASS handle inspection)

Detection opportunities

By itself extremely high volume — every Open dialog, every file Properties window, every UAC prompt calls this. The detection bar is *context*: NtQuerySecurityObject on `HKLM\SYSTEM\CurrentControlSet\Services\<EDR>` or on `lsass.exe` from a non-trusted process is interesting. Object-Access auditing (Event 4663 with `Accesses: Read SD`) covers most cases but is noisy until tuned. EDRs that mediate file/process opens see the READ_CONTROL on the handle that NtQuerySecurityObject depends on. Bluespawn-style detection focuses on the *paired* SetSecurityObject that follows.

Direct syscall examples

cProbe-then-alloc pattern

// Read the DACL of a service registry key in two calls.
ULONG needed = 0;
NTSTATUS st = NtQuerySecurityObject(hSvcKey, DACL_SECURITY_INFORMATION,
                                    NULL, 0, &needed);
if (st == STATUS_BUFFER_TOO_SMALL) {
    PVOID sd = RtlAllocateHeap(RtlProcessHeap(), 0, needed);
    st = NtQuerySecurityObject(hSvcKey, DACL_SECURITY_INFORMATION,
                               sd, needed, &needed);
    // Now walk the DACL and decide what to weaken.
}

asmx64 direct stub (Win11 24H2 SSN 0x168)

NtQuerySecurityObject PROC
    mov  r10, rcx
    mov  eax, 168h
    syscall
    ret
NtQuerySecurityObject ENDP

rustRead DACL of EDR install dir before tampering

// Cargo: ntapi = "0.4", windows-sys = "0.59"
let mut needed: u32 = 0;
let st = unsafe {
    NtQuerySecurityObject(h_dir,
        DACL_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION,
        null_mut(), 0, &mut needed)
};
assert_eq!(st, STATUS_BUFFER_TOO_SMALL as i32);
let mut buf = vec![0u8; needed as usize];
unsafe {
    NtQuerySecurityObject(h_dir,
        DACL_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION,
        buf.as_mut_ptr() as _, buf.len() as u32, &mut needed);
}

MITRE ATT&CK mappings

Last verified: 2026-05-20