Geoff Chappell - Software Analyst
Sets the integrity level for an open kernel object.
HRESULT SetKernelHandleIntegrityLevel (HANDLE hObject, PVOID pIntegritySid);
The hObject argument provides a handle to an open kernel object.
The pIntegritySid argument provides the address of a SID that represents the desired integrity level.
The function returns zero for success, else an error code.
If not running on Windows Vista or higher, there is no operating-system support for integrity levels, and the function fails (returning S_FALSE).
The general idea is that if the object does not already have the integrity level represented by the given SID, the function creates a SYSTEM_MANDATORY_LABEL_ACE from the given SID, and sets it into the object’s SACL.
An object that does not have a SACL with a SYSTEM_MANDATORY_LABEL_ACE counts as having medium integrity already. Any failure to determine the integrity level, including because the object has a mandatory-label ACE with the ACE_INHERIT_ONLY flag, is not failure for the function but means only that the object has no integrity level to compare with the desired level.
If the function does proceed to setting the integrity level, it first validates the given SID. The new mandatory-label ACE is inheritable both by objects and containers, and has SYSTEM_MANDATORY_LABEL_NO_WRITE_UP as the access policy.
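The decision logic described above, as an added illustration in portable C (this is not code from IERTUTIL or from this page). The structure layouts and constants reproduce the public Win32 ACL, ACE and SID formats; the function names, the medium-level RID 0x2000 and the sample SACL are this example's own constructions.

```c
#include <stdint.h>
#include <string.h>
/* Constants and layouts mirror the public Win32 ACL/ACE/SID formats; illustrative re-implementation only. */
enum { SYSTEM_MANDATORY_LABEL_ACE_TYPE = 0x11, OBJECT_INHERIT_ACE = 0x01,
       CONTAINER_INHERIT_ACE = 0x02, INHERIT_ONLY_ACE = 0x08, LABEL_UNKNOWN = -1,
       SYSTEM_MANDATORY_LABEL_NO_WRITE_UP = 0x01, SECURITY_MANDATORY_MEDIUM_RID = 0x2000 };
typedef struct { uint8_t AceType, AceFlags; uint16_t AceSize; } ACE_HEADER;
typedef struct { ACE_HEADER Header; uint32_t Mask; uint32_t SidStart; } LABEL_ACE;
typedef struct { uint8_t AclRevision, Sbz1; uint16_t AclSize, AceCount, Sbz2; } ACL;

/* Current level as described above: no SACL or no label ACE counts as medium;
   a label ACE carrying ACE_INHERIT_ONLY cannot be evaluated (LABEL_UNKNOWN). */
int current_label_rid(const ACL *sacl)
{
    if (sacl == NULL) return SECURITY_MANDATORY_MEDIUM_RID;
    const uint8_t *p = (const uint8_t *)(sacl + 1);      /* first ACE follows the ACL header */
    for (unsigned i = 0; i < sacl->AceCount; i++, p += ((const ACE_HEADER *)p)->AceSize) {
        const ACE_HEADER *h = (const ACE_HEADER *)p;
        if (h->AceType != SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
        if (h->AceFlags & INHERIT_ONLY_ACE) return LABEL_UNKNOWN;
        uint32_t rid; memcpy(&rid, p + 16, 4);          /* S-1-16-<rid>: RID is the SID's last 4 bytes */
        return (int)rid;
    }
    return SECURITY_MANDATORY_MEDIUM_RID;
}
/* A label is written only when the current level differs or could not be determined. */
int label_needs_update(const ACL *sacl, uint32_t rid)
{
    int cur = current_label_rid(sacl);
    return cur == LABEL_UNKNOWN || (uint32_t)cur != rid;
}
/* The ACE that is written: inheritable by objects and containers, NO_WRITE_UP policy, 12-byte SID. */
size_t build_label_ace(uint8_t *out, uint32_t rid)
{
    LABEL_ACE ace = { { SYSTEM_MANDATORY_LABEL_ACE_TYPE, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE, 20 },
                      SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, 0 };
    memcpy(out, &ace, 8);                          /* header + access mask */
    memcpy(out + 8, "\1\1\0\0\0\0\0\20", 8);       /* SID: revision 1, one sub-authority, authority 16 */
    memcpy(out + 16, &rid, 4);                     /* the sub-authority, i.e. the integrity level */
    return 20;                                     /* total ACE size in bytes */
}
/* Constructed sample: a SACL holding one label ACE, built in a static buffer. */
const ACL *sample_sacl(uint32_t rid, uint8_t extra_ace_flags)
{
    static uint8_t buf[sizeof(ACL) + 20];
    ACL acl = { 2, 0, (uint16_t)sizeof buf, 1, 0 }; /* ACL_REVISION 2, one ACE */
    memcpy(buf, &acl, sizeof acl);
    build_label_ace(buf + sizeof acl, rid);
    buf[sizeof acl + 1] |= extra_ace_flags;        /* AceFlags byte of that one ACE */
    return (const ACL *)buf;
}
```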
The SetKernelHandleIntegrityLevel function is exported from IERTUTIL as ordinal 52 in version 7.0 and higher.