Geoff Chappell - Software Analyst
Sets the integrity level for an open file.
HRESULT SetFileHandleIntegrityLevel ( HANDLE hFile, PVOID pIntegritySid);
The hFile argument provides a handle to an open file (or directory).
The pIntegritySid argument provides the address of a SID that represents the desired integrity level.
The function returns zero for success, else an error code.
If not running on Windows Vista or higher, there is no operating-system support for integrity levels, and the function fails, returning S_FALSE. Note that S_FALSE (1) is not an error code in the usual COM sense: SUCCEEDED(S_FALSE) is true, so a caller that checks only SUCCEEDED will not notice that nothing was done.
The general idea is that if the file does not already have the integrity level represented by the given SID, the function creates a SYSTEM_MANDATORY_LABEL_ACE from the given SID, and sets it into the file’s SACL.
A file whose SACL has no SYSTEM_MANDATORY_LABEL_ACE (including a file with no SACL at all) counts as already having medium integrity. Failure to determine the integrity level, for instance because the file's mandatory-label ACE has the INHERIT_ONLY_ACE flag, is not failure for the function: it means only that the file has no current integrity level to compare with the desired one, and the function proceeds to set the label.
If the function does proceed to setting the integrity level, it first validates the given SID. The new mandatory-label ACE has both OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE set, so that it is inherited by files and subfolders when the handle is to a directory, and has SYSTEM_MANDATORY_LABEL_NO_WRITE_UP as its access policy.
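The following is an added example, not code from Geoff Chappell or from IERTUTIL, that reproduces the logic described above in portable C: reading an integrity level back from a SACL (no label ACE counts as medium, an INHERIT_ONLY_ACE label leaves the level undetermined), deciding whether a new label is needed, and building the SACL with the one inheritable NO_WRITE_UP mandatory-label ACE. The SID, ACE and ACL structures are declared locally with the same byte layout as in winnt.h so that the example compiles without the Windows headers; the particular checks in ml_sid_is_valid are an assumption about what "validates the given SID" involves, not a statement about IERTUTIL's own checks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local copies of the relevant winnt.h constants (same values), so the
   example also builds away from Windows. */
#define ML_SID_REVISION                     1
#define ML_AUTHORITY                        16      /* S-1-16-<level> */
#define SECURITY_MANDATORY_MEDIUM_RID_      0x2000
#define SECURITY_MANDATORY_HIGH_RID_        0x3000
#define ACL_REVISION_                       2
#define SYSTEM_MANDATORY_LABEL_ACE_TYPE_    0x11
#define OBJECT_INHERIT_ACE_                 0x01
#define CONTAINER_INHERIT_ACE_              0x02
#define INHERIT_ONLY_ACE_                   0x08
#define SYSTEM_MANDATORY_LABEL_NO_WRITE_UP_ 0x01

/* Same byte layout as the Windows SID (one subauthority), ACE_HEADER and ACL. */
typedef struct {
    uint8_t  Revision;
    uint8_t  SubAuthorityCount;
    uint8_t  IdentifierAuthority[6];
    uint32_t SubAuthority[1];
} ml_sid_t;                     /* 12 bytes */

typedef struct {
    uint8_t  AceType;
    uint8_t  AceFlags;
    uint16_t AceSize;
} ace_header_t;                 /* 4 bytes; Mask (4) and the SID follow it */

typedef struct {
    uint8_t  AclRevision;
    uint8_t  Sbz1;
    uint16_t AclSize;
    uint16_t AceCount;
    uint16_t Sbz2;
} acl_header_t;                 /* 8 bytes */

/* Structural check for a mandatory-label SID: S-1-16-<rid>, exactly one
   subauthority. (What IERTUTIL itself checks is not stated; this is assumed.) */
bool ml_sid_is_valid(const ml_sid_t *sid)
{
    static const uint8_t auth[6] = { 0, 0, 0, 0, 0, ML_AUTHORITY };
    return sid != NULL
        && sid->Revision == ML_SID_REVISION
        && sid->SubAuthorityCount == 1
        && memcmp(sid->IdentifierAuthority, auth, sizeof auth) == 0;
}

/* Build a SACL holding one SYSTEM_MANDATORY_LABEL_ACE for S-1-16-<rid>,
   inheritable by files and subfolders, with the NO_WRITE_UP policy.
   Returns the number of bytes written, or 0 if the buffer is too small. */
size_t build_label_sacl(uint8_t *buf, size_t cap, uint32_t rid)
{
    const size_t ace_size = sizeof(ace_header_t) + sizeof(uint32_t) + sizeof(ml_sid_t);
    const size_t total = sizeof(acl_header_t) + ace_size;
    if (buf == NULL || cap < total) return 0;
    memset(buf, 0, total);

    acl_header_t acl = { ACL_REVISION_, 0, (uint16_t)total, 1, 0 };
    ace_header_t hdr = { SYSTEM_MANDATORY_LABEL_ACE_TYPE_,
                         OBJECT_INHERIT_ACE_ | CONTAINER_INHERIT_ACE_,
                         (uint16_t)ace_size };
    uint32_t mask = SYSTEM_MANDATORY_LABEL_NO_WRITE_UP_;
    ml_sid_t sid = { ML_SID_REVISION, 1, { 0, 0, 0, 0, 0, ML_AUTHORITY }, { rid } };

    uint8_t *p = buf;
    memcpy(p, &acl, sizeof acl);   p += sizeof acl;
    memcpy(p, &hdr, sizeof hdr);   p += sizeof hdr;
    memcpy(p, &mask, sizeof mask); p += sizeof mask;
    memcpy(p, &sid, sizeof sid);
    return total;
}

/* Determine the current integrity level from a SACL as the page describes:
   no SACL or no label ACE means medium; a label ACE flagged INHERIT_ONLY_ACE
   (or a malformed ACL) means the level cannot be determined.
   Returns 0 with *rid set, or -1 if undetermined. */
int sacl_integrity_rid(const uint8_t *sacl, size_t len, uint32_t *rid)
{
    if (sacl == NULL || len == 0) { *rid = SECURITY_MANDATORY_MEDIUM_RID_; return 0; }
    if (len < sizeof(acl_header_t)) return -1;
    acl_header_t acl;
    memcpy(&acl, sacl, sizeof acl);
    if (acl.AclSize > len) return -1;

    size_t off = sizeof acl;
    for (unsigned i = 0; i < acl.AceCount; i++) {
        ace_header_t hdr;
        if (off + sizeof hdr > acl.AclSize) return -1;
        memcpy(&hdr, sacl + off, sizeof hdr);
        if (hdr.AceSize < sizeof hdr || off + hdr.AceSize > acl.AclSize) return -1;
        if (hdr.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE_) {
            if (hdr.AceFlags & INHERIT_ONLY_ACE_) return -1;   /* the caveat on the page */
            if (hdr.AceSize < sizeof hdr + sizeof(uint32_t) + sizeof(ml_sid_t)) return -1;
            ml_sid_t sid;
            memcpy(&sid, sacl + off + sizeof hdr + sizeof(uint32_t), sizeof sid);
            if (!ml_sid_is_valid(&sid)) return -1;
            *rid = sid.SubAuthority[0];
            return 0;
        }
        off += hdr.AceSize;
    }
    *rid = SECURITY_MANDATORY_MEDIUM_RID_;   /* SACL present but carries no label */
    return 0;
}

/* The decision described on the page: set a new label unless the file already
   has the desired one; an undetermined level is not failure, just nothing to compare. */
bool label_needs_setting(const uint8_t *sacl, size_t len, uint32_t desired_rid)
{
    uint32_t current;
    if (sacl_integrity_rid(sacl, len, &current) != 0) return true;
    return current != desired_rid;
}

int main(void)
{
    uint8_t sacl[64];
    uint32_t rid = 0;
    size_t n = build_label_sacl(sacl, sizeof sacl, SECURITY_MANDATORY_HIGH_RID_);
    if (sacl_integrity_rid(sacl, n, &rid) == 0)
        printf("built %zu-byte SACL; level read back: 0x%x\n", n, rid);
    printf("unlabelled file already medium: %s\n",
           label_needs_setting(NULL, 0, SECURITY_MANDATORY_MEDIUM_RID_) ? "no" : "yes");
    return 0;
}
```

On Windows Vista or higher, a SACL built this way is applied to an open handle with SetSecurityInfo(hFile, SE_FILE_OBJECT, LABEL_SECURITY_INFORMATION, NULL, NULL, NULL, sacl), and the existing label is read with GetSecurityInfo requesting LABEL_SECURITY_INFORMATION; those two calls do the work that this example only models in memory.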
The SetFileHandleIntegrityLevel function is exported from IERTUTIL as ordinal 39 in version 7.0 and higher.