Geoff Chappell, Software Analyst
The RtlLengthRequiredSid function tells how much memory is required for a SID.
ULONG RtlLengthRequiredSid (ULONG SubAuthorityCount);
The SubAuthorityCount argument tells how many subauthority identifiers to allow for.
The function returns the size in bytes, else MAXULONG to indicate an error.
The RtlLengthRequiredSid function is exported by name from both the kernel and NTDLL in all Windows versions, i.e., in 3.10 and higher. It provides the low-level support for the documented high-level API function GetSidLengthRequired, which ADVAPI32 exports by name in all versions.
The RtlLengthRequiredSid function is documented but has not always been. The first known documentation is from the Installable File System (IFS) Kit for Windows 2000, which was not widely circulated. The function is declared in NTIFS.H if compiling for Windows 2000 or higher.
A SID has a fixed-size header, which Microsoft defines as a SID structure, and a variable-size continuation. The total size is eight bytes for the fixed-size portion before the SubAuthority array plus four bytes for each subauthority. The number of subauthorities is given by SubAuthorityCount in the header. Except as noted in the next paragraph, the function does nothing but perform this computation for a proposed SID whose header would have the SubAuthorityCount argument as its SubAuthorityCount member.
Note that the function does not check whether the given SubAuthorityCount would be too large for a valid SID. Note also that because SubAuthorityCount is 32 bits, the computation can overflow. This is defended against in version 6.0 and higher: the function fails if SubAuthorityCount exceeds 0x3FFFFFF7.
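The computation and its overflow, modelled in portable C as an added example (this is not Microsoft's code and not from the original page). The function names are hypothetical, and the limit of 15 subauthorities is the value of SID_MAX_SUB_AUTHORITIES in the Windows headers, which the page does not state.

```c
#include <stdint.h>
#include <stdio.h>

#define SID_FIXED_SIZE      8u          /* bytes before SubAuthority[] (from the page) */
#define SID_SUBAUTH_SIZE    4u          /* bytes per subauthority (from the page) */
#define COUNT_LIMIT_V6      0x3FFFFFF7u /* limit the page gives for version 6.0 and higher */
#define MAX_SUB_AUTHORITIES 15u         /* SID_MAX_SUB_AUTHORITIES in winnt.h; not on the page */
#define MAXULONG_VALUE      0xFFFFFFFFu

/* Model of the bare computation: 32-bit arithmetic that wraps modulo 2^32. */
uint32_t length_required_unchecked(uint32_t count)
{
    return (uint32_t)(SID_FIXED_SIZE + SID_SUBAUTH_SIZE * count);
}

/* Model of the 6.0+ behaviour described above: fail instead of wrapping. */
uint32_t length_required_checked(uint32_t count)
{
    if (count > COUNT_LIMIT_V6) return MAXULONG_VALUE;
    return length_required_unchecked(count);
}

/* Hypothetical caller-side guard: since the function accepts counts that no
   valid SID can have, reject them before sizing an allocation.
   Returns 1 and writes *size on success, 0 on rejection. */
int sid_alloc_size(uint32_t count, uint32_t *size)
{
    uint32_t n;
    if (count > MAX_SUB_AUTHORITIES) return 0;
    n = length_required_checked(count);
    if (n == MAXULONG_VALUE) return 0;
    *size = n;
    return 1;
}

int main(void)
{
    /* Constructed sample counts: valid, just past valid, and near the wrap point. */
    static const uint32_t samples[] = { 1, 5, 15, 16, 0x3FFFFFF7u, 0x3FFFFFFEu, 0x40000000u };
    unsigned i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t size = 0;
        int ok = sid_alloc_size(samples[i], &size);
        printf("count=0x%08lX unchecked=0x%08lX checked=0x%08lX guard=%s\n",
               (unsigned long)samples[i],
               (unsigned long)length_required_unchecked(samples[i]),
               (unsigned long)length_required_checked(samples[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

A count of 0x40000000 makes the unchecked computation wrap to 8, the size of a SID with no subauthorities, which is why a caller that trusts an externally supplied count needs the guard regardless of Windows version.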
The kernel-mode implementation is in a paged section and must not be called at DISPATCH_LEVEL or higher. Microsoft’s documentation explicitly permits as high as APC_LEVEL.
The NTIFS.H in the Windows Driver Kit (WDK) for Windows 10 duplicates the function’s brief computation as a macro named SECURITY_SID_SIZE. It may have been introduced just to help with annotations for static code analysis, but it allows the computation in non-paged code acting on a SID in locked memory at DISPATCH_LEVEL or higher.