Geoff Chappell, Software Analyst
The RtlLengthSid function reads enough of a supposed SID to compute what size it must have if the SID is valid.
ULONG RtlLengthSid (PSID Sid);
The Sid argument provides the address of the SID.
The function returns the size in bytes.
The RtlLengthSid function is exported by name from both the kernel and NTDLL in all Windows versions, i.e., in 3.10 and higher. It provides the low-level support for the documented high-level API function GetLengthSid, which ADVAPI32 exports by name in all versions.
The RtlLengthSid function is documented but has not always been. The first known documentation is from the Installable File System (IFS) Kit for Windows 2000, which was not widely circulated. The function is declared in NTIFS.H if compiling for Windows 2000 or higher.
A SID has a fixed-size header, which Microsoft defines as a SID structure, and a variable-size continuation. The total size is eight bytes for the fixed-size portion before the SubAuthority array plus four bytes for each subauthority. The number of subauthorities is given by SubAuthorityCount in the header. The function does nothing but read what would be the SubAuthorityCount if there is indeed a SID at Sid, and feed it into this computation. Note that the SubAuthorityCount is a byte, and so the computation cannot overflow.
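The computation described above, as an added example in portable C that is not code from this page or from Microsoft: sid_length_unchecked does the same arithmetic on the byte at offset 1, and the hypothetical helper sid_length_checked adds the checks a caller would make before trusting that result for a buffer of untrusted origin. The limits of revision 1 and 15 subauthorities are taken from SID_REVISION and SID_MAX_SUB_AUTHORITIES in Microsoft's headers, not from this page, and the sample byte arrays are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fixed-size SID header: Revision (1 byte), SubAuthorityCount (1 byte),
   IdentifierAuthority (6 bytes). Subauthorities follow, 4 bytes each. */
#define SID_HEADER_SIZE 8u
#define SID_REV         1u   /* assumption: SID_REVISION from Microsoft's headers */
#define SID_MAX_SUBAUTH 15u  /* assumption: SID_MAX_SUB_AUTHORITIES, likewise */

/* Same arithmetic as described for RtlLengthSid: trusts the count byte.
   A byte is at most 255, so the result is at most 8 + 4 * 255 = 1028. */
static uint32_t sid_length_unchecked(const uint8_t *sid)
{
    return SID_HEADER_SIZE + 4u * (uint32_t)sid[1];
}

/* Hypothetical helper: length of the SID in buf[0..len), or 0 if the buffer
   cannot hold a complete, plausible SID. */
static uint32_t sid_length_checked(const uint8_t *buf, size_t len)
{
    uint32_t need;
    if (buf == NULL || len < SID_HEADER_SIZE) return 0; /* header must be readable */
    if (buf[0] != SID_REV) return 0;                    /* unknown revision */
    if (buf[1] > SID_MAX_SUBAUTH) return 0;             /* implausible count */
    need = sid_length_unchecked(buf);
    return need <= len ? need : 0;                      /* whole SID must fit */
}

/* Constructed samples. */
static const uint8_t sid_system[]    = { 1, 1, 0,0,0,0,0,5, 18,0,0,0 }; /* S-1-5-18 */
static const uint8_t sid_truncated[] = { 1, 5, 0,0,0,0,0,5, 21,0,0,0 }; /* claims 5, holds 1 */
static const uint8_t sid_garbage[]   = { 0xFF, 0xFF, 0,0,0,0,0,0 };     /* not a SID */

int main(void)
{
    printf("system:    unchecked %u, checked %u\n",
           (unsigned)sid_length_unchecked(sid_system),
           (unsigned)sid_length_checked(sid_system, sizeof sid_system));
    printf("truncated: unchecked %u, checked %u\n",
           (unsigned)sid_length_unchecked(sid_truncated),
           (unsigned)sid_length_checked(sid_truncated, sizeof sid_truncated));
    printf("garbage:   unchecked %u, checked %u\n",
           (unsigned)sid_length_unchecked(sid_garbage),
           (unsigned)sid_length_checked(sid_garbage, sizeof sid_garbage));
    return 0;
}
```

The unchecked length for the truncated sample is larger than the 12 bytes actually present, which is why a caller that copies or compares by the returned size needs the buffer-length check first.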
Before version 6.0, the kernel-mode implementation is in a paged section and must not be called at DISPATCH_LEVEL or higher. Microsoft’s documentation explicitly permits as high as APC_LEVEL. Version 6.0 moved the code to a non-paged section. From then on, the function is safe to call at DISPATCH_LEVEL or higher if the Sid is known to be in locked memory.
The function’s brief computation is coded in NTIFS.H as a macro named SeLengthSid, starting at least with the Windows Driver Kit (WDK) for Windows Vista. Contemporaneous documentation already has it as obsolete, with advice to use RtlLengthSid instead. It would not have been obsolete, and may even have been useful, while the function was in paged memory.