PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY structure (winnt.h)

Article
2024-02-22

Used to impose restrictions on what system calls can be invoked by a process.

Syntax

typedef struct _PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY {
  union {
    DWORD Flags;
    struct {
      DWORD DisallowWin32kSystemCalls : 1;
      DWORD AuditDisallowWin32kSystemCalls : 1;
      DWORD DisallowFsctlSystemCalls : 1;
      DWORD AuditDisallowFsctlSystemCalls : 1;
      DWORD ReservedFlags : 28;
    } DUMMYSTRUCTNAME;
  } DUMMYUNIONNAME;
} PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY, *PPROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY;

Members

DUMMYUNIONNAME

DUMMYUNIONNAME.Flags

This member is reserved for system use.

DUMMYUNIONNAME.DUMMYSTRUCTNAME

DUMMYUNIONNAME.DUMMYSTRUCTNAME.DisallowWin32kSystemCalls

When set to 1, the process is not permitted to perform GUI system calls.

DUMMYUNIONNAME.DUMMYSTRUCTNAME.AuditDisallowWin32kSystemCalls

DUMMYUNIONNAME.DUMMYSTRUCTNAME.DisallowFsctlSystemCalls

When set to 1, the process is not be able to successfully make NtFsControlFile system calls, with the following FsControlCode exceptions.

FSCTL_IS_VOLUME_MOUNTED
FSCTL_PIPE_IMPERSONATE
FSCTL_PIPE_LISTEN
FSCTL_PIPE_DISCONNECT
FSCTL_PIPE_TRANSCEIVE
FSCTL_PIPE_WAIT
FSCTL_PIPE_GET_PIPE_ATTRIBUTE
FSCTL_PIPE_GET_CONNECTION_ATTRIBUTE
FSCTL_PIPE_GET_HANDLE_ATTRIBUTE
FSCTL_PIPE_PEEK
FSCTL_PIPE_EVENT_SELECT
FSCTL_PIPE_EVENT_ENUM

DUMMYUNIONNAME.DUMMYSTRUCTNAME.AuditDisallowFsctlSystemCalls

DUMMYUNIONNAME.DUMMYSTRUCTNAME.ReservedFlags

This member is reserved for system use.

Requirements

Requirement	Value
Minimum supported client	Windows 8 [desktop apps only]
Minimum supported server	Windows Server 2012 [desktop apps only]
Header	winnt.h (include Windows.h)

Share via

PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY structure (winnt.h)

Syntax

Members

Requirements

Feedback

Additional resources