Kernel equivalent to AccessCheck user-mode function

Hi, I want to determine whether some thread is running under Admin, Guest or any other account. I know how to do it in user mode, with the good old AccessCheck( ) function, and wanted to translate this into my kernel-mode driver.

I use ZwOpenThreadToken and/or ZwOpenProcessToken to get the token, and then RtlCreateSecurityDescriptor, RtlSetOwnerSecurityDescriptor, RtlSetGroupSecurityDescriptor, RtlCreateAcl and so on… but I can’t call NtAccessCheck or ZwAccessCheck since they are not exported, so does anyone know some alternative function call to achieve the AccessCheck results?

BTW, I tried SeAccessCheck but the results were not very reliable to me; testing it under the Guest user account, the function told me that I was under an admin account :(

Thanks in advance.

Make sure you are calling it within the correct process and impersonation context. You may be calling the function in an arbitrary thread context, or in a system thread context, in which case the security token that is being checked is the wrong one.

The most reliable way to ensure that you are in the right context is to call SeAccessCheck at PASSIVE_LEVEL from an I/O dispatch routine (DispatchDeviceControl, etc.). Unless you work at it (i.e. use APCs to get called on the right thread, rather difficult in general), this is about the only way to guarantee that you’re in the right context.

You also need to make sure that none of the filter drivers (if any) that are layered above your driver are breaking this assumption, by submitting IRPs to your driver in the wrong context.

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@teleline.es
Sent: Tuesday, September 26, 2006 3:13 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Kernel equivalent to AccessCheck user-mode function

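The context point above is easier to see with the check itself in front of you. The following is an added example, not code from this thread or from Windows: a user-mode model of the DACL walk that SeAccessCheck performs, fed once with the requester's (Guest) token and once with the LocalSystem token a driver sees when it runs on a system thread or in an arbitrary thread context. SID_T, ACE_T and TOKEN_T are simplified replicas of the Windows structures, and the DACL and tokens are constructed sample data; only the well-known SID values are real.

```c
/* Added example, not code from the thread: a user-mode model of the DACL
 * evaluation SeAccessCheck performs, used to show why a driver that captures
 * the token from the wrong thread context gets the wrong answer. SID_T/ACE_T
 * are simplified replicas of the Windows SID and ACE layouts; the tokens and
 * DACL below are constructed sample data. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACCESS_READ  0x1u
#define ACCESS_WRITE 0x2u
#define MAX_SUBAUTH  4
#define MAX_GROUPS   8
#define MAX_ACES     8

/* Identifier authority plus sub-authorities, e.g. S-1-5-32-544 = {5, 2, {32, 544}}. */
typedef struct { uint8_t authority; uint8_t count; uint32_t sub[MAX_SUBAUTH]; } SID_T;

static bool sid_equal(const SID_T *a, const SID_T *b) {
    return a->authority == b->authority && a->count == b->count &&
           memcmp(a->sub, b->sub, a->count * sizeof(uint32_t)) == 0;
}

/* Real well-known SID values: Everyone, BUILTIN\Administrators, BUILTIN\Guests, LocalSystem. */
static const SID_T SID_EVERYONE = {1, 1, {0}};
static const SID_T SID_ADMINS   = {5, 2, {32, 544}};
static const SID_T SID_GUESTS   = {5, 2, {32, 546}};
static const SID_T SID_SYSTEM   = {5, 1, {18}};

/* A token reduced to its user SID and enabled group SIDs. */
typedef struct { size_t count; SID_T sids[MAX_GROUPS]; } TOKEN_T;

typedef enum { ACE_ALLOW, ACE_DENY } ACE_KIND;
typedef struct { ACE_KIND kind; SID_T sid; uint32_t mask; } ACE_T;
typedef struct { size_t count; ACE_T aces[MAX_ACES]; } ACL_T;

static bool token_has_sid(const TOKEN_T *t, const SID_T *s) {
    for (size_t i = 0; i < t->count; i++)
        if (sid_equal(&t->sids[i], s)) return true;
    return false;
}

/* Windows-style DACL walk: ACEs are evaluated in order, a matching DENY ACE that
 * covers any still-wanted right denies, matching ALLOW ACEs accumulate rights, and
 * the walk stops once everything requested is granted. A NULL DACL grants everything. */
static bool access_check(const ACL_T *dacl, const TOKEN_T *token, uint32_t desired) {
    if (dacl == NULL) return true;
    uint32_t remaining = desired;
    for (size_t i = 0; i < dacl->count && remaining != 0; i++) {
        const ACE_T *ace = &dacl->aces[i];
        if (!token_has_sid(token, &ace->sid)) continue;
        if (ace->kind == ACE_DENY) {
            if (ace->mask & remaining) return false;
        } else {
            remaining &= ~ace->mask;
        }
    }
    return remaining == 0;
}

/* Constructed DACL in canonical order (deny ACEs first): Guests are denied write,
 * Everyone may read and write. */
static ACL_T sample_dacl(void) {
    ACL_T acl = { 2, {
        { ACE_DENY,  {5, 2, {32, 546}}, ACCESS_WRITE },
        { ACE_ALLOW, {1, 1, {0}},       ACCESS_READ | ACCESS_WRITE } } };
    return acl;
}

/* Constructed tokens: the requesting Guest user, and the LocalSystem token a
 * driver sees when it runs on a system thread or in an arbitrary thread context. */
static TOKEN_T guest_token(void)  { TOKEN_T t = { 2, { SID_GUESTS, SID_EVERYONE } }; return t; }
static TOKEN_T system_token(void) { TOKEN_T t = { 3, { SID_SYSTEM, SID_ADMINS, SID_EVERYONE } }; return t; }

/* The question from the thread, answered from the token's groups (in a real driver
 * SeTokenIsAdmin answers the administrator half for a PACCESS_TOKEN). */
static bool is_admin(const TOKEN_T *t) { return token_has_sid(t, &SID_ADMINS); }
static bool is_guest(const TOKEN_T *t) { return token_has_sid(t, &SID_GUESTS); }

/* Same DACL, same requested right, two different tokens. */
static bool check_as_guest(uint32_t desired)  { ACL_T d = sample_dacl(); TOKEN_T t = guest_token();  return access_check(&d, &t, desired); }
static bool check_as_system(uint32_t desired) { ACL_T d = sample_dacl(); TOKEN_T t = system_token(); return access_check(&d, &t, desired); }

int main(void) {
    TOKEN_T g = guest_token(), s = system_token();
    printf("guest token:   admin=%d guest=%d read=%d write=%d\n", is_admin(&g), is_guest(&g),
           check_as_guest(ACCESS_READ), check_as_guest(ACCESS_WRITE));
    printf("system token:  admin=%d guest=%d read=%d write=%d\n", is_admin(&s), is_guest(&s),
           check_as_system(ACCESS_READ), check_as_system(ACCESS_WRITE));
    return 0;
}
```

Run as is, the Guest token is refused write and reports guest=1, while the system-context token is granted write and reports admin=1, which is exactly the "Guest looks like admin" symptom described above. In a real driver the token to evaluate is whatever SeCaptureSubjectContext returns in the dispatch routine, at PASSIVE_LEVEL, on the requester's own thread; the model here only stands in for SeAccessCheck to show that the descriptor and the desired access are not what decides the answer, the captured token is.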

Why not use the built-in facilities in the kernel and assign a security descriptor to the device object (via IoCreateDeviceSecure())? This way all the work is done for you (and is well tested).

d

Arlie: thanks for your response, maybe the context is the problem. I will give it a try.

Doron: Sorry, maybe my question was not very clear. I need to know the user account for the actual thread and process, and maybe I am missing something but I can’t see how creating a sec. desc. for the DO could help… thanks anyway :)