NTSTATUS
SePrivilegePolicyCheck(
  IN OUT PACCESS_MASK RemainingDesiredAccess,
  IN OUT PACCESS_MASK PreviouslyGrantedAccess,
  IN  PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL,
  IN  PACCESS_TOKEN ExplicitToken OPTIONAL,
  OUT PPRIVILEGE_SET *PrivilegeSet,
  IN  KPROCESSOR_MODE PreviousMode
  );

Routine Description:

    This routine implements privilege policy by examining the bits in
    a DesiredAccess mask and adjusting them based on privilege checks.

    Currently, a request for ACCESS_SYSTEM_SECURITY may only be satisfied
    by the caller having SeSecurityPrivilege.  WRITE_OWNER may optionally
    be satisfied via SeTakeOwnershipPrivilege.

Arguments:

    RemainingDesiredAccess - The desired access for the current operation.
        Bits may be cleared in this mask if the subject has particular privileges.

    PreviouslyGrantedAccess - Supplies an access mask describing any
        accesses that have already been granted.  Bits may be set in
        here as a result of privilege checks.

    SubjectSecurityContext - Optionally provides the subject's security
        context.

    ExplicitToken - Optionally provides the token to be examined.

    PrivilegeSet - Supplies a pointer to a location in which will be
        returned a pointer to a privilege set.

    PreviousMode - The previous processor mode.

Return Value:

    STATUS_SUCCESS - Any access requests that could be satisfied via
        privileges were granted.

    STATUS_PRIVILEGE_NOT_HELD - An access type was being requested that
        requires a privilege, and the current subject did not have the
        privilege.
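
Example (added here, not the kernel's own code): a user-mode C model of the policy described above, showing how the two masks and the return status change with the privileges held. The function name, the HELD_* flags, the used_privs output (standing in for PrivilegeSet) and the choice to leave both masks untouched on failure are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>

/* Access-mask bits and status codes as defined in the Windows SDK/WDK headers. */
#define ACCESS_SYSTEM_SECURITY    0x01000000u
#define WRITE_OWNER               0x00080000u
#define STATUS_SUCCESS            0x00000000u
#define STATUS_PRIVILEGE_NOT_HELD 0xC0000061u

/* Hypothetical flags standing in for the privileges enabled in the token. */
#define HELD_SE_SECURITY          0x1u
#define HELD_SE_TAKE_OWNERSHIP    0x2u

/* Model of the documented policy; used_privs stands in for the PrivilegeSet output. */
uint32_t model_privilege_policy_check(uint32_t *remaining, uint32_t *granted,
                                      uint32_t held, uint32_t *used_privs)
{
    uint32_t rem = *remaining, got = *granted, used = 0;

    if (rem & ACCESS_SYSTEM_SECURITY) {
        /* Mandatory: only SeSecurityPrivilege can satisfy this bit. */
        if (!(held & HELD_SE_SECURITY))
            return STATUS_PRIVILEGE_NOT_HELD; /* masks untouched (model choice) */
        rem &= ~ACCESS_SYSTEM_SECURITY;
        got |= ACCESS_SYSTEM_SECURITY;
        used |= HELD_SE_SECURITY;
    }
    if ((rem & WRITE_OWNER) && (held & HELD_SE_TAKE_OWNERSHIP)) {
        /* Optional: without the privilege the bit simply stays in the remaining mask. */
        rem &= ~WRITE_OWNER;
        got |= WRITE_OWNER;
        used |= HELD_SE_TAKE_OWNERSHIP;
    }
    *remaining = rem;
    *granted = got;
    *used_privs = used;
    return STATUS_SUCCESS;
}

int main(void)
{
    /* Constructed request: both privilege-related bits, token holds only take-ownership. */
    uint32_t rem = ACCESS_SYSTEM_SECURITY | WRITE_OWNER, got = 0, used = 0;
    uint32_t st = model_privilege_policy_check(&rem, &got, HELD_SE_TAKE_OWNERSHIP, &used);
    printf("status=0x%08X remaining=0x%08X granted=0x%08X\n",
           (unsigned)st, (unsigned)rem, (unsigned)got);
    return 0;
}
```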