NTSTATUS
RtlSetSecurityObject(
  IN  SECURITY_INFORMATION SecurityInformation,
  IN  PSECURITY_DESCRIPTOR ModificationDescriptor,
  IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
  IN  PGENERIC_MAPPING GenericMapping,
  IN  HANDLE Token OPTIONAL
  );

Routine Description:

    Modify an object's existing self-relative form security descriptor.

    This procedure, called only from user mode, is used to update a
    security descriptor on an existing protected server's object.  It
    applies changes requested by a new security descriptor to the existing
    security descriptor.  If necessary, this routine will allocate
    additional memory to produce a larger security descriptor.  All access
    checking is expected to be done before calling this routine.  This
    includes checking for WRITE_OWNER, WRITE_DAC, and privilege to assign a
    system ACL as appropriate.

    The caller of this routine must not be impersonating a client.

                                  - - WARNING - -

    This service is for use by protected subsystems that project their own
    type of object.  This service is explicitly not for use by the
    executive for executive objects and must not be called from kernel
    mode.

Arguments:

    SecurityInformation - Indicates which security information is
        to be applied to the object.  The value(s) to be assigned are
        passed in the ModificationDescriptor parameter.

    ModificationDescriptor - Supplies the input security descriptor to be
        applied to the object.  The caller of this routine is expected
        to probe and capture the passed security descriptor before calling
        and release it after calling.

    ObjectsSecurityDescriptor - Supplies the address of a pointer to
        the object's security descriptor that is going to be altered by
        this procedure.  This security descriptor must be in
        self-relative form or an error will be returned.

    GenericMapping - This argument provides the mapping of generic to
        specific/standard access types for the object being accessed.
        This mapping structure is expected to be safe to access
        (i.e., captured if necessary) prior to being passed to this routine.

    Token - (optionally) Supplies the token for the client on whose
        behalf the security is being modified.  This parameter is only
        required to ensure that the client has provided a legitimate
        value for a new owner SID.  The token must be open for
        TOKEN_QUERY access.

Return Value:

    STATUS_SUCCESS - The operation was successful.

    STATUS_INVALID_OWNER - The owner SID provided as the new owner of the
        target security descriptor is not one the caller is authorized to
        assign as the owner of an object, or the client did not pass
        a token at all.

    STATUS_NO_CLIENT_TOKEN - Indicates a client token was not explicitly
        provided and the caller is not currently impersonating a client.

    STATUS_BAD_DESCRIPTOR_FORMAT - Indicates the provided object's security
        descriptor was not in self-relative format.
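
Added example (not part of the original routine header): a portable C sketch of the checks a protected subsystem makes before calling this routine, namely that the client holds the access each SecurityInformation bit requires and that the object's descriptor is self-relative. The function names, the STATUS_ACCESS_DENIED result, the sample descriptors, and the treatment of the group bit (WRITE_OWNER) and the system ACL (ACCESS_SYSTEM_SECURITY) are assumptions of the example, following the standard Windows access requirements.

```c
#include <stdint.h>
#include <stddef.h>

/* Values as defined in the Windows SDK headers (winnt.h / ntstatus.h),
   redefined here so the sketch builds without them. */
#define OWNER_SECURITY_INFORMATION   0x00000001u
#define GROUP_SECURITY_INFORMATION   0x00000002u
#define DACL_SECURITY_INFORMATION    0x00000004u
#define SACL_SECURITY_INFORMATION    0x00000008u
#define WRITE_DAC                    0x00040000u
#define WRITE_OWNER                  0x00080000u
#define ACCESS_SYSTEM_SECURITY       0x01000000u
#define SE_SELF_RELATIVE             0x8000u
#define STATUS_SUCCESS               0x00000000u
#define STATUS_ACCESS_DENIED         0xC0000022u
#define STATUS_BAD_DESCRIPTOR_FORMAT 0xC00000E7u
#define SD_RELATIVE_HEADER_SIZE      20u  /* Revision, Sbz1, Control, 4 offsets */

/* Constructed sample headers: Control = 0x8004 (self-relative) and 0x0004. */
const uint8_t sample_self_relative[20] = { 1, 0, 0x04, 0x80 };
const uint8_t sample_absolute[20]      = { 1, 0, 0x04, 0x00 };

/* Access the client must already hold for the requested update. */
uint32_t required_access(uint32_t info)
{
    uint32_t need = 0;
    if (info & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION))
        need |= WRITE_OWNER;
    if (info & DACL_SECURITY_INFORMATION)
        need |= WRITE_DAC;
    if (info & SACL_SECURITY_INFORMATION)
        need |= ACCESS_SYSTEM_SECURITY;  /* held only with the system ACL privilege */
    return need;
}

/* Hypothetical pre-call gate. granted is the access mask the client was
   given on the object; sd is the object's current security descriptor. */
uint32_t precheck_set_security(uint32_t info, uint32_t granted,
                               const uint8_t *sd, size_t sd_len)
{
    uint16_t control;
    if (sd == NULL || sd_len < SD_RELATIVE_HEADER_SIZE)
        return STATUS_BAD_DESCRIPTOR_FORMAT;
    control = (uint16_t)(sd[2] | (sd[3] << 8));  /* little-endian Control */
    if (!(control & SE_SELF_RELATIVE))
        return STATUS_BAD_DESCRIPTOR_FORMAT;
    if (required_access(info) & ~granted)
        return STATUS_ACCESS_DENIED;             /* a needed right is missing */
    return STATUS_SUCCESS;                       /* caller may proceed */
}
```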