IN  PUNICODE_STRING SubsystemName,
  IN  PVOID HandleId,
  IN  PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN  PSID PrincipalSelfSid,
  IN  ACCESS_MASK DesiredAccess,
  IN  ULONG Flags,
  IN  ULONG ObjectTypeListLength,
  IN  PGENERIC_MAPPING GenericMapping,
  OUT PACCESS_MASK GrantedAccess,
  OUT PNTSTATUS AccessStatus,
  OUT PBOOLEAN GenerateOnClose,
  IN  BOOLEAN ReturnResultList

Routine Description:

    This system service is used to perform both an access validation and
    generate the corresponding audit and alarm messages.  This service may
    only be used by a protected server that chooses to impersonate its
    client and thereby specifies the client security context implicitly.


    SubsystemName - Supplies a name string identifying the subsystem
        calling the routine.

    HandleId - A unique value that will be used to represent the client's
        handle to the object.  This value is ignored (and may be re-used)
        if the access is denied.

    ClientToken - Supplies the client token so that the caller does not have
        to impersonate before making the kernel call.

    ObjectTypeName - Supplies the name of the type of the object being
        created or accessed.

    ObjectName - Supplies the name of the object being created or accessed.

    SecurityDescriptor - A pointer to the Security Descriptor against which
        access is to be checked.

    DesiredAccess - The desired access mask.  This mask must have been
        previously mapped to contain no generic accesses.

    AuditType - Specifies the type of audit to be generated.  Valid value
        is: AuditEventObjectAccess

    Flags - Flags modifying the execution of the API:

        AUDIT_ALLOW_NO_PRIVILEGE - If the called does not have AuditPrivilege,
            the call will silently continue to check access and will
            generate no audit.

    ObjectTypeList - Supplies a list of GUIDs representing the object (and
        sub-objects) being accessed.  If no list is present, AccessCheckByType
        behaves identically to AccessCheck.

    ObjectTypeListLength - Specifies the number of elements in the ObjectTypeList.

    GenericMapping - Supplies a pointer to the generic mapping associated
        with this object type.

    ObjectCreation - A boolean flag indicated whether the access will
        result in a new object being created if granted.  A value of TRUE
        indicates an object will be created, FALSE indicates an existing
        object will be opened.

    GrantedAccess - Receives a masking indicating which accesses have been

    AccessStatus - Receives an indication of the success or failure of the
        access check.  If access is granted, STATUS_SUCCESS is returned.
        If access is denied, a value appropriate for return to the client
        is returned.  This will be STATUS_ACCESS_DENIED or, when mandatory
        access controls are implemented, STATUS_OBJECT_NOT_FOUND.

    GenerateOnClose - Points to a boolean that is set by the audity
        generation routine and must be passed to NtCloseObjectAuditAlarm
        when the object handle is closed.

    ReturnResultList - If true, GrantedAccess and AccessStatus are actually
        arrays of entries ObjectTypeListLength elements long.

Return Value:

    STATUS_SUCCESS - Indicates the call completed successfully.  In this
        case, ClientStatus receives the result of the access check.

    STATUS_PRIVILEGE_NOT_HELD - Indicates the caller does not have
        sufficient privilege to use this privileged system service.