Access checks & Security Reference Monitor
How Windows actually decides allow/deny using tokens, descriptors, and SRM routines.
Related labs
Hands-on exercises for this area, in the browser or on a Windows machine.
- ACL & SDDL Lab: paste SDDL or pick samples, then see owner, DACL, SACL, and ACE meaning in plain language.
- Access check simulator: step through a simplified DACL vs token decision, with the same rules as the real algorithm and fewer edge cases.
Why it matters
This is the core algorithm behind almost every security decision. It connects the theory of tokens + ACLs to what Windows actually does at runtime.
Mental model
The SRM is the gatekeeper in kernel mode. Every object access funnels through an access check that compares the caller token against the target descriptor.
Windows building blocks
Names and paths you can look for in Task Manager, Explorer, or documentation.
- Component: SRM (Se* routines); role: kernel access validation.
Go one level deeper
Extra detail for readers who want more precision before opening a child topic.
- MaximumAllowed grants the union of the rights allowed by the applicable ACEs, without exceeding what was requested.
- Callback ACEs can invoke application-defined logic during Authz checks in user mode.
How it works
1. The caller presents the desired access, plus a token-derived subject security context.
2. The SRM evaluates the security descriptor's DACL ACE by ACE against the token's SIDs and attributes.
3. If the request includes special rights, privilege checks (SePrivilegeCheck) can influence the outcome.
Key terms
- SRM: Security Reference Monitor, the kernel-mode enforcer of access control.
- SeAccessCheck: kernel access-check routine used by drivers and kernel components.
- AuthzAccessCheck: user-mode access-check API mirroring the core decision logic.
Why access can fail even with group membership
A deny ACE for a token SID, a disabled group SID, or missing privileges for certain operations can cause the SRM to reject the request.
Common misconception
Admins often assume 'being admin' bypasses everything. Many objects still require specific rights or privileges, and SRM still enforces the descriptor policy.
Guided exercise
Use this topic to move from theory into practice.
1. Pick Standard user and request Write: observe the implicit deny when no ACE grants it.
2. Switch to Administrator and confirm Write is allowed via the BA ACE.
3. Check ACE ordering: a deny ACE for BU blocks the request even if a later ACE grants AU allow (try resetting the ACEs).
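The DACL walk described under "How it works" and the three simulator exercises above, as an added Python model that is not part of this page or of Windows itself. It implements the simplified rules (a deny ACE that matches a still-needed bit loses, implicit deny when requested bits remain, MaximumAllowed as the union of allows minus earlier denies, and deny-only SIDs for disabled groups such as BA in a filtered admin token). The access bits, short SID names, sample DACL, and tokens are all constructed for the example.

```python
from collections import namedtuple

# Constructed model of the SRM DACL walk (illustrative, not Windows code). Access
# bits and short SID names (BA, BU, AU) are made up for the example.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
MAXIMUM_ALLOWED = 0x02000000
Ace = namedtuple("Ace", "kind sid mask")            # kind: "allow" | "deny"
# groups: enabled SIDs; deny_only: disabled "use for deny only" SIDs, e.g. BA in a filtered admin token
Token = namedtuple("Token", "user groups deny_only")

def access_check(token, dacl, desired):
    """Return (allowed, granted_mask). dacl=None is a NULL DACL (unprotected);
    [] is an empty DACL (nobody gets anything)."""
    if dacl is None:
        return True, desired
    allow_sids = token.groups | {token.user}
    deny_sids = allow_sids | token.deny_only         # deny-only SIDs never satisfy allow ACEs
    if desired == MAXIMUM_ALLOWED:                   # union of allows, minus bits denied earlier
        granted = denied = 0
        for ace in dacl:
            if ace.kind == "allow" and ace.sid in allow_sids:
                granted |= ace.mask & ~denied
            elif ace.kind == "deny" and ace.sid in deny_sids:
                denied |= ace.mask & ~granted
        return granted != 0, granted
    remaining = desired
    for ace in dacl:
        if remaining == 0:
            break                                    # every requested bit already granted
        if ace.kind == "deny" and ace.sid in deny_sids and ace.mask & remaining:
            return False, 0                          # a still-needed bit is denied: stop now
        if ace.kind == "allow" and ace.sid in allow_sids:
            remaining &= ~ace.mask
    return (True, desired) if remaining == 0 else (False, 0)   # implicit deny

# Sample descriptor and tokens (constructed). Admins get full access, users read/execute.
DACL = [Ace("allow", "BA", READ | WRITE | EXECUTE), Ace("allow", "BU", READ | EXECUTE)]
STANDARD_USER = Token("S-1-5-21-0-0-0-1001", frozenset({"BU", "AU"}), frozenset())
ADMIN = Token("S-1-5-21-0-0-0-500", frozenset({"BA", "BU", "AU"}), frozenset())
FILTERED_ADMIN = Token("S-1-5-21-0-0-0-500", frozenset({"BU", "AU"}), frozenset({"BA"}))
DENY_FIRST = [Ace("deny", "BU", WRITE), Ace("allow", "AU", READ | WRITE)]

def run_scenarios():
    return {
        "standard_user_write": access_check(STANDARD_USER, DACL, WRITE)[0],       # False: no ACE grants it
        "admin_write": access_check(ADMIN, DACL, WRITE)[0],                       # True: via the BA ACE
        "filtered_admin_write": access_check(FILTERED_ADMIN, DACL, WRITE)[0],     # False: BA is deny-only
        "deny_before_allow": access_check(STANDARD_USER, DENY_FIRST, WRITE)[0],   # False: deny ACE wins
        "admin_max_allowed": access_check(ADMIN, DACL, MAXIMUM_ALLOWED)[1],       # 7: union of BA and BU allows
    }
```

The filtered-admin case is why "being admin" does not bypass the descriptor: with the BA SID marked deny-only, the allow ACE for BA is never matched, so the request falls through to the implicit deny.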