
How to use CoInitializeSecurity by using pointer to AppID in pSecDesc parameter?

Sivalingam Somasundaram 20 Reputation points
2026-04-22T13:43:55.27+00:00

One of Microsoft's recommendations is not to use nullptr for the first parameter of CoInitializeSecurity. So how can I use CoInitializeSecurity with a pointer to an AppID in the first parameter (pSecDesc)? I appreciate your help with this.

Developer technologies | C++

Answer accepted by question author

  1. Q&A Assist
    2026-04-22T13:44:17.5933333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To use CoInitializeSecurity with an AppID instead of passing nullptr for pSecDesc, pass a pointer to the AppID GUID and set the EOAC_APPID capability flag. When this is done, all other CoInitializeSecurity parameters are ignored and COM takes the security settings from the AppID’s registry key.

    Conceptually, the steps are:

    1. Ensure the AppID exists in the registry under: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AppID_GUID} and that its security-related values (for example AuthenticationLevel, AccessPermission) are configured as desired.
    2. In code, define the AppID GUID and call CoInitializeSecurity like this (simplified pattern):
    // Example GUID – must match the AppID registered in HKLM\SOFTWARE\Classes\AppID.
    // DEFINE_GUID only emits storage for the GUID in the one translation unit that
    // includes <initguid.h> before it; elsewhere it is just a declaration.
    // DEFINE_GUID(APPID_MyServer, ...);
    
    GUID appId = APPID_MyServer;
    
    // Call this once per process, after CoInitializeEx and before the first call that
    // would make COM initialize security implicitly (e.g. CoCreateInstance); a later
    // call fails with RPC_E_TOO_LATE.
    HRESULT hr = CoInitializeSecurity(
        &appId,          // pSecDesc: pointer to AppID GUID (GUID* converts to PSECURITY_DESCRIPTOR, i.e. void*)
        -1,              // cAuthSvc (ignored when EOAC_APPID is set)
        nullptr,         // asAuthSvc (ignored)
        nullptr,         // pReserved1
        RPC_C_AUTHN_LEVEL_DEFAULT, // dwAuthnLevel (ignored)
        RPC_C_IMP_LEVEL_IDENTIFY,  // dwImpLevel (ignored)
        nullptr,         // pAuthList (ignored)
        EOAC_APPID,      // dwCapabilities: must include EOAC_APPID
        nullptr          // pReserved3
    );
    // Check hr: REGDB_E_CLASSNOTREG means the AppID key was not found in the registry.
    

    Key rules from the documentation:

    • pSecDesc can be a pointer to an AppID, an IAccessControl object, or a SECURITY_DESCRIPTOR.
    • If pSecDesc points to an AppID, EOAC_APPID must be set in dwCapabilities, and all other parameters to CoInitializeSecurity are ignored.
    • When EOAC_APPID is used, CoInitializeSecurity looks up the authentication level and other security settings under the AppID key in the registry and uses those as the process-wide defaults.
    • Passing nullptr for pSecDesc is strongly discouraged because, unless EOAC_APPID or EOAC_ACCESS_CONTROL is set, it effectively allows all callers including local and remote anonymous users.

    So, to follow the recommendation not to use nullptr, either:

    • Pass a properly constructed SECURITY_DESCRIPTOR, or
    • Pass a pointer to the AppID GUID and set EOAC_APPID, relying on the AppID’s registry configuration for security.


1 additional answer

  1. Taki Ly (WICLOUD CORPORATION) 1,020 Reputation points Microsoft External Staff Moderator
    2026-04-23T06:30:19.7866667+00:00

    Hello @Sivalingam Somasundaram ,

    To use CoInitializeSecurity with a pointer to an AppID in the first parameter, you need to fulfill two specific requirements:

    1. Cast the GUID pointer: You must take the address of your AppID (GUID) and cast it to PSECURITY_DESCRIPTOR for the first parameter.
    2. Use the EOAC_APPID flag: You must pass the EOAC_APPID flag in the 8th parameter (dwCapabilities). This flag explicitly indicates to the COM infrastructure that the pSecDesc parameter is a pointer to an AppID GUID. COM will then use this GUID to look up your security settings in the Windows Registry.

    Below is a C++ example snippet that demonstrates how to do this:

    #include <windows.h>
    #include <objbase.h>
    #include <iostream>
    
    // Link the COM library for Visual Studio users
    #pragma comment(lib, "ole32.lib")
    
    // 1. Define your AppID (Replace with your application's actual GUID)
    // Example: {12345678-1234-1234-1234-1234567890AB}
    const GUID AppID_MyApp = 
    { 0x12345678, 0x1234, 0x1234, { 0x12, 0x34, 0x12, 0x34, 0x56, 0x78, 0x90, 0xab } };
    
    int main() {
        // Initialize the COM library
        HRESULT hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    
        if (FAILED(hr)) {
            std::cout << "Failed to initialize COM library." << std::endl;
            return -1;
        }
    
        // 2. Call CoInitializeSecurity using the AppID pointer
        hr = CoInitializeSecurity(
            (PSECURITY_DESCRIPTOR)&AppID_MyApp, // Parameter 1: Cast the address of your AppID
            -1,                                 // cAuthSvc
            NULL,                               // asAuthSvc
            NULL,                               // pReserved1
            RPC_C_AUTHN_LEVEL_DEFAULT,          // dwAuthnLevel
            RPC_C_IMP_LEVEL_IDENTIFY,           // dwImpLevel
            NULL,                               // pAuthList
            EOAC_APPID,                         // Parameter 8: REQUIRED FLAG to indicate pSecDesc is an AppID
            NULL                                // pReserved3
        );
    
        if (hr == S_OK) {
            std::cout << "Successfully initialized COM security using AppID!" << std::endl;
        } else if (hr == REGDB_E_CLASSNOTREG) {
            std::cout << "Failed: AppID not found in the Registry (0x80040154)." << std::endl;
        } else {
            std::cout << "Failed with HRESULT: 0x" << std::hex << hr << std::endl;
        }
    
        // Cleanup COM
        CoUninitialize();
        return 0;
    }
    

    Important registry note: for this to work at runtime and not return REGDB_E_CLASSNOTREG, your AppID must actually exist in the Windows Registry under HKEY_CLASSES_ROOT\AppID\{Your-GUID} with the appropriate security configurations (like AccessPermission or LaunchPermission). If it's not in the registry, COM won't be able to fetch the security settings for your application.

    Hope this helps clarify your question. If you found my response helpful, please follow this guide to provide feedback.

    Thank you.
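    Both answers make the EOAC_APPID path depend entirely on what is stored under the AppID key, so the useful check before shipping is to look at that key and decode what its descriptors actually grant. The script below is an added example, not code from either answer or from Microsoft; it assumes PowerShell 5 or later on the machine being inspected, and its default GUID is the placeholder from the snippet above (pass your real AppID as -AppId).

```powershell
# Added example, not from the thread: inspect the AppID key that CoInitializeSecurity
# consults when EOAC_APPID is set, confirm it exists, and decode who its
# AccessPermission / LaunchPermission descriptors grant before relying on them.
# Default GUID is the placeholder from the answer above; pass your real AppID.
param(
    [string]$AppId = '{12345678-1234-1234-1234-1234567890AB}'
)

$keyPath = "HKLM:\SOFTWARE\Classes\AppID\$AppId"
if (-not (Test-Path -Path $keyPath)) {
    Write-Warning "$keyPath not found: CoInitializeSecurity(EOAC_APPID) would return REGDB_E_CLASSNOTREG."
    return
}
$props = Get-ItemProperty -Path $keyPath

# AuthenticationLevel is a REG_DWORD holding an RPC_C_AUTHN_LEVEL_* value.
$authnNames = @{ 0 = 'DEFAULT'; 1 = 'NONE'; 2 = 'CONNECT'; 3 = 'CALL'; 4 = 'PKT'; 5 = 'PKT_INTEGRITY'; 6 = 'PKT_PRIVACY' }
if ($null -ne $props.AuthenticationLevel) {
    $lvl = [int]$props.AuthenticationLevel
    "AuthenticationLevel = $lvl (RPC_C_AUTHN_LEVEL_$($authnNames[$lvl]))"
} else {
    'AuthenticationLevel not set; the machine-wide LegacyAuthenticationLevel (HKLM\SOFTWARE\Microsoft\Ole) applies.'
}

# AccessPermission and LaunchPermission are REG_BINARY self-relative security descriptors.
foreach ($name in 'AccessPermission', 'LaunchPermission') {
    $bytes = $props.$name
    if ($null -eq $bytes) {
        "$name not set; the machine-wide Default$name (HKLM\SOFTWARE\Microsoft\Ole) applies."
        continue
    }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
    "${name}:"
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # unresolvable SID: show it raw
        # Flag allow ACEs for Everyone or ANONYMOUS LOGON: these are the grants a nullptr
        # pSecDesc would have given implicitly and that the AppID descriptor is meant to replace.
        $note = ''
        if ($ace.AceType -eq 'AccessAllowed' -and
            ($sid.IsWellKnown('WorldSid') -or $sid.IsWellKnown('AnonymousSid'))) {
            $note = '   <-- broad grant, review'
        }
        # Low mask bits: COM_RIGHTS_EXECUTE=1, EXECUTE_LOCAL=2, EXECUTE_REMOTE=4, ACTIVATE_LOCAL=8, ACTIVATE_REMOTE=16
        '  {0,-13} {1,-40} mask=0x{2:X}{3}' -f $ace.AceType, $who, $ace.AccessMask, $note
    }
}
```

    Run it from an elevated prompt if the AppID key is readable only by administrators; a missing key or a broad allow ACE shows exactly why the process would either fail to start or end up as permissive as the nullptr case the question is trying to avoid.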

