+VOID
+NTAPI
+SePrivilegedServiceAuditAlarm(
+ _In_opt_ PUNICODE_STRING ServiceName,
+ _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
+ _In_ PPRIVILEGE_SET PrivilegeSet,
+ _In_ BOOLEAN AccessGranted)
+{
+ PTOKEN EffectiveToken;
+ PSID UserSid;
+ PAGED_CODE();
+
+ /* Get the effective token */
+ if (SubjectContext->ClientToken != NULL)
+ EffectiveToken = SubjectContext->ClientToken;
+ else
+ EffectiveToken = SubjectContext->PrimaryToken;
+
+ /* Get the user SID */
+ UserSid = EffectiveToken->UserAndGroups->Sid;
+
+ /* Check if this is the local system SID */
+ if (RtlEqualSid(UserSid, SeLocalSystemSid))
+ {
+ /* Nothing to do */
+ return;
+ }
+
+ /* Check if this is the network service or local service SID */
+ if (RtlEqualSid(UserSid, SeExports->SeNetworkServiceSid) ||
+ RtlEqualSid(UserSid, SeExports->SeLocalServiceSid))
+ {
+ // FIXME: should continue for a certain set of privileges
+ return;
+ }
+
+ /* Call the worker function */
+ SepAdtPrivilegedServiceAuditAlarm(SubjectContext,
+ &SeSubsystemName,
+ ServiceName,
+ SubjectContext->ClientToken,
+ SubjectContext->PrimaryToken,
+ PrivilegeSet,
+ AccessGranted);
+
+}
+
+