PSAM_PASSWORD_FILTER_ROUTINE callback function (ntsecapi.h)

The PasswordFilter function is implemented by a password filter DLL. The value returned by this function determines whether the new password is accepted by the system. All of the password filters installed on a system must return TRUE for the password change to take effect.

Syntax

PSAM_PASSWORD_FILTER_ROUTINE PsamPasswordFilterRoutine;

BOOLEAN PsamPasswordFilterRoutine(
  [in] PUNICODE_STRING AccountName,
  [in] PUNICODE_STRING FullName,
  [in] PUNICODE_STRING Password,
  [in] BOOLEAN SetOperation
)
{...}

Parameters

[in] AccountName

Pointer to a UNICODE_STRING that represents the name of the user whose password changed.

[in] FullName

Pointer to a UNICODE_STRING that represents the full name of the user whose password changed.

[in] Password

Pointer to a UNICODE_STRING that represents the new plaintext password. When you have finished using the password, clear it from memory by calling the SecureZeroMemory function. For more information on protecting the password, see Handling Passwords.

[in] SetOperation

TRUE if the password was set rather than changed.

Return value

Return code Description
TRUE
Return TRUE if the new password is valid with respect to the password policy implemented in the password filter DLL. When TRUE is returned, the Local Security Authority (LSA) continues to evaluate the password by calling any other password filters installed on the system.
FALSE
Return FALSE if the new password is not valid with respect to the password policy implemented in the password filter DLL. When FALSE is returned, the LSA returns the ERROR_ILL_FORMED_PASSWORD (1324) status code to the source of the password change request.

Remarks

Password change requests may be made when users specify a new password, accounts are created and when administrators override a password.

This function must use the __stdcall calling convention and must be exported by the DLL.

When the PasswordFilter routine is running, processing is blocked until the routine is finished. When appropriate, move any lengthy processing to a separate thread prior to returning from this routine.

This function is called only for password filters that are installed and registered on a system.

Any process exception that is not handled within this function may cause security-related failures system-wide. Structured exception handling should be used when appropriate.

For information about See
Programming issues when implementing a password filter DLL Password Filter Programming Considerations
How to install and register your own password filter DLL Installing and Registering a Password Filter DLL
The password filter DLL provided by Microsoft Strong Password Enforcement and Passfilt.dll

Requirements

Requirement Value
Minimum supported client Windows XP [desktop apps only]
Minimum supported server Windows Server 2003 [desktop apps only]
Target Platform Windows
Header ntsecapi.h

See also

InitializeChangeNotify

PasswordChangeNotify