bool SetLowLabelToKernelObject(LPCTSTR lpszObjectName)

{

    // See http://msdn.microsoft.com/en-us/library/bb625960.aspx

    // The LABEL_SECURITY_INFORMATION SDDL SACL to be set for low integrity

    LPCTSTR LOW_INTEGRITY_SDDL_SACL = _T("S:(ML;;NW;;;LW)");

    PSECURITY_DESCRIPTOR pSD = NULL;

    if (!ConvertStringSecurityDescriptorToSecurityDescriptor(LOW_INTEGRITY_SDDL_SACL,

                                                             SDDL_REVISION_1,

                                                             &pSD,

                                                             NULL))

    {

        return false;

    }

    LOKI_ON_BLOCK_EXIT(LocalFree, pSD);

    PACL pSacl = NULL;

    BOOL fSaclPresent = FALSE;

    BOOL fSaclDefaulted = FALSE;

    if (!GetSecurityDescriptorSacl(pSD, &fSaclPresent, &pSacl, &fSaclDefaulted))

    {

        return false;

    }

    // Note that psidOwner, psidGroup, and pDacl are all NULL and set the new LABEL_SECURITY_INFORMATION

    DWORD dwError = SetNamedSecurityInfoW((LPTSTR)lpszObjectName,

                                          SE_KERNEL_OBJECT,

                                          LABEL_SECURITY_INFORMATION,

                                          NULL,

                                          NULL,

                                          NULL,

                                          pSacl);

    return dwError == ERROR_SUCCESS;

}