Desktop Security and Access Rights
Security enables you to control access to desktop objects. For more information about security, see Access-Control Model.
You can specify a security descriptor for a desktop object when you call the CreateDesktop or CreateDesktopEx function. If you specify NULL, the desktop gets a default security descriptor. The ACLs in the default security descriptor for a desktop come from its parent window station.
The valid access rights for desktop objects include the standard access rights and some object-specific access rights. The following table lists the standard access rights used by all objects.
|Access right|Description|
|---|---|
|DELETE (0x00010000L)|Required to delete the object.|
|READ_CONTROL (0x00020000L)|Required to read information in the security descriptor for the object, not including the information in the SACL. To read or write the SACL, you must request the ACCESS_SYSTEM_SECURITY access right. For more information, see SACL Access Right.|
|SYNCHRONIZE (0x00100000L)|Not supported for desktop objects.|
|WRITE_DAC (0x00040000L)|Required to modify the DACL in the security descriptor for the object.|
|WRITE_OWNER (0x00080000L)|Required to change the owner in the security descriptor for the object.|
The following table lists the object-specific access rights.
|Access right|Description|
|---|---|
|DESKTOP_CREATEMENU (0x0004L)|Required to create a menu on the desktop.|
|DESKTOP_CREATEWINDOW (0x0002L)|Required to create a window on the desktop.|
|DESKTOP_ENUMERATE (0x0040L)|Required for the desktop to be enumerated.|
|DESKTOP_HOOKCONTROL (0x0008L)|Required to establish any of the window hooks.|
|DESKTOP_JOURNALPLAYBACK (0x0020L)|Required to perform journal playback on a desktop.|
|DESKTOP_JOURNALRECORD (0x0010L)|Required to perform journal recording on a desktop.|
|DESKTOP_READOBJECTS (0x0001L)|Required to read objects on the desktop.|
|DESKTOP_SWITCHDESKTOP (0x0100L)|Required to activate the desktop using the SwitchDesktop function.|
|DESKTOP_WRITEOBJECTS (0x0080L)|Required to write objects on the desktop.|
The following are the generic access rights for a desktop object contained in the interactive window station of the user's logon session.
You can request the ACCESS_SYSTEM_SECURITY access right to a desktop object if you want to read or write the object's SACL. For more information, see Access-Control Lists (ACLs) and SACL Access Right.
Build date: 11/16/2013