Export (0) Print
Expand All

Desktop Security and Access Rights

Security enables you to control access to desktop objects. For more information about security, see Access-Control Model.

You can specify a security descriptor for a desktop object when you call the CreateDesktop or CreateDesktopEx function. If you specify NULL, the desktop gets a default security descriptor. The ACLs in the default security descriptor for a desktop come from its parent window station.

To get or set the security descriptor of a window station object, call the GetSecurityInfo and SetSecurityInfo functions.

When you call the OpenDesktop or OpenInputDesktop function, the system checks the requested access rights against the object's security descriptor.

The valid access rights for desktop objects include the standard access rights and some object-specific access rights. The following table lists the standard access rights used by all objects.

ValueMeaning
DELETE (0x00010000L)Required to delete the object.
READ_CONTROL (0x00020000L)Required to read information in the security descriptor for the object, not including the information in the SACL. To read or write the SACL, you must request the ACCESS_SYSTEM_SECURITY access right. For more information, see SACL Access Right.
SYNCHRONIZE (0x00100000L)Not supported for desktop objects.
WRITE_DAC (0x00040000L)Required to modify the DACL in the security descriptor for the object.
WRITE_OWNER (0x00080000L)Required to change the owner in the security descriptor for the object.

 

The following table lists the object-specific access rights.

Access rightDescription
DESKTOP_CREATEMENU (0x0004L)Required to create a menu on the desktop.
DESKTOP_CREATEWINDOW (0x0002L)Required to create a window on the desktop.
DESKTOP_ENUMERATE (0x0040L)Required for the desktop to be enumerated.
DESKTOP_HOOKCONTROL (0x0008L)Required to establish any of the window hooks.
DESKTOP_JOURNALPLAYBACK (0x0020L)Required to perform journal playback on a desktop.
DESKTOP_JOURNALRECORD (0x0010L)Required to perform journal recording on a desktop.
DESKTOP_READOBJECTS (0x0001L)Required to read objects on the desktop.
DESKTOP_SWITCHDESKTOP (0x0100L)Required to activate the desktop using the SwitchDesktop function.
DESKTOP_WRITEOBJECTS (0x0080L)Required to write objects on the desktop.

 

The following are the generic access rights for a desktop object contained in the interactive window station of the user's logon session.

Access rightDescription
GENERIC_READ
DESKTOP_ENUMERATE
DESKTOP_READOBJECTS
STANDARD_RIGHTS_READ
GENERIC_WRITE
DESKTOP_CREATEMENU
DESKTOP_CREATEWINDOW
DESKTOP_HOOKCONTROL
DESKTOP_JOURNALPLAYBACK
DESKTOP_JOURNALRECORD
DESKTOP_WRITEOBJECTS
STANDARD_RIGHTS_WRITE
GENERIC_EXECUTE
DESKTOP_SWITCHDESKTOP
STANDARD_RIGHTS_EXECUTE
GENERIC_ALL
DESKTOP_CREATEMENU
DESKTOP_CREATEWINDOW
DESKTOP_ENUMERATE
DESKTOP_HOOKCONTROL
DESKTOP_JOURNALPLAYBACK
DESKTOP_JOURNALRECORD
DESKTOP_READOBJECTS
DESKTOP_SWITCHDESKTOP
DESKTOP_WRITEOBJECTS
STANDARD_RIGHTS_REQUIRED

 

You can request the ACCESS_SYSTEM_SECURITY access right to a desktop object if you want to read or write the object's SACL. For more information, see Access-Control Lists (ACLs) and SACL Access Right.

 

 

Community Additions

ADD
Show:
© 2014 Microsoft