Thread Security and Access Rights
Microsoft Windows enables you to control access to thread objects. For more information about security, see Access-Control Model.
You can specify a security descriptor for a thread when you call the CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, CreateThread, or CreateRemoteThread function. If you specify NULL, the thread gets a default security descriptor. The ACLs in the default security descriptor for a thread come from the primary or impersonation token of the creator.
The handle returned by the CreateThread function has THREAD_ALL_ACCESS access to the thread object. When you call the GetCurrentThread function, the system returns a pseudohandle with the maximum access that the thread's security descriptor allows the caller.
The valid access rights for thread objects include the standard access rights and some thread-specific access rights. The following table lists the standard access rights used by all objects.
| Access right | Meaning |
|---|---|
| DELETE (0x00010000L) | Required to delete the object. |
| READ_CONTROL (0x00020000L) | Required to read information in the security descriptor for the object, not including the information in the SACL. To read or write the SACL, you must request the ACCESS_SYSTEM_SECURITY access right. For more information, see SACL Access Right. |
| SYNCHRONIZE (0x00100000L) | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. |
| WRITE_DAC (0x00040000L) | Required to modify the DACL in the security descriptor for the object. |
| WRITE_OWNER (0x00080000L) | Required to change the owner in the security descriptor for the object. |
The following table lists the thread-specific access rights.
| Access right | Meaning |
|---|---|
| SYNCHRONIZE (0x00100000L) | Enables the use of the thread handle in any of the wait functions. |
| THREAD_ALL_ACCESS | All possible access rights for a thread object. |
| THREAD_DIRECT_IMPERSONATION (0x0200) | Required for a server thread that impersonates a client. |
| THREAD_GET_CONTEXT (0x0008) | Required to read the context of a thread using GetThreadContext. |
| THREAD_IMPERSONATE (0x0100) | Required to use a thread's security information directly, without calling it through a communication mechanism that provides impersonation services. |
| THREAD_QUERY_INFORMATION (0x0040) | Required to read certain information from the thread object, such as the exit code (see GetExitCodeThread). |
| THREAD_QUERY_LIMITED_INFORMATION (0x0800) | Required to read certain information from the thread object (see GetProcessIdOfThread). A handle that has the THREAD_QUERY_INFORMATION access right is automatically granted THREAD_QUERY_LIMITED_INFORMATION. |
| THREAD_SET_CONTEXT (0x0010) | Required to write the context of a thread using SetThreadContext. |
| THREAD_SET_INFORMATION (0x0020) | Required to set certain information in the thread object. |
| THREAD_SET_LIMITED_INFORMATION (0x0400) | Required to set certain information in the thread object. A handle that has the THREAD_SET_INFORMATION access right is automatically granted THREAD_SET_LIMITED_INFORMATION. |
| THREAD_SET_THREAD_TOKEN (0x0080) | Required to set the impersonation token for a thread using SetThreadToken. |
| THREAD_SUSPEND_RESUME (0x0002) | Required to suspend or resume a thread (see SuspendThread and ResumeThread). |
| THREAD_TERMINATE (0x0001) | Required to terminate a thread using TerminateThread. |
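The two tables above describe a thread handle's access mask as a set of bits, with two "automatically granted" implications (THREAD_QUERY_INFORMATION covers THREAD_QUERY_LIMITED_INFORMATION, THREAD_SET_INFORMATION covers THREAD_SET_LIMITED_INFORMATION). The following added example, which is not part of the original page and not Microsoft's code, is a portable C helper that a defender can use when auditing handle requests: it decodes a mask into the named rights from the tables, expands the implied rights, checks whether a granted mask covers what an operation needs, and counts the excess rights a handle carries beyond that need (the least-privilege question behind "do I really need THREAD_ALL_ACCESS here?"). The constant values come from the tables; the numeric value of THREAD_ALL_ACCESS is not on the page and is taken from the winnt.h definition for Windows Vista and later, which is an assumption of this example. It uses no Windows headers so it compiles anywhere.

```c
/* Thread access-mask audit helper (added example, not code from the page).
 * Portable C: constants are the values listed in the tables above. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t ACCESS_MASK;                 /* same width as the Win32 typedef */

/* Standard rights (first table) */
#define DELETE        0x00010000u
#define READ_CONTROL  0x00020000u
#define WRITE_DAC     0x00040000u
#define WRITE_OWNER   0x00080000u
#define SYNCHRONIZE   0x00100000u
#define STANDARD_RIGHTS_REQUIRED (DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER)

/* Thread-specific rights (second table) */
#define THREAD_TERMINATE                 0x0001u
#define THREAD_SUSPEND_RESUME            0x0002u
#define THREAD_GET_CONTEXT               0x0008u
#define THREAD_SET_CONTEXT               0x0010u
#define THREAD_SET_INFORMATION           0x0020u
#define THREAD_QUERY_INFORMATION         0x0040u
#define THREAD_SET_THREAD_TOKEN          0x0080u
#define THREAD_IMPERSONATE               0x0100u
#define THREAD_DIRECT_IMPERSONATION      0x0200u
#define THREAD_SET_LIMITED_INFORMATION   0x0400u
#define THREAD_QUERY_LIMITED_INFORMATION 0x0800u
/* ASSUMPTION: the page gives no number; this is the winnt.h value for Vista+. */
#define THREAD_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFFu)

static const struct { ACCESS_MASK bit; const char *name; } kThreadRights[] = {
    { THREAD_TERMINATE, "THREAD_TERMINATE" },
    { THREAD_SUSPEND_RESUME, "THREAD_SUSPEND_RESUME" },
    { THREAD_GET_CONTEXT, "THREAD_GET_CONTEXT" },
    { THREAD_SET_CONTEXT, "THREAD_SET_CONTEXT" },
    { THREAD_SET_INFORMATION, "THREAD_SET_INFORMATION" },
    { THREAD_QUERY_INFORMATION, "THREAD_QUERY_INFORMATION" },
    { THREAD_SET_THREAD_TOKEN, "THREAD_SET_THREAD_TOKEN" },
    { THREAD_IMPERSONATE, "THREAD_IMPERSONATE" },
    { THREAD_DIRECT_IMPERSONATION, "THREAD_DIRECT_IMPERSONATION" },
    { THREAD_SET_LIMITED_INFORMATION, "THREAD_SET_LIMITED_INFORMATION" },
    { THREAD_QUERY_LIMITED_INFORMATION, "THREAD_QUERY_LIMITED_INFORMATION" },
    { DELETE, "DELETE" }, { READ_CONTROL, "READ_CONTROL" },
    { WRITE_DAC, "WRITE_DAC" }, { WRITE_OWNER, "WRITE_OWNER" },
    { SYNCHRONIZE, "SYNCHRONIZE" },
};

/* Apply the two "automatically granted" rules stated in the table. */
ACCESS_MASK thread_effective_rights(ACCESS_MASK granted) {
    if (granted & THREAD_QUERY_INFORMATION) granted |= THREAD_QUERY_LIMITED_INFORMATION;
    if (granted & THREAD_SET_INFORMATION)   granted |= THREAD_SET_LIMITED_INFORMATION;
    return granted;
}

/* 1 if every bit in `needed` is covered by `granted` after expansion, else 0. */
int thread_access_covers(ACCESS_MASK granted, ACCESS_MASK needed) {
    return (thread_effective_rights(granted) & needed) == needed;
}

/* Number of rights in `mask` that `needed` does not require: 0 means the
 * handle requests exactly what the operation needs (least privilege). */
int thread_excess_rights(ACCESS_MASK mask, ACCESS_MASK needed) {
    ACCESS_MASK extra = mask & ~needed;
    int n = 0;
    while (extra) { n += (int)(extra & 1u); extra >>= 1; }
    return n;
}

/* Write a '|'-joined list of right names into `out`; unknown bits are reported
 * as UNKNOWN(0x...). Returns the number of entries written. */
int thread_access_decode(ACCESS_MASK mask, char *out, size_t outsz) {
    size_t used = 0, i;
    int count = 0;
    ACCESS_MASK left = mask;
    if (outsz == 0) return 0;
    out[0] = '\0';
    for (i = 0; i < sizeof kThreadRights / sizeof kThreadRights[0]; i++) {
        if (!(mask & kThreadRights[i].bit)) continue;
        int n = snprintf(out + used, outsz - used, "%s%s", count ? "|" : "", kThreadRights[i].name);
        if (n < 0 || (size_t)n >= outsz - used) return count;   /* truncated */
        used += (size_t)n;
        count++;
        left &= ~kThreadRights[i].bit;
    }
    if (left) {
        snprintf(out + used, outsz - used, "%sUNKNOWN(0x%08x)", count ? "|" : "", (unsigned)left);
        count++;
    }
    return count;
}

int main(void) {
    char buf[512];
    /* Constructed sample: a handle opened only to wait on the thread and read its exit code. */
    ACCESS_MASK granted = SYNCHRONIZE | THREAD_QUERY_INFORMATION;
    thread_access_decode(thread_effective_rights(granted), buf, sizeof buf);
    printf("0x%08x -> %s\n", (unsigned)granted, buf);
    printf("covers wait+GetProcessIdOfThread: %d\n",
           thread_access_covers(granted, SYNCHRONIZE | THREAD_QUERY_LIMITED_INFORMATION));
    printf("excess rights if THREAD_ALL_ACCESS were requested instead: %d\n",
           thread_excess_rights(THREAD_ALL_ACCESS, granted));
    return 0;
}
```

The decoder is the useful part for detection work: when a handle-open event records a desired-access mask, feeding it through `thread_access_decode` turns the number into the table's names, and `thread_excess_rights` gives a quick signal for code that requests THREAD_ALL_ACCESS where a couple of bits would do.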
Protected processes enhance support for Digital Rights Management. The system restricts access to protected processes and the threads of protected processes.
Windows Server 2003 and Windows XP: Protected processes were added starting with Windows Vista.
The following specific access rights are not allowed from a process to the threads of a protected process:
The THREAD_QUERY_LIMITED_INFORMATION right was introduced to provide access to a subset of the information available through THREAD_QUERY_INFORMATION.
Build date: 11/21/2012