Skip to main content
Anonymous Pipe Security and Access Rights

Windows security enables you to control access to anonymous pipes. For more information about security, see Access-Control Model.

You can specify a security descriptor for a pipe when you call the CreatePipe function. The security descriptor controls access to both the read and write ends of the pipe. If you specify NULL, the pipe gets a default security descriptor. The ACLs in the default security descriptor for a pipe come from the primary or impersonation token of the creator.

To retrieve a pipe's security descriptor, call the GetSecurityInfo function. To change a pipe's security descriptor, call the SetSecurityInfo function.

The CreatePipe function returns two handles to the anonymous pipe: a read handle with GENERIC_READ and SYNCHRONIZE access; and a write handle with GENERIC_WRITE and SYNCHRONIZE access. GENERIC_READ and GENERIC_WRITE access use the same access rights mapping as for named pipes.

GENERIC_READ access for an anonymous pipe combines the rights to read data from the pipe, read pipe attributes, read extended attributes, and read the pipe's DACL.

GENERIC_WRITE access for an anonymous pipe combines the rights to write data to the pipe, append data to it, write pipe attributes, write extended attributes, and read the pipe's DACL.