Desktop Security and Access Rights
Security enables you to control access to desktop objects. For more information about security, see Access-Control Model.
You can specify a security descriptor for a desktop object when you call the CreateDesktop or CreateDesktopEx function. If you specify NULL, the desktop gets a default security descriptor. The ACLs in the default security descriptor for a desktop come from its parent window station.
To get or set the security descriptor of a window station object, call the GetSecurityInfo and SetSecurityInfo functions.
When you call the OpenDesktop or OpenInputDesktop function, the system checks the requested access rights against the object's security descriptor.
The valid access rights for desktop objects include the standard access rights and some object-specific access rights. The following table lists the standard access rights used by all objects.
| Value | Meaning |
|---|---|
| DELETE (0x00010000L) | Required to delete the object. |
| READ_CONTROL (0x00020000L) | Required to read information in the security descriptor for the object, not including the information in the SACL. To read or write the SACL, you must request the ACCESS_SYSTEM_SECURITY access right. For more information, see SACL Access Right. |
| SYNCHRONIZE (0x00100000L) | Not supported for desktop objects. |
| WRITE_DAC (0x00040000L) | Required to modify the DACL in the security descriptor for the object. |
| WRITE_OWNER (0x00080000L) | Required to change the owner in the security descriptor for the object. |
The following table lists the object-specific access rights.
| Access right | Description |
|---|---|
| DESKTOP_CREATEMENU (0x0004L) | Required to create a menu on the desktop. |
| DESKTOP_CREATEWINDOW (0x0002L) | Required to create a window on the desktop. |
| DESKTOP_ENUMERATE (0x0040L) | Required for the desktop to be enumerated. |
| DESKTOP_HOOKCONTROL (0x0008L) | Required to establish any of the window hooks. |
| DESKTOP_JOURNALPLAYBACK (0x0020L) | Required to perform journal playback on a desktop. |
| DESKTOP_JOURNALRECORD (0x0010L) | Required to perform journal recording on a desktop. |
| DESKTOP_READOBJECTS (0x0001L) | Required to read objects on the desktop. |
| DESKTOP_SWITCHDESKTOP (0x0100L) | Required to activate the desktop using the SwitchDesktop function. |
| DESKTOP_WRITEOBJECTS (0x0080L) | Required to write objects on the desktop. |
The following are the generic access rights for a desktop object contained in the interactive window station of the user's logon session.
| Access right | Description |
|---|---|
| GENERIC_READ |
DESKTOP_READOBJECTS STANDARD_RIGHTS_READ |
| GENERIC_WRITE |
DESKTOP_CREATEWINDOW DESKTOP_HOOKCONTROL DESKTOP_JOURNALPLAYBACK DESKTOP_JOURNALRECORD DESKTOP_WRITEOBJECTS STANDARD_RIGHTS_WRITE |
| GENERIC_EXECUTE |
STANDARD_RIGHTS_EXECUTE |
| GENERIC_ALL |
DESKTOP_CREATEWINDOW DESKTOP_ENUMERATE DESKTOP_HOOKCONTROL DESKTOP_JOURNALPLAYBACK DESKTOP_JOURNALRECORD DESKTOP_READOBJECTS DESKTOP_SWITCHDESKTOP DESKTOP_WRITEOBJECTS STANDARD_RIGHTS_REQUIRED |
You can request the ACCESS_SYSTEM_SECURITY access right to a desktop object if you want to read or write the object's SACL. For more information, see Access-Control Lists (ACLs) and SACL Access Right.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for