Thread Security and Access Rights
Microsoft Windows enables you to control access to thread objects. For more information about security, see Access-Control Model.
You can specify a security descriptor for a thread when you call the CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, CreateThread, or CreateRemoteThread function. If you specify NULL, the thread gets a default security descriptor. The ACLs in the default security descriptor for a thread come from the primary or impersonation token of the creator.
To retrieve a thread's security descriptor, call the GetSecurityInfo function. To change a thread's security descriptor, call the SetSecurityInfo function.
The handle returned by the CreateThread function has THREAD_ALL_ACCESS access to the thread object. When you call the GetCurrentThread function, the system returns a pseudohandle with the maximum access that the thread's security descriptor allows the caller.
The valid access rights for thread objects include the standard access rights and some thread-specific access rights. The following table lists the standard access rights used by all objects.
Value | Meaning |
---|---|
DELETE (0x00010000L) | Required to delete the object. |
READ_CONTROL (0x00020000L) | Required to read information in the security descriptor for the object, not including the information in the SACL. To read or write the SACL, you must request the ACCESS_SYSTEM_SECURITY access right. For more information, see SACL Access Right. |
SYNCHRONIZE (0x00100000L) | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. |
WRITE_DAC (0x00040000L) | Required to modify the DACL in the security descriptor for the object. |
WRITE_OWNER (0x00080000L) | Required to change the owner in the security descriptor for the object. |
The following table lists the thread-specific access rights.
Value | Meaning |
---|---|
SYNCHRONIZE (0x00100000L) | Enables the use of the thread handle in any of the wait functions. |
THREAD_ALL_ACCESS | All possible access rights for a thread object.Windows Server 2003 and Windows XP: The value of the THREAD_ALL_ACCESS flag increased on Windows Server 2008 and Windows Vista. If an application compiled for Windows Server 2008 and Windows Vista is run on Windows Server 2003 or Windows XP, the THREAD_ALL_ACCESS flag contains access bits that are not supported and the function specifying this flag fails with ERROR_ACCESS_DENIED. To avoid this problem, specify the minimum set of access rights required for the operation. If THREAD_ALL_ACCESS must be used, set _WIN32_WINNT to the minimum operating system targeted by your application (for example, #define _WIN32_WINNT _WIN32_WINNT_WINXP ). For more information, see Using the Windows Headers. |
THREAD_DIRECT_IMPERSONATION (0x0200) | Required for a server thread that impersonates a client. |
THREAD_GET_CONTEXT (0x0008) | Required to read the context of a thread using GetThreadContext. |
THREAD_IMPERSONATE (0x0100) | Required to use a thread's security information directly without calling it by using a communication mechanism that provides impersonation services. |
THREAD_QUERY_INFORMATION (0x0040) | Required to read certain information from the thread object, such as the exit code (see GetExitCodeThread). |
THREAD_QUERY_LIMITED_INFORMATION (0x0800) | Required to read certain information from the thread objects (see GetProcessIdOfThread). A handle that has the THREAD_QUERY_INFORMATION access right is automatically granted THREAD_QUERY_LIMITED_INFORMATION.Windows Server 2003 and Windows XP: This access right is not supported. |
THREAD_SET_CONTEXT (0x0010) | Required to write the context of a thread using SetThreadContext. |
THREAD_SET_INFORMATION (0x0020) | Required to set certain information in the thread object. |
THREAD_SET_LIMITED_INFORMATION (0x0400) | Required to set certain information in the thread object. A handle that has the THREAD_SET_INFORMATION access right is automatically granted THREAD_SET_LIMITED_INFORMATION.Windows Server 2003 and Windows XP: This access right is not supported. |
THREAD_SET_THREAD_TOKEN (0x0080) | Required to set the impersonation token for a thread using SetThreadToken. |
THREAD_SUSPEND_RESUME (0x0002) | Required to suspend or resume a thread (see SuspendThread and ResumeThread). |
THREAD_TERMINATE (0x0001) | Required to terminate a thread using TerminateThread. |
You can request the ACCESS_SYSTEM_SECURITY access right to a thread object if you want to read or write the object's SACL. For more information, see Access-Control Lists (ACLs) and SACL Access Right.
Protected Processes
Protected processes enhance support for Digital Rights Management. The system restricts access to protected processes and the threads of protected processes.
Windows Server 2003 and Windows XP: Protected processes were added starting with Windows Vista.
The following specific access rights are not allowed from a process to the threads of a protected process:
THREAD_ALL_ACCESS
THREAD_DIRECT_IMPERSONATION
THREAD_GET_CONTEXT
THREAD_IMPERSONATE
THREAD_QUERY_INFORMATION
THREAD_SET_CONTEXT
THREAD_SET_INFORMATION
THREAD_SET_TOKEN
THREAD_TERMINATE
The THREAD_QUERY_LIMITED_INFORMATION right was introduced to provide access to a subset of the information available through THREAD_QUERY_INFORMATION.