The Windows Processes and Threads 9

 

 

 

 

 

Thread Security and Access Rights

 

Microsoft Windows enables you to control access to thread objects. You can specify a security descriptor for a thread when you call the CreateProcess(), CreateProcessAsUser(), CreateProcessWithLogonW(), CreateThread(), or CreateRemoteThread() function. If you specify NULL, the thread gets a default security descriptor. The ACLs in the default security descriptor for a thread come from the primary or impersonation token of the creator. To retrieve a thread's security descriptor, call the GetSecurityInfo() function. To change a thread's security descriptor, call the SetSecurityInfo() function. The handle returned by the CreateThread() function has THREAD_ALL_ACCESS access to the thread object. When you call the GetCurrentThread() function, the system returns a pseudohandle with the maximum access that the thread's security descriptor allows the caller. The valid access rights for thread objects include the standard access rights and some thread-specific access rights. The following table lists the standard access rights used by all objects.

 

String Constant (Value)

Meaning

DELETE (0x00010000L)

Required to delete the object.

READ_CONTROL (0x00020000L)

Required to read information in the security descriptor for the object, not including the information in the SACL. To read or write the SACL, you must request the ACCESS_SYSTEM_SECURITY access right.

SYNCHRONIZE (0x00100000L)

The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state.

WRITE_DAC (0x00040000L)

Required to modify the DACL in the security descriptor for the object.

WRITE_OWNER (0x00080000L)

Required to change the owner in the security descriptor for the object.

 

The following table lists the thread-specific access rights.

 

String Constant (Value)

Meaning

SYNCHRONIZE (0x00100000L)

Enables the use of the thread handle in any of the wait functions.

THREAD_ALL_ACCESS

All possible access rights for a thread object. For Windows Server 2003 and Windows XP/2000:  The size of the THREAD_ALL_ACCESS flag increased on Windows Server 2008 and Windows Vista. If an application compiled for Windows Server 2008 and Windows Vista is run on Windows Server 2003 or Windows XP/2000, the THREAD_ALL_ACCESS flag is too large and the function specifying this flag fails with ERROR_ACCESS_DENIED. To avoid this problem, specify the minimum set of access rights required for the operation. If THREAD_ALL_ACCESS must be used, set _WIN32_WINNT to the minimum operating system targeted by your application (for example, #define _WIN32_WINNT _WIN32_WINNT_WINXP).

THREAD_DIRECT_IMPERSONATION (0x0200)

Required for a server thread that impersonates a client.

THREAD_GET_CONTEXT (0x0008)

Required to read the context of a thread using GetThreadContext().

THREAD_IMPERSONATE (0x0100)

Required to use a thread's security information directly without calling it by using a communication mechanism that provides impersonation services.

THREAD_QUERY_INFORMATION (0x0040)

Required to read certain information from the thread object, such as the exit code (see GetExitCodeThread()).

THREAD_QUERY_LIMITED_INFORMATION (0x0800)

Required to read certain information from the thread objects. A handle that has the THREAD_QUERY_INFORMATION access right is automatically granted THREAD_QUERY_LIMITED_INFORMATION. For Windows Server 2003 and Windows XP/2000:  This access right is not supported.

THREAD_SET_CONTEXT (0x0010)

Required to write the context of a thread using SetThreadContext().

THREAD_SET_INFORMATION (0x0020)

Required to set certain information in the thread object.

THREAD_SET_LIMITED_INFORMATION (0x0400)

Required to set certain information in the thread object. A handle that has the THREAD_SET_INFORMATION access right is automatically granted THREAD_SET_LIMITED_INFORMATION. For Windows Server 2003 and Windows XP/2000:  This access right is not supported.

THREAD_SET_THREAD_TOKEN (0x0080)

Required to set the impersonation token for a thread using SetThreadToken().

THREAD_SUSPEND_RESUME (0x0002)

Required to suspend or resume a thread (see SuspendThread() and ResumeThread()).

THREAD_TERMINATE (0x0001)

Required to terminate a thread using TerminateThread().

 

You can request the ACCESS_SYSTEM_SECURITY access right to a thread object if you want to read or write the object's SACL.

 

Protected Processes

 

Windows Vista introduces protected processes to enhance support for Digital Rights Management. The system restricts access to protected processes and the threads of protected processes. The following specific access rights are not allowed from a process to the threads of a protected process:

 

  1. THREAD_ALL_ACCESS
  2. THREAD_DIRECT_IMPERSONATION
  3. THREAD_GET_CONTEXT
  4. THREAD_IMPERSONATE
  5. THREAD_QUERY_INFORMATION
  6. THREAD_SET_CONTEXT
  7. THREAD_SET_INFORMATION
  8. THREAD_SET_TOKEN
  9. THREAD_TERMINATE

 

The THREAD_QUERY_LIMITED_INFORMATION right was introduced to provide access to a subset of the information available through THREAD_QUERY_INFORMATION.

 

Child Processes

 

Each process provides the resources needed to execute a program. A child process is a process that is created by another process, called the parent process.

 

 

 

< Processes & Threads 8 | Win32 Process & Thread Programming | Win32 Programming | Processes & Threads 10 >