Window Station Security and Access Rights
Security enables you to control access to window station objects. For more information about security, see Access-Control Model.
You can specify a security descriptor for a window station object when you call the CreateWindowStation function. If you specify NULL, the window station gets a default security descriptor. The ACLs in the default security descriptor for a window station come from the primary or impersonation token of the creator.
To get or set the security descriptor of a window station object, call the GetSecurityInfo and SetSecurityInfo functions.
When you call the OpenWindowStation function, the system checks the requested access rights against the object's security descriptor.
The valid access rights for window station objects include the standard access rights and some object-specific access rights. The following table lists the standard access rights used by all objects.
| Value | Meaning |
|---|---|
| DELETE (0x00010000L) | Required to delete the object. |
| READ_CONTROL (0x00020000L) | Required to read information in the security descriptor for the object, not including the information in the SACL. To read or write the SACL, you must request the ACCESS_SYSTEM_SECURITY access right. For more information, see SACL Access Right. |
| SYNCHRONIZE (0x00100000L) | Not supported for window station objects. |
| WRITE_DAC (0x00040000L) | Required to modify the DACL in the security descriptor for the object. |
| WRITE_OWNER (0x00080000L) | Required to change the owner in the security descriptor for the object. |
The following table lists the object-specific access rights.
| Access right | Description |
|---|---|
| WINSTA_ALL_ACCESS (0x37F) | All possible access rights for the window station. |
| WINSTA_ACCESSCLIPBOARD (0x0004L) | Required to use the clipboard. |
| WINSTA_ACCESSGLOBALATOMS (0x0020L) | Required to manipulate global atoms. |
| WINSTA_CREATEDESKTOP (0x0008L) | Required to create new desktop objects on the window station. |
| WINSTA_ENUMDESKTOPS (0x0001L) | Required to enumerate existing desktop objects. |
| WINSTA_ENUMERATE (0x0100L) | Required for the window station to be enumerated. |
| WINSTA_EXITWINDOWS (0x0040L) | Required to successfully call the ExitWindows or ExitWindowsEx function. Window stations can be shared by users and this access type can prevent other users of a window station from logging off the window station owner. |
| WINSTA_READATTRIBUTES (0x0002L) | Required to read the attributes of a window station object. This attribute includes color settings and other global window station properties. |
| WINSTA_READSCREEN (0x0200L) | Required to access screen contents. |
| WINSTA_WRITEATTRIBUTES (0x0010L) | Required to modify the attributes of a window station object. The attributes include color settings and other global window station properties. |
The following are the generic access rights for the interactive window station object, which is the window station assigned to the logon session of the interactive user.
| Access right | Description |
|---|---|
| GENERIC_READ |
WINSTA_ENUMDESKTOPS WINSTA_ENUMERATE WINSTA_READATTRIBUTES WINSTA_READSCREEN |
| GENERIC_WRITE |
WINSTA_ACCESSCLIPBOARD WINSTA_CREATEDESKTOP WINSTA_WRITEATTRIBUTES |
| GENERIC_EXECUTE |
WINSTA_ACCESSGLOBALATOMS WINSTA_EXITWINDOWS |
| GENERIC_ALL |
WINSTA_ACCESSCLIPBOARD WINSTA_ACCESSGLOBALATOMS WINSTA_CREATEDESKTOP WINSTA_ENUMDESKTOPS WINSTA_ENUMERATE WINSTA_EXITWINDOWS WINSTA_READATTRIBUTES WINSTA_READSCREEN WINSTA_WRITEATTRIBUTES |
The following are the generic access rights for a noninteractive window station object. The system assigns noninteractive window stations to all logon sessions other than that of the interactive user.
| Access right | Description |
|---|---|
| GENERIC_READ |
WINSTA_ENUMDESKTOPS WINSTA_ENUMERATE WINSTA_READATTRIBUTES |
| GENERIC_WRITE |
WINSTA_ACCESSCLIPBOARD WINSTA_CREATEDESKTOP |
| GENERIC_EXECUTE |
WINSTA_ACCESSGLOBALATOMS WINSTA_EXITWINDOWS |
| GENERIC_ALL |
WINSTA_ACCESSCLIPBOARD WINSTA_ACCESSGLOBALATOMS WINSTA_CREATEDESKTOP WINSTA_ENUMDESKTOPS WINSTA_ENUMERATE WINSTA_EXITWINDOWS WINSTA_READATTRIBUTES |
You can request the ACCESS_SYSTEM_SECURITY access right to a window station object if you want to read or write the object's SACL. For more information, see Access-Control Lists (ACLs) and SACL Access Right.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for