Process Security and Access Rights

When a user logs in, the system collects a set of data that uniquely identifies the user during the authentication process, and stores it in an access token. This access token describes the security context of all processes associated with the user. The security context of a process is the set of credentials given to the process or the user account that created the process.

(When a user logs in, the system collects, during authentication, a set of data that uniquely identifies the user and stores it in an access token. The access token describes the security context of every process associated with that user. A process's security context is the set of credentials handed to the process, or to the user account that created it.)

You can use a token to specify the current security context for a process using the CreateProcessWithTokenW function. You can specify a security descriptor for a process when you call the CreateProcess, CreateProcessAsUser, or CreateProcessWithLogonW function. If you specify NULL, the process gets a default security descriptor. The ACLs in the default security descriptor for a process come from the primary or impersonation token of the creator.

(The CreateProcessWithTokenW function lets you use an access token to give a newly created process the current security context. The CreateProcess, CreateProcessAsUser, and CreateProcessWithLogonW functions let you specify a security descriptor for the new process. If the corresponding parameter is NULL, the process gets a default security descriptor. The ACLs in a process's default security descriptor come from the creator's primary or impersonation token.)

To retrieve a process's security descriptor, call the GetSecurityInfo function. To change a process's security descriptor, call the SetSecurityInfo function.

(Call GetSecurityInfo to retrieve a process's security descriptor; call SetSecurityInfo to change it.)

The valid access rights for process objects include the standard access rights and some process-specific access rights. The following table lists the standard access rights used by all objects.

(The valid access rights for process objects include the standard access rights and process-specific access rights. The following table lists the standard access rights used by all objects:)

Value: Meaning
DELETE (0x00010000L): Required to delete the object.
READ_CONTROL (0x00020000L): Required to read information in the security descriptor for the object, not including the information in the SACL. To read or write the SACL, you must request the ACCESS_SYSTEM_SECURITY access right. For more information, see SACL Access Right.
SYNCHRONIZE (0x00100000L): The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state.
WRITE_DAC (0x00040000L): Required to modify the DACL in the security descriptor for the object.
WRITE_OWNER (0x00080000L): Required to change the owner in the security descriptor for the object.

The following table lists the process-specific access rights.

(The following table lists the process-specific access rights:)

Value: Meaning
PROCESS_ALL_ACCESS: All possible access rights for a process object.
    Windows Server 2003 and Windows XP: The size of the PROCESS_ALL_ACCESS flag increased on Windows Server 2008 and Windows Vista. If an application compiled for Windows Server 2008 and Windows Vista is run on Windows Server 2003 or Windows XP, the PROCESS_ALL_ACCESS flag is too large and the function specifying this flag fails with ERROR_ACCESS_DENIED. To avoid this problem, specify the minimum set of access rights required for the operation. If PROCESS_ALL_ACCESS must be used, set _WIN32_WINNT to the minimum operating system targeted by your application (for example, #define _WIN32_WINNT _WIN32_WINNT_WINXP). For more information, see Using the Windows Headers.
PROCESS_CREATE_PROCESS (0x0080): Required to create a process.
PROCESS_CREATE_THREAD (0x0002): Required to create a thread.
PROCESS_DUP_HANDLE (0x0040): Required to duplicate a handle using DuplicateHandle.
PROCESS_QUERY_INFORMATION (0x0400): Required to retrieve certain information about a process, such as its token, exit code, and priority class (see OpenProcessToken).
PROCESS_QUERY_LIMITED_INFORMATION (0x1000): Required to retrieve certain information about a process (see GetExitCodeProcess, GetPriorityClass, IsProcessInJob, QueryFullProcessImageName). A handle that has the PROCESS_QUERY_INFORMATION access right is automatically granted PROCESS_QUERY_LIMITED_INFORMATION.
    Windows Server 2003 and Windows XP: This access right is not supported.
PROCESS_SET_INFORMATION (0x0200): Required to set certain information about a process, such as its priority class (see SetPriorityClass).
PROCESS_SET_QUOTA (0x0100): Required to set memory limits using SetProcessWorkingSetSize.
PROCESS_SUSPEND_RESUME (0x0800): Required to suspend or resume a process.
PROCESS_TERMINATE (0x0001): Required to terminate a process using TerminateProcess.
PROCESS_VM_OPERATION (0x0008): Required to perform an operation on the address space of a process (see VirtualProtectEx and WriteProcessMemory).
PROCESS_VM_READ (0x0010): Required to read memory in a process using ReadProcessMemory.
PROCESS_VM_WRITE (0x0020): Required to write to memory in a process using WriteProcessMemory.
SYNCHRONIZE (0x00100000L): Required to wait for the process to terminate using the wait functions.

To open a handle to another process and obtain full access rights, you must enable the SeDebugPrivilege privilege. For more information, see Changing Privileges in a Token.

(To open a handle to another process and obtain full access rights, you must enable the SeDebugPrivilege privilege.)

The handle returned by the CreateProcess function has PROCESS_ALL_ACCESS access to the process object. When you call the OpenProcess function, the system checks the requested access rights against the DACL in the process's security descriptor. When you call the GetCurrentProcess function, the system returns a pseudohandle with the maximum access that the DACL allows to the caller.

(The handle returned by CreateProcess has PROCESS_ALL_ACCESS to the process object. When OpenProcess is called, the system checks the requested access rights against the DACL in the target process's security descriptor. When GetCurrentProcess is called, the system returns a pseudohandle carrying the maximum access that the DACL allows the caller.)

You can request the ACCESS_SYSTEM_SECURITY access right to a process object if you want to read or write the object's SACL. For more information, see Access-Control Lists (ACLs) and SACL Access Right.

(To read a process object's SACL, request the ACCESS_SYSTEM_SECURITY access right.)

Warning  A process that has some of the access rights noted here can use them to gain other access rights. For example, if process A has a handle to process B with PROCESS_DUP_HANDLE access, it can duplicate the pseudo handle for process B. This creates a handle that has maximum access to process B. For more information on pseudo handles, see GetCurrentProcess.

(Warning: a process holding some of the access rights described here can use them to obtain other access rights. For example, if process A holds a handle to process B with PROCESS_DUP_HANDLE access, A can duplicate B's pseudohandle, which yields a handle with maximum access to B.)

Protected Processes

Windows Vista introduces protected processes to enhance support for Digital Rights Management. The system restricts access to protected processes and the threads of protected processes.

(Vista introduced protected processes to strengthen DRM support. The system restricts access to protected processes and their threads.)

The following standard access rights are not allowed from a process to a protected process:

DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER

The following specific access rights are not allowed from a process to a protected process:

PROCESS_ALL_ACCESS
PROCESS_CREATE_PROCESS
PROCESS_CREATE_THREAD
PROCESS_DUP_HANDLE
PROCESS_QUERY_INFORMATION
PROCESS_SET_INFORMATION
PROCESS_SET_QUOTA
PROCESS_VM_OPERATION
PROCESS_VM_READ
PROCESS_VM_WRITE

The PROCESS_QUERY_LIMITED_INFORMATION right was introduced to provide access to a subset of the information available through PROCESS_QUERY_INFORMATION.
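An added example, not code from this page or from the Windows SDK: a small C module that restates the rights listed above as plain bit masks (so it builds on any platform) and uses them to show the PROCESS_ALL_ACCESS size difference from the header note, to check a requested mask against the protected-process deny lists, and to compute the least-privilege mask for a stated set of operations, the audit a reviewer does on OpenProcess calls. The OP_* operation flags and all function names are this example's own, not Win32 identifiers.

```c
/* Access-right values as listed on this page (they match winnt.h). */
#define DELETE                            0x00010000UL
#define READ_CONTROL                      0x00020000UL
#define WRITE_DAC                         0x00040000UL
#define WRITE_OWNER                       0x00080000UL
#define SYNCHRONIZE                       0x00100000UL
#define STANDARD_RIGHTS_REQUIRED          0x000F0000UL /* the four rights above */
#define PROCESS_TERMINATE                 0x0001UL
#define PROCESS_CREATE_THREAD             0x0002UL
#define PROCESS_VM_OPERATION              0x0008UL
#define PROCESS_VM_READ                   0x0010UL
#define PROCESS_VM_WRITE                  0x0020UL
#define PROCESS_DUP_HANDLE                0x0040UL
#define PROCESS_CREATE_PROCESS            0x0080UL
#define PROCESS_SET_QUOTA                 0x0100UL
#define PROCESS_SET_INFORMATION           0x0200UL
#define PROCESS_QUERY_INFORMATION         0x0400UL
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000UL

/* PROCESS_ALL_ACCESS as winnt.h composes it for each header target: the
 * specific-rights field is 0xFFF when _WIN32_WINNT targets XP/2003 and 0xFFFF
 * for Vista and later; the larger mask is what XP rejects with ERROR_ACCESS_DENIED. */
unsigned long process_all_access(int vista_or_later) {
    return STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | (vista_or_later ? 0xFFFFUL : 0xFFFUL);
}

/* Subset of a requested mask that a protected process never grants to another
 * process, per the two lists above; a non-zero result means the open fails. */
unsigned long protected_process_denied(unsigned long requested) {
    const unsigned long denied = DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER |
        PROCESS_CREATE_PROCESS | PROCESS_CREATE_THREAD | PROCESS_DUP_HANDLE |
        PROCESS_QUERY_INFORMATION | PROCESS_SET_INFORMATION | PROCESS_SET_QUOTA |
        PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;
    return requested & denied;
}

/* Least-privilege mask for intended operations, using the right the table
 * names for each API. OP_* flags are this example's own naming, not Win32. */
enum { OP_WAIT = 1, OP_EXIT_CODE = 2, OP_READ_MEM = 4, OP_WRITE_MEM = 8, OP_TERMINATE = 16 };
unsigned long minimal_access_for(int ops) {
    unsigned long m = 0;
    if (ops & OP_WAIT)      m |= SYNCHRONIZE;                            /* wait functions */
    if (ops & OP_EXIT_CODE) m |= PROCESS_QUERY_LIMITED_INFORMATION;      /* GetExitCodeProcess */
    if (ops & OP_READ_MEM)  m |= PROCESS_VM_READ;                        /* ReadProcessMemory */
    if (ops & OP_WRITE_MEM) m |= PROCESS_VM_WRITE | PROCESS_VM_OPERATION; /* WriteProcessMemory */
    if (ops & OP_TERMINATE) m |= PROCESS_TERMINATE;                      /* TerminateProcess */
    return m;
}

/* Bits requested beyond what the stated operations need: the over-grant to flag
 * in review, e.g. PROCESS_ALL_ACCESS asked for merely to wait on a child. */
unsigned long excess_rights(unsigned long requested, int ops) {
    return requested & ~minimal_access_for(ops);
}
```

Note that PROCESS_TERMINATE, PROCESS_SUSPEND_RESUME, SYNCHRONIZE and PROCESS_QUERY_LIMITED_INFORMATION are absent from the deny lists above, so a wait-and-read-exit-code handle is exactly the kind of request a protected process can still satisfy.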

Posted 2017-06-05 00:51 by debugme