| Platform SDK: DLLs, Processes, and Threads |
Windows NT/Windows 2000 security enables you to control access to thread objects. For more information about security, see Access-Control Model.
You can specify a security descriptor for a thread when you call the CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, CreateThread, or CreateRemoteThread function. To retrieve a thread's security descriptor, call the GetSecurityInfo function. To change a thread's security descriptor, call the SetSecurityInfo function.
The handle returned by the CreateThread function has THREAD_ALL_ACCESS access to the thread object. When you call the GetCurrentThread function, the system returns a pseudohandle with the maximum access that the thread's security descriptor allows the caller.
The valid access rights for thread objects include the DELETE, READ_CONTROL, SYNCHRONIZE, WRITE_DAC, and WRITE_OWNER standard access rights, in addition to the following thread-specific access rights.
| Value | Meaning |
|---|---|
| SYNCHRONIZE | A standard right required to wait for the thread to exit. |
| THREAD_ALL_ACCESS | Specifies all possible access rights for a thread object. |
| THREAD_DIRECT_IMPERSONATION | Required for a server thread that impersonates a client. |
| THREAD_GET_CONTEXT | Required to read the context of a thread using GetThreadContext. |
| THREAD_IMPERSONATE | Required to use a thread's security information directly without calling it by using a communication mechanism that provides impersonation services. |
| THREAD_QUERY_INFORMATION | Required to read certain information from the thread object. |
| THREAD_SET_CONTEXT | Required to write the context of a thread. |
| THREAD_SET_INFORMATION | Required to set certain information in the thread object. |
| THREAD_SET_THREAD_TOKEN | Required to set the impersonation token for a thread. |
| THREAD_SUSPEND_RESUME | Required to suspend or resume a thread. |
| THREAD_TERMINATE | Required to terminate a thread. |
You can request the ACCESS_SYSTEM_SECURITY access right to a thread object if you want to read or write the object's SACL. For more information, see Access-Control Lists (ACLs) and SACL Access Right.