Platform SDK: DLLs, Processes, and Threads

Thread Security and Access Rights

Windows NT/Windows 2000 security enables you to control access to thread objects. For more information about security, see Access-Control Model.

You can specify a security descriptor for a thread when you call the CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, CreateThread, or CreateRemoteThread function. To retrieve a thread's security descriptor, call the GetSecurityInfo function. To change a thread's security descriptor, call the SetSecurityInfo function.

The handle returned by the CreateThread function has THREAD_ALL_ACCESS access to the thread object. When you call the GetCurrentThread function, the system returns a pseudohandle with the maximum access that the thread's security descriptor allows the caller.

The valid access rights for thread objects include the DELETE, READ_CONTROL, SYNCHRONIZE, WRITE_DAC, and WRITE_OWNER standard access rights, in addition to the following thread-specific access rights.

Value                         Meaning
SYNCHRONIZE                   A standard right required to wait for the thread to exit.
THREAD_ALL_ACCESS             Specifies all possible access rights for a thread object.
THREAD_DIRECT_IMPERSONATION   Required for a server thread that impersonates a client.
THREAD_GET_CONTEXT            Required to read the context of a thread using GetThreadContext.
THREAD_IMPERSONATE            Required to use a thread's security information directly without calling it by using a communication mechanism that provides impersonation services.
THREAD_QUERY_INFORMATION      Required to read certain information from the thread object.
THREAD_SET_CONTEXT            Required to write the context of a thread.
THREAD_SET_INFORMATION        Required to set certain information in the thread object.
THREAD_SET_THREAD_TOKEN       Required to set the impersonation token for a thread.
THREAD_SUSPEND_RESUME         Required to suspend or resume a thread.
THREAD_TERMINATE              Required to terminate a thread.

You can request the ACCESS_SYSTEM_SECURITY access right to a thread object if you want to read or write the object's SACL. For more information, see Access-Control Lists (ACLs) and SACL Access Right.
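The following is an added example, not code from the Platform SDK. It decodes a thread access mask into the right names listed above and computes which rights a THREAD_ALL_ACCESS handle, such as the one CreateThread returns, carries beyond what a caller that only waits on and queries the thread needs. The bit values are those defined in winnt.h (the page gives names only); RIGHTS, THREAD_ALL_ACCESS_NT, decode_thread_mask and excess_rights are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Bit values from winnt.h; the page lists only the names. */
static const struct { unsigned long bit; const char *name; } RIGHTS[] = {
    {0x00000001UL, "THREAD_TERMINATE"},
    {0x00000002UL, "THREAD_SUSPEND_RESUME"},
    {0x00000008UL, "THREAD_GET_CONTEXT"},
    {0x00000010UL, "THREAD_SET_CONTEXT"},
    {0x00000020UL, "THREAD_SET_INFORMATION"},
    {0x00000040UL, "THREAD_QUERY_INFORMATION"},
    {0x00000080UL, "THREAD_SET_THREAD_TOKEN"},
    {0x00000100UL, "THREAD_IMPERSONATE"},
    {0x00000200UL, "THREAD_DIRECT_IMPERSONATION"},
    {0x00010000UL, "DELETE"},
    {0x00020000UL, "READ_CONTROL"},
    {0x00040000UL, "WRITE_DAC"},
    {0x00080000UL, "WRITE_OWNER"},
    {0x00100000UL, "SYNCHRONIZE"},
    {0x01000000UL, "ACCESS_SYSTEM_SECURITY"},
};
/* Windows NT/2000 value: STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3FF */
#define THREAD_ALL_ACCESS_NT 0x001F03FFUL

/* Writes '|'-joined names of the set bits to out; returns the bits left undecoded. */
unsigned long decode_thread_mask(unsigned long mask, char *out, size_t outlen)
{
    size_t i, used = 0;
    int n;
    if (outlen == 0) return mask;
    out[0] = '\0';
    for (i = 0; i < sizeof RIGHTS / sizeof RIGHTS[0]; i++) {
        if (!(mask & RIGHTS[i].bit)) continue;
        n = snprintf(out + used, outlen - used, "%s%s", used ? "|" : "", RIGHTS[i].name);
        if (n < 0 || (size_t)n >= outlen - used) { out[used] = '\0'; break; } /* buffer full */
        used += (size_t)n;
        mask &= ~RIGHTS[i].bit;
    }
    return mask;
}

/* Rights a handle carries beyond what its holder needs (the least-privilege gap). */
unsigned long excess_rights(unsigned long granted, unsigned long needed) { return granted & ~needed; }

int main(void)
{
    char buf[512];
    /* needed = SYNCHRONIZE | THREAD_QUERY_INFORMATION */
    unsigned long extra = excess_rights(THREAD_ALL_ACCESS_NT, 0x00100040UL);
    unsigned long rest = decode_thread_mask(extra, buf, sizeof buf);
    printf("excess 0x%08lX: %s (undecoded bits 0x%lX)\n", extra, buf, rest);
    return 0;
}
```

The Windows NT/2000 THREAD_ALL_ACCESS value includes bit 0x0004, which has no name in the table above, so the decoder returns it as undecoded.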