| Platform SDK: DLLs, Processes, and Threads |
Windows NT/Windows 2000 security enables you to control access to process objects. For more information about security, see Access-Control Model.
You can specify a security descriptor for a process when you call the CreateProcess, CreateProcessAsUser, or CreateProcessWithLogonW function. To retrieve a process's security descriptor, call the GetSecurityInfo function. To change a process's security descriptor, call the SetSecurityInfo function.
The handle returned by the CreateProcess function has PROCESS_ALL_ACCESS access to the process object. When you call the OpenProcess function, the system checks the requested access rights against the DACL in the process's security descriptor. When you call the GetCurrentProcess function, Windows NT returns a pseudohandle with the maximum access that the DACL allows to the caller.
The valid access rights for process objects include the DELETE, READ_CONTROL, SYNCHRONIZE, WRITE_DAC, and WRITE_OWNER standard access rights, in addition to the following process-specific access rights.
| Value | Meaning |
|---|---|
| PROCESS_ALL_ACCESS | Specifies all possible access rights for a process object. |
| PROCESS_CREATE_PROCESS | Required to create a process. |
| PROCESS_CREATE_THREAD | Required to create a thread. |
| PROCESS_DUP_HANDLE | Required to duplicate a handle. |
| PROCESS_QUERY_INFORMATION | Required to retrieve certain information about a process, such as its priority class. |
| PROCESS_SET_QUOTA | Required to set memory limits. |
| PROCESS_SET_INFORMATION | Required to set certain information about a process, such as its priority class. |
| PROCESS_TERMINATE | Required to terminate a process. |
| PROCESS_VM_OPERATION | Required to perform an operation on the address space of a process. |
| PROCESS_VM_READ | Required to read memory in a process. |
| PROCESS_VM_WRITE | Required to write to memory in a process. |
| SYNCHRONIZE | A standard right required to wait for the process to terminate. |
You can request the ACCESS_SYSTEM_SECURITY access right to a process object if you want to read or write the object's SACL. For more information, see Access-Control Lists (ACLs) and SACL Access Right.