Need to change Windows Station (winsta0) ACLs

Dear Experts,

I have downloaded a Windows Station/Desktop DACL editor.

The program shows the DACLs (winstadacl.exe). There are two users shown as "Unknown" and RESTRICTED.

Unknown should be a deleted user, or some kind of user that was created during Windows startup and window station creation and then deleted. I guess so because I couldn't find any reference to its SID in the registry. I also don't know exactly who RESTRICTED is. Could you help me to understand more about who is included as RESTRICTED? Do you know about users that XP creates and deletes for any reason?

I am writing software that will run as a service and needs to interact with the desktop, and I would like to understand what is happening behind the curtain in order not to leave security holes.

Thank you in advance.


Restricted sometimes refers to standard users (e.g. a basic user account).  I suppose it depends on the specifics of the tool you are using what this may indeed mean.
ToHec (Author) Commented:
gidds99, Thank you for your help.

It is the first time I have noticed the RESTRICTED user in an ACL. Have you ever seen this in other ACLs? Can I reproduce the RESTRICTED example with another object?

I realized that the source of the program uses the function CreateSecurityPage, which is a function included in ACLUI.DLL.

I understand that one can pass anything that has a security descriptor (files, named pipes, services, etc.), and CreateSecurityPage presents the well-known "Security" hive. In fact, I understand that it is the same function that is used by Explorer and most of the Windows utilities.

Also, there is another user in the winsta0 ACL that seems to be deleted, and this is odd. Because, as I imagine, winsta0 is created using CreateWindowStation at the very first stage of the boot process. And there is no sense in adding a deleted user to the ACL.

Best Regards.



ToHec (Author) Commented:

I have created a new Windows Station using CreateWindowStation.

HWINSTA hwinsta = CreateWindowStationW(L"WinstaTest", 0, READ_CONTROL, NULL);  /* wide literal: casting a narrow string to LPCWSTR passes a garbage name */

Immediately after, I reviewed the ACL using CreateSecurityPage, and the new Windows Station inherits ACEs for users RESTRICTED and EVERYONE.

Microsoft says:
SID: S-1-5-12
Name: Restricted Code (código restringido)
This SID is reserved for future use.
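
As an added example (not code from this thread or from the DACL editor it mentions): an entry shown as "Unknown" only means the SID in that ACE could not be mapped to a name, so decoding the raw SID shows what kind of principal it is. This portable C code decodes the binary SID layout stored in each ACE and labels three forms; `sid_to_string` and `sid_kind` are hypothetical helper names, the sample bytes are constructed, and the S-1-5-5-X-Y logon-session form is a well-known SID pattern that the thread itself does not mention.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode one binary SID (the layout stored inside each ACE) into "S-1-A-S1-S2...".
   Returns the number of bytes consumed, or 0 if the input is truncated or malformed. */
size_t sid_to_string(const uint8_t *p, size_t len, char *out, size_t outlen)
{
    if (len < 8 || p[0] != 1 || p[1] > 15) return 0;  /* revision 1, at most 15 sub-authorities */
    size_t need = 8 + 4u * p[1];
    if (len < need) return 0;
    uint64_t auth = 0;                                 /* 48-bit identifier authority, big-endian */
    for (int i = 2; i < 8; i++) auth = (auth << 8) | p[i];
    int n = snprintf(out, outlen, "S-1-%llu", (unsigned long long)auth);
    for (unsigned i = 0; i < p[1]; i++) {              /* 32-bit sub-authorities, little-endian */
        const uint8_t *s = p + 8 + 4 * i;
        uint32_t v = s[0] | s[1] << 8 | s[2] << 16 | (uint32_t)s[3] << 24;
        if (n < 0 || (size_t)n >= outlen) return 0;    /* output buffer too small */
        n += snprintf(out + n, outlen - n, "-%lu", (unsigned long)v);
    }
    return (n > 0 && (size_t)n < outlen) ? need : 0;
}

/* Label SIDs that are fixed constants or per-session values; no user account
   is stored for these, so searching the registry for them finds nothing. */
const char *sid_kind(const char *sid)
{
    if (strcmp(sid, "S-1-1-0") == 0)      return "Everyone";
    if (strcmp(sid, "S-1-5-12") == 0)     return "RESTRICTED (restricted code)";
    if (strncmp(sid, "S-1-5-5-", 8) == 0) return "logon session SID";
    return "account or group SID (needs a name lookup)";
}

int main(void)
{
    /* Constructed sample SIDs, not taken from a real system. */
    static const uint8_t samples[3][20] = {
        {1, 1, 0,0,0,0,0,1, 0,0,0,0},                           /* S-1-1-0 */
        {1, 1, 0,0,0,0,0,5, 12,0,0,0},                          /* S-1-5-12 */
        {1, 3, 0,0,0,0,0,5, 5,0,0,0, 0,0,0,0, 0x39,0x30,0,0},   /* S-1-5-5-0-12345 */
    };
    char buf[64];
    for (int i = 0; i < 3; i++)
        if (sid_to_string(samples[i], sizeof samples[i], buf, sizeof buf))
            printf("%-16s %s\n", buf, sid_kind(buf));
    return 0;
}
```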

