I have downloaded a Windows Station/Desktop DACL editor.

The program shows the DACLs (winstadacl.exe). There are two users listed as "Unknown" and RESTRICTED.

Unknown should be a deleted user or a kind of user that was created during Windows startup and window station creation and then deleted. I guess so because I couldn't find any reference to its SID in the registry. I also don't know exactly who RESTRICTED is. Could you help me to understand more about who is included as RESTRICTED? Do you know about users that XP creates and deletes for any reason?

I am programming software that will run as a service and needs to interact with the desktop, and I would like to understand what is happening behind the curtain in order not to leave security holes.

Restricted sometimes refers to standard users (e.g. a basic user account).  I suppose it depends on the specifics of the tool you are using what this may indeed mean.
ToHecAuthor Commented:
gidds99, Thank you for your help.

It is the first time I noticed the RESTRICTED user in an ACL. Have you ever seen this in other ACLs? Can I reproduce the RESTRICTED example with another object?

I realized that the source of the program uses the function CreateSecurityPage, which is a function included in ACLUI.DLL.

I understand that one can pass whatever has a security descriptor (files, named pipes, services, etc.), and CreateSecurityPage presents the well-known "Security" hive. In fact, I understand that it is the same function that is used by Explorer and most of the Windows utilities.

Also, there is another user in the winsta0 ACL that seems to be deleted, and this is odd, because, as I imagine, winsta0 is created using CreateWindowStation at the very first stage of the boot process, and there is no sense in adding a deleted user to the ACL.

Best Regards.



ToHecAuthor Commented:

I have created a new Windows Station using CreateWindowStation.

// Wide-string literal: casting a narrow literal to LPCWSTR would pass a garbled name
HWINSTA hwinsta = CreateWindowStationW(L"WinstaTest", 0, READ_CONTROL, NULL);

Immediately after, I reviewed the ACL using CreateSecurityPage, and the new Windows Station inherits ACEs for users RESTRICTED and EVERYONE.

Microsoft says:
SID: S-1-5-12
Name: Restricted Code (código restringido)
This SID is reserved for future use.
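
An added illustration for this thread (not code from winstadacl.exe or from any poster): portable C that decodes the binary SID stored in an ACE into the string form quoted above (S-1-5-12) and labels the kinds of SID relevant here, including ones that have no account name for an ACL editor to resolve. The function names and the sample SID bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample SIDs in the binary layout stored inside an ACE. */
static const uint8_t SID_RESTRICTED[] = {1,1, 0,0,0,0,0,5, 12,0,0,0};
static const uint8_t SID_EVERYONE[]   = {1,1, 0,0,0,0,0,1, 0,0,0,0};
static const uint8_t SID_LOGON[]      = {1,3, 0,0,0,0,0,5, 5,0,0,0,
                                         0,0,0,0, 0xC3,0xB2,0x01,0x00};

/* Decode revision, count, 48-bit big-endian authority and little-endian
   sub-authorities into "S-1-A-S1-..."; returns 0, or -1 if malformed. */
int sid_to_string(const uint8_t *sid, size_t len, char *out, size_t outlen)
{
    if (len < 8 || sid[0] != 1) return -1;          /* revision must be 1 */
    unsigned count = sid[1];
    if (count > 15 || len < 8 + 4u * count) return -1;
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | sid[2 + i];
    int n = snprintf(out, outlen, "S-1-%llu", (unsigned long long)auth);
    if (n < 0 || (size_t)n >= outlen) return -1;
    for (unsigned i = 0; i < count; i++) {
        const uint8_t *p = sid + 8 + 4 * i;
        uint32_t sub = p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16
                     | (uint32_t)p[3] << 24;
        int m = snprintf(out + n, outlen - n, "-%lu", (unsigned long)sub);
        if (m < 0 || (size_t)m >= outlen - n) return -1;
        n += m;
    }
    return 0;
}

/* Label the SIDs relevant to this thread. */
const char *classify_sid(const char *s)
{
    if (strcmp(s, "S-1-1-0") == 0)  return "Everyone";
    if (strcmp(s, "S-1-5-12") == 0) return "RESTRICTED";
    if (strncmp(s, "S-1-5-5-", 8) == 0) return "logon session (no account name)";
    if (strncmp(s, "S-1-5-21-", 9) == 0) return "account (lookup fails if deleted)";
    return "other";
}

int main(void)
{
    char buf[64];
    if (sid_to_string(SID_LOGON, sizeof SID_LOGON, buf, sizeof buf) == 0)
        printf("%s -> %s\n", buf, classify_sid(buf));
    return 0;
}
```

Comparing the string form of each ACE's SID against these prefixes separates a well-known SID such as RESTRICTED from an entry an editor can only show as unresolved.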


