
Prevent CreateDesktop from being opened

I am calling CreateDesktop to create a virtual desktop for security against keyloggers. However, somebody can easily open the desktop using OpenDesktop. I specifically want to prevent somebody from creating a process within that desktop.

The last parameter of CreateDesktop points to a SECURITY_ATTRIBUTES structure. However, I'm not sure how to use it.

I heard that you can't have a process-level protection, but only user level. Is there a way to create a new restricted user and then have the last parameter use the credentials of the user?

Thanks

Yes, you can control others' access to the desktop you created via a security descriptor.

If the value of the lpSecurityDescriptor member is NULL, the object is assigned the default security descriptor associated with the access token of the calling process. By default, the default DACL in the access token of a process allows access only to the user represented by the access token. (This is not the same as granting access to everyone by assigning a NULL discretionary access control list (DACL). A NULL DACL permits all types of access to all users.)

If the default security descriptor doesn't meet your requirements, you can create EXPLICIT_ACCESS entries, for example to grant only read access to someone and grant all access to yourself.

More reference: Creating a Security Descriptor for a New Object in C++.
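As an added example (not part of the original answer), the Python/ctypes code below passes an explicit DACL to CreateDesktop through SECURITY_ATTRIBUTES, so only the listed SIDs can open the desktop. It expresses the DACL as an SDDL string instead of EXPLICIT_ACCESS entries; the helper names `desktop_sddl` and `create_restricted_desktop` and the sample SID are assumptions made for illustration.

```python
import ctypes
import re

SDDL_REVISION_1 = 1
GENERIC_ALL = 0x10000000
_SID = re.compile(r"S-1-\d+(-\d+)+|[A-Z]{2}")  # full SID or two-letter SDDL alias

class SECURITY_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("nLength", ctypes.c_uint32),
                ("lpSecurityDescriptor", ctypes.c_void_p),
                ("bInheritHandle", ctypes.c_int)]

def desktop_sddl(allowed_sids):
    """Build a protected DACL (D:P) with one allow-GENERIC_ALL ACE per SID.
    A non-NULL DACL grants only what its ACEs list."""
    if not allowed_sids:
        raise ValueError("empty DACL would deny everyone, including the creator")
    for sid in allowed_sids:
        if not _SID.fullmatch(sid):  # also stops ACE injection via the SID field
            raise ValueError(f"not a SID or SDDL alias: {sid!r}")
    return "D:P" + "".join(f"(A;;GA;;;{sid})" for sid in allowed_sids)

def create_restricted_desktop(name, sddl):
    """Windows only. Returns an HDESK for a desktop carrying the DACL in `sddl`.
    The access check is made against the SIDs in the opener's token, so this
    shuts out other accounts, not other processes running as an allowed SID."""
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    user32.CreateDesktopW.restype = ctypes.c_void_p  # HDESK is pointer-sized
    psd = ctypes.c_void_p()
    if not advapi32.ConvertStringSecurityDescriptorToSecurityDescriptorW(
            sddl, SDDL_REVISION_1, ctypes.byref(psd), None):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        sa = SECURITY_ATTRIBUTES(ctypes.sizeof(SECURITY_ATTRIBUTES), psd.value, 0)
        hdesk = user32.CreateDesktopW(name, None, None, 0, GENERIC_ALL,
                                      ctypes.byref(sa))
        if not hdesk:
            raise ctypes.WinError(ctypes.get_last_error())
        return hdesk  # caller closes it with CloseDesktop
    finally:
        kernel32.LocalFree(psd)  # safe to free once the call has returned

# Constructed sample SID; "SY" is the SDDL alias for Local System.
SAMPLE_SDDL = desktop_sddl(["S-1-5-21-1111111111-2222222222-3333333333-1001", "SY"])
```

On Windows, `create_restricted_desktop("SecureDesk", SAMPLE_SDDL)` with your own account's SID substituted for the sample creates the desktop; `desktop_sddl` runs on any platform.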
