Permission Woes: Getting access to the Winlogon desktop without system privileges

1 comment, last by Nemesis2k2 18 years ago
Ok, long story short. I'm writing an app which gives a lot of options to control the launching of an application, including impersonating a user, and in this case, specifying the window station and desktop to launch the process under. All this is working. The problem is, I would like an administrator to be able to specify the Winlogon desktop as the target, and launch an application under it. I'm running into a few permission issues, however.
In order to launch an application under a given desktop, the account the process is launched under must have certain privileges enabled. The Winlogon desktop, being a more secure and restrictive desktop than the default interactive desktop, doesn't have many of the required privileges enabled by default, even for administrators. In order to grant a user access to a secured object, we have to obtain a handle to the object in question and modify the DACL for the object, granting the necessary rights to the user in question. In this case, it's not the modification of the DACL that's the problem, it's obtaining the handle in the first place.
By default, administrators are granted the necessary rights to enumerate the Winlogon desktop, as well as read and modify its DACL. For most securable objects, that would be enough to obtain a handle and modify its permissions. In order to obtain a handle to an existing desktop, we call the OpenDesktop function. Here's the catch: as detailed in the MSDN documentation, in order to obtain a handle with READ_CONTROL, WRITE_DAC, or WRITE_OWNER privileges, all of which are privileges administrators have for the Winlogon desktop, we also need to request the DESKTOP_READOBJECTS and DESKTOP_WRITEOBJECTS privileges, which administrators do not have by default.
Now, administrators can work around this by spawning a command console from a service to obtain system credentials; however, I'm wondering if there is any way to modify the DACL for the Winlogon desktop using the default permissions granted to administrators. If not, why do administrators have read and write permissions to the Winlogon DACL, if they can't ever obtain a handle with these privileges enabled?
You should probably post this on one of MS's *.security newsgroups. You may get lucky and find someone here that both writes games and deals in depth with windows security, but your chances are much better on a security newsgroup :)

Robert
Yeah, I realise it was a long shot asking this here. If I don't get a response, and I don't find a solution myself within the next couple of days, I'll hunt around and find a better place to pose this question. Cheers for the newsgroups suggestion. I looked on the MSDN forums and was less than impressed with the choices.
