This section lists and describes the constants used to specify access rights for various Windows objects. These constants are crucial for controlling permissions and security when interacting with system resources like files, processes, registry keys, and more.
General Access Rights
These constants represent generic access rights that can be mapped to specific rights depending on the object type.
| Constant | Description |
|---|---|
| GENERIC_READ | Read access. Maps to specific read permissions for the object. |
| GENERIC_WRITE | Write access. Maps to specific write permissions for the object. |
| GENERIC_EXECUTE | Execute access. Maps to specific execute permissions for the object. |
| GENERIC_ALL | All possible access rights. |
Specific Access Rights
These constants represent the most granular access rights. Their meaning is object-specific.
File and Directory Access Rights
| Constant | Description |
|---|---|
| FILE_READ_DATA | For a file, the right to read data from the file. For a directory, the right to list the contents of the directory. |
| FILE_WRITE_DATA | For a file, the right to write data to the file. For a directory, the right to create files in the directory. |
| FILE_APPEND_DATA | For a file, the right to append data to the file. For a directory, the right to create subdirectories in the directory. |
| FILE_EXECUTE | For a file, the right to execute the file. |
| FILE_READ_EA | The right to read extended attributes. |
| FILE_WRITE_EA | The right to write extended attributes. |
| FILE_READ_ATTRIBUTES | The right to read file attributes. |
| FILE_WRITE_ATTRIBUTES | The right to change file attributes. |
| DELETE | The right to delete the object. |
| READ_CONTROL | The right to read the object's security descriptor. |
| WRITE_DAC | The right to modify the discretionary access control list (DACL) in the object's security descriptor. |
| WRITE_OWNER | The right to change the owner in the object's security descriptor. |
| SYNCHRONIZE | Indicates that the process can wait for an object to enter the signaled state. |
Process and Thread Access Rights
| Constant | Description |
|---|---|
| PROCESS_TERMINATE | The right to terminate the process. |
| PROCESS_CREATE_THREAD | The right to create a thread in the process. |
| PROCESS_SET_SESSIONID | The right to set the process's session ID. |
| PROCESS_VM_OPERATION | The right to perform arbitrary operations on the process's virtual memory. |
| PROCESS_VM_READ | The right to read from the process's virtual memory. |
| PROCESS_VM_WRITE | The right to write to the process's virtual memory. |
| PROCESS_SET_QUOTA | The right to alter the working set size of the process. |
| PROCESS_SUSPEND_RESUME | The right to suspend or resume the process. |
| PROCESS_QUERY_INFORMATION | The right to get information about the process. |
| PROCESS_QUERY_LIMITED_INFORMATION | The right to get limited information about the process. |
| THREAD_TERMINATE | The right to terminate the thread. |
| THREAD_GET_CONTEXT | The right to get the context of the thread. |
| THREAD_SET_CONTEXT | The right to set the context of the thread. |
| THREAD_SET_INFORMATION | The right to alter the state of the thread. |
| THREAD_QUERY_INFORMATION | The right to get information about the thread. |
| THREAD_SET_RUN | The right to resume the thread. |
| THREAD_SUSPEND_RESUME | The right to suspend or resume the thread. |
Combining Access Rights
Access rights are typically combined using the bitwise OR operator (|) to form a complete access mask. For example, to request read and write access to a file, you would use:
```c
DWORD dwDesiredAccess = GENERIC_READ | GENERIC_WRITE;
```
Examples
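When opening a file, you might use the following to request read and write access:
```c
HANDLE hFile = CreateFile(L"MyFile.txt",
                          GENERIC_READ | GENERIC_WRITE,  // desired access
                          FILE_SHARE_READ,               // share mode
                          NULL,                          // default security attributes
                          OPEN_ALWAYS,                   // open, or create if missing
                          FILE_ATTRIBUTE_NORMAL,
                          NULL);
```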
When querying information about a process:
```c
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwProcessId);
```