Microsoft Threads，设置安全和访问权限 [英] Microsoft Threads, setting Security and Access Rights

问题描述

我正在尝试制作一个基本的线程管理器.您可能已经看到我之前提出的一些错误代码的问题之一，而我仍在处理该代码！但是我被卡住了，因为我希望能够调用函数 GetExitCodeThread(HANDLE, LPDWORD)，但是我在实现它时遇到了麻烦.我遇到的第一个问题我想我想出了我需要做什么，但我不知道如何实现它.我最初是在安全属性设置为 NULL 的情况下调用 CreateThread，从它的外观来看，我需要将其设置为 THREAD_QUERY_INFORMATION，但是我不知道如何填充它想要的 LPSECURITY_ATTRIBUTES 结构.来自msdn的结构是:

I am trying to make a basic thread manager. You may have seen one of my previous questions where I posed some bad code, and I am still working on that code! But I am stuck because I want to be able to call the function GetExitCodeThread(HANDLE, LPDWORD), but I am having trouble implementing this. The first problem I ran into I think I figured out what I need to do, but I don't know how to implement it. I was originally calling CreateThread with the security attributes set to NULL, and from the looks of it I need to set it to THREAD_QUERY_INFORMATION, however I don't know how to fill the LPSECURITY_ATTRIBUTES structure it wants. The structure from msdn is:

typedef struct _SECURITY_ATTRIBUTES {
  DWORD  nLength;
  LPVOID lpSecurityDescriptor;
  BOOL   bInheritHandle;
} SECURITY_ATTRIBUTES, *PSECURITY_ATTRIBUTES, *LPSECURITY_ATTRIBUTES;

但我不知道如何用 THREAD_QUERY_INFORMATION 填充它，而且我不明白我用什么填充了结构的其他部分.

But I don't know how to fill that with THREAD_QUERY_INFORMATION, and I don't understand what I fill the other parts of the structure with.

我想如果我设置了创建线程的安全属性，我应该可以调用GetExitCodeThread，然后我的代码应该可以工作...有没有人有任何在创建线程时设置安全属性的示例代码我可以看看和参考吗?以及对更好地理解 Windows 库有什么建议吗?

I think if I set the security attributes of creating the thread, I should be able to call GetExitCodeThread, and then my code should work... Does anyone have any example code of setting the security attributes while creating a thread that I could look and reference off of? And any recommendation on understanding the windows library better?

推荐答案

lpThreadAttributes 参数确定句柄是否可继承以及对线程对象设置了哪些安全权限.它不会影响授予 CreateThread 返回的句柄的安全访问权限，该句柄始终为 THREAD_ALL_ACCESS.

The lpThreadAttributes argument determines whether the handle is inheritable and what security permissions are set on the thread object. It does not affect the security access granted to the handle returned by CreateThread, which is always THREAD_ALL_ACCESS.

类似地，当新线程本身调用 GetCurrentThread 时返回的句柄始终具有完全访问权限，但在不支持的旧版 Windows 上除外.

Similarly, the handle returned when the new thread itself calls GetCurrentThread always has full access rights, except on older out-of-support versions of Windows.

如果您稍后要使用 OpenThread 来获取额外的句柄，或者如果外部进程尝试使用 OpenThread 来获取句柄，那么当线程安全权限将发挥作用.

If you were to use OpenThread later on to get an additional handle, or if an external process tried to use OpenThread to get a handle, that is when the thread security permissions would come into play.

在支持的 Windows 版本上，线程对象的默认安全权限(几乎?)总是合适的，所以 lpThreadAttributes 或 lpSecurityDescriptor 应该是 NULL.处理加密、身份验证或其他特别敏感任务的软件在极少数情况下可能会使用非默认线程安全权限.(我想不出这有什么有用的用途，但可能有一些奇怪的情况是合适的.)

On supported versions of Windows, the default security permissions for the thread object are (almost?) always appropriate, so either lpThreadAttributes or lpSecurityDescriptor should be NULL. Software dealing with cryptography, authentication, or other especially sensitive tasks might on rare occasions use non-default thread security permissions. (I can't think of any useful purpose this would serve, but there may be some oddball cases where it is appropriate.)

在旧版本的 Windows 上，如果调用 CreateThread 的线程正在模拟另一个用户，则可能需要指定 lpSecurityDescriptor，尽管推荐的做法是在调用 CreateThread 之前停止模拟代码>创建线程.

On older versions of Windows it might be necessary to specify lpSecurityDescriptor if the thread calling CreateThread is impersonating another user, although the recommended practice is to cease impersonation before calling CreateThread.

这在 MSDN 文档中有详细说明对于 CreateThread.

这篇关于Microsoft Threads，设置安全和访问权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！