Is it possible to detect current thread desktop in my driver?
Thanks All
What is thread desktop?
PsGetCurrentThreadId
PsGetCurrentThread
PsSetCreateThreadNotifyRoutine
2014-08-21 9:33 GMT+02:00 :
> Is it possible to detect current thread desktop in my driver?
>
> Thanks All
Every process (and thread) has its own desktop; by default in Windows all processes run under the “Default” desktop (kernel object).
Also we can create more desktops using the “CreateDesktop” API and create any process under the same desktop.
To retrieve the current thread desktop in user mode we can use the “GetThreadDesktop” API,
but I wanted the same mechanism in a driver.
The concept of desktops doesn’t exist in km. Besides, there isn’t just one current thread; there is one running thread per CPU core. What bigger problem are you trying to solve?
d
Bent from my phone
From: xxxxx@gmail.com
Sent: 8/21/2014 3:15 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Detecting process or current thread desktop
Ok,
I have created another desktop using the CreateDesktop API and I wanted to run only selected processes inside the same desktop, so I am using a driver to track process creation, but I am not able to detect the desktop of a process to restrict it.
I don’t see any other way to restrict process creation inside my desktop.
Thanks
In what security context do you want to run the process on the special desktop?
Under which account?
Why do you want to restrict processes to that desktop?
What problem are you trying to solve with that isolation?
I have created this desktop, named “Restricted Desk”. I wanted to allow only processes to run in it which have a “restricted user token” and a special user group named “IsolationGrp”.
I am trying out a sandbox desktop in which only special user token processes are allowed.
Thanks
Your driver can register a process creation callback (PsSetCreateProcessNotifyRoutineEx) that can cancel a process creation. But for the desktop related API your driver must rely on a user mode service or general application. Look at the following document and precisely to the section titled “Calling user mode from kernel mode”:
> I have created this desktop name as “Restricted Desk”, I wanted to allow
> only processes to run into it which has “restricted user token” and special
> user group name as “IsolationGrp”.
> I am trying out sandbox desktop in which only special user token processes
> are allowed.
At the risk of stating the obvious, I think this can be done in user
mode, the point at which your application creates a desktop it can
associate a security descriptor with it?
http://msdn.microsoft.com/en-us/library/windows/desktop/ms682575(v=vs.85).aspx
> At the risk of stating the obvious, I think this can be done in user mode, the point at which your
> application creates a desktop it can associate a security descriptor with it?
At least this is for sure possible with WinSta, and you can create both WinSta+desktop
–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
Assign an ACL to the desktop, to only allow this group to open it.
Your approach will not protect against OpenDesktop/SetThreadDesktop.
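The ACL approach suggested above, sketched as an added example that is not part of the original thread: the desktop is created with a protected DACL, so OpenDesktop by any caller outside the group fails the access check. The names `build_desktop_sddl` and `create_restricted_desktop` are hypothetical, the SID in `main` is constructed, and the extra ACE for SYSTEM is an assumption of this example; the group and desktop names are the ones from the thread.

```c
#include <stdio.h>
#include <string.h>

/* 0xF01FF = all DESKTOP_* rights (0x1FF) | STANDARD_RIGHTS_REQUIRED (0xF0000).
   Protected DACL (D:P): only SYSTEM and the given group may open the desktop.
   Granting SYSTEM is an assumption of this example. Returns 0 on success. */
int build_desktop_sddl(const char *group_sid, char *out, size_t cap)
{
    if (group_sid == NULL || strncmp(group_sid, "S-1-", 4) != 0)
        return -1;
    /* Digits and dashes only, so the value cannot close the ACE early. */
    if (strspn(group_sid + 4, "0123456789-") != strlen(group_sid + 4))
        return -1;
    int n = snprintf(out, cap, "D:P(A;;0xF01FF;;;SY)(A;;0xF01FF;;;%s)", group_sid);
    return (n > 0 && (size_t)n < cap) ? 0 : -1;
}

#ifdef _WIN32
#include <windows.h>
#include <sddl.h>   /* link with advapi32.lib and user32.lib */
/* Hypothetical helper: create the desktop with the DACL applied at creation. */
HDESK create_restricted_desktop(const char *group, const char *desktop)
{
    BYTE sid[SECURITY_MAX_SID_SIZE];
    char domain[256], sddl[256], *sid_str = NULL;
    DWORD cb_sid = sizeof sid, cch_domain = sizeof domain;
    SECURITY_ATTRIBUTES sa = { sizeof sa, NULL, FALSE };
    SID_NAME_USE use; HDESK desk = NULL;
    if (!LookupAccountNameA(NULL, group, sid, &cb_sid, domain, &cch_domain, &use) ||
        !ConvertSidToStringSidA(sid, &sid_str))
        return NULL;
    if (build_desktop_sddl(sid_str, sddl, sizeof sddl) == 0 &&
        ConvertStringSecurityDescriptorToSecurityDescriptorA(
            sddl, SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL)) {
        desk = CreateDesktopA(desktop, NULL, NULL, 0, GENERIC_ALL, &sa);
        LocalFree(sa.lpSecurityDescriptor);
    }
    LocalFree(sid_str);
    return desk;
}
#endif

int main(void)
{
    char sddl[128];   /* the SID below is constructed, for illustration */
    if (build_desktop_sddl("S-1-5-21-1111111111-2222222222-3333333333-1005", sddl, sizeof sddl) == 0)
        puts(sddl);
    return 0;
}
```

On Windows, `create_restricted_desktop("IsolationGrp", "Restricted Desk")` applies the descriptor; a process started on that desktop also needs access to the window station that contains it.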
Thanks Alex Grig and ALL
it was so simple,