Window Stations and Desktops Explorer
Enum Winsta GUI displays a list of window stations and desktops on your
Windows NT/2000/XP system and lets you play with their security
settings. It even allows things like running
on your logon desktop!
WinLogon desktop, which is supposed to be a stronghold of Windows NT security inaccessible to mere mortals. I was really fascinated when I finally succeeded in creating my own windows on the WinLogon desktop (click here for important tip). My research efforts culminated in this program. Of course, I did not invent everything myself. A lot of credit goes to Keith Brown and his Security Samples Gallery.
- Edit security settings of window station/desktop objects.
- Create new window stations and desktops.
- Switch to desktops of the default window station.
- cmd.exe on any desktop.
- Take ownership of window station and desktop objects.
4. Screen Shot
5.1. Windows 95/98 Are Not Supported
There is no point in running Enum Winsta GUI on Windows 95/98 anyway, because Windows 95/98 do not support window stations and desktops. Enum Winsta GUI runs on Windows NT 4.0 SP4 or higher, and on Windows 2000. On Windows NT 4.0, the new security editor (AclUI.DLL) is required.
5.2. Inaccessible Window Stations
WINSTA_ENUMERATE right. Therefore, it is possible that some "invisible" window stations exist. Windows NT does not have a documented way of displaying all window stations regardless of
Furthermore, if you remove the WINSTA_ENUMERATE right from a window station, it becomes "invisible" to you and there is no way to bring it back into view, except by rebooting the computer.
5.3. Inaccessible Desktops
WINSTA_ENUMDESKTOPS right for the parent window station. You can enable or disable this right using the security editor built into Enum Winsta GUI.
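A pre-flight check for the two caveats above (5.2 and 5.3), as an added example that is not part of Enum Winsta GUI: it evaluates a proposed window station DACL, written as an SDDL string, against the caller's groups and reports whether WINSTA_ENUMERATE or WINSTA_ENUMDESKTOPS would be lost. The SDDL input, the function names and the sample DACLs are assumptions made for this example; only allow/deny ACEs with hexadecimal masks are handled, and privileges and generic rights are ignored.

```python
import re

# Window station access rights (values from winuser.h).
WINSTA_ENUMDESKTOPS = 0x0001   # needed to list the station's desktops (5.3)
WINSTA_ENUMERATE = 0x0100      # needed for the station to be listed (5.2)

ACE_RE = re.compile(r"\(([AD]);([A-Z]*);(0x[0-9A-Fa-f]+);;;([^)]+)\)")

def parse_dacl(sddl):
    """Return (ace_type, flags, mask, trustee) tuples from the D: part.
    Simplification: only allow/deny ACEs with hex masks are recognised."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if dacl is None:
        raise ValueError("no DACL component in SDDL string")
    # ACE flags are two-letter codes run together, e.g. "CIOI" -> CI, OI.
    return [(t, [f[i:i + 2] for i in range(0, len(f), 2)], int(m, 16), sid)
            for t, f, m, sid in ACE_RE.findall(dacl.group(1))]

def max_allowed(aces, trustees):
    """Rights the DACL gives a token holding `trustees`, walking the ACEs in
    order the way a MAXIMUM_ALLOWED access check does."""
    granted = denied = 0
    for ace_type, flags, mask, sid in aces:
        if sid not in trustees or "IO" in flags:  # inherit-only: skip
            continue
        if ace_type == "A":
            granted |= mask & ~denied
        else:
            denied |= mask & ~granted
    return granted

def preflight(sddl, trustees):
    """List what the caller would lose if this DACL were applied."""
    rights = max_allowed(parse_dacl(sddl), trustees)
    problems = []
    if not rights & WINSTA_ENUMERATE:
        problems.append("no WINSTA_ENUMERATE: station disappears from the list")
    if not rights & WINSTA_ENUMDESKTOPS:
        problems.append("no WINSTA_ENUMDESKTOPS: its desktops cannot be listed")
    return problems

# Constructed DACLs; BA = Administrators, IU = Interactive, SY = LocalSystem.
CURRENT = "D:(A;;0xF037F;;;SY)(A;;0xF037F;;;BA)(A;;0x0101;;;IU)"
EDITED = "D:(A;;0xF037F;;;SY)(D;;0x0100;;;IU)(A;;0xF037F;;;BA)"

if __name__ == "__main__":
    for name, sddl in (("current", CURRENT), ("edited", EDITED)):
        print(name, preflight(sddl, {"BA", "IU"}) or "ok")
```

In the constructed EDITED DACL the deny ACE for IU precedes the allow ACE for BA, so an interactive administrator loses WINSTA_ENUMERATE even though Administrators are granted full access.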
5.4. Take Ownership
5.5. Switch To Desktop
WinSta0 window station. This limitation is by design. In Windows NT only desktops of WinSta0 can be displayed on the physical screen.
5.6. Creating Window Stations and Desktops
cmd.exe on the desktop in question. For a window station you will have to create a desktop and run cmd.exe on that desktop.
5.7. Access to
Winlogon desktop, one needs DESKTOP_WRITEOBJECTS rights, even if they are not specified in OpenDesktop(). This is unique for Winlogon - all other desktops behave properly with OpenDesktop. Since even administrators normally don't have those rights on Winlogon desktop, Winlogon can normally be opened only by
6. Running Enum Winsta GUI Under LocalSystem Account
CmdAsUser tool from www.develop.com/kbrown/security/samples.htm, or su.exe from Windows NT Resource Kit.
7. To Do List
- If there are so many window stations and desktops that the tree view must be scrolled, the tree view jumps to the end of the list every time it is refreshed. This may be very frustrating, although on a typical system it is unlikely that there are so many window stations and desktops that they don't fit in the window.
- An undocumented NT API (NtQueryDirectoryObject???) allows listing all window stations, even those on which the caller does not have the WINSTA_ENUMERATE right. These functions are used by the WinObj utility from www.sysinternals.com.
- Find a way to take ownership of inaccessible desktops/window stations.