Console Buffer Security and Access Rights

The Windows security model enables you to control access to console input buffers and console screen buffers. For more information about security, see Access-Control Model.

Console Object Security Descriptors

You can specify a security descriptor for the console input and console screen buffers when you call the CreateFile or CreateConsoleScreenBuffer function. If you specify NULL, the object gets a default security descriptor. The ACLs in the default security descriptor for a console buffer come from the primary or impersonation token of the creator.

The handles returned by CreateFile, CreateConsoleScreenBuffer, and GetStdHandle have the GENERIC_READ and GENERIC_WRITE access rights.

The valid access rights include the GENERIC_READ and GENERIC_WRITE generic access rights.

Value                          Meaning
GENERIC_READ (0x80000000L)     Requests read access to the console screen buffer, enabling the process to read data from the buffer.
GENERIC_WRITE (0x40000000L)    Requests write access to the console screen buffer, enabling the process to write data to the buffer.

Note

Universal Windows Platform console apps, and apps with a lower integrity level than the attached console, are prohibited from both reading the output buffer and writing to the input buffer, even if the security descriptors described above would normally permit it. See the Wrong-Way Verbs discussion below for more details.

Wrong-Way Verbs

Some operations on the console objects will be denied even if the object has a security descriptor that explicitly permits reading or writing. This specifically concerns command-line applications running in a reduced-privilege context that share a console session created by a command-line application in a more permissive context.

The term "wrong-way verbs" applies to an operation that is the converse of the normal flow for one of the console objects. Specifically, the normal flow for the output buffer is writing and the normal flow for the input buffer is reading. The "wrong way" is therefore reading the output buffer or writing the input buffer. These operations are performed by the functions described in the Low-Level Console I/O Functions documentation.

The two scenarios where this can be found are:

  1. Universal Windows Platform console apps. As these are cousins of other Universal Windows Platform applications, they hold a promise that they are isolated from other applications and provide user guarantees around the effects of their operation.
  2. Any console application intentionally launched with a lower integrity level than the existing session which can be accomplished with labeling or token manipulation during CreateProcess.

If either of these scenarios is detected, the console will apply the "wrong-way verbs" flag to the command-line application connection and reject calls to the following APIs to reduce the surface of communication between the levels:

Rejected calls will receive an access denied error code, the same as if the read or write permission were denied by the security descriptors on the object.
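The following is an added illustration, not code from this page or from the Windows console host, that models the two-stage decision the text describes: the ordinary DACL check against the GENERIC_READ/GENERIC_WRITE rights in the table above, followed by the "wrong-way verbs" policy for the two scenarios listed. The structs, enums and function names are hypothetical; GENERIC_READ and GENERIC_WRITE take the values from the table on this page, and ERROR_ACCESS_DENIED (5) and ERROR_SUCCESS (0) are the standard winerror.h values. The point it makes explicit is that a policy rejection returns the same error code as a DACL rejection, so a caller diagnosing ERROR_ACCESS_DENIED on a console read or write should also consider its own integrity level and UWP status, not only the object's security descriptor.

```c
#include <stdbool.h>
#include <stdio.h>

/* Values from the access-rights table on this page and from winerror.h. */
#define GENERIC_READ        0x80000000UL
#define GENERIC_WRITE       0x40000000UL
#define ERROR_SUCCESS       0UL
#define ERROR_ACCESS_DENIED 5UL

/* Hypothetical model of the two console object kinds and the two verbs. */
typedef enum { CONSOLE_INPUT_BUFFER, CONSOLE_SCREEN_BUFFER } console_object_t;
typedef enum { CONSOLE_OP_READ, CONSOLE_OP_WRITE } console_op_t;

/* Hypothetical model of what the console knows about a client connection. */
typedef struct {
    bool is_uwp_app;               /* scenario 1: Universal Windows Platform console app */
    bool integrity_below_console;  /* scenario 2: lower integrity level than the session */
} console_client_t;

/* Constructed sample clients used by main() and by the checks below. */
static const console_client_t CLIENT_NORMAL = { false, false };
static const console_client_t CLIENT_LOW_IL = { false, true  };
static const console_client_t CLIENT_UWP    = { true,  false };

/* A wrong-way verb is the converse of the object's normal flow:
   reading the screen (output) buffer or writing the input buffer. */
bool is_wrong_way_verb(console_object_t obj, console_op_t op)
{
    return (obj == CONSOLE_SCREEN_BUFFER && op == CONSOLE_OP_READ) ||
           (obj == CONSOLE_INPUT_BUFFER  && op == CONSOLE_OP_WRITE);
}

/* The flag is applied to the connection if either scenario is detected. */
bool wrong_way_flag_applies(const console_client_t *client)
{
    return client->is_uwp_app || client->integrity_below_console;
}

/* granted_mask is the access the handle holds after the DACL evaluation
   (handles from CreateFile, CreateConsoleScreenBuffer and GetStdHandle carry
   GENERIC_READ | GENERIC_WRITE). Returns ERROR_SUCCESS or ERROR_ACCESS_DENIED. */
unsigned long check_console_access(unsigned long granted_mask,
                                   console_object_t obj, console_op_t op,
                                   const console_client_t *client)
{
    unsigned long required = (op == CONSOLE_OP_READ) ? GENERIC_READ : GENERIC_WRITE;

    /* Stage 1: the security descriptor must grant the right the call needs. */
    if ((granted_mask & required) != required)
        return ERROR_ACCESS_DENIED;

    /* Stage 2: the wrong-way policy denies with the same code even when the DACL permits. */
    if (is_wrong_way_verb(obj, op) && wrong_way_flag_applies(client))
        return ERROR_ACCESS_DENIED;

    return ERROR_SUCCESS;
}

static const char *result_name(unsigned long rc)
{
    return rc == ERROR_SUCCESS ? "allowed" : "ERROR_ACCESS_DENIED";
}

int main(void)
{
    const unsigned long full = GENERIC_READ | GENERIC_WRITE;
    const console_client_t *clients[] = { &CLIENT_NORMAL, &CLIENT_LOW_IL, &CLIENT_UWP };
    const char *names[] = { "normal", "low-IL", "UWP" };

    /* Print the decision table for a handle holding both generic rights. */
    for (int c = 0; c < 3; c++) {
        printf("%-7s screen/write: %-20s screen/read: %-20s\n", names[c],
               result_name(check_console_access(full, CONSOLE_SCREEN_BUFFER, CONSOLE_OP_WRITE, clients[c])),
               result_name(check_console_access(full, CONSOLE_SCREEN_BUFFER, CONSOLE_OP_READ,  clients[c])));
        printf("%-7s input/read:   %-20s input/write: %-20s\n", names[c],
               result_name(check_console_access(full, CONSOLE_INPUT_BUFFER, CONSOLE_OP_READ,  clients[c])),
               result_name(check_console_access(full, CONSOLE_INPUT_BUFFER, CONSOLE_OP_WRITE, clients[c])));
    }
    return 0;
}
```

Running it prints a four-entry decision table per client: the normal client keeps all four operations, while the low-integrity and UWP clients keep the normal-flow verbs (write to the screen buffer, read from the input buffer) and lose the two wrong-way verbs, even though the handle's granted mask is unchanged.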