EnumWinsta GUI
Window Stations and Desktops Explorer

You can download EnumWinstaGui and use it in any way you desire. If you modify the program, please change copyright notice accordingly. The program is provided "as is". Author assumes no responsibility with respect to this program.

• Dynamically linked executable (23K, requires MSVC 6.0 run-time DLLs)
• Statically linked executable (88K)
• Executables with source code for Visual C++ 6.0 (203K)

For a long time I was intrigued by Windows NT system of desktops and windows stations, and their security settings. This was very interesting and scarcely documented corner of Windows NT. I was particularly attracted to the mysterious WinLogon desktop, which is supposed to be a stronghold of Windows NT security inaccessible to mere mortals. I was really fascinated when I finally succeeded to create my own windows on WinLogon desktop (click here for important tip). My research efforts culminated with this program. Of course, I did not invent everything myself. A lot of credit goes to Keith Brown and his Security Samples Gallery.

With Enum Winsta GUI you can:

• Edit security settings of window station/desktop objects.
• Create new window stations and desktops.
• Switch to desktops of default window station WinSta0.
• Start cmd.exe on any desktop.
• Take ownership over window station and desktop objects.

Right-click on window station or desktop name opens context menu that contains list of possible actions.

Enum Winsta GUI will not run on Windows 95/98.
There is no point running Enum Winsta GUI on Windows 95/98 anyway, because Windows 95/98 do not support window stations and desktops. Enum Winsta GUI runs on Windows NT 4.0 SP4 or higher, and on Windows 2000. On Windows NT 4.0 new security editors (AclUI.DLL) is required.

Enum Winsta GUI displays only those window stations for which your user accountt has WINSTA_ENUMERATE right. Therefore, it is possible that some "invisible" window stations exist. Windows NT does not have documented way of displaying all window stations regardless of WINSTA_ENUMERATE right.

Furthermore, if you remove WINSTA_ENUMERATE right from a windows station, it becomes "invisible" to you and there is no way to return it back to view, except for rebooting the computer.

Desktop is accessible only if you have WINSTA_ENUMDESKTOPS right for the parent window station. You can enable or disable this right using security editor built into Enum Winsta GUI.

In case of window stations and desktops, Windows NT does not provide documented means for taking ownership on objects for which you don't have any access at all. Therefore, take ownership does not always work.

Switch to desktop feature works only for desktops of WinSta0 window station. This limitation is by design. In Windows NT only desktops of WinSta0 can be displayed on the physical screen.

Sometimes when you create window station or desktop, it disappears when you exit and restart Enum Winsta GUI application. This behavior is by design. In Windows NT object (window station, desktop, event, semaphore, etc.) is automatically removed when last handle to the object is closed. When you create window station or desktop object, Enum Winsta GUI holds open handle to the object until the end of the program. When Enum Winsta GUI program exits all its handles are automatically closed. If no other program references window station or desktop object in question, the object will be automatically removed by Windows NT. To prevent this you may run cmd.exe on the desktop in question. For window station you will have to create a desktop and run cmd.exe on that desktop.

You will have much less restricted access to Enum Winsta GUI if you run it under LocalSystem account. To do so, use Keith Brown's CmdAsUser tool from www.develop.com/kbrown/security/samples.htm, or su.exe from Windows NT Resource Kit.

1. If there are too many window stations and desktops and the tree view must be scrolled, tree view jumps to the end of list every time it is refreshed. This may be very frustrating. Although, on a typical system it is unlikely that there are so many window stations and desktops that they don't fit in the window.
2. Undocumented NT API (NtQueryDirectoryObject???) allows to list all window stations, even those on which caller does not have WINSTA_ENUMERATE right. These functions are used by WinObj utility from www.sysinternals.com.
3. Find a way to take ownership on inaccessible desktops/window stations.