EnumWinsta GUI
Window Stations and Desktops Explorer

Enum Winsta GUI displays a list of the window stations and desktops on your Windows NT/2000/XP system and lets you experiment with their security settings. It even allows things like running cmd.exe on your logon desktop!

1. Download

You can download EnumWinstaGui and use it in any way you desire. If you modify the program, please change the copyright notice accordingly. The program is provided "as is". The author assumes no responsibility with respect to this program.

2. Motivation

For a long time I was intrigued by the Windows NT system of desktops and window stations, and their security settings. This was a very interesting and scarcely documented corner of Windows NT. I was particularly attracted to the mysterious WinLogon desktop, which is supposed to be a stronghold of Windows NT security inaccessible to mere mortals. I was really fascinated when I finally succeeded in creating my own windows on the WinLogon desktop (click here for important tip). My research efforts culminated in this program. Of course, I did not invent everything myself. A lot of credit goes to Keith Brown and his Security Samples Gallery.

3. Features

With Enum Winsta GUI you can:

Right-clicking a window station or desktop name opens a context menu that lists the possible actions.

4. Screen Shot

EnumWinstaGui screen shot

5. Limitations

5.1. Windows 95/98 Are Not Supported

Enum Winsta GUI will not run on Windows 95/98.
There is no point in running Enum Winsta GUI on Windows 95/98 anyway, because Windows 95/98 do not support window stations and desktops. Enum Winsta GUI runs on Windows NT 4.0 SP4 or higher, and on Windows 2000. On Windows NT 4.0, the new security editor (AclUI.DLL) is required.

5.2. Inaccessible Window Stations

Enum Winsta GUI displays only those window stations for which your user account has the WINSTA_ENUMERATE right. Therefore, it is possible that some "invisible" window stations exist. Windows NT does not have a documented way of displaying all window stations regardless of the WINSTA_ENUMERATE right.

Furthermore, if you remove the WINSTA_ENUMERATE right from a window station, it becomes "invisible" to you and there is no way to bring it back into view, except by rebooting the computer.

5.3. Inaccessible Desktops

A desktop is accessible only if you have the WINSTA_ENUMDESKTOPS right for the parent window station. You can enable or disable this right using the security editor built into Enum Winsta GUI.

5.4. Take Ownership

In the case of window stations and desktops, Windows NT does not provide a documented means of taking ownership of objects to which you have no access at all. Therefore, take ownership does not always work.

5.5. Switch To Desktop

The switch to desktop feature works only for desktops of the WinSta0 window station. This limitation is by design: in Windows NT, only desktops of WinSta0 can be displayed on the physical screen.

5.6. Creating Window Stations and Desktops

Sometimes when you create a window station or desktop, it disappears when you exit and restart the Enum Winsta GUI application. This behavior is by design. In Windows NT, an object (window station, desktop, event, semaphore, etc.) is automatically removed when the last handle to the object is closed. When you create a window station or desktop object, Enum Winsta GUI holds an open handle to the object until the end of the program. When the Enum Winsta GUI program exits, all its handles are automatically closed. If no other program references the window station or desktop object in question, the object will be automatically removed by Windows NT. To prevent this, you may run cmd.exe on the desktop in question. For a window station, you will have to create a desktop and run cmd.exe on that desktop.

5.7. Access to Winlogon Desktop

It seems that in order to open the Winlogon desktop, one needs the DESKTOP_READOBJECTS and DESKTOP_WRITEOBJECTS rights, even if they are not specified in the AccessMask parameter of OpenDesktop(). This is unique to Winlogon; all other desktops behave properly with OpenDesktop(). Since even administrators normally don't have those rights on the Winlogon desktop, it can normally be opened only by the LocalSystem account.
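A way to check from code which desktop rights your account actually holds, as an added example that is not part of EnumWinstaGui or the original page: it enumerates the desktops of the current window station and requests each desktop right on its own through OpenDesktop(). The names probe_desktop_rights, try_open_fn and mock_try_open are hypothetical, and the mock is a constructed stand-in so the probing logic can be exercised off Windows.

```c
#include <stdio.h>
/* Desktop-specific access rights, values as defined in winuser.h. */
static const struct { unsigned long bit; const char *name; } DESK_RIGHTS[] = {
    {0x0001, "DESKTOP_READOBJECTS"},   {0x0002, "DESKTOP_CREATEWINDOW"},
    {0x0004, "DESKTOP_CREATEMENU"},    {0x0008, "DESKTOP_HOOKCONTROL"},
    {0x0010, "DESKTOP_JOURNALRECORD"}, {0x0020, "DESKTOP_JOURNALPLAYBACK"},
    {0x0040, "DESKTOP_ENUMERATE"},     {0x0080, "DESKTOP_WRITEOBJECTS"},
    {0x0100, "DESKTOP_SWITCHDESKTOP"},
};
#define N_RIGHTS (sizeof DESK_RIGHTS / sizeof DESK_RIGHTS[0])
/* Hypothetical callback type: nonzero if the desktop opens with exactly `right`. */
typedef int (*try_open_fn)(const char *desktop, unsigned long right);
/* Request each right on its own, print the ones granted, return them as a mask. */
unsigned long probe_desktop_rights(const char *desktop, try_open_fn try_open) {
    unsigned long granted = 0;
    printf("%s:", desktop);
    for (size_t i = 0; i < N_RIGHTS; i++) {
        if (!try_open(desktop, DESK_RIGHTS[i].bit)) continue;
        granted |= DESK_RIGHTS[i].bit;
        printf(" %s", DESK_RIGHTS[i].name);
    }
    printf(" (mask 0x%04lx)\n", granted);
    return granted;
}

/* Constructed stand-in for non-Windows runs: a desktop granting only mask 0x0041. */
int mock_try_open(const char *desktop, unsigned long right) {
    (void)desktop;
    return (right & ~0x0041UL) == 0;
}

#ifdef _WIN32
#include <windows.h>
/* OpenDesktop resolves the name in the process's current window station. */
static int try_open_win32(const char *desktop, unsigned long right) {
    HDESK h = OpenDesktopA(desktop, 0, FALSE, right);
    if (h) CloseDesktop(h);
    return h != NULL;
}
static BOOL CALLBACK on_desktop(LPSTR name, LPARAM unused) {
    probe_desktop_rights(name, try_open_win32);
    return TRUE; /* keep enumerating */
}
int main(void) {
    /* NULL = current window station; the call needs WINSTA_ENUMDESKTOPS on it. */
    return EnumDesktopsA(NULL, on_desktop, 0) ? 0 : (int)GetLastError();
}
#else
int main(void) { probe_desktop_rights("Constructed", mock_try_open); return 0; }
#endif
```

For a desktop that behaves as described above for Winlogon, every single-right request fails unless the account holds both DESKTOP_READOBJECTS and DESKTOP_WRITEOBJECTS, so the probe reports an empty mask.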

6. Running Enum Winsta GUI Under LocalSystem Account

Enum Winsta GUI is much less restricted in what it can access if you run it under the LocalSystem account. To do so, use Keith Brown's CmdAsUser tool from www.develop.com/kbrown/security/samples.htm, or su.exe from the Windows NT Resource Kit.

7. To Do List

  1. If there are so many window stations and desktops that the tree view must be scrolled, the tree view jumps to the end of the list every time it is refreshed. This may be very frustrating, although on a typical system it is unlikely that there are so many window stations and desktops that they don't fit in the window.
  2. An undocumented NT API (NtQueryDirectoryObject???) makes it possible to list all window stations, even those on which the caller does not have the WINSTA_ENUMERATE right. These functions are used by the WinObj utility from www.sysinternals.com.
  3. Find a way to take ownership of inaccessible desktops/window stations.