Windows XP Media Center Edition SDK Handling the Limited Access Rights of a Media Center Extender Session
.jpg) |
| Previous | Next |
Handling the Limited Access Rights of a Media Center Extender Session
To deliver the optimum level of security, a Media Center Extender session runs in the context of a limited user account. This account is created during the Media Center Extender installation process. It is hidden from the user and cannot be used outside of a Media Center Extender session.
The following user rights are set for the Media Center Extender limited user account.
- Access this computer from the network (SeNetworkLogonPrivilege)
- Bypass traverse checking (SeChangeNotifyPrivilege)
- Log on locally (SeInteractiveLogonPrivilege)
- Create global objects (SeCreateGlobalPrivilege)
The group membership of the Media Center Extender limited user account includes:
- Remote Desktop Users
- Media Center Remote Device (MCRD) Users
As you design your application to include Media Center Extender users, remember that they cannot access certain resources that are typically accessible to members of the Administrators group. To provide a good user experience, your application should still function properly in spite of this limitation. The restricted resources that your application cannot access from a Media Center Extender session include, but are not limited to, the following.
- Write permission to registry settings in HKEY_LOCAL_MACHINE
- Write permission to file resources in the Program Files directory
- Secure application programming interface (API) calls (for example, calls that access Local Security Authority (LSA) secrets)
Writing to the Windows Registry
Most applications need to save persistent settings in the Windows registry. Developers often choose to store these settings under the HKEY_LOCAL_MACHINE\SOFTWARE key so that the settings are globally available on the computer. However, because the Media Center Extender session runs in the context of a limited user account, an application receives an access-denied error if it attempts to write settings to HKEY_LOCAL_MACHINE\SOFTWARE. For this reason, your application should read and write settings to HKEY_CURRENT_USER\SOFTWARE.
Writing to the File System
If your application needs to write data to the file system, it must write to a location that has write permissions for Media Center Extender users, such as the Shared Documents folder (C:\Documents and Settings\All Users\Documents\My Music). Your application can read and write files and folders in this location, and it is the recommended location for storing all downloaded content. To read and write data in another location in the file system, your application must apply the appropriate security settings to the target folder. Your application should not modify the access control list (ACL) on a folder that your installation package or application does not create. For more information, see Creating or Modifying an ACL on the MSDN Web site.
See Also
| Previous | Next |