Windows Internals 6th Security

访问权限（Access Right）和访问掩码（Access Mask）：

访问权限是一个位标志（bit flag），表示线程可对对象所作的某一个操作，比如：KEY_SET_VALUE访问权限，表明线程可以在某个key下面set value。

访问掩码是一个32位的值，对应于一个对象所支持的所有访问权限。

typedef DWORD ACCESS_MASK;

访问掩码主要可分为4部分：

格式如下：

Access mask format

Bits	Meaning
0–15	Specific rights. Contains the access mask specific to the object type associated with the mask.
16–23	Standard rights. Contains the object's standard access rights.
24	Access system security (ACCESS_SYSTEM_SECURITY). It is used to indicate access to a system access control list (SACL). This type of access requires the calling process to have the SE_SECURITY_NAME (Manage auditing and security log) privilege. If this flag is set in the access mask of an audit access ACE (successful or unsuccessful access), the SACL access will be audited.
25	Maximum allowed (MAXIMUM_ALLOWED).
26–27	Reserved.
28	Generic all (GENERIC_ALL).
29	Generic execute (GENERIC_EXECUTE).
30	Generic write (GENERIC_WRITE).
31	Generic read (GENERIC_READ).

Standard rights bits, 16 to 23, contain the object's standard access rights and can be a combination of the following predefined flags.

Bit	Flag	Meaning
16	DELETE	Delete access.
17	READ_CONTROL	Read access to the owner, group, and discretionary access control list (DACL) of the security descriptor.
18	WRITE_DAC	Write access to the DACL.
19	WRITE_OWNER	Write access to owner.
20	SYNCHRONIZE	Synchronize access.

标准访问权限（共有5个）适用于所有对象。对象特定访问权限（最多有16个）由每种对象自己定义。通用访问权限（共有4个），是标准访问权限和对象特定访问权限的掩码，每种对象都要自定义通用访问权限到标准访问权限/对象特定访问权限的映射(GENERIC_MAPPING)。

例如：文件的GENERIC_READ被映射为:

标准访问权限的READ_CONTROL和SYNCHRONIZE

对象特定访问权限的FILE_READ_DATA, FILE_READ_EA, 和FILE_READ_ATTRIBUTES

通用访问权限主要为了方便用户，用户可以直接要求通用访问权限而不用关心标准访问权限和对象特定访问权限，使用通用访问权限更简单。

http://msdn.microsoft.com/en-us/library/windows/hardware/ff566424%28v=vs.85%29.aspx

列出了文件对象的object specific 访问权限和generic访问权限到standard访问权限和object specific访问权限的映射。

http://msdn.microsoft.com/en-us/library/windows/hardware/ms724878%28v=vs.85%29.aspx

注册表的。