给分关于 DefineDosDevice 。

xp中：

Note that only processes running in the LocalSystem context  can call DefineDosDevice to create an MS-DOS device in the Global MS-DOS device namespace.

其中的LocalSystem context怎么理解，或这说怎样用DefineDosDevice 定义一Global 而不是Local 的MS-DOS Device name.

？

不同于2k中的！

Could you give an example?

Defining an MS-DOS Device Name

An MS-DOS device name is a junction that points to the path of an MS-DOS device. These junctions comprise the MS-DOS device namespace. Call the DefineDosDevice and SetVolumeMountPoint functions to create and modify these junctions. DeleteVolumeMountPoint deletes a junction created by SetVolumeMountPoint, and DefineDosDevice deletes junctions it creates.


After an MS-DOS device name is defined, it remains visible to all processes. Before Windows 2000 SP2, a device name remained globally visible until either explicitly removed or the system restarted. Security issues made changes to this policy necessary in later versions of Windows.

Starting with Windows 2000 SP2, when a user that is logged in through an interactive console session (that is, by running a console application on a local machine), any drive letters defined by running a program that calls DefineDosDevice are deleted when the interactive console user logs out. Also, a security policy is implemented regulating the circumstances under which drive letters can be deleted. This deletion policy is defined as follows:


If the user attempting the deletion is logged in as an Administrator, or another account that belongs to the Administrator group, the user can delete any drive letter.
If the user attempting the deletion is not logged in as an Administrator, and is logged in though the interactive console session, the user can delete any drive letter except those created by other users logged in as Administrators through logon sessions that are not the interactive console session, such as background scheduled tasks or during system startup.
If the user attempting the deletion is not logged in as an Administrator, and is logged in though a logon session that is not the interactive console session, the user can delete only the drive letters that he or she has created during the session.
This security fix does not affect Terminal Services sessions, because each Terminal Services session defines its own MS-DOS Device namespace.

In Windows 2000 SP2 and earlier, calls to QueryDosDevice return all MS-DOS devices that have been defined on the local machine.

In Windows XP, the policy changes defined in Windows 2000 SP2 were removed and replaced with an architecture based on the following:


All MS-DOS devices are identified by Windows through an authentication ID. An authentication ID is the LUID (locally unique identifier) associated with each logon session when created.
The visibility of an MS-DOS device names is categorized as global or local, and is defined as such by its inclusion in the Global MS-DOS Device and Local MS-DOS Device namespaces. The contents of MS-DOS devices in the Global namespace can be accessed by all users, and the contents of MS-DOS devices in the Local namespace can be accessed only by the user whose access token contains the AuthenticationID associated with that Local MS-DOS device namespace
Multiple Local MS-DOS Device namespaces and only one Global MS-DOS Device namespace may exist at one time and on one machine.

Note that only processes running in the LocalSystem context can call DefineDosDevice to create an MS-DOS device in the Global MS-DOS device namespace. Also, the Local MS-DOS device namespace corresponding to a specific AuthenticationID is deleted when the last reference to that AuthenticationID is removed.

When your code queries an existing MS-DOS device name by calling QueryDosDevice, it first searches the Local MS-DOS Device namespace. If it is not found there, the function will then search the Global MS-DOS Device namespace. When your code queries all existing MS-DOS device names through this function, the list of names that are returned is dependent on whether it is running in the LocalSystem context. If so, only the MS-DOS device names included in the Global MS-DOS Device namespace will be returned. If not, a concatenation of the device names in the Global and Local MS-DOS Device namespaces will be returned. If a device name exists in both namespaces, QueryDosDevice will return the entry in the Local MS-DOS Device namespace. This also applies to the list of all MS-DOS device names returned by GetLogicalDrives and GetLogicalDriveStrings.

Note that the following scenario may occur:

User A, who is not running within the LocalSystem context, creates a device name in the corresponding Local MS-DOS Device namespace, and that device name does not exist in the Global MS-DOS Device namespace.
User B, who is running within the LocalSystem context, creates the same device name in the Global MS-DOS Device namespace.
In this scenario, User A will not have access to the device name in the Global MS-DOS Device namespace until he or she removes or renames the device name in his or her Local MS-DOS Device namespace. To reduce the likelihood of this scenario occurring, MS-DOS drive letters should be allocated in the Global MS-DOS Device namespace starting with C: and ending with Z:. This sequence should be reversed for the allocation of MS-DOS drive letters in the Local MS-DOS Device namespace.

If you are not running within the LocalSystem context, DefineDosDevice will not allow you to define a device name in the Local MS-DOS Device namespace if that device name already exists in your Local or Global MS-DOS Device namespaces. Call QueryDosDevice before calling DefineDosDevice to determine whether the device name you intend to define exists in your MS-DOS Device namespaces.