diff --git a/doc/pageant.but b/doc/pageant.but
index f25119dd..186d62eb 100644
--- a/doc/pageant.but
+++ b/doc/pageant.but
@@ -159,6 +159,17 @@ by the command, like this:
 
 \c C:\PuTTY\pageant.exe d:\main.ppk -c C:\PuTTY\putty.exe
 
+\S{pageant-cmdline-restrict-acl} Restricting the \i{Windows process ACL}
+
+Pageant supports the same \i\c{-restrict-acl} option as the other
+PuTTY utilities to lock down the Pageant process's access control;
+see \k{using-cmdline-restrict-acl} for why you might want to do this.
+
+By default, if Pageant is started with \c{-restrict-acl}, it won't
+pass this to any PuTTY sessions started from its System Tray submenu.
+Use \c{-restrict-putty-acl} to change this. (Again, see
+\k{using-cmdline-restrict-acl} for details.)
+
 \H{pageant-forward} Using \i{agent forwarding}
 
 Agent forwarding is a mechanism that allows applications on your SSH
diff --git a/doc/using.but b/doc/using.but
index 515e3a4d..b920a414 100644
--- a/doc/using.but
+++ b/doc/using.but
@@ -1071,4 +1071,4 @@ Pageant stores the more critical information (hence benefits more from
 the extra protection), so it's reasonable to want to run Pageant but
 not PuTTY with the ACL restrictions. You can force Pageant to start
 subsidiary PuTTY processes with a restricted ACL if you also pass the
-\c{-restrict-putty-acl} option.
+\i\c{-restrict-putty-acl} option.