Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Pythin createprocessasuser -- OpenProcessToken, 'Access is denied.'

80 views
Skip to first unread message

Pete Fong

unread,
Jun 14, 2004, 3:15:41 AM6/14/04
to
Dear all,

I am a beginner with Python. I want to write a program as "runas" in
Windows XP.
But I have got the following error:
File "C:\Python23\Lib\site-packages\Pythonwin\pywin\framework\scriptutils.py",
line 310, in RunScript
exec codeObject in __main__.__dict__
File "C:\python\Script1.py", line 30, in ?
File "C:\python\Script1.py", line 14, in AdjustPrivilege
print "Started as: ", win32api.GetUserName()
error: (5, 'OpenProcessToken', 'Access is denied.')

There is my program :

import win32security
import win32process
import win32api
import win32con
import sys
import time
import os
from ntsecuritycon import *


def AdjustPrivilege(priv, enable = 1):
# Get the process token.
flags = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
htoken = win32security.OpenProcessToken(win32api.GetCurrentProcess(),
flags)
# Get the ID for the privilege.
id = win32security.LookupPrivilegeValue(None, priv)
# Now obtain the privilege for this process.
# Create a list of the privileges to be added.
if enable:
newPrivileges = [(id, SE_PRIVILEGE_ENABLED)]
else:
newPrivileges = [(id, 0)]
win32security.AdjustTokenPrivileges(handel, 0, newPrivileges)
# and make the adjustment.

handel=win32security.LogonUser('administrator','domain','pwd',win32con.LOGON32_LOGON_INTERACTIVE,win32con.LOGON32_PROVIDER_DEFAULT)

win32security.ImpersonateLoggedOnUser(handel)
AdjustPrivilege(SE_TCB_NAME)
AdjustPrivilege(SE_INCREASE_QUOTA_NAME)
AdjustPrivilege(SE_ASSIGNPRIMARYTOKEN_NAME)
AdjustPrivilege(TOKEN_DUPLICATE)
AdjustPrivilege(TOKEN_IMPERSONATE)
AdjustPrivilege(SE_CHANGE_NOTIFY_NAME)

print "Started as: ", win32api.GetUserName()
#this prints target username, impersonation successful

win32process.CreateProcessAsUser(handel,None,'notepad',None,None,0,0,None,None,win32process.STARTUPINFO())
#os.execv('c:', 'notepad')
#os.execv(path, args)
#runs program, not as target user


win32security.RevertToSelf()
handel.Close()


Could anyone help me ? What's wrong ? Thanks a lot ?

Best Regards,
Pete Fong

Ivan Voras

unread,
Jun 14, 2004, 6:31:34 AM6/14/04
to
Pete Fong wrote:

> I am a beginner with Python. I want to write a program as "runas" in
> Windows XP.

> handel=win32security.LogonUser('administrator','domain','pwd',win32con.LOGON32_LOGON_INTERACTIVE,win32con.LOGON32_PROVIDER_DEFAULT)


IIRC, you can't use these win32 calls if you don't hav e appropriate rights.
Only administrators and backup users can do impersonation (see msdn or such
for details).

(I think Explorer gets around it by delegating the impersonation to some
system service).

Roger Upole

unread,
Jun 14, 2004, 6:17:40 PM6/14/04
to
You'll probably need to call AdjustTokenPrivileges before LogonUser, since
you need
SE_TCB_NAME enabled for the calling process. Also, you don't need to do
ImpersonateUser
in order to call CreateProcessAsUser. If you do, you might have to enable
some privs for
the logon token you're impersonating as well as your original process token.
Another thing to keep in mind is that AdjustTokenPrivileges doesn't fail if
you try to enable a
privilege you don't have at all. win32security.GetTokenInformation(<token
handle>,TokenPrivileges)
will list your privs and their current state.
hth
Roger

"Pete Fong" <pm...@macau.ctm.net> wrote in message
news:9a361bc.04061...@posting.google.com...

Ivan Voras

unread,
Jun 15, 2004, 8:18:50 AM6/15/04
to
Roger Upole wrote:

> You'll probably need to call AdjustTokenPrivileges before LogonUser, since
> you need
> SE_TCB_NAME enabled for the calling process.

Can processes started under users that don't have that privilege acquire it
just like that?

Roger Upole

unread,
Jun 15, 2004, 5:52:41 PM6/15/04
to
No, AdjustTokenPrivileges doesn't actually add privileges.
It just enables privileges that you already have that aren't enabled
by default. Administrative privileges (SE_SECURITY_NAME, SE_TCB_NAME, etc)
generally aren't enabled by default. You can use
win32security.LsaAddAccountRights
to add extra privileges to an account. (You can only do so from an admin
account,
of course)

Roger

"Ivan Voras" <i...@an.voras.fer.hr> wrote in message
news:campmv$hih$2...@bagan.srce.hr...

0 new messages