I am trying to use the following code to start a process in the security
context of a different user, and all the calls succeed except for the call
to CreateProcessAsUser. GetLastError indicates error 1314 - "A required
privilege is not held by the client". Any clue what may be the cause for
this error?
The process using this code runs as an admin on a WinXP Pro machine.
Any help will be highly appreciated.
Thanks,
A
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
HANDLE token;
HANDLE newToken;
if( LogonUser( userName, ".", password, LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT, &token ) )
{
if( ImpersonateLoggedOnUser( token ) )
{
if( DuplicateTokenEx( token, TOKEN_ALL_ACCESS, 0,
SecurityIdentification, TokenPrimary, &newToken ) )
{
if( CreateProcessAsUser( newToken,
processFileName,
cmdLine, // Command line.
NULL, // Process handle not inheritable.
NULL, // Thread handle not inheritable.
FALSE, // Set handle inheritance to FALSE.
0, // No creation flags.
0, // Use parent's environment block.
startupDir,
&si, // Pointer to STARTUPINFO structure.
&pi ) // Pointer to PROCESS_INFORMATION structure.
)
{
///close handles etc...
///....
Well... the administrators group does not have all privileges by
default, although they could certainly grant themselves all the
needed privileges to accomplish a task if they wanted to.
However, once a privilege is granted to the user it will have two
states, either Enabled or Disabled. Most privileges are disabled
by default, and that will require the application program to
explicitly turn them on in order to be able to use them. Moreover,
the process that calls the API CreateProcessAsUser() must have the
following privileges:
SE_ASSIGNPRIMARYTOKEN_NAME
SE_INCREASE_QUOTA_NAME
So, if you have been granted those privileges then you can use
the following APIs to enable them from your application:
GetCurrentProcess()
OpenProcessToken() using TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY
LookupPrivilegeValue()
AdjustTokenPrivileges()
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/getcurrentprocess.asp
Hope these information helps,
Kellie.
"Typically, the process that calls the CreateProcessAsUser function must
have the SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME privileges.
However, if hToken is a restricted version of the caller's primary token,
the SE_ASSIGNPRIMARYTOKEN_NAME privilege is not required. If the necessary
privileges are not already enabled, CreateProcessAsUser enables them for the
duration of the call. For more information, see Running with Special
Privileges."
"Kellie Fitton" <KELLIE...@YAHOO.COM> wrote in message
news:1138722774.9...@f14g2000cwb.googlegroups.com...
> explicitly turn them on in order to be able to use them. Moreover,
> the process that calls the API CreateProcessAsUser() must have the
> following privileges:
>
> SE_ASSIGNPRIMARYTOKEN_NAME
> SE_INCREASE_QUOTA_NAME
>
It seems, based on the other reply I got, that setting these privileges
explicitly is not necessary, but I still tried doing it, with the same
result - the call to CreateProcessAsUser still returns error 1314.
I am at a total loss as to what the reason for this is, and I would
appreciate it if anybody could post a solution.
Thanks,
A
> Actually, if you read the documentation for CreateProcessAsUser, you will
> see that it automatically attempts to enable those two privileges. Thus
> attempting to manually enable them will change nothing here.
You are right - I tried to enable them explicitly, but I got the same error.
Any idea what to do to fix this?
Thanks,
A
Windows does not support per-application security settings, only
per-user security, so, you need to emulate per-application security
via user based security. Also, the API AdjustTokenPrivileges() canNot
grant new privileges, it just can enable/disable privileges that the
token holds, you simply canNot enable a privilege you don't have,
the system administrator must grant those privileges to the users.
The common way to solve the logOn problems with the APIs LogonUser()
and CreateProcessAsUser(), is to create a service process that acts as
a logOn broker, or that performs the privileged operations on behalf
of the endUser, then use some form of IPC mechanism such as mailSolt
or named pipe, to communicate with the service process from your main
application.
Kellie.
Actually that's what I am trying to do. I created a test user with limited
privileges, and I am trying to create a process running as this user from
another process running as admin, which in theory should have all the
privileges. I even made the test user member of the admin group temporarily,
to make sure that it is actually capable of running the spawned process, but
even that failed.
> Also, the API AdjustTokenPrivileges() canNot
> grant new privileges, it just can enable/disable privileges that the
> token holds, you simply canNot enable a privilege you don't have,
> the system administrator must grant those privileges to the users.
>
Shouldn't the admin account (as which the main process is running) hold all
the privileges?
> The common way to solve the logOn problems with the APIs LogonUser()
> and CreateProcessAsUser(), is to create a service process that acts as
> a logOn broker, or that performs the privileged operations on behalf
> of the endUser, then use some form of IPC mechanism such as mailSolt
> or named pipe, to communicate with the service process from your main
> application.
>
This sounds like a solution, but it would make setup and administration of
the whole application even more complicated than it already is, so before
doing this, I'd like to make sure I tried everything else.
Thanks for your reply!
A
Another valid option is using the API CreateProcessWithLogonW(),
this would spawn your application in the correct security context
and the function does exactly the same thing as LogonUserEx() and
CreateProcessAsUser(), and does not require any special privileges,
just make sure that the user account you specify is allowed to logIn
Interactively to your machine, you check that in the domain/local
policies.
Kellie
Is this failing on only a particular box or on every XP machine you have
tried?
Can you check (in secpol.msc) that the admin user really does have those
privileges granted to it (either directly or through group membership)?
"a" <xxx...@pacbell.net> wrote in message
news:BpODf.48886$PL5....@newssvr11.news.prodigy.com...
I tried on another XP machine (not Pro though), and I am getting the same
error.
> Can you check (in secpol.msc) that the admin user really does have those
> privileges granted to it (either directly or through group membership)?
I looked in there, but couldn't find any privileges that seem to match these
2 names SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME.
I also have to admit that I am far from being an expert in managing an XP
machine, especially when it comes to security and privilege settings.
A
>
> The common way to solve the logOn problems with the APIs LogonUser()
> and CreateProcessAsUser(), is to create a service process that acts as
> a logOn broker, or that performs the privileged operations on behalf
> of the endUser, then use some form of IPC mechanism such as mailSolt
> or named pipe, to communicate with the service process from your main
> application.
>
After many tests am no closer to fixing this error than I was when I
started, so I decided I would try going with a NT service. Once I write this
service though, how do I install it? I saw that Win2k resource kit has some
tools for this task, but I don't have it - are there any free tools out
there to do this?
Thanks,
A
"a" <xxx...@pacbell.net> wrote in message
news:aebEf.21578$Jd.2...@newssvr25.news.prodigy.net...
Thanks - searching for this in MSDN I found a MS sample that shows all there
is about writing,installing running and uninstalling a service. I hope this
will finally solve my CreateProcessAsUser problem.
A
Just in case you care, I am using this setup and now everything seems to be
working fine - thanks for the suggestion!
A
Glad you sorted out the problem.
Kellie.