I want to do something similar but I have problems with CreateProcessAsUser
function. It always returns me 1314 error code (A required privilege is not
held by the client).
What I really want to is give more privileges to current process. I'll
explain. I'm developing a service setup and it needs to call net start and
other things. It should be able to install the service under no
administrator users, so I use, first of all, LogonUser and
ImpersonateLoggedOnUser to convert current process to privileged process.
This part goes well and let me extract files in Program Files folder and
write on LocalMachine registry entry.
I tried to use ShellExecute to call "net start service_name" but it didn't
go well. I read that impersonate token is not inherit by new processes, so
ShellExecute took unprivileged token on its creation.
I think that the solution is CreateProcessAsUser to call "net start
service_name" but when I execute it, the result is 1314 error code (A
required privilege is not held by the client), as I said.
I'm very glad if anyone can help me.
This is the part of code that I use to do everything:
bool ActionsUserAuth(bool bControlActived)
{
bool bUserAuth = false;
TCHAR szUsername[MAXSTRINGLEN];
TCHAR szDomain[MAXSTRINGLEN];
TCHAR szPassword[MAXSTRINGLEN];
HANDLE hToken;
HANDLE hAdminUser;
//bool bExit = false;
//int iTry = 0;
ClsTokenPrivileges TokenInfo;
bExit = false;
bControlActived = true;
if (bControlActived)
{
bUserAuth = (IsCurrentUserLocalAdministrator() == TRUE);
bUserAuth = false;
if ((bUserAuth) && (bDebugMode))
Log(TEXT("ActionsUserAuth: administrator privileges"));
else
Log(TEXT("ActionsUserAuth: non administrator privileges"));
memset(szUsername, 0, sizeof(szUsername));
memset(szDomain, 0, sizeof(szDomain));
memset(szPassword, 0, sizeof(szPassword));
//while ((!bUserAuth) && (iTry < 3))
//{
if (!DlgUserAuth(szUsername, szDomain, szPassword))
{
bExit = true;
if (bDebugMode) Log(TEXT("ActionsUserAuth: User authentication dialog
failed"));
return false;
}
if (!RevertToSelf())
{
if (bDebugMode) Log(TEXT("ActionsUserAuth: Revert To Self"));
return false;
}
// Get the current process token handle...
if( !OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY, &hToken ))
return false;
if (!SetPrivilege(hToken, SE_TCB_NAME, true))
return false;
if (LogonUser(szUsername, szDomain, szPassword, LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT, &hAdminUser))
bUserAuth = true;
else
bUserAuth = false;
/*
if (!bUserAuth)
{
if (!bSilentMode)
{
MessageBox(NULL, Diccionary->Get(TEXT("IDS_USERAUTH_ERROR")),
Diccionary->Get(TEXT("IDS_GEN_CAPTIONERROR")), MB_OK);
}
}
else*/
if (bUserAuth)
{
if (!ImpersonateLoggedOnUser(hAdminUser))
MessageBox(NULL, TEXT("Inpersonate Error"), TEXT(""), MB_OK);
/////////////////////////////////////////////////
if (DuplicateTokenEx(hAdminUser, MAXIMUM_ALLOWED, 0, SecurityImpersonation,
TokenPrimary, &hAdminPriv) == 0)
MessageBox(NULL, TEXT("duplicate token Error"), TEXT(""), MB_OK);
if (!SetPrivilege(hAdminPriv, SE_ASSIGNPRIMARYTOKEN_NAME, true))
{
MessageBox(NULL, TEXT("SetPrivilege Error"), TEXT(""), MB_OK);
return false;
}
if (!SetPrivilege(hAdminPriv, SE_INCREASE_QUOTA_NAME, true))
{
MessageBox(NULL, TEXT("SetPrivilege Error"), TEXT(""), MB_OK);
return false;
}
TCHAR szRes[MAXSTRINGLEN];
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
//my_strcpy(szRes, TEXT("C:\\Archivos de programa\\Inquiero Installable
ISD\\prova.exe"));
my_strcpy(szRes, TEXT("\"C:\\Documents and
Settings\\prova\\Escritorio\\prova.exe\""));
TokenInfo.DisplayInformation(TEXT("C:\\token.info"));
if (!CreateProcessAsUser(hAdminPriv, NULL, szRes, NULL, NULL, TRUE,
IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi))
{
TCHAR szError[MAXSTRINGLEN];
wsprintf(szError, TEXT("%d"), GetLastError());
MessageBox(NULL, szError, TEXT(""), MB_OK);
}
/////////////////////////////////////////////////
CloseHandle(hAdminUser);
}
// iTry++;
//}
if (!bUserAuth) return false;
}
return true;
}
Act as part of the operating system is generally only give to the SYSTEM
account as it is extremely powerful. You probably want to carefully
consider the ramifications of granting the privilege to any other account on
Win2K.
What does this have to do with cryptography though?
Joe K.
"Jordi Gou" <jg...@ntr.es> wrote in message
news:OKuxs2ba...@TK2MSFTNGP10.phx.gbl...
Sorry, I also wrote my question on generic security news.
Jordi
"Joe Kaplan (MVP - ADSI)" <joseph....@removethis.accenture.com> wrote
in message news:O40BTwca...@TK2MSFTNGP12.phx.gbl...
Typically, the process that calls the CreateProcessAsUser function must have
the SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME privileges.
However, if hToken is a restricted version of the caller's primary token,
the SE_ASSIGNPRIMARYTOKEN_NAME privilege is not required. If the necessary
privileges are not already enabled, CreateProcessAsUser enables them for the
duration of the call. For more information, see Running with Special
Privileges.
Joe K.
"Jordi Gou" <jg...@ntr.es> wrote in message
news:OyrFLLka...@TK2MSFTNGP11.phx.gbl...
And I need that my code go well with all kind of users. I don't know what
it's happening because LogonUser gives admin user to current process.
Jordi
"Joe Kaplan (MVP - ADSI)" <joseph....@removethis.accenture.com> wrote
in message news:OlBSL0na...@tk2msftngp13.phx.gbl...
You might also try some code to enumerate the privileges in your token to
ensure that you have the privileges you think you have.
Joe K.
"Jordi Gou" <jg...@ntr.es> wrote in message
news:umkRwQxa...@tk2msftngp13.phx.gbl...
Jordi
"Joe Kaplan (MVP - ADSI)" <joseph....@removethis.accenture.com> wrote
in message news:uPCBP40a...@tk2msftngp13.phx.gbl...
"Joe Kaplan (MVP - ADSI)" <joseph....@removethis.accenture.com> wrote
in message news:uPCBP40a...@tk2msftngp13.phx.gbl...
If the function keeps returning "A required privilege is not held" and you
say you have all the privileges you need, then I'm not sure what else I can
say.
Joe K.
"Jordi Gou" <jg...@ntr.es> wrote in message
news:ukV%23oHWbE...@TK2MSFTNGP11.phx.gbl...