
CreateProcessAsUsers (error A required privilege is not held by the client)


Jordi Gou

Jul 14, 2004, 12:13:39 PM
Hello,

I want to do something similar but I have problems with the CreateProcessAsUser
function. It always returns error code 1314 (A required privilege is not
held by the client).
What I really want to do is give more privileges to the current process. I'll
explain. I'm developing a service setup and it needs to call net start and
other things. It should be able to install the service under
non-administrator users, so I use, first of all, LogonUser and
ImpersonateLoggedOnUser to convert the current process to a privileged process.
This part goes well and lets me extract files into the Program Files folder and
write to a LocalMachine registry entry.
I tried to use ShellExecute to call "net start service_name" but it didn't
go well. I read that the impersonation token is not inherited by new processes, so
ShellExecute took the unprivileged token on its creation.
I think that the solution is CreateProcessAsUser to call "net start
service_name" but when I execute it, the result is error code 1314 (A
required privilege is not held by the client), as I said.
I'd be very glad if anyone can help me.

This is the part of code that I use to do everything:

#include <windows.h>
#include <tchar.h>

// MAXSTRINGLEN, bDebugMode, bExit, Log, DlgUserAuth, SetPrivilege,
// IsCurrentUserLocalAdministrator, my_strcpy and ClsTokenPrivileges are
// defined elsewhere in the poster's project and are not shown here.

bool ActionsUserAuth(bool bControlActived)
{
    bool bUserAuth = false;
    TCHAR szUsername[MAXSTRINGLEN];
    TCHAR szDomain[MAXSTRINGLEN];
    TCHAR szPassword[MAXSTRINGLEN];
    HANDLE hToken = NULL;
    HANDLE hAdminUser = NULL;   // logon token returned by LogonUser
    HANDLE hAdminPriv = NULL;   // primary token duplicated from hAdminUser (undeclared in the post)
    //bool bExit = false;
    //int iTry = 0;
    ClsTokenPrivileges TokenInfo;
    bExit = false;
    bControlActived = true;     // debugging override: always take the authenticated path
    if (bControlActived)
    {
        bUserAuth = (IsCurrentUserLocalAdministrator() == TRUE);
        bUserAuth = false;      // debugging override: force the non-administrator path
        if ((bUserAuth) && (bDebugMode))
            Log(TEXT("ActionsUserAuth: administrator privileges"));
        else
            Log(TEXT("ActionsUserAuth: non administrator privileges"));
        memset(szUsername, 0, sizeof(szUsername));
        memset(szDomain, 0, sizeof(szDomain));
        memset(szPassword, 0, sizeof(szPassword));
        //while ((!bUserAuth) && (iTry < 3))
        //{
        if (!DlgUserAuth(szUsername, szDomain, szPassword))
        {
            bExit = true;
            if (bDebugMode) Log(TEXT("ActionsUserAuth: User authentication dialog failed"));
            return false;
        }
        if (!RevertToSelf())
        {
            if (bDebugMode) Log(TEXT("ActionsUserAuth: Revert To Self"));
            return false;
        }
        // Get the current process token handle...
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
            return false;
        // AdjustTokenPrivileges (inside SetPrivilege) can only enable a privilege the
        // token already holds; it cannot add SE_TCB_NAME to a token that lacks it.
        if (!SetPrivilege(hToken, SE_TCB_NAME, true))
        {
            CloseHandle(hToken);
            return false;
        }
        if (LogonUser(szUsername, szDomain, szPassword, LOGON32_LOGON_INTERACTIVE,
                      LOGON32_PROVIDER_DEFAULT, &hAdminUser))
            bUserAuth = true;
        else
            bUserAuth = false;
        CloseHandle(hToken);
        /*
        if (!bUserAuth)
        {
            if (!bSilentMode)
            {
                MessageBox(NULL, Diccionary->Get(TEXT("IDS_USERAUTH_ERROR")),
                           Diccionary->Get(TEXT("IDS_GEN_CAPTIONERROR")), MB_OK);
            }
        }
        else*/
        if (bUserAuth)
        {
            if (!ImpersonateLoggedOnUser(hAdminUser))
                MessageBox(NULL, TEXT("Impersonate Error"), TEXT(""), MB_OK);
            /////////////////////////////////////////////////
            // CreateProcessAsUser needs a primary token, so duplicate the logon token.
            if (DuplicateTokenEx(hAdminUser, MAXIMUM_ALLOWED, 0, SecurityImpersonation,
                                 TokenPrimary, &hAdminPriv) == 0)
                MessageBox(NULL, TEXT("duplicate token Error"), TEXT(""), MB_OK);
            // The CreateProcessAsUser documentation requires these two privileges in
            // the calling process's token; here they are enabled on hAdminPriv, the
            // token that will be assigned to the new process.
            if (!SetPrivilege(hAdminPriv, SE_ASSIGNPRIMARYTOKEN_NAME, true))
            {
                MessageBox(NULL, TEXT("SetPrivilege Error"), TEXT(""), MB_OK);
                CloseHandle(hAdminPriv);
                CloseHandle(hAdminUser);
                return false;
            }
            if (!SetPrivilege(hAdminPriv, SE_INCREASE_QUOTA_NAME, true))
            {
                MessageBox(NULL, TEXT("SetPrivilege Error"), TEXT(""), MB_OK);
                CloseHandle(hAdminPriv);
                CloseHandle(hAdminUser);
                return false;
            }

            TCHAR szRes[MAXSTRINGLEN];
            STARTUPINFO si;
            PROCESS_INFORMATION pi;
            ZeroMemory(&si, sizeof(si));
            si.cb = sizeof(si);
            ZeroMemory(&pi, sizeof(pi));
            //my_strcpy(szRes, TEXT("C:\\Archivos de programa\\Inquiero Installable ISD\\prova.exe"));
            my_strcpy(szRes, TEXT("\"C:\\Documents and Settings\\prova\\Escritorio\\prova.exe\""));
            TokenInfo.DisplayInformation(TEXT("C:\\token.info"));
            if (!CreateProcessAsUser(hAdminPriv, NULL, szRes, NULL, NULL, TRUE,
                                     IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi))
            {
                TCHAR szError[MAXSTRINGLEN];
                // 1314 is ERROR_PRIVILEGE_NOT_HELD
                wsprintf(szError, TEXT("%lu"), GetLastError());
                MessageBox(NULL, szError, TEXT(""), MB_OK);
            }
            else
            {
                CloseHandle(pi.hThread);
                CloseHandle(pi.hProcess);
            }

            /////////////////////////////////////////////////
            CloseHandle(hAdminPriv);
            CloseHandle(hAdminUser);
        }
        // iTry++;
        //}
        if (!bUserAuth) return false;
    }
    return true;
}


Joe Kaplan (MVP - ADSI)

Jul 14, 2004, 1:57:45 PM
Have you read the documentation on LogonUser? It is pretty clear about the
privileges required to call it. Essentially, under Win2K, you need Act as
part of the operating system. Under XP and Win2K3, this restriction is
lifted.

Act as part of the operating system is generally only given to the SYSTEM
account as it is extremely powerful. You probably want to carefully
consider the ramifications of granting the privilege to any other account on
Win2K.

What does this have to do with cryptography though?

Joe K.

"Jordi Gou" <jg...@ntr.es> wrote in message
news:OKuxs2ba...@TK2MSFTNGP10.phx.gbl...

Jordi Gou

Jul 15, 2004, 4:06:30 AM
I don't have the problem in LogonUser. It goes well for impersonation but not
in CreateProcessAsUser.

Sorry, I also posted my question to the generic security newsgroup.

Jordi

"Joe Kaplan (MVP - ADSI)" <joseph....@removethis.accenture.com> wrote
in message news:O40BTwca...@TK2MSFTNGP12.phx.gbl...

Joe Kaplan (MVP - ADSI)

Jul 15, 2004, 11:04:38 AM
I pulled this from the documentation. Maybe this is the issue?

Typically, the process that calls the CreateProcessAsUser function must have
the SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME privileges.
However, if hToken is a restricted version of the caller's primary token,
the SE_ASSIGNPRIMARYTOKEN_NAME privilege is not required. If the necessary
privileges are not already enabled, CreateProcessAsUser enables them for the
duration of the call. For more information, see Running with Special
Privileges.

Joe K.

"Jordi Gou" <jg...@ntr.es> wrote in message
news:OyrFLLka...@TK2MSFTNGP11.phx.gbl...

Jordi Gou

Jul 16, 2004, 5:05:19 AM
I had read this article a few days ago. So I added the SE_ASSIGNPRIMARYTOKEN_NAME
privilege to the user before enabling it (because the user didn't have it). Doing
this I get code that works if I execute it with administrator
privileges, but the error "A required privilege is not held by the client"
persists when I execute it with non-administrator privileges.

And I need my code to work with all kinds of users. I don't know what
is happening, because LogonUser gives an admin user to the current process.

Jordi

"Joe Kaplan (MVP - ADSI)" <joseph....@removethis.accenture.com> wrote
in message news:OlBSL0na...@tk2msftngp13.phx.gbl...

Joe Kaplan (MVP - ADSI)

Jul 16, 2004, 12:00:47 PM
I'm really not sure what to say here. Maybe you need to escalate to PSS.

You might also try some code to enumerate the privileges in your token to
ensure that you have the privileges you think you have.

Joe K.

"Jordi Gou" <jg...@ntr.es> wrote in message
news:umkRwQxa...@tk2msftngp13.phx.gbl...
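The documentation Joe quoted two messages up names the two privileges CreateProcessAsUser needs in the calling process's token, and the advice just above is to enumerate the token to confirm they are really there. The following PowerShell is an added example, not code from the thread or from either poster: it parses the output of whoami.exe /priv and reports each required privilege as Enabled, Disabled (present in the token and merely switched off) or Absent (not in the token at all, which AdjustTokenPrivileges cannot change). The sample output embedded at the bottom is constructed for offline use; the function names and the assumption that whoami.exe prints its English-locale table layout are mine.

```powershell
# Added example (not from the thread): classify token privileges from "whoami /priv".

function ConvertFrom-WhoamiPriv {
    # Turns the table printed by whoami.exe /priv into @{ PrivilegeName = 'Enabled'|'Disabled' }.
    param([Parameter(Mandatory)][string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        # Data rows look like: "SeShutdownPrivilege   Shut down the system   Disabled"
        if ($line -match '^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Test-AssignPrimaryTokenPrerequisites {
    # Checks the two privileges the CreateProcessAsUser documentation requires
    # in the *calling* process's token, and says what each state implies.
    param([Parameter(Mandatory)][hashtable]$Privileges)
    $required = [ordered]@{
        'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'       # SE_ASSIGNPRIMARYTOKEN_NAME
        'SeIncreaseQuotaPrivilege'      = 'Adjust memory quotas for a process'  # SE_INCREASE_QUOTA_NAME
    }
    foreach ($name in $required.Keys) {
        $state = if ($Privileges.ContainsKey($name)) { $Privileges[$name] } else { 'Absent' }
        $note = switch ($state) {
            'Enabled'  { 'ok' }
            'Disabled' { 'held by the token; AdjustTokenPrivileges (or CreateProcessAsUser itself) can enable it' }
            'Absent'   { "not in the token; grant '$($required[$name])' in Local Security Policy and log on again (AdjustTokenPrivileges cannot add it)" }
        }
        [pscustomobject]@{ Privilege = $name; State = $state; Note = $note }
    }
}

# Constructed sample resembling the whoami /priv table for a member of Administrators
# (default policy gives Administrators SeIncreaseQuotaPrivilege but not SeAssignPrimaryTokenPrivilege).
$sample = @'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process   Disabled
'@ -split "`r?`n"

Test-AssignPrimaryTokenPrerequisites -Privileges (ConvertFrom-WhoamiPriv -Lines $sample) |
    Format-Table -AutoSize

# Live check of the current process token (run from the same account and
# elevation level the installer will use):
# Test-AssignPrimaryTokenPrerequisites -Privileges (ConvertFrom-WhoamiPriv -Lines (whoami /priv))
```

On the constructed sample the report shows SeIncreaseQuotaPrivilege as Disabled and SeAssignPrimaryTokenPrivilege as Absent, which is the distinction worth making when debugging 1314: a privilege the token never received has to be granted through policy and picked up by a fresh logon, whereas a privilege that is merely disabled is something the calling code can enable.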

Jordi Gou

Jul 19, 2004, 3:26:28 AM
I did it. I enumerated the privileges of the token and it has these
privileges. What exactly do you mean when you say "you need to escalate
to PSS"?

Jordi

"Joe Kaplan (MVP - ADSI)" <joseph....@removethis.accenture.com> wrote
in message news:uPCBP40a...@tk2msftngp13.phx.gbl...

Jordi Gou

Jul 19, 2004, 4:54:08 AM
I also saw a COM interface called IID_IServerSecurity that seems to provide
mechanisms to do the same. Is this a good solution? Do you know how
I can use it?

"Joe Kaplan (MVP - ADSI)" <joseph....@removethis.accenture.com> wrote
in message news:uPCBP40a...@tk2msftngp13.phx.gbl...

Joe Kaplan (MVP - ADSI)

Jul 19, 2004, 8:53:52 AM
Escalate to PSS means open a case with Microsoft Product Support Services.
Depending on your arrangements with MS, this may or may not cost you money.
Perhaps someone else knows the answer to this as well (although asking in
the crypto newsgroup probably isn't the best place).

If the function keeps returning "A required privilege is not held" and you
say you have all the privileges you need, then I'm not sure what else I can
say.

Joe K.

"Jordi Gou" <jg...@ntr.es> wrote in message
news:ukV%23oHWbE...@TK2MSFTNGP11.phx.gbl...