SeCreateGlobalPrivilege and detecting multiple process instances

Eric Twietmeyer

Sep 22, 2003, 7:00:42 PM

Hello,

I just found information on SeCreateGlobalPrivilege and its restriction of
normal user accounts from creating kernel objects in the global namespace.

How is one supposed to detect multiple instances of a process running in
different sessions if the first time the process runs in one session it
can't create a kernel object in the global namespace?

I work on an application that for licensing reasons may not be run under
multiple sessions simultaneously on one computer.

What other technique exists to prevent this from happening? Or do I need to
force the end user to get his IT department to enable
SeCreateGlobalPrivilege for the users who might run this app when the
application is installed? This would be an unpleasant solution.

Thanks in advance,

Eric Twietmeyer


Pavel Lebedinsky

Sep 23, 2003, 3:38:21 PM

You could try opening a dummy file for exclusive access. If that fails
with a sharing violation it means another instance is already running.
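
The exclusive-open check suggested above, as an added example that is not part of the original posts. The function names and the lock-file path are assumptions, and the non-Windows branch is a flock() stand-in included only so the same logic can be run off Windows.

```c
#ifdef _WIN32
#include <windows.h>
typedef HANDLE lock_t;
#define LOCK_NONE INVALID_HANDLE_VALUE
#else /* assumption: flock() stand-in so the logic also runs off Windows */
#include <errno.h>
#include <fcntl.h>
#include <sys/file.h>
#include <unistd.h>
typedef int lock_t;
#define LOCK_NONE (-1)
#endif

/* 1 = first instance (*out holds the lock), 0 = another instance holds it,
 * -1 = could not tell (e.g. access denied); callers must not treat -1 as 1. */
int acquire_instance_lock(const char *path, lock_t *out)
{
#ifdef _WIN32
    /* dwShareMode 0: any second open fails while this handle stays open. */
    *out = CreateFileA(path, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                       OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (*out != INVALID_HANDLE_VALUE) return 1;
    return GetLastError() == ERROR_SHARING_VIOLATION ? 0 : -1;
#else
    *out = open(path, O_RDWR | O_CREAT, 0666);
    if (*out < 0) return -1;
    if (flock(*out, LOCK_EX | LOCK_NB) == 0) return 1;
    int busy = (errno == EWOULDBLOCK);
    close(*out); *out = LOCK_NONE;
    return busy ? 0 : -1;
#endif
}

void release_instance_lock(lock_t h)
{
#ifdef _WIN32
    if (h != LOCK_NONE) CloseHandle(h);
#else
    if (h != LOCK_NONE) close(h);
#endif
}

int main(void)
{
    lock_t h = LOCK_NONE;
    /* Hypothetical path; it must be one location shared by every session. */
    int r = acquire_instance_lock("myapp-instance.lock", &h);
    release_instance_lock(h); /* a real application holds h until it exits */
    return r != 1;            /* exit status 0 only for the first instance */
}
```

The lock file has to live in a single location that users in every session can open; if its ACL denies the caller, the result is -1 rather than 0, so that case needs its own handling.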

Eric Twietmeyer

Sep 25, 2003, 12:49:51 PM

I just got around to testing things on a Windows Server 2003 box and I am
confused by the results. I decided to try creating an event object in the
Global namespace. I have two users in two sessions, one has admin
privileges, the other doesn't.

I create the event with a security descriptor that grants Everyone all
access and with a name "Global\\Test".

The confusing thing is that I can create this event when logged on as the
normal (non-admin) user, and then when I attempt to create the same in a
different session I get the event with the appropriate ERROR_ALREADY_EXISTS
error.

This works both ways, i.e. whether I create the event object first as the
normal user or as the admin user.

The normal user is part of the remote desktop users group. Do members of
this group have the SeCreateGlobalPrivilege enabled?

-Eric Twietmeyer

Pavel Lebedinsky

Sep 25, 2003, 11:16:45 PM

I'm not sure if you really need SeCreateGlobalPrivilege for events.
The docs only say that it is required for memory mapped files
(sections):

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/termserv/termserv/kernel_object_namespaces.asp

You also don't need the privilege if you run in session 0 because
it uses the global namespace by default.

Eric Twietmeyer

Sep 26, 2003, 12:24:26 PM

I could not find a definition of "global section" as referenced in the
kernel object namespaces doc page. But there is a KB article on Windows
2000 SP4 referencing this new privilege, SeCreateGlobalPrivilege, KB821546.
There it gives this definition:

The "Create global objects" user right (SeCreateGlobalPrivilege) is a
Windows 2000 security setting that was first introduced in Windows 2000 SP4.
The user right is required for a user account to create global objects in a
Terminal Services session. Note that users can still create session-specific
objects without being assigned this user right. By default, members of the
Administrators group, the System account, and Services that are started by
the Service Control Manager are assigned the "Create global objects" user
right.

There it is pretty explicit that it is used to create "global objects". It
does not reference "global sections" at all.

In any case, just to be safe I'm going to create / open a temporary file
with exclusive access as you first suggested.

I do remain curious though. Is there anyone from MS or an MVP that knows
precisely what SeCreateGlobalPrivilege is for and whether my experience with
it (i.e. able to create globally named event objects while a normal user on
Windows 2003) is expected?

Thanks again for your help Pavel,

Eric Twietmeyer