On Tuesday, December 15, 2009 7:36 PM Grzegorz Wróbel wrote:
Hi,
I am creating an event in a global namespace from within a service. The
event is supposed to be accessed (set) by some other processes that
might be running under different credentials in different sessions, so
during its creation I add the following DACL: "D:(A;NP;GRGW;;;WD)" to its
security descriptor (read and write access for Everyone). This is
supposed to ensure other processes have rights to open it for read and
write access.
On pre-Vista OSes it used to work; on Vista it works too, but not
for every process. For some processes OpenEvent(EVENT_MODIFY_STATE, ...)
fails with GetLastError() returning 5 (ERROR_ACCESS_DENIED).
I have no idea what might be causing this or where to look now. Is
there any additional security mechanism in Vista that can override the
security descriptor of an object?
--
Grzegorz Wróbel
677265676F727940346E6575726F6E732E636F6D
On Wednesday, December 16, 2009 1:37 AM Jochen Kalmbach [MVP] wrote:
Hi Grzegorz!
"Grzegorz Wróbel" </dev/nu...@localhost.localdomain> wrote in message
news:hg9akg$6vg$1...@nemesis.news.neostrada.pl...
> On pre vista OSes it used to be working, on Vista it works too but not
> for every process. For some processes OpenEvent(EVENT_MODIFY_STATE,...)
> fails with GetLastError() returning 5 (ERROR_ACCESS_DENIED).
Maybe it is the same problem as with Named Pipes...
See:
http://msdn.microsoft.com/en-us/library/bb625963.aspx
And here is a german posting about this problem:
http://blog.m-ri.de/index.php/2009/12/08/windows-integrity-control-schreibzugriff-auf-eine-named-pipe-eines-services-ueber-anonymen-zugriff-auf-vista-windows-2008-server-und-windows-7/
=> you must use the following SDDL-String:
#define UNTRUSTED_INTEGRITY_SDDL_SACL _T("S:(ML;;NW;;;S-1-16-0)")
--
Greetings
Jochen
My blog about Win32 and .NET
http://blog.kalmbachnet.de/
On Tuesday, December 15, 2009 9:06 PM Pavel A. wrote:
Something related to the integrity classes?
--pa
On Wednesday, December 16, 2009 10:58 AM Grzegorz Wróbel wrote:
Pavel A. wrote:
> Something related to the integrity classes?
I don't think so. I have excluded such a possibility, since setting
access rights explicitly for Everyone also covers the untrusted level, so
integrity control shouldn't get in the way.
Now after getting two replies suggesting it I have checked it to be sure
and it turns out that the process that fails to open the event has System
integrity level. So it's certainly not it.
The process must have been crippled in some other way. The only
limitation for this process I have found so far is that it has only one
privilege left but that is not the problem as OpenEvent() does not
require any special privileges. Other than that I have found nothing.
The process access token does not have a list of restricting SIDs, and the
group accounts associated with the token do not contain any SID with the
deny-only attribute:
Token Groups:
Sid: S-1-16-16384 (name: System Mandatory Level) Attributes: 0x00000060
Sid: S-1-1-0 (name: Everyone) Attributes: 0x00000007
Sid: S-1-5-32-545 (name: Users) Attributes: 0x00000007
Sid: S-1-5-6 (name: SERVICE) Attributes: 0x00000007
Sid: S-1-5-11 (name: Authenticated Users) Attributes: 0x00000007
Sid: S-1-5-15 (name: This Organization) Attributes: 0x00000007
Sid: S-1-2-0 (name: LOCAL) Attributes: 0x00000007
Sid: S-1-5-5-0-411953 (name: ) Attributes: 0xc0000007
Why the OpenEvent() is failing with ERROR_ACCESS_DENIED I still don't
know. This process can communicate with the service using interprocess
communication but cannot use an event for synchronization.
On Wednesday, December 16, 2009 11:01 AM Grzegorz Wróbel wrote:
Jochen Kalmbach [MVP] wrote:
> See:
> http://msdn.microsoft.com/en-us/library/bb625963.aspx
>
Hi Jochen,
No, it's not it. (See the other reply).
On Wednesday, December 16, 2009 4:22 PM Remy Lebeau wrote:
> I am creating an event in a global namespace from within a service.
> The event is supposed to be accessed (set) by some other processes
> that might be running under different credentials in different sessions
Rather than creating a DACL with read/write permissions, try assigning a NULL DACL instead. That will allow unrestricted access to everyone. For example:
SECURITY_DESCRIPTOR sd;
InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE);
SECURITY_ATTRIBUTES sa = {0};
sa.nLength = sizeof(sa);
sa.lpSecurityDescriptor = &sd;
sa.bInheritHandle = FALSE;
HANDLE hEvent = CreateEvent(&sa, ...);
--
Remy Lebeau (TeamB)
On Wednesday, December 16, 2009 9:16 PM Grzegorz Wróbel wrote:
Remy Lebeau wrote:
Among many things I have tried that as well, but to no avail. That's not
surprising really - if granting read/write permission was enough for
other processes (I granted it for Everyone) then clearly something
must be wrong with the process that tries to open the event, not with
the event itself. I think there must be some very unusual restrictions
added to that particular process by the service that spawns it.
On Wednesday, December 16, 2009 9:31 PM Grzegorz Wróbel wrote:
I have rewritten the service to work even if event synchronization is
malfunctioning. Instead of waiting infinitely on the event I've added a
finite time-out interval, and the service checks whether any data has been
sent to it after each time-out too. Not very elegant, but it will work
even if the other process isn't able to set the event.
I would still like to know why OpenEvent() fails in that particular case.
On Monday, December 21, 2009 6:33 AM Hugogleave wrote:
I suspect this is all caused by something simple, and that is the way
sessions and namespaces were altered after XP.
I had a similar issue with file mappings, read this to see if it does indeed
help:
http://rdn-consulting.com/blog/2007/08/20/kernel-object-namespace-and-vista/
Regards
Hugh
On Monday, December 21, 2009 6:42 AM Hugogleave wrote:
The problem is likely due to the new session 0 isolation introduced in Vista
and used in W7 too. Here is a good write up, hope it helps:
http://windowsteamblog.com/blogs/developers/archive/2009/10/01/session-0-isolation.aspx
Hugh
On Tuesday, December 22, 2009 8:52 AM mosesvas wrote:
Hi,
Try changing the integrity of the event to low using this code. A low
integrity process cannot access a kernel object created by processes at
other integrity levels.
#include <windows.h>
#include <sddl.h>    // ConvertStringSecurityDescriptorToSecurityDescriptorW, SDDL_REVISION_1
#include <aclapi.h>  // SetSecurityInfo
static BOOL SetObjectToLowIntegrity(HANDLE hObject, SE_OBJECT_TYPE type = SE_KERNEL_OBJECT)
{
    BOOL bRet = FALSE;
    DWORD dwErr = ERROR_SUCCESS;
    PSECURITY_DESCRIPTOR pSD = NULL;
    PACL pSacl = NULL;
    BOOL fSaclPresent = FALSE;
    BOOL fSaclDefaulted = FALSE;
    // The LABEL_SECURITY_INFORMATION SDDL SACL to be set for low integrity
    LPCWSTR LOW_INTEGRITY_SDDL_SACL_W = L"S:(ML;;NW;;;LW)";

    // Build a temporary descriptor that carries only the mandatory label ACE...
    if (ConvertStringSecurityDescriptorToSecurityDescriptorW(LOW_INTEGRITY_SDDL_SACL_W, SDDL_REVISION_1, &pSD, NULL))
    {
        // ...take its SACL...
        if (GetSecurityDescriptorSacl(pSD, &fSaclPresent, &pSacl, &fSaclDefaulted))
        {
            // ...and write just the label part (LABEL_SECURITY_INFORMATION) onto the object,
            // leaving owner, group and DACL untouched.
            dwErr = SetSecurityInfo(hObject, type, LABEL_SECURITY_INFORMATION, NULL, NULL, NULL, pSacl);
            bRet = (ERROR_SUCCESS == dwErr);
        }
        LocalFree(pSD);
    }
    return bRet;
}
regards,
vasanth
On Saturday, December 26, 2009 12:39 AM Grzegorz Wróbel wrote:
mosesvas wrote:
It has already been mentioned in this thread that the process in question
has System Mandatory Level (the highest possible).
A question to Grzegorz Wróbel -- did you resolve this issue? I'm in the exact same boat. Please share what you found and I'll respond with what I was able to find out.
Use
OpenEventW(SYNCHRONIZE, FALSE, L"Global\\SafeticaDlpRemoveHookEvent");
instead of
OpenEventW(SYNCHRONIZE, FALSE, L"SafeticaDlpRemoveHookEvent");
when dealing with a driver or service event on Windows Vista and later.
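The DACL this thread keeps coming back to, "D:(A;NP;GRGW;;;WD)", is worth checking against the event object's generic mapping, because the mask passed to OpenEvent is compared with the ACE masks only after GR/GW/GX/GA have been translated through that mapping. For events, GENERIC_WRITE maps to READ_CONTROL | EVENT_MODIFY_STATE and GENERIC_READ to READ_CONTROL | EVENT_QUERY_STATE; SYNCHRONIZE, the right a wait needs and the one the OpenEventW call in the post above requests, comes only from GENERIC_EXECUTE or GENERIC_ALL. The program below is an added example and not code from any post in this thread: a portable C model of the first-match DACL walk, with no Win32 calls so it runs on any platform, using the winnt.h constant values and the event generic mapping documented in the SDK. It also covers two points raised earlier in the thread, the NULL DACL that Remy suggested and the deny-only group attribute that Grzegorz checked his token dump for. The token contents and every SDDL string other than the original "D:(A;NP;GRGW;;;WD)" are constructed for the example; owner rights, privileges, the Global\ versus per-session namespace lookup and the S:(ML;;...) integrity label are not modelled.

```c
/* Added example (not from any post in this thread): a portable model of the
 * DACL walk the kernel performs on OpenEvent.  Constants are winnt.h values;
 * tokens and the extra SDDL strings are constructed for the demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { EVENT_QUERY_STATE = 0x1, EVENT_MODIFY_STATE = 0x2, READ_CONTROL = 0x20000,
       SYNCHRONIZE = 0x100000, EVENT_ALL_ACCESS = 0x1F0003, GENERIC_ALL = 0x10000000,
       GENERIC_EXECUTE = 0x20000000, SE_GROUP_ENABLED = 0x4, SE_GROUP_USE_FOR_DENY_ONLY = 0x10 };
#define GENERIC_WRITE 0x40000000u
#define GENERIC_READ  0x80000000u

/* Event generic mapping (SDK, "Synchronization Object Security and Access
 * Rights"): SYNCHRONIZE is reachable only through GX or GA, never GR or GW. */
static uint32_t map_generic(uint32_t m) {
    uint32_t r = m & 0x0FFFFFFFu;
    if (m & GENERIC_READ)    r |= READ_CONTROL | EVENT_QUERY_STATE;
    if (m & GENERIC_WRITE)   r |= READ_CONTROL | EVENT_MODIFY_STATE;
    if (m & GENERIC_EXECUTE) r |= READ_CONTROL | SYNCHRONIZE;
    if (m & GENERIC_ALL)     r |= EVENT_ALL_ACCESS;
    return r;
}

typedef struct { char type; uint32_t mask; char sid[40]; } ace_t;   /* type 'A' or 'D' */
typedef struct { const char *sid; uint32_t attrs; } group_t;         /* one token group */

/* Only the rights tokens and SID aliases this thread uses; literal S-1-... SIDs pass through. */
static uint32_t parse_rights(const char *s, size_t len) {             /* "GRGW" -> GR|GW */
    static const char *tok[4] = { "GR", "GW", "GX", "GA" };
    static const uint32_t bit[4] = { GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL };
    uint32_t m = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        for (int t = 0; t < 4; t++) if (!strncmp(s + i, tok[t], 2)) m |= bit[t];
    return m;
}
static void resolve_sid(const char *s, size_t len, char *out) {
    const char *sid = NULL;
    if (len == 2 && !strncmp(s, "WD", 2)) sid = "S-1-1-0";      /* Everyone */
    if (len == 2 && !strncmp(s, "BU", 2)) sid = "S-1-5-32-545"; /* Users */
    if (len == 2 && !strncmp(s, "SY", 2)) sid = "S-1-5-18";     /* LOCAL SYSTEM */
    if (sid) snprintf(out, 40, "%s", sid); else snprintf(out, 40, "%.*s", (int)len, s);
}

/* Parse the "D:" section ACE by ACE, stopping at a following "S:" section.
 * Returns -1 when the descriptor carries no DACL at all (a NULL DACL). */
static int parse_dacl(const char *sddl, ace_t *out, int max) {
    const char *p = sddl ? strstr(sddl, "D:") : NULL;
    int n = 0;
    if (!p) return -1;
    for (p += 2; *p && n < max; p++) {
        const char *end, *f[6];            /* type;flags;rights;oguid;iguid;sid */
        int k = 0;
        if (p[0] == 'S' && p[1] == ':') break;
        if (*p != '(' || !(end = strchr(p, ')'))) continue;
        for (const char *q = p + 1; q < end && k < 6; q++)
            if (q == p + 1 || q[-1] == ';') f[k++] = q;
        if (k == 6) {
            out[n].type = f[0][0];
            out[n].mask = parse_rights(f[2], (size_t)(f[3] - f[2] - 1));
            resolve_sid(f[5], (size_t)(end - f[5]), out[n].sid);
            n++;
        }
        p = end;
    }
    return n;
}

/* First-match DACL walk: ACEs are visited in order; an ACE applies when its SID
 * is in the token (enabled groups match both ACE types, deny-only groups match
 * deny ACEs only).  A deny ACE overlapping a still-wanted bit fails the check,
 * an allow ACE clears bits.  Owner rights and privileges are not modelled. */
static int check_access(const char *sddl, const group_t *tok, int ntok, uint32_t desired) {
    ace_t aces[16];
    uint32_t want = map_generic(desired);
    int n = parse_dacl(sddl, aces, 16);
    if (n < 0) return 1;                                /* NULL DACL: everything */
    for (int i = 0; i < n && want; i++) {
        uint32_t mask = map_generic(aces[i].mask);
        for (int j = 0; j < ntok; j++) {
            int deny_only = (tok[j].attrs & SE_GROUP_USE_FOR_DENY_ONLY) != 0;
            if (strcmp(tok[j].sid, aces[i].sid) != 0) continue;
            if (!deny_only && !(tok[j].attrs & SE_GROUP_ENABLED)) continue;
            if (aces[i].type == 'D') { if (mask & want) return 0; }
            else if (!deny_only) want &= ~mask;
            break;
        }
    }
    return want == 0;                                   /* empty DACL: nothing */
}

/* Constructed tokens: an Everyone/Users member like the dump above, and the same
 * token with Users carrying SE_GROUP_USE_FOR_DENY_ONLY. */
static const group_t opener_tok[]    = { {"S-1-1-0", 0x7u}, {"S-1-5-32-545", 0x7u} };
static const group_t deny_only_tok[] = { {"S-1-1-0", 0x7u}, {"S-1-5-32-545", 0x10u} };

/* The thread's DACL against the opener: bit 0 = EVENT_MODIFY_STATE granted,
 * bit 1 = SYNCHRONIZE granted.  Result 1: SetEvent works, waiting does not. */
static int thread_scenario(void) {
    const char *sddl = "D:(A;NP;GRGW;;;WD)";
    return (check_access(sddl, opener_tok, 2, EVENT_MODIFY_STATE) ? 1 : 0)
         | (check_access(sddl, opener_tok, 2, SYNCHRONIZE) ? 2 : 0);
}

int main(void) {
    int r = thread_scenario();
    printf("D:(A;NP;GRGW;;;WD) -> EVENT_MODIFY_STATE=%d SYNCHRONIZE=%d\n", r & 1, r >> 1);
    return 0;
}
```

Running it prints EVENT_MODIFY_STATE=1 SYNCHRONIZE=0 for the thread's DACL: SetEvent from the other process is allowed, WaitForSingleObject on a handle opened with SYNCHRONIZE is not, and a request for both rights in one OpenEvent call fails as a whole, because access is granted all or nothing unless MAXIMUM_ALLOWED is requested. The practical consequences: name the rights the clients actually need in the DACL (GRGWGX, GA, or the explicit event rights) instead of assuming GRGW covers them; prefer that over a NULL DACL, which the model treats as "everything granted" and which on real Windows also hands WRITE_DAC and WRITE_OWNER to any caller, so a low-privileged process in another session could re-secure or take ownership of the event and lock the service out; and keep in mind that ACE order matters, since a deny ACE placed after the allow ACE that already satisfied the request is never reached, which is why canonical ACE order puts explicit deny ACEs first.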
When creating the event, use a security attribute, something like this:
BYTE sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof(sa);
sa.bInheritHandle = TRUE;
sa.lpSecurityDescriptor = sd;   // the buffer decays to the PSECURITY_DESCRIPTOR (PVOID) the APIs expect
InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(sd, TRUE, (PACL) 0, FALSE);   // DACL present but NULL: no access restrictions at all
event = CreateEvent(
    &sa,     // NULL-DACL security attributes (not the default security)
    TRUE,    // manual-reset event
    FALSE,   // initial state is nonsignaled
    TEXT("SafeticaDlpRemoveHookEvent")
);