
OpenProcess() and OpenProcessToken() access denied


Luis Miguel Huapaya

Jul 21, 2004, 3:47:04 PM7/21/04
Hi all,

I am running a scheduled task as a domain administrator. The task runs an application which calls OpenProcess() and OpenProcessToken(). However, some of the calls to these APIs failed with GetLastError() = 5 (i.e. Access Denied).

I am puzzled as to why a domain administrator would be denied access to these API calls. Any clues on how to make this work?

cheers,
Luis Miguel Huapaya

Ivan Brugiolo [MSFT]

Jul 21, 2004, 6:04:41 PM7/21/04
Being an administrator does not give you access to all the kernel objects at
will.
For example, the token below is accessible from NetworkService
and LocalSystem, but not Administrators.
The method exposed below should give you the idea
of which accesses are granted to whom in your case.

0: kd> !process 0 0 wmiprvse.exe
PROCESS 8265b1e8 SessionId: 0 Cid: 0a08 Peb: 7ffdd000 ParentCid: 02f0
DirBase: 25f2d000 ObjectTable: e2411140 HandleCount: 145.
Image: wmiprvse.exe

0: kd> !process 8265b1e8 1
PROCESS 8265b1e8 SessionId: 0 Cid: 0a08 Peb: 7ffdd000 ParentCid: 02f0
DirBase: 25f2d000 ObjectTable: e2411140 HandleCount: 145.
Image: wmiprvse.exe
VadRoot 8242ecc8 Vads 94 Clone 0 Private 321. Modified 0. Locked 0.
DeviceMap e14d62a0
Token e115f7e0
ElapsedTime 0:00:07.0273
UserTime 0:00:00.0078
KernelTime 0:00:00.0046
QuotaPoolUsage[PagedPool] 37288
QuotaPoolUsage[NonPagedPool] 3760
Working Set Sizes (now,min,max) (1355, 50, 345) (5420KB, 200KB, 1380KB)
PeakWorkingSetSize 1421
VirtualSize 38 Mb
PeakVirtualSize 39 Mb
PageFaultCount 1531
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 502
Job 82d4f4b0

0: kd> !object e115f7e0
Object: e115f7e0 Type: (833d7158) Token
ObjectHeader: e115f7c8
HandleCount: 0 PointerCount: 20
0: kd> dc e115f7c8 l6
e115f7c8 00000014 00000000 833d7158 04200000 ........Xq=... .
e115f7d8 80893600 e206f575
0: kd> !sd e206f570
->Revision: 0x1
->Sbz1 : 0x0
->Control : 0x8004
SE_DACL_PRESENT
SE_SELF_RELATIVE
->Owner : S-1-5-20
->Group : S-1-5-20
->Dacl :
->Dacl : ->AclRevision: 0x2
->Dacl : ->Sbz1 : 0x0
->Dacl : ->AclSize : 0x30
->Dacl : ->AceCount : 0x2
->Dacl : ->Sbz2 : 0x0
->Dacl : ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
->Dacl : ->Ace[0]: ->AceFlags: 0x0
->Dacl : ->Ace[0]: ->AceSize: 0x14
->Dacl : ->Ace[0]: ->Mask : 0x000f01ff
->Dacl : ->Ace[0]: ->SID: S-1-5-18

->Dacl : ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
->Dacl : ->Ace[1]: ->AceFlags: 0x0
->Dacl : ->Ace[1]: ->AceSize: 0x14
->Dacl : ->Ace[1]: ->Mask : 0x000f01ff
->Dacl : ->Ace[1]: ->SID: S-1-5-20

->Sacl : is NULL
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


"Luis Miguel Huapaya" <LuisMigu...@discussions.microsoft.com> wrote in
message news:EE6F0A6A-37CD-4F64...@microsoft.com...

Luis Miguel Huapaya

Jul 22, 2004, 11:19:49 AM7/22/04
Can you use AdjustTokenPrivileges() against the process token of the running process to gain access to these privileges? If not, is there a way to enable them while the program is running?

cheers
Luis Miguel Huapaya

Ivan Brugiolo [MSFT]

Jul 22, 2004, 12:53:17 PM7/22/04
I don't see how that would happen in the general case.
For example, you can use SeDebugPrivilege to bypass
the AccessMask in the security descriptor for the following bit
#define PROCESS_VM_OPERATION (0x0008)
#define PROCESS_VM_READ (0x0010)
#define PROCESS_VM_WRITE (0x0020)
but, there is no privilege that will help you in opening a token
for an unspecified access (the requested access mask is not given below).
BTW, from your sentence below it's not clear to me
whether you are clear on the difference between the role of
discretionary access control and privileges.
In general, the owner of the Token object will have to add an ACE for
Administrators to allow them to do certain operations.



"Luis Miguel Huapaya" <LuisMigu...@discussions.microsoft.com> wrote in
message news:864F4F68-4518-4227...@microsoft.com...

Luis Miguel Huapaya

Jul 22, 2004, 2:06:03 PM7/22/04
Well this is all very interesting, but it still doesn't answer my question. How do I make it work? I may not be the most adept at NT security, but if someone could point me in the right direction, I'd appreciate it.

QuietFlowsTheDon

Jul 22, 2004, 2:23:36 PM7/22/04
Even if your user account has a privilege, your process' token may have it
disabled.
You need to enable it from within the process.
The following APIs, in that order, will help:
LookupPrivilegeValue() -> GetCurrentProcessId() ->
OpenProcess() -> OpenProcessToken() -> AdjustTokenPrivileges() ->
PrivilegeCheck()

"Luis Miguel Huapaya" <LuisMigu...@discussions.microsoft.com> wrote in
message news:54C34D46-1B13-462F...@microsoft.com...

Ivan Brugiolo [MSFT]

Jul 22, 2004, 3:19:36 PM7/22/04
This is relevant only under the hypothesis that the privilege check
can bypass the DACL in the Security Descriptor.
Since neither the DACL nor the required access mask is given,
not much can be added, unfortunately.

One way to make this work is to add an Allowed ACE for Administrators
to the Security Descriptor of the Token object.



"QuietFlowsTheDon" <ani...@msn.com> wrote in message
news:e0dZDkBc...@TK2MSFTNGP12.phx.gbl...
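The last two replies (QuietFlowsTheDon's privilege-enabling sequence and Ivan's answer that a privilege only helps where it can bypass the DACL) come down to one rule, modelled here in an added example that is not code from the thread. The DACL values are the ones from the !sd dump above; the group SIDs an administrator's token carries, the TOKEN_QUERY value and the exact scope of the SeDebugPrivilege bypass are assumptions taken from the posts.

```c
/* Constructed model of the access check discussed in this thread; not the posters' code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define PROCESS_VM_OPERATION 0x0008u   /* the three bits quoted in Ivan's reply */
#define PROCESS_VM_READ      0x0010u
#define PROCESS_VM_WRITE     0x0020u
#define TOKEN_QUERY          0x0008u   /* winnt.h value, assumed here */
typedef enum { ACE_ALLOW, ACE_DENY } AceType;
typedef struct { AceType type; unsigned mask; const char *sid; } Ace;   /* string SIDs as !sd prints them */
typedef struct { const Ace *aces; int count; } Dacl;
/* wmiprvse.exe token DACL as dumped by !sd: LocalSystem and NetworkService only. */
static const Ace wmi_aces[] = { { ACE_ALLOW, 0x000f01ffu, "S-1-5-18" },
                                { ACE_ALLOW, 0x000f01ffu, "S-1-5-20" } };
const Dacl WMIPRVSE_TOKEN_DACL = { wmi_aces, 2 };
/* The same DACL after Ivan's fix: an Allowed ACE for BUILTIN\Administrators. */
static const Ace fixed_aces[] = { { ACE_ALLOW, 0x000f01ffu, "S-1-5-18" },
                                  { ACE_ALLOW, 0x000f01ffu, "S-1-5-20" },
                                  { ACE_ALLOW, TOKEN_QUERY, "S-1-5-32-544" } };
const Dacl FIXED_TOKEN_DACL = { fixed_aces, 3 };
static bool has_sid(const char *const *sids, int n, const char *sid) {   /* caller holds SID? */
    for (int i = 0; i < n; i++) if (strcmp(sids[i], sid) == 0) return true;
    return false;
}
/* Ordered ACE walk: a matching deny ACE covering a still-wanted bit denies; allow ACEs
 * accumulate bits; success once every wanted bit has been granted. */
static bool dacl_grants(const Dacl *d, const char *const *sids, int n, unsigned wanted) {
    unsigned granted = 0;
    for (int i = 0; i < d->count && (wanted & ~granted); i++) {
        const Ace *a = &d->aces[i];
        if (!has_sid(sids, n, a->sid)) continue;
        if (a->type == ACE_DENY && (a->mask & wanted & ~granted)) return false;
        if (a->type == ACE_ALLOW) granted |= a->mask & wanted;
    }
    return (wanted & ~granted) == 0;
}
/* Process object: an enabled SeDebugPrivilege bypasses the DACL only for the three VM
 * bits (the rule as stated in the thread); any other bit still needs a matching ACE. */
bool open_process_access(const Dacl *d, const char *const *sids, int n, unsigned wanted, bool sedebug) {
    if (sedebug) wanted &= ~(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE);
    return wanted == 0 || dacl_grants(d, sids, n, wanted);
}
bool open_token_access(const Dacl *d, const char *const *sids, int n, unsigned wanted) {
    return dacl_grants(d, sids, n, wanted);   /* token object: no privilege bypasses its DACL */
}
int main(void) {   /* constructed: group SIDs an administrator's token carries */
    const char *admin[] = { "S-1-5-32-544", "S-1-1-0" };
    printf("wmiprvse token: %d, after Administrators ACE: %d\n",   /* prints 0, 1 */
           open_token_access(&WMIPRVSE_TOKEN_DACL, admin, 2, TOKEN_QUERY),
           open_token_access(&FIXED_TOKEN_DACL, admin, 2, TOKEN_QUERY));
}
```

The first call is the original poster's situation: the token DACL names no SID that an Administrators token carries, so the request fails exactly as an access denied would; enabling a privilege changes nothing for the token object, while adding the ACE does.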
