Disabling all privileges with AdjustTokenPrivileges using DisableAllPrivileges?
I am trying to strip a process from all privileges using AdjustTokenPrivileges by setting the parameter DisableAllPrivileges to TRUE:
```cpp
#include <Windows.h>
#include <cwchar>

int main()
{
    auto process = GetCurrentProcess();
    HANDLE primary_token;
    // TOKEN_ADJUST_PRIVILEGES is all that AdjustTokenPrivileges needs on the handle.
    if (OpenProcessToken(process, TOKEN_ADJUST_PRIVILEGES, &primary_token) == FALSE)
    {
        fwprintf(stderr, L"OpenProcessToken: failed");
        return 1;   // do not continue with an uninitialised handle
    }
    // DisableAllPrivileges = TRUE: the remaining parameters are ignored.
    if (AdjustTokenPrivileges(primary_token, TRUE, nullptr, 0, nullptr, nullptr) == FALSE)
    {
        fwprintf(stderr, L"AdjustTokenPrivileges: failed");
    }
    CloseHandle(primary_token);
    // Block forever so the process can be inspected in Process Explorer.
    auto event = CreateEventW(nullptr, FALSE, FALSE, nullptr);
    WaitForSingleObject(event, INFINITE);
}
```
It does not seem to be working when viewing the process privileges in Sysinternals Process Explorer. I solved it by querying all privileges and changing the attribute to SE_PRIVILEGE_REMOVED, but I am not sure why setting DisableAllPrivileges to TRUE does not work.

security winapi
edited Nov 15 at 7:00
asked Nov 15 at 6:55
user10655827
Because I don't see any question mark in your post ... what exactly is your question? Why setting DisableAllPrivileges to TRUE did not work? Why your new solution worked? Something else?
– quant
Nov 15 at 7:13
1 Answer
> It does not seem to be working when viewing the process privileges in Sysinternals Process Explorer.

Sysinternals Process Explorer shows a wrong picture. DisableAllPrivileges works as expected: it removes the SE_PRIVILEGE_ENABLED attribute from all privileges in the token. But some privileges can also have the SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute. SeChangeNotifyPrivilege, for example, has this attribute; it remains unchanged, which is what your image shows. But anyway, only the SE_PRIVILEGE_ENABLED attribute is used by the PrivilegeCheck or SePrivilegeCheck API, so you really do effectively disable all privileges in your token, including SeChangeNotifyPrivilege. All calls which require a concrete privilege that does not have the SE_PRIVILEGE_ENABLED attribute in your token fail, even if the SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute exists.

Test code:
```cpp
#include <windows.h>
#include <malloc.h>   // alloca
#include <stdio.h>    // _swprintf

// DbgPrint is exported by ntdll.dll; declare it so this builds in a user-mode project.
extern "C" ULONG __cdecl DbgPrint(PCSTR Format, ...);
#pragma comment(lib, "ntdll")

#ifndef RtlPointerToOffset
#define RtlPointerToOffset(B,P) ((ULONG)( ((PCHAR)(P)) - ((PCHAR)(B)) ))
#endif

inline ULONG BOOL_TO_ERROR(BOOL fOk)
{
    return fOk ? NOERROR : GetLastError();
}

volatile UCHAR guz = 0;

// Dumps every privilege in the token: raw attributes, PrivilegeCheck's verdict, name.
void DumpTokenPrivs(HANDLE hToken)
{
    union {
        PVOID buf;
        PTOKEN_PRIVILEGES ptp;
    };
    PVOID stack = alloca(guz);
    ULONG cb = 0, rcb = 0x40;
    ULONG dwError;
    do
    {
        // Grow the stack buffer until GetTokenInformation is satisfied.
        if (cb < rcb)
        {
            cb = RtlPointerToOffset(buf = alloca(rcb - cb), stack);
        }
        if (NOERROR == (dwError = BOOL_TO_ERROR(
            GetTokenInformation(hToken, TokenPrivileges, buf, cb, &rcb))))
        {
            ULONG PrivilegeCount = ptp->PrivilegeCount;
            DbgPrint("PrivilegeCount = %u\n", PrivilegeCount);
            if (PrivilegeCount)
            {
                PLUID_AND_ATTRIBUTES Privileges = ptp->Privileges;
                do
                {
                    WCHAR Name[64];
                    ULONG cch = RTL_NUMBER_OF(Name);
                    if (!LookupPrivilegeNameW(0, &Privileges->Luid, Name, &cch))
                    {
                        _swprintf(Name, L"{%u-%u}",
                            Privileges->Luid.HighPart, Privileges->Luid.LowPart);
                    }
                    // PrivilegeCheck looks only at SE_PRIVILEGE_ENABLED.
                    BOOL fResult = FALSE;
                    PRIVILEGE_SET ps = {
                        1, PRIVILEGE_SET_ALL_NECESSARY, {
                            { Privileges->Luid.LowPart, Privileges->Luid.HighPart }
                        }
                    };
                    if (!PrivilegeCheck(hToken, &ps, &fResult))
                    {
                        DbgPrint("PrivilegeCheck=%u\n", GetLastError());
                    }
                    DbgPrint("%08x %x %S\n", Privileges->Attributes, fResult, Name);
                } while (Privileges++, --PrivilegeCount);
            }
        }
    } while (dwError == ERROR_INSUFFICIENT_BUFFER);
}

void PrivTest()
{
    HANDLE hToken;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken))
    {
        // Switch to the linked token of the UAC pair when there is one.
        ULONG rcb;
        TOKEN_LINKED_TOKEN tlk;
        if (GetTokenInformation(hToken, TokenLinkedToken, &tlk, sizeof(tlk), &rcb))
        {
            CloseHandle(hToken);
            hToken = tlk.LinkedToken;
        }
        DumpTokenPrivs(hToken);
        // DisableAllPrivileges = TRUE, then dump again to see what changed.
        if (AdjustTokenPrivileges(hToken, TRUE, 0, 0, 0, 0) && GetLastError() == NOERROR)
        {
            DumpTokenPrivs(hToken);
        }
        CloseHandle(hToken);
    }
}
```
and output:

```text
PrivilegeCount = 5
00000000 0 SeShutdownPrivilege
00000003 1 SeChangeNotifyPrivilege
00000000 0 SeUndockPrivilege
00000000 0 SeIncreaseWorkingSetPrivilege
00000000 0 SeTimeZonePrivilege
PrivilegeCount = 5
00000000 0 SeShutdownPrivilege
00000001 0 SeChangeNotifyPrivilege
00000000 0 SeUndockPrivilege
00000000 0 SeIncreaseWorkingSetPrivilege
00000000 0 SeTimeZonePrivilege
```
Note that before the call it was

```text
00000003 1 SeChangeNotifyPrivilege
```

which means the SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED attributes, and PrivilegeCheck says that the privilege is enabled. After the call it was

```text
00000001 0 SeChangeNotifyPrivilege
```

which means the SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute only, and PrivilegeCheck says that the privilege is disabled.
answered Nov 15 at 12:09
RbMm
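An added example, not code from the question or the answer: the portable part decodes rows in the format the answer's DumpTokenPrivs prints (the sample rows are constructed by copying them from the output above) and checks the claim that PrivilegeCheck's verdict follows the SE_PRIVILEGE_ENABLED bit alone, while the _WIN32 part applies the questioner's SE_PRIVILEGE_REMOVED workaround and re-reads the token so the result is verified rather than read off Process Explorer. The names kEnabled, ParseDumpLine, DisplayState, CountMismatches and RemoveAllPrivileges are mine.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#endif

// Attribute bits from winnt.h, spelled out so the decoder also builds off Windows.
constexpr uint32_t kEnabledByDefault = 0x00000001u; // SE_PRIVILEGE_ENABLED_BY_DEFAULT
constexpr uint32_t kEnabled          = 0x00000002u; // SE_PRIVILEGE_ENABLED
constexpr uint32_t kRemoved          = 0x00000004u; // SE_PRIVILEGE_REMOVED

// Constructed sample: rows copied from the answer's dump (attrs, PrivilegeCheck, name).
const std::vector<std::string> kAnswerDump = {
    "00000003 1 SeChangeNotifyPrivilege",  // before DisableAllPrivileges
    "00000001 0 SeChangeNotifyPrivilege",  // after: ENABLED cleared, BY_DEFAULT kept
    "00000000 0 SeShutdownPrivilege",
};

struct PrivRow { uint32_t attrs; bool checkResult; std::string name; };

// Parses one dump line of the form "<attrs hex> <PrivilegeCheck result> <name>".
bool ParseDumpLine(const std::string& line, PrivRow& out) {
    unsigned attrs = 0, result = 0;
    char name[128];
    if (std::sscanf(line.c_str(), "%x %u %127s", &attrs, &result, name) != 3) return false;
    out = {attrs, result != 0, name};
    return true;
}

// What PrivilegeCheck / SePrivilegeCheck consult: the ENABLED bit and nothing else.
bool EffectivelyEnabled(uint32_t attrs) { return (attrs & kEnabled) != 0; }

// The label a token viewer derives from the raw bits. "Default Enabled" is the
// state that looks enabled in Process Explorer yet fails every privilege check.
std::string DisplayState(uint32_t attrs) {
    if (attrs & kRemoved) return "Removed";
    if (attrs & kEnabled) return "Enabled";
    if (attrs & kEnabledByDefault) return "Default Enabled";
    return "Disabled";
}

// Rows whose PrivilegeCheck column disagrees with the ENABLED bit; the answer's
// claim predicts 0 for any dump that DumpTokenPrivs produces.
int CountMismatches(const std::vector<std::string>& dump) {
    int bad = 0;
    for (const auto& line : dump) {
        PrivRow row;
        if (ParseDumpLine(line, row) && row.checkResult != EffectivelyEnabled(row.attrs)) ++bad;
    }
    return bad;
}

#ifdef _WIN32
// The questioner's workaround end to end: mark every privilege SE_PRIVILEGE_REMOVED,
// then re-read the token. Removed privileges vanish from the list, so the return
// value is the count left (0 on success) or -1 on error. hToken needs
// TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES.
int RemoveAllPrivileges(HANDLE hToken) {
    DWORD cb = 0;
    GetTokenInformation(hToken, TokenPrivileges, nullptr, 0, &cb);  // size probe
    std::vector<BYTE> buf(cb);
    auto* tp = reinterpret_cast<PTOKEN_PRIVILEGES>(buf.data());
    if (cb == 0 || !GetTokenInformation(hToken, TokenPrivileges, tp, cb, &cb)) return -1;
    for (DWORD i = 0; i < tp->PrivilegeCount; ++i)
        tp->Privileges[i].Attributes = SE_PRIVILEGE_REMOVED;
    if (!AdjustTokenPrivileges(hToken, FALSE, tp, 0, nullptr, nullptr)) return -1;
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) return -1;        // partial removal
    cb = static_cast<DWORD>(buf.size());
    if (!GetTokenInformation(hToken, TokenPrivileges, tp, cb, &cb)) return -1;
    return static_cast<int>(tp->PrivilegeCount);
}
#endif
```

On Windows, call RemoveAllPrivileges on a token opened with TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES: a return of 0 means the re-read token lists no privileges at all, which is the visible difference from DisableAllPrivileges, which leaves them listed with only the ENABLED bit cleared.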