Disabling all privileges with AdjustTokenPrivileges using DisableAllPrivileges?











up vote
1
down vote

favorite












I am trying to strip a process from all privileges using AdjustTokenPrivileges by setting the parameter DisableAllPrivileges to TRUE:



#include <Windows.h>

#include <cwchar>



int main()

{

  auto process = GetCurrentProcess();

  HANDLE primary_token;



  if (OpenProcessToken(process, TOKEN_ADJUST_PRIVILEGES, &primary_token) == FALSE)

  {

    fwprintf(stderr, L"OpenProcessToken: failed");

  }



  if (AdjustTokenPrivileges(primary_token, TRUE, nullptr, 0, nullptr, nullptr) == FALSE)

  {

    fwprintf(stderr, L"AdjustTokenPrivileges: failed");

  }



  CloseHandle(primary_token);



  auto event = CreateEventW(nullptr, FALSE, FALSE, nullptr);

  WaitForSingleObject(event, INFINITE);

}


It does not seem to working when viewing the process privileges in Sysinternals Process Explorer.



I solved it by querying all privileges and changing the attribute to SE_PRIVILEGE_REMOVED but I am not sure why setting DisableAllPrivileges to TRUE does not work.






security winapi







share|improve this question
























  • Because I don't see any question mark in your post ... what exactly is your question? Why setting DisableAllPrivileges to TRUE did not work? Why your new solution worked? Something else?
    – quant
    Nov 15 at 7:13















up vote
1
down vote

favorite












I am trying to strip a process from all privileges using AdjustTokenPrivileges by setting the parameter DisableAllPrivileges to TRUE:



#include <Windows.h>

#include <cwchar>



int main()

{

  auto process = GetCurrentProcess();

  HANDLE primary_token;



  if (OpenProcessToken(process, TOKEN_ADJUST_PRIVILEGES, &primary_token) == FALSE)

  {

    fwprintf(stderr, L"OpenProcessToken: failed");

  }



  if (AdjustTokenPrivileges(primary_token, TRUE, nullptr, 0, nullptr, nullptr) == FALSE)

  {

    fwprintf(stderr, L"AdjustTokenPrivileges: failed");

  }



  CloseHandle(primary_token);



  auto event = CreateEventW(nullptr, FALSE, FALSE, nullptr);

  WaitForSingleObject(event, INFINITE);

}


It does not seem to working when viewing the process privileges in Sysinternals Process Explorer.



I solved it by querying all privileges and changing the attribute to SE_PRIVILEGE_REMOVED but I am not sure why setting DisableAllPrivileges to TRUE does not work.






security winapi







share|improve this question
























  • Because I don't see any question mark in your post ... what exactly is your question? Why setting DisableAllPrivileges to TRUE did not work? Why your new solution worked? Something else?
    – quant
    Nov 15 at 7:13













up vote
1
down vote

favorite









up vote
1
down vote

favorite











I am trying to strip a process from all privileges using AdjustTokenPrivileges by setting the parameter DisableAllPrivileges to TRUE:



#include <Windows.h>

#include <cwchar>



int main()

{

  auto process = GetCurrentProcess();

  HANDLE primary_token;



  if (OpenProcessToken(process, TOKEN_ADJUST_PRIVILEGES, &primary_token) == FALSE)

  {

    fwprintf(stderr, L"OpenProcessToken: failed");

  }



  if (AdjustTokenPrivileges(primary_token, TRUE, nullptr, 0, nullptr, nullptr) == FALSE)

  {

    fwprintf(stderr, L"AdjustTokenPrivileges: failed");

  }



  CloseHandle(primary_token);



  auto event = CreateEventW(nullptr, FALSE, FALSE, nullptr);

  WaitForSingleObject(event, INFINITE);

}


It does not seem to working when viewing the process privileges in Sysinternals Process Explorer.



I solved it by querying all privileges and changing the attribute to SE_PRIVILEGE_REMOVED but I am not sure why setting DisableAllPrivileges to TRUE does not work.






security winapi







share|improve this question















I am trying to strip a process from all privileges using AdjustTokenPrivileges by setting the parameter DisableAllPrivileges to TRUE:



#include <Windows.h>

#include <cwchar>



int main()

{

  auto process = GetCurrentProcess();

  HANDLE primary_token;



  if (OpenProcessToken(process, TOKEN_ADJUST_PRIVILEGES, &primary_token) == FALSE)

  {

    fwprintf(stderr, L"OpenProcessToken: failed");

  }



  if (AdjustTokenPrivileges(primary_token, TRUE, nullptr, 0, nullptr, nullptr) == FALSE)

  {

    fwprintf(stderr, L"AdjustTokenPrivileges: failed");

  }



  CloseHandle(primary_token);



  auto event = CreateEventW(nullptr, FALSE, FALSE, nullptr);

  WaitForSingleObject(event, INFINITE);

}


It does not seem to working when viewing the process privileges in Sysinternals Process Explorer.



I solved it by querying all privileges and changing the attribute to SE_PRIVILEGE_REMOVED but I am not sure why setting DisableAllPrivileges to TRUE does not work.






security winapi




security winapi






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 15 at 7:00

























asked Nov 15 at 6:55









user10655827

83




83












  • Because I don't see any question mark in your post ... what exactly is your question? Why setting DisableAllPrivileges to TRUE did not work? Why your new solution worked? Something else?
    – quant
    Nov 15 at 7:13


















  • Because I don't see any question mark in your post ... what exactly is your question? Why setting DisableAllPrivileges to TRUE did not work? Why your new solution worked? Something else?
    – quant
    Nov 15 at 7:13
















Because I don't see any question mark in your post ... what exactly is your question? Why setting DisableAllPrivileges to TRUE did not work? Why your new solution worked? Something else?
– quant
Nov 15 at 7:13




Because I don't see any question mark in your post ... what exactly is your question? Why setting DisableAllPrivileges to TRUE did not work? Why your new solution worked? Something else?
– quant
Nov 15 at 7:13












1 Answer
1






active

oldest

votes

















up vote
1
down vote



accepted











It does not seem to working when viewing the process privileges in
Sysinternals Process Explorer.




Sysinternals Process Explorer show wrong image. DisableAllPrivileges work as excepted - remove SE_PRIVILEGE_ENABLED attribute from all privileges in token. but some privileges can also have SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute. SeChangeNotifyPrivilege for example have this attribute. it remain unchanged, what and show your image. but anyway only SE_PRIVILEGE_ENABLED attribute used in PrivilegeCheck or SePrivilegeCheck api. so you really effective disable all privileges in your token, including SeChangeNotifyPrivilege. all calls, which require concrete privilege, which have not SE_PRIVILEGE_ENABLED attribute in your token - fail, even if SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute exist.



test code



#ifndef RtlPointerToOffset

#define RtlPointerToOffset(B,P) ((ULONG)( ((PCHAR)(P)) - ((PCHAR)(B)) ))

#endif



inline ULONG BOOL_TO_ERROR(BOOL fOk)

{

    return fOk ? NOERROR : GetLastError();

}



volatile UCHAR guz = 0;



void DumpTokenPrivs(HANDLE hToken)

{

    union {

        PVOID buf;

        PTOKEN_PRIVILEGES ptp;

    };



    PVOID stack = alloca(guz);



    ULONG cb = 0, rcb = 0x40;



    ULONG dwError;

    do 

    {

        if (cb < rcb)

        {

            cb = RtlPointerToOffset(buf = alloca(rcb - cb), stack);

        }



        if (NOERROR == (dwError = BOOL_TO_ERROR(

            GetTokenInformation(hToken, TokenPrivileges, buf, cb, &rcb))))

        {

            ULONG PrivilegeCount = ptp->PrivilegeCount;



            DbgPrint("PrivilegeCount = %un", PrivilegeCount);

            if (PrivilegeCount)

            {

                PLUID_AND_ATTRIBUTES Privileges = ptp->Privileges;

                do 

                {

                    WCHAR Name[64];

                    ULONG cch = RTL_NUMBER_OF(Name);

                    if (!LookupPrivilegeNameW(0, &Privileges->Luid, Name, &cch))

                    {

                        _swprintf(Name, L"{%u-%u}", 

                            Privileges->Luid.HighPart, Privileges->Luid.LowPart);

                    }



                    BOOL fResult;

                    PRIVILEGE_SET ps = { 

                        1, PRIVILEGE_SET_ALL_NECESSARY, { 

                            { Privileges->Luid.LowPart, Privileges->Luid.HighPart } 

                        } 

                    };



                    if (!PrivilegeCheck(hToken, &ps, &fResult))

                    {

                        DbgPrint("PrivilegeCheck=%un", GetLastError());

                    }



                    DbgPrint("%08x %x %Sn", Privileges->Attributes, fResult, Name);



                } while (Privileges++, --PrivilegeCount);

            }

        }



    } while (dwError == ERROR_INSUFFICIENT_BUFFER);

}



void PrivTest()

{

    HANDLE hToken;



    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken))

    {

        ULONG rcb;

        TOKEN_LINKED_TOKEN tlk;

        GetTokenInformation(hToken, TokenLinkedToken, &tlk, sizeof(tlk), &rcb);

        CloseHandle(hToken);

        hToken = tlk.LinkedToken;



        DumpTokenPrivs(hToken);



        if (AdjustTokenPrivileges(hToken, TRUE, 0, 0, 0, 0) && GetLastError() == NOERROR)

        {

            DumpTokenPrivs(hToken);

        }

    }



    CloseHandle(hToken);

}


and output:



PrivilegeCount = 5

00000000 0 SeShutdownPrivilege

00000003 1 SeChangeNotifyPrivilege

00000000 0 SeUndockPrivilege

00000000 0 SeIncreaseWorkingSetPrivilege

00000000 0 SeTimeZonePrivilege

PrivilegeCount = 5

00000000 0 SeShutdownPrivilege

00000001 0 SeChangeNotifyPrivilege

00000000 0 SeUndockPrivilege

00000000 0 SeIncreaseWorkingSetPrivilege

00000000 0 SeTimeZonePrivilege


note that before call was



00000003 1 SeChangeNotifyPrivilege


was mean SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED attributes and PrivilegeCheck say that privilege is enabled.



after call was 



00000001 0 SeChangeNotifyPrivilege


was mean SE_PRIVILEGE_ENABLED_BY_DEFAULT attributes and PrivilegeCheck say that privilege is disabled.






share|improve this answer





















    Your Answer






    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "1"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53313943%2fdisabling-all-privileges-with-adjusttokenprivileges-using-disableallprivileges%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    1
    down vote



    accepted











    It does not seem to working when viewing the process privileges in
    Sysinternals Process Explorer.




    Sysinternals Process Explorer show wrong image. DisableAllPrivileges work as excepted - remove SE_PRIVILEGE_ENABLED attribute from all privileges in token. but some privileges can also have SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute. SeChangeNotifyPrivilege for example have this attribute. it remain unchanged, what and show your image. but anyway only SE_PRIVILEGE_ENABLED attribute used in PrivilegeCheck or SePrivilegeCheck api. so you really effective disable all privileges in your token, including SeChangeNotifyPrivilege. all calls, which require concrete privilege, which have not SE_PRIVILEGE_ENABLED attribute in your token - fail, even if SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute exist.



    test code



    #ifndef RtlPointerToOffset
    
#define RtlPointerToOffset(B,P) ((ULONG)( ((PCHAR)(P)) - ((PCHAR)(B)) ))
    
#endif
    

    
inline ULONG BOOL_TO_ERROR(BOOL fOk)
    
{
    
    return fOk ? NOERROR : GetLastError();
    
}
    

    
volatile UCHAR guz = 0;
    

    
void DumpTokenPrivs(HANDLE hToken)
    
{
    
    union {
    
        PVOID buf;
    
        PTOKEN_PRIVILEGES ptp;
    
    };
    

    
    PVOID stack = alloca(guz);
    

    
    ULONG cb = 0, rcb = 0x40;
    

    
    ULONG dwError;
    
    do 
    
    {
    
        if (cb < rcb)
    
        {
    
            cb = RtlPointerToOffset(buf = alloca(rcb - cb), stack);
    
        }
    

    
        if (NOERROR == (dwError = BOOL_TO_ERROR(
    
            GetTokenInformation(hToken, TokenPrivileges, buf, cb, &rcb))))
    
        {
    
            ULONG PrivilegeCount = ptp->PrivilegeCount;
    

    
            DbgPrint("PrivilegeCount = %un", PrivilegeCount);
    
            if (PrivilegeCount)
    
            {
    
                PLUID_AND_ATTRIBUTES Privileges = ptp->Privileges;
    
                do 
    
                {
    
                    WCHAR Name[64];
    
                    ULONG cch = RTL_NUMBER_OF(Name);
    
                    if (!LookupPrivilegeNameW(0, &Privileges->Luid, Name, &cch))
    
                    {
    
                        _swprintf(Name, L"{%u-%u}", 
    
                            Privileges->Luid.HighPart, Privileges->Luid.LowPart);
    
                    }
    

    
                    BOOL fResult;
    
                    PRIVILEGE_SET ps = { 
    
                        1, PRIVILEGE_SET_ALL_NECESSARY, { 
    
                            { Privileges->Luid.LowPart, Privileges->Luid.HighPart } 
    
                        } 
    
                    };
    

    
                    if (!PrivilegeCheck(hToken, &ps, &fResult))
    
                    {
    
                        DbgPrint("PrivilegeCheck=%un", GetLastError());
    
                    }
    

    
                    DbgPrint("%08x %x %Sn", Privileges->Attributes, fResult, Name);
    

    
                } while (Privileges++, --PrivilegeCount);
    
            }
    
        }
    

    
    } while (dwError == ERROR_INSUFFICIENT_BUFFER);
    
}
    

    
void PrivTest()
    
{
    
    HANDLE hToken;
    

    
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken))
    
    {
    
        ULONG rcb;
    
        TOKEN_LINKED_TOKEN tlk;
    
        GetTokenInformation(hToken, TokenLinkedToken, &tlk, sizeof(tlk), &rcb);
    
        CloseHandle(hToken);
    
        hToken = tlk.LinkedToken;
    

    
        DumpTokenPrivs(hToken);
    

    
        if (AdjustTokenPrivileges(hToken, TRUE, 0, 0, 0, 0) && GetLastError() == NOERROR)
    
        {
    
            DumpTokenPrivs(hToken);
    
        }
    
    }
    

    
    CloseHandle(hToken);
    
}


    and output:



    PrivilegeCount = 5
    
00000000 0 SeShutdownPrivilege
    
00000003 1 SeChangeNotifyPrivilege
    
00000000 0 SeUndockPrivilege
    
00000000 0 SeIncreaseWorkingSetPrivilege
    
00000000 0 SeTimeZonePrivilege
    
PrivilegeCount = 5
    
00000000 0 SeShutdownPrivilege
    
00000001 0 SeChangeNotifyPrivilege
    
00000000 0 SeUndockPrivilege
    
00000000 0 SeIncreaseWorkingSetPrivilege
    
00000000 0 SeTimeZonePrivilege


    note that before call was



    00000003 1 SeChangeNotifyPrivilege


    was mean SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED attributes and PrivilegeCheck say that privilege is enabled.



    after call was 



    00000001 0 SeChangeNotifyPrivilege


    was mean SE_PRIVILEGE_ENABLED_BY_DEFAULT attributes and PrivilegeCheck say that privilege is disabled.






    share|improve this answer

























      up vote
      1
      down vote



      accepted











      It does not seem to working when viewing the process privileges in
      Sysinternals Process Explorer.




      Sysinternals Process Explorer show wrong image. DisableAllPrivileges work as excepted - remove SE_PRIVILEGE_ENABLED attribute from all privileges in token. but some privileges can also have SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute. SeChangeNotifyPrivilege for example have this attribute. it remain unchanged, what and show your image. but anyway only SE_PRIVILEGE_ENABLED attribute used in PrivilegeCheck or SePrivilegeCheck api. so you really effective disable all privileges in your token, including SeChangeNotifyPrivilege. all calls, which require concrete privilege, which have not SE_PRIVILEGE_ENABLED attribute in your token - fail, even if SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute exist.



      test code



      #ifndef RtlPointerToOffset
      
#define RtlPointerToOffset(B,P) ((ULONG)( ((PCHAR)(P)) - ((PCHAR)(B)) ))
      
#endif
      

      
inline ULONG BOOL_TO_ERROR(BOOL fOk)
      
{
      
    return fOk ? NOERROR : GetLastError();
      
}
      

      
volatile UCHAR guz = 0;
      

      
void DumpTokenPrivs(HANDLE hToken)
      
{
      
    union {
      
        PVOID buf;
      
        PTOKEN_PRIVILEGES ptp;
      
    };
      

      
    PVOID stack = alloca(guz);
      

      
    ULONG cb = 0, rcb = 0x40;
      

      
    ULONG dwError;
      
    do 
      
    {
      
        if (cb < rcb)
      
        {
      
            cb = RtlPointerToOffset(buf = alloca(rcb - cb), stack);
      
        }
      

      
        if (NOERROR == (dwError = BOOL_TO_ERROR(
      
            GetTokenInformation(hToken, TokenPrivileges, buf, cb, &rcb))))
      
        {
      
            ULONG PrivilegeCount = ptp->PrivilegeCount;
      

      
            DbgPrint("PrivilegeCount = %un", PrivilegeCount);
      
            if (PrivilegeCount)
      
            {
      
                PLUID_AND_ATTRIBUTES Privileges = ptp->Privileges;
      
                do 
      
                {
      
                    WCHAR Name[64];
      
                    ULONG cch = RTL_NUMBER_OF(Name);
      
                    if (!LookupPrivilegeNameW(0, &Privileges->Luid, Name, &cch))
      
                    {
      
                        _swprintf(Name, L"{%u-%u}", 
      
                            Privileges->Luid.HighPart, Privileges->Luid.LowPart);
      
                    }
      

      
                    BOOL fResult;
      
                    PRIVILEGE_SET ps = { 
      
                        1, PRIVILEGE_SET_ALL_NECESSARY, { 
      
                            { Privileges->Luid.LowPart, Privileges->Luid.HighPart } 
      
                        } 
      
                    };
      

      
                    if (!PrivilegeCheck(hToken, &ps, &fResult))
      
                    {
      
                        DbgPrint("PrivilegeCheck=%un", GetLastError());
      
                    }
      

      
                    DbgPrint("%08x %x %Sn", Privileges->Attributes, fResult, Name);
      

      
                } while (Privileges++, --PrivilegeCount);
      
            }
      
        }
      

      
    } while (dwError == ERROR_INSUFFICIENT_BUFFER);
      
}
      

      
void PrivTest()
      
{
      
    HANDLE hToken;
      

      
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken))
      
    {
      
        ULONG rcb;
      
        TOKEN_LINKED_TOKEN tlk;
      
        GetTokenInformation(hToken, TokenLinkedToken, &tlk, sizeof(tlk), &rcb);
      
        CloseHandle(hToken);
      
        hToken = tlk.LinkedToken;
      

      
        DumpTokenPrivs(hToken);
      

      
        if (AdjustTokenPrivileges(hToken, TRUE, 0, 0, 0, 0) && GetLastError() == NOERROR)
      
        {
      
            DumpTokenPrivs(hToken);
      
        }
      
    }
      

      
    CloseHandle(hToken);
      
}


      and output:



      PrivilegeCount = 5
      
00000000 0 SeShutdownPrivilege
      
00000003 1 SeChangeNotifyPrivilege
      
00000000 0 SeUndockPrivilege
      
00000000 0 SeIncreaseWorkingSetPrivilege
      
00000000 0 SeTimeZonePrivilege
      
PrivilegeCount = 5
      
00000000 0 SeShutdownPrivilege
      
00000001 0 SeChangeNotifyPrivilege
      
00000000 0 SeUndockPrivilege
      
00000000 0 SeIncreaseWorkingSetPrivilege
      
00000000 0 SeTimeZonePrivilege


      note that before call was



      00000003 1 SeChangeNotifyPrivilege


      was mean SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED attributes and PrivilegeCheck say that privilege is enabled.



      after call was 



      00000001 0 SeChangeNotifyPrivilege


      was mean SE_PRIVILEGE_ENABLED_BY_DEFAULT attributes and PrivilegeCheck say that privilege is disabled.






      share|improve this answer























        up vote
        1
        down vote



        accepted







        up vote
        1
        down vote



        accepted







        It does not seem to working when viewing the process privileges in
        Sysinternals Process Explorer.




        Sysinternals Process Explorer show wrong image. DisableAllPrivileges work as excepted - remove SE_PRIVILEGE_ENABLED attribute from all privileges in token. but some privileges can also have SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute. SeChangeNotifyPrivilege for example have this attribute. it remain unchanged, what and show your image. but anyway only SE_PRIVILEGE_ENABLED attribute used in PrivilegeCheck or SePrivilegeCheck api. so you really effective disable all privileges in your token, including SeChangeNotifyPrivilege. all calls, which require concrete privilege, which have not SE_PRIVILEGE_ENABLED attribute in your token - fail, even if SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute exist.



        test code



        #ifndef RtlPointerToOffset
        
#define RtlPointerToOffset(B,P) ((ULONG)( ((PCHAR)(P)) - ((PCHAR)(B)) ))
        
#endif
        

        
inline ULONG BOOL_TO_ERROR(BOOL fOk)
        
{
        
    return fOk ? NOERROR : GetLastError();
        
}
        

        
volatile UCHAR guz = 0;
        

        
void DumpTokenPrivs(HANDLE hToken)
        
{
        
    union {
        
        PVOID buf;
        
        PTOKEN_PRIVILEGES ptp;
        
    };
        

        
    PVOID stack = alloca(guz);
        

        
    ULONG cb = 0, rcb = 0x40;
        

        
    ULONG dwError;
        
    do 
        
    {
        
        if (cb < rcb)
        
        {
        
            cb = RtlPointerToOffset(buf = alloca(rcb - cb), stack);
        
        }
        

        
        if (NOERROR == (dwError = BOOL_TO_ERROR(
        
            GetTokenInformation(hToken, TokenPrivileges, buf, cb, &rcb))))
        
        {
        
            ULONG PrivilegeCount = ptp->PrivilegeCount;
        

        
            DbgPrint("PrivilegeCount = %un", PrivilegeCount);
        
            if (PrivilegeCount)
        
            {
        
                PLUID_AND_ATTRIBUTES Privileges = ptp->Privileges;
        
                do 
        
                {
        
                    WCHAR Name[64];
        
                    ULONG cch = RTL_NUMBER_OF(Name);
        
                    if (!LookupPrivilegeNameW(0, &Privileges->Luid, Name, &cch))
        
                    {
        
                        _swprintf(Name, L"{%u-%u}", 
        
                            Privileges->Luid.HighPart, Privileges->Luid.LowPart);
        
                    }
        

        
                    BOOL fResult;
        
                    PRIVILEGE_SET ps = { 
        
                        1, PRIVILEGE_SET_ALL_NECESSARY, { 
        
                            { Privileges->Luid.LowPart, Privileges->Luid.HighPart } 
        
                        } 
        
                    };
        

        
                    if (!PrivilegeCheck(hToken, &ps, &fResult))
        
                    {
        
                        DbgPrint("PrivilegeCheck=%un", GetLastError());
        
                    }
        

        
                    DbgPrint("%08x %x %Sn", Privileges->Attributes, fResult, Name);
        

        
                } while (Privileges++, --PrivilegeCount);
        
            }
        
        }
        

        
    } while (dwError == ERROR_INSUFFICIENT_BUFFER);
        
}
        

        
void PrivTest()
        
{
        
    HANDLE hToken;
        

        
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken))
        
    {
        
        ULONG rcb;
        
        TOKEN_LINKED_TOKEN tlk;
        
        GetTokenInformation(hToken, TokenLinkedToken, &tlk, sizeof(tlk), &rcb);
        
        CloseHandle(hToken);
        
        hToken = tlk.LinkedToken;
        

        
        DumpTokenPrivs(hToken);
        

        
        if (AdjustTokenPrivileges(hToken, TRUE, 0, 0, 0, 0) && GetLastError() == NOERROR)
        
        {
        
            DumpTokenPrivs(hToken);
        
        }
        
    }
        

        
    CloseHandle(hToken);
        
}


        and output:



        PrivilegeCount = 5
        
00000000 0 SeShutdownPrivilege
        
00000003 1 SeChangeNotifyPrivilege
        
00000000 0 SeUndockPrivilege
        
00000000 0 SeIncreaseWorkingSetPrivilege
        
00000000 0 SeTimeZonePrivilege
        
PrivilegeCount = 5
        
00000000 0 SeShutdownPrivilege
        
00000001 0 SeChangeNotifyPrivilege
        
00000000 0 SeUndockPrivilege
        
00000000 0 SeIncreaseWorkingSetPrivilege
        
00000000 0 SeTimeZonePrivilege


        note that before call was



        00000003 1 SeChangeNotifyPrivilege


        was mean SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED attributes and PrivilegeCheck say that privilege is enabled.



        after call was 



        00000001 0 SeChangeNotifyPrivilege


        was mean SE_PRIVILEGE_ENABLED_BY_DEFAULT attributes and PrivilegeCheck say that privilege is disabled.






        share|improve this answer













        It does not seem to working when viewing the process privileges in
        Sysinternals Process Explorer.




        Sysinternals Process Explorer show wrong image. DisableAllPrivileges work as excepted - remove SE_PRIVILEGE_ENABLED attribute from all privileges in token. but some privileges can also have SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute. SeChangeNotifyPrivilege for example have this attribute. it remain unchanged, what and show your image. but anyway only SE_PRIVILEGE_ENABLED attribute used in PrivilegeCheck or SePrivilegeCheck api. so you really effective disable all privileges in your token, including SeChangeNotifyPrivilege. all calls, which require concrete privilege, which have not SE_PRIVILEGE_ENABLED attribute in your token - fail, even if SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute exist.



        test code



        #ifndef RtlPointerToOffset
        
#define RtlPointerToOffset(B,P) ((ULONG)( ((PCHAR)(P)) - ((PCHAR)(B)) ))
        
#endif
        

        
inline ULONG BOOL_TO_ERROR(BOOL fOk)
        
{
        
    return fOk ? NOERROR : GetLastError();
        
}
        

        
volatile UCHAR guz = 0;
        

        
void DumpTokenPrivs(HANDLE hToken)
        
{
        
    union {
        
        PVOID buf;
        
        PTOKEN_PRIVILEGES ptp;
        
    };
        

        
    PVOID stack = alloca(guz);
        

        
    ULONG cb = 0, rcb = 0x40;
        

        
    ULONG dwError;
        
    do 
        
    {
        
        if (cb < rcb)
        
        {
        
            cb = RtlPointerToOffset(buf = alloca(rcb - cb), stack);
        
        }
        

        
        if (NOERROR == (dwError = BOOL_TO_ERROR(
        
            GetTokenInformation(hToken, TokenPrivileges, buf, cb, &rcb))))
        
        {
        
            ULONG PrivilegeCount = ptp->PrivilegeCount;
        

        
            DbgPrint("PrivilegeCount = %un", PrivilegeCount);
        
            if (PrivilegeCount)
        
            {
        
                PLUID_AND_ATTRIBUTES Privileges = ptp->Privileges;
        
                do 
        
                {
        
                    WCHAR Name[64];
        
                    ULONG cch = RTL_NUMBER_OF(Name);
        
                    if (!LookupPrivilegeNameW(0, &Privileges->Luid, Name, &cch))
        
                    {
        
                        _swprintf(Name, L"{%u-%u}", 
        
                            Privileges->Luid.HighPart, Privileges->Luid.LowPart);
        
                    }
        

        
                    BOOL fResult;
        
                    PRIVILEGE_SET ps = { 
        
                        1, PRIVILEGE_SET_ALL_NECESSARY, { 
        
                            { Privileges->Luid.LowPart, Privileges->Luid.HighPart } 
        
                        } 
        
                    };
        

        
                    if (!PrivilegeCheck(hToken, &ps, &fResult))
        
                    {
        
                        DbgPrint("PrivilegeCheck=%un", GetLastError());
        
                    }
        

        
                    DbgPrint("%08x %x %Sn", Privileges->Attributes, fResult, Name);
        

        
                } while (Privileges++, --PrivilegeCount);
        
            }
        
        }
        

        
    } while (dwError == ERROR_INSUFFICIENT_BUFFER);
        
}
        

        
void PrivTest()
        
{
        
    HANDLE hToken;
        

        
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken))
        
    {
        
        ULONG rcb;
        
        TOKEN_LINKED_TOKEN tlk;
        
        GetTokenInformation(hToken, TokenLinkedToken, &tlk, sizeof(tlk), &rcb);
        
        CloseHandle(hToken);
        
        hToken = tlk.LinkedToken;
        

        
        DumpTokenPrivs(hToken);
        

        
        if (AdjustTokenPrivileges(hToken, TRUE, 0, 0, 0, 0) && GetLastError() == NOERROR)
        
        {
        
            DumpTokenPrivs(hToken);
        
        }
        
    }
        

        
    CloseHandle(hToken);
        
}


        and output:



        PrivilegeCount = 5
        
00000000 0 SeShutdownPrivilege
        
00000003 1 SeChangeNotifyPrivilege
        
00000000 0 SeUndockPrivilege
        
00000000 0 SeIncreaseWorkingSetPrivilege
        
00000000 0 SeTimeZonePrivilege
        
PrivilegeCount = 5
        
00000000 0 SeShutdownPrivilege
        
00000001 0 SeChangeNotifyPrivilege
        
00000000 0 SeUndockPrivilege
        
00000000 0 SeIncreaseWorkingSetPrivilege
        
00000000 0 SeTimeZonePrivilege


        note that before call was



        00000003 1 SeChangeNotifyPrivilege


        was mean SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED attributes and PrivilegeCheck say that privilege is enabled.



        after call was 



        00000001 0 SeChangeNotifyPrivilege


        was mean SE_PRIVILEGE_ENABLED_BY_DEFAULT attributes and PrivilegeCheck say that privilege is disabled.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 15 at 12:09









        RbMm

        16.7k11224




        16.7k11224






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53313943%2fdisabling-all-privileges-with-adjusttokenprivileges-using-disableallprivileges%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Biblatex bibliography style without URLs when DOI exists (in Overleaf with Zotero bibliography)

            Image
            2 2 I have a Zotero bibliography in Overleaf. I use biblatex . usepackage[backend=biber,citestyle=authoryear]{biblatex} addbibresource{zoteroALH.bib} Bibliography entries look like: @book{de_saint-gervais_uniformization_2016, title = {Uniformization of {Riemann} {Surfaces}}, isbn = {978-3-03719-145-3}, url = {https://www.ems-ph.org/books/book.php?proj_nr=198&srch=series%7Chem}, urldate = {2019-02-03}, author = {de Saint-Gervais, Paul Henri}, year = {2016}, doi = {10.4171/145} } In the bibliography down the paper the reference shows like this: There is the DOI, great, but also the URL which is unnecessary when the DOI is there. How can I remove the URL when the DOI is present? biblatex bibliographies overleaf zote
            Read more

            ComboBox Display Member on multiple fields

            Image
            2 I'm trying to set the .DisplayMember property of a ComboBox in C#, but I want to bind it to multiple columns in the .DataSouce . My SQL looks like this: SELECT PersNbr, PersFirstName, PersMiddleName, PersLastName FROM Pers WHERE PersNbr = :persNbr; I'm saving this query in a DataTable so each column selected has it's own column in the Datatable . I want to make the .DisplayMember a combination of PersFirstName + PersMiddleName + PersLastName so their full name appears like this: comboBox.DisplayMemeber = "PersFirstName" + "PersMiddleName" + "PersLastName" I know I can just to this on the query: SELECT PersNbr, (PersFirstName || PersMiddleName || PersLastName) PersName and then just do this: comboBox.DisplayMember = "PersName"; but I
            Read more

            Is it possible to collect Nectar points via Trainline?

            Image
            2 Since I am not eligible for any Railcard, the only available discount/bonus scheme is Nectar Card for me. GWR, SWR, LNER and Virgin Trains allow to collect Nectar points and I have already linked a card to my GWR account. A friend suggested me to use Trainline App, because it can search for bus tickets either. I had a look at the application, but could not see any option for Nectar. Is there a way to collect Nectar points when I buy tickets via Trainline? uk trains loyalty-programs trainline share | improve this question asked Dec 2 '18 at 15:50 ahmedus 3,224 5 19 49
            Read more