Disabling all privileges with AdjustTokenPrivileges using DisableAllPrivileges?
I am trying to strip a process of all privileges using AdjustTokenPrivileges by setting the parameter DisableAllPrivileges to TRUE:



    #include <Windows.h>
    #include <cstdio>
    #include <cwchar>

    int main()
    {
        auto process = GetCurrentProcess();
        HANDLE primary_token = nullptr;

        // TOKEN_ADJUST_PRIVILEGES is all that is needed to disable privileges.
        if (OpenProcessToken(process, TOKEN_ADJUST_PRIVILEGES, &primary_token) == FALSE)
        {
            fwprintf(stderr, L"OpenProcessToken: failed (%lu)\n", GetLastError());
            return 1;
        }

        // DisableAllPrivileges = TRUE: the remaining parameters are ignored.
        if (AdjustTokenPrivileges(primary_token, TRUE, nullptr, 0, nullptr, nullptr) == FALSE)
        {
            fwprintf(stderr, L"AdjustTokenPrivileges: failed (%lu)\n", GetLastError());
            return 1;
        }

        CloseHandle(primary_token);

        // Block forever so the process stays alive while its token is inspected.
        auto event = CreateEventW(nullptr, FALSE, FALSE, nullptr);
        WaitForSingleObject(event, INFINITE);
    }


It does not seem to be working when viewing the process privileges in Sysinternals Process Explorer.

I solved it by querying all privileges and changing their attribute to SE_PRIVILEGE_REMOVED, but I am not sure why setting DisableAllPrivileges to TRUE does not work.
  • Because I don't see any question mark in your post ... what exactly is your question? Why does setting DisableAllPrivileges to TRUE not work? Why does your new solution work? Something else?
    – quant
    Nov 15 at 7:13
security winapi

edited Nov 15 at 7:00
asked Nov 15 at 6:55
user10655827
1 Answer
accepted
"It does not seem to be working when viewing the process privileges in Sysinternals Process Explorer."




Sysinternals Process Explorer shows the wrong picture. DisableAllPrivileges works as expected: it removes the SE_PRIVILEGE_ENABLED attribute from all privileges in the token. But some privileges can also have the SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute; SeChangeNotifyPrivilege, for example, has this attribute. It remains unchanged, which is what your image shows. But anyway, only the SE_PRIVILEGE_ENABLED attribute is used by the PrivilegeCheck or SePrivilegeCheck API, so you really do effectively disable all privileges in your token, including SeChangeNotifyPrivilege. All calls which require a concrete privilege that does not have the SE_PRIVILEGE_ENABLED attribute in your token fail, even if the SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute exists.



Test code:



    #include <windows.h>
    #include <malloc.h>   // alloca
    #include <stdio.h>

    // DbgPrint is exported by ntdll.dll (link ntdll.lib); output goes to the debugger.
    extern "C" ULONG __cdecl DbgPrint(PCSTR Format, ...);

    #ifndef RtlPointerToOffset
    #define RtlPointerToOffset(B,P) ((ULONG)( ((PCHAR)(P)) - ((PCHAR)(B)) ))
    #endif

    inline ULONG BOOL_TO_ERROR(BOOL fOk)
    {
        return fOk ? NOERROR : GetLastError();
    }

    // alloca(0) yields the current stack pointer; it is used below to measure
    // how much stack the grow-on-demand loop has already claimed.
    volatile UCHAR guz = 0;

    void DumpTokenPrivs(HANDLE hToken)
    {
        union {
            PVOID buf;
            PTOKEN_PRIVILEGES ptp;
        };

        PVOID stack = alloca(guz);

        ULONG cb = 0, rcb = 0x40;

        ULONG dwError;
        do
        {
            // Grow the stack buffer until GetTokenInformation is satisfied.
            if (cb < rcb)
            {
                cb = RtlPointerToOffset(buf = alloca(rcb - cb), stack);
            }

            if (NOERROR == (dwError = BOOL_TO_ERROR(
                GetTokenInformation(hToken, TokenPrivileges, buf, cb, &rcb))))
            {
                ULONG PrivilegeCount = ptp->PrivilegeCount;

                DbgPrint("PrivilegeCount = %u\n", PrivilegeCount);
                if (PrivilegeCount)
                {
                    PLUID_AND_ATTRIBUTES Privileges = ptp->Privileges;
                    do
                    {
                        WCHAR Name[64];
                        ULONG cch = RTL_NUMBER_OF(Name);
                        if (!LookupPrivilegeNameW(0, &Privileges->Luid, Name, &cch))
                        {
                            _swprintf(Name, L"{%u-%u}",
                                Privileges->Luid.HighPart, Privileges->Luid.LowPart);
                        }

                        // Ask the kernel whether this one privilege counts as enabled.
                        BOOL fResult = FALSE;
                        PRIVILEGE_SET ps = {
                            1, PRIVILEGE_SET_ALL_NECESSARY, {
                                { Privileges->Luid.LowPart, Privileges->Luid.HighPart }
                            }
                        };

                        if (!PrivilegeCheck(hToken, &ps, &fResult))
                        {
                            DbgPrint("PrivilegeCheck=%u\n", GetLastError());
                        }

                        // attributes, PrivilegeCheck result, privilege name
                        DbgPrint("%08x %x %S\n", Privileges->Attributes, fResult, Name);

                    } while (Privileges++, --PrivilegeCount);
                }
            }

        } while (dwError == ERROR_INSUFFICIENT_BUFFER);
    }

    void PrivTest()
    {
        HANDLE hToken;

        if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken))
        {
            // Switch to the linked token of a UAC-split logon session.
            ULONG rcb;
            TOKEN_LINKED_TOKEN tlk;
            if (!GetTokenInformation(hToken, TokenLinkedToken, &tlk, sizeof(tlk), &rcb))
            {
                DbgPrint("TokenLinkedToken=%u\n", GetLastError());
                CloseHandle(hToken);
                return;
            }
            CloseHandle(hToken);
            hToken = tlk.LinkedToken;

            DumpTokenPrivs(hToken);

            // DisableAllPrivileges = TRUE. GetLastError() is checked as well,
            // because the call can return TRUE with ERROR_NOT_ALL_ASSIGNED.
            if (AdjustTokenPrivileges(hToken, TRUE, 0, 0, 0, 0) && GetLastError() == NOERROR)
            {
                DumpTokenPrivs(hToken);
            }

            CloseHandle(hToken);
        }
    }


and output:



PrivilegeCount = 5
00000000 0 SeShutdownPrivilege
00000003 1 SeChangeNotifyPrivilege
00000000 0 SeUndockPrivilege
00000000 0 SeIncreaseWorkingSetPrivilege
00000000 0 SeTimeZonePrivilege
PrivilegeCount = 5
00000000 0 SeShutdownPrivilege
00000001 0 SeChangeNotifyPrivilege
00000000 0 SeUndockPrivilege
00000000 0 SeIncreaseWorkingSetPrivilege
00000000 0 SeTimeZonePrivilege


Note that before the call it was

00000003 1 SeChangeNotifyPrivilege

which means the SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED attributes, and PrivilegeCheck says that the privilege is enabled.

After the call it was

00000001 0 SeChangeNotifyPrivilege

which means only the SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute, and PrivilegeCheck says that the privilege is disabled.






        answered Nov 15 at 12:09









        RbMm
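To make the attribute arithmetic in the answer (and the asker's SE_PRIVILEGE_REMOVED workaround) concrete, here is an added example; it is not code from the question or the answer. It is a portable C model of the token-privilege semantics described above, not a call into the Windows API: the attribute constants are the values winnt.h defines, the sample token is constructed from the answer's first output block, and the function names (`disable_all_privileges`, `remove_all_privileges`, `enable_privilege`, `privilege_check`, `describe_attributes`) are chosen here. It shows why Process Explorer still lists SeChangeNotifyPrivilege after DisableAllPrivileges (the entry stays, only the ENABLED bit is cleared), why PrivilegeCheck nevertheless reports it disabled, and the difference that matters for a least-privilege design: a privilege that is merely disabled can be re-enabled by the same process later, whereas one adjusted with SE_PRIVILEGE_REMOVED is gone from the token for good.

```c
/* Added example (not the question's or the answer's code): a portable model
 * of Windows token-privilege attributes. Constants are the winnt.h values;
 * the token contents are constructed from the answer's "before" output.
 * No Windows API is called, so this builds with any C compiler. */
#include <stdio.h>
#include <string.h>

#define SE_PRIVILEGE_ENABLED_BY_DEFAULT 0x00000001u
#define SE_PRIVILEGE_ENABLED            0x00000002u
#define SE_PRIVILEGE_REMOVED            0x00000004u
#define SE_PRIVILEGE_USED_FOR_ACCESS    0x80000000u

typedef struct { const char *name; unsigned attributes; } Priv;
typedef struct { Priv privs[16]; size_t count; } Token;

/* Constructed token: the five privileges and attribute words of the answer's
 * first DumpTokenPrivs output (only SeChangeNotifyPrivilege is 0x3). */
Token sample_token(void)
{
    Token t = { {
        { "SeShutdownPrivilege",           0x00000000u },
        { "SeChangeNotifyPrivilege",       0x00000003u },
        { "SeUndockPrivilege",             0x00000000u },
        { "SeIncreaseWorkingSetPrivilege", 0x00000000u },
        { "SeTimeZonePrivilege",           0x00000000u },
    }, 5 };
    return t;
}

Priv *find_privilege(Token *t, const char *name)
{
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->privs[i].name, name) == 0) return &t->privs[i];
    return NULL;
}

/* What the answer says PrivilegeCheck looks at: only SE_PRIVILEGE_ENABLED.
 * ENABLED_BY_DEFAULT alone does not count, and an absent privilege fails. */
int privilege_check(Token *t, const char *name)
{
    Priv *p = find_privilege(t, name);
    return p != NULL && (p->attributes & SE_PRIVILEGE_ENABLED) != 0;
}

/* Model of AdjustTokenPrivileges(hToken, TRUE, ...): clear the ENABLED bit on
 * every entry but leave the entries (and ENABLED_BY_DEFAULT) in place. This is
 * why Process Explorer still shows SeChangeNotifyPrivilege afterwards. */
void disable_all_privileges(Token *t)
{
    for (size_t i = 0; i < t->count; i++)
        t->privs[i].attributes &= ~SE_PRIVILEGE_ENABLED;
}

/* Model of the asker's workaround: adjusting every privilege with
 * SE_PRIVILEGE_REMOVED deletes it from the token outright. */
void remove_all_privileges(Token *t)
{
    t->count = 0;
}

/* The caveat for least privilege: a disabled privilege can be switched back
 * on by the process, a removed one cannot. Returns 1 on success, 0 if the
 * privilege is no longer in the token. */
int enable_privilege(Token *t, const char *name)
{
    Priv *p = find_privilege(t, name);
    if (p == NULL) return 0;
    p->attributes |= SE_PRIVILEGE_ENABLED;
    return 1;
}

/* Decode an attribute word such as the 00000003 / 00000001 in the answer's
 * output into flag names; writes into out and returns it. */
const char *describe_attributes(unsigned attr, char *out, size_t cap)
{
    static const struct { unsigned bit; const char *name; } flags[] = {
        { SE_PRIVILEGE_ENABLED_BY_DEFAULT, "ENABLED_BY_DEFAULT" },
        { SE_PRIVILEGE_ENABLED,            "ENABLED" },
        { SE_PRIVILEGE_REMOVED,            "REMOVED" },
        { SE_PRIVILEGE_USED_FOR_ACCESS,    "USED_FOR_ACCESS" },
    };
    out[0] = '\0';
    for (size_t i = 0; i < sizeof flags / sizeof flags[0]; i++) {
        if (!(attr & flags[i].bit)) continue;
        if (out[0] != '\0') strncat(out, "|", cap - strlen(out) - 1);
        strncat(out, flags[i].name, cap - strlen(out) - 1);
    }
    if (out[0] == '\0') strncat(out, "(none)", cap - 1);
    return out;
}

/* Same "attributes result name" layout as the answer's DumpTokenPrivs. */
static void dump(const char *title, Token *t)
{
    char buf[80];
    printf("%s: PrivilegeCount = %zu\n", title, t->count);
    for (size_t i = 0; i < t->count; i++)
        printf("%08x %d %s (%s)\n", t->privs[i].attributes,
               privilege_check(t, t->privs[i].name), t->privs[i].name,
               describe_attributes(t->privs[i].attributes, buf, sizeof buf));
}

int main(void)
{
    Token t = sample_token();
    dump("initial", &t);
    disable_all_privileges(&t);
    dump("after DisableAllPrivileges", &t);
    printf("re-enable after disable: %d\n", enable_privilege(&t, "SeChangeNotifyPrivilege"));
    remove_all_privileges(&t);
    dump("after SE_PRIVILEGE_REMOVED", &t);
    printf("re-enable after remove: %d\n", enable_privilege(&t, "SeChangeNotifyPrivilege"));
    return 0;
}
```

The printed lines keep the answer's `attributes result name` column order, so the model's output can be read against the real DumpTokenPrivs output line by line; the decoded flag names in parentheses are what the answer works out by hand for 0x3 and 0x1.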
