About the MSDN code example, "Enabling and Disabling Privileges"

The MSDN article "Enabling and Disabling Privileges in C++" provides a code example showing how to enable or disable a privilege in an access token.

I quote the part in question:

// tp is the TOKEN_PRIVILEGES structure and luid the LUID of the privilege
// being adjusted; both are set up earlier in the MSDN example
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;  // set the ENABLED bit
else
    tp.Privileges[0].Attributes = 0;                     // no attribute bits set

What is the meaning of the zero value for the Attributes member?

According to the documentation of TOKEN_PRIVILEGES structure, the attributes of a privilege can be a combination of the following values:

  • SE_PRIVILEGE_ENABLED  (it is 0x00000002L in WinNT.h)
  • SE_PRIVILEGE_ENABLED_BY_DEFAULT  (it is 0x00000001L in WinNT.h)
  • SE_PRIVILEGE_REMOVED  (it is 0x00000004L in WinNT.h)
  • SE_PRIVILEGE_USED_FOR_ACCESS  (it is 0x80000000L in WinNT.h)

So we don't see any valid constant with a value of zero. I guess the zero is equal to SE_PRIVILEGE_REMOVED.

Also, if the zero means disabling all privileges, I doubt it, because disabling all privileges can be done simply by setting the DisableAllPrivileges parameter of AdjustTokenPrivileges() to TRUE.

Could anybody here explain what the zero value really does?

Astaroth asked May 09 '26 13:05


2 Answers

There's a difference between disabling a privilege, which allows you to enable it again later, and removing a privilege from the token. Removing the privilege means that it cannot be later re-enabled.

Passing zero means that the SE_PRIVILEGE_ENABLED bit is not set, therefore that privilege is disabled.

Tokens contain a number of privileges when they're created. The SeChangeNotifyPrivilege, known as 'Bypass traverse checking' in the User Rights Assignment section of Local Security Policy/Group Policy, is always enabled by default, and shouldn't ever be disabled (see KB823659 for details). Therefore the DisableAllPrivileges parameter isn't actually useful.

User Account Control (Windows Vista and later) takes the raw logon token, clones it, and uses the SE_PRIVILEGE_REMOVED flag to create the 'filtered token' that is used to start the shell. The raw token is then hidden away so that the 'Run as Administrator' feature can use it to start programs.

You can see the privileges enabled in the process token using Sysinternals Process Explorer.

Mike Dimmick answered May 11 '26 02:05
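
To make the disable-versus-remove distinction in this answer concrete, here is an added model (not Microsoft's code and not code from the page) of how AdjustTokenPrivileges() treats Attributes == 0 versus SE_PRIVILEGE_REMOVED, written in portable C with the real WinNT.h bit values. ModelToken, model_adjust_privilege and model_privilege_state are hypothetical names, and LUIDs are plain integers constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Attribute bits exactly as defined in WinNT.h (values quoted in the question). */
#define SE_PRIVILEGE_ENABLED_BY_DEFAULT 0x00000001UL
#define SE_PRIVILEGE_ENABLED            0x00000002UL
#define SE_PRIVILEGE_REMOVED            0x00000004UL

#define MODEL_MAX_PRIVS 8

/* Hypothetical model of a token's privilege array: the LUID is a plain
   integer here, and the attribute word follows the real bit layout. */
typedef struct { uint32_t luid; uint32_t attributes; } ModelPrivilege;
typedef struct { ModelPrivilege privs[MODEL_MAX_PRIVS]; int count; } ModelToken;

/* Model of AdjustTokenPrivileges() for one privilege. Returns 1 on success,
   0 if the token does not hold the privilege (the real API reports that
   case as ERROR_NOT_ALL_ASSIGNED). Only ENABLED and REMOVED are honoured;
   ENABLED_BY_DEFAULT is a creation-time flag and is preserved as-is. */
int model_adjust_privilege(ModelToken *tok, uint32_t luid, uint32_t new_attr)
{
    for (int i = 0; i < tok->count; i++) {
        if (tok->privs[i].luid != luid)
            continue;
        if (new_attr & SE_PRIVILEGE_REMOVED) {
            /* Removal drops the entry: it can never be enabled again. */
            memmove(&tok->privs[i], &tok->privs[i + 1],
                    (size_t)(tok->count - i - 1) * sizeof(ModelPrivilege));
            tok->count--;
        } else {
            /* Attributes == 0 just clears the ENABLED bit; the privilege
               stays in the token and can be re-enabled later. */
            tok->privs[i].attributes &= ~SE_PRIVILEGE_ENABLED;
            tok->privs[i].attributes |= new_attr & SE_PRIVILEGE_ENABLED;
        }
        return 1;
    }
    return 0;
}

/* Current attribute word for a LUID, or -1 if the token no longer holds it. */
int64_t model_privilege_state(const ModelToken *tok, uint32_t luid)
{
    for (int i = 0; i < tok->count; i++)
        if (tok->privs[i].luid == luid)
            return (int64_t)tok->privs[i].attributes;
    return -1;
}
```

Disabling with zero leaves the entry in place (only the ENABLED bit changes), so a later enable succeeds; removing deletes the entry, so a later enable is refused.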


If SE_PRIVILEGE_REMOVED were equivalent to zero, it would be defined as such. Given the definitions that are there, I would suggest that a zero value means no privileges have ever been enabled or subsequently used/removed: there are, and never have been, any token privileges.

Matt Lacey answered May 11 '26 01:05
