I'm running a process as a user in the Administrators group, trying to get a process token for another process. The other process is run by a user not in the Administrators group. Here's the gist of the code I'm using. pid in this code represents the process id of the non-admin process. All of this is on Windows XP SP 2 and all on the same machine. No remote access going on here.
#include <windows.h>

HANDLE handle;
HANDLE token = NULL;
/* pid: process id of the non-admin process */
handle = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
if (handle == NULL) { /* GetLastError() says why OpenProcess failed */ }
if (!OpenProcessToken(handle, TOKEN_DUPLICATE, &token)) {
    DWORD err = GetLastError(); /* ERROR_ACCESS_DENIED in the case described below */
}
Reference for OpenProcess here: http://msdn.microsoft.com/en-us/library/ms684320%28VS.85%29.aspx
Reference for OpenProcessToken here: http://msdn.microsoft.com/en-us/library/aa379295%28VS.85%29.aspx
OpenProcess succeeds, but no matter what I pass for the DesiredAccess argument to OpenProcessToken, it fails and GetLastError() returns ERROR_ACCESS_DENIED. I added some code to understand the privileges of the process running this code and to enable as many as possible, as well as to gather information about the process I'm trying to get a token for. That involved requesting more access (READ_CONTROL | ACCESS_SYSTEM_SECURITY in addition to PROCESS_QUERY_INFORMATION) from OpenProcess and calling GetKernelObjectSecurity(handle). Here's what I've got:
current user: PLEASE_T\dbyron (S-1-5-21-3405506234-1792454352-3826119157-1005)
current process: group 0: flags: 0x00000007 sid: S-1-5-21-3405506234-1792454352-3826119157-513 (PLEASE_T\None)
current process: group 1: flags: 0x00000007 sid: S-1-1-0 (\Everyone)
current process: group 2: flags: 0x0000000F sid: S-1-5-32-544 (BUILTIN\Administrators)
current process: group 3: flags: 0x00000007 sid: S-1-5-32-545 (BUILTIN\Users)
current process: group 4: flags: 0x00000007 sid: S-1-5-4 (NT AUTHORITY\INTERACTIVE)
current process: group 5: flags: 0x00000007 sid: S-1-5-11 (NT AUTHORITY\Authenticated Users)
current process: group 6: flags: 0xC0000007 sid: S-1-5-5-0-91553 (no account mapping)
current process: group 7: flags: 0x00000007 sid: S-1-2-0 (\LOCAL)
SeDebugPrivilege privilege enabled
SeTakeOwnershipPrivilege privilege enabled
SeSecurityPrivilege privilege enabled
SeChangeNotifyPrivilege privilege enabled
SeBackupPrivilege privilege enabled
SeRestorePrivilege privilege enabled
SeSystemtimePrivilege privilege enabled
SeShutdownPrivilege privilege enabled
SeRemoteShutdownPrivilege privilege enabled
SeDebugPrivilege privilege enabled
SeSystemEnvironmentPrivilege privilege enabled
SeSystemProfilePrivilege privilege enabled
SeProfileSingleProcessPrivilege privilege enabled
SeIncreaseBasePriorityPrivilege privilege enabled
SeLoadDriverPrivilege privilege enabled
SeCreatePagefilePrivilege privilege enabled
SeIncreaseQuotaPrivilege privilege enabled
SeUndockPrivilege privilege enabled
SeManageVolumePrivilege privilege enabled
SeImpersonatePrivilege privilege enabled
SeCreateGlobalPrivilege privilege enabled
I've tried to get every privilege possible, and I think the group information above shows that the process calling OpenProcessToken is a member of the Administrators group.
Here's the information from GetKernelObjectSecurity:
control(SE_DACL_PRESENT | SE_SELF_RELATIVE, 0x00008004)
owner sid: S-1-5-21-3405506234-1792454352-3826119157-2807 (PLEASE_T\dummyusr)
group sid: S-1-5-21-3405506234-1792454352-3826119157-513 (PLEASE_T\None)
grant: mask(PROCESS_ALL_ACCESS, 0x001F0FFF), flags(0x00000000): S-1-5-21-3405506234-1792454352-3826119157-2807 (PLEASE_T\dummyusr)
grant: mask(PROCESS_ALL_ACCESS, 0x001F0FFF), flags(0x00000000): S-1-5-32-544 (BUILTIN\Administrators)
grant: mask(PROCESS_ALL_ACCESS, 0x001F0FFF), flags(0x00000000): S-1-5-18 (NT AUTHORITY\SYSTEM)
So it appears that the dummyusr (non-admin) process allows access to the Administrators group. It's possible I'm misinterpreting the
So why does OpenProcessToken fail with ERROR_ACCESS_DENIED? I've tried changing TOKEN_DUPLICATE to TOKEN_QUERY but that doesn't change the result.
Am I missing a privilege? What else would deny me access to an access token for this process? I've tried this on a machine with no anti virus software and still I get the same result.
I also tried this running in system context. The info about the current process in that case is:
current user: NT AUTHORITY\SYSTEM (S-1-5-18)
current process: group 0: flags: 0x0000000E sid: S-1-5-32-544 (BUILTIN\Administrators)
current process: group 1: flags: 0x00000007 sid: S-1-1-0 (\Everyone)
current process: group 2: flags: 0x00000007 sid: S-1-5-11 (NT AUTHORITY\Authenticated Users)
Note that the flags are slightly different for the BUILTIN\Administrators group. The administrator process had 0xF and the system process had 0xE. From http://msdn.microsoft.com/en-us/library/aa379624%28VS.85%29.aspx, the 0x1 bit means SE_GROUP_MANDATORY which doesn't seem relevant here.
By default the system context process also had some additional privileges:
SeAuditPrivilege
SeCreatePermanentPrivilege
SeLockMemoryPrivilege
SeTcbPrivilege
But I disabled them all and OpenProcessToken still succeeded in the system context process.
Thanks for your help.
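The same probe as the post's, as an added example that is not the original poster's code: a PowerShell script with a small P/Invoke shim that repeats the OpenProcess/OpenProcessToken sequence against a target pid, adds a MAXIMUM_ALLOWED request, and dumps the security descriptor of the token object itself next to that of the process object. An access token is a securable kernel object with its own owner and DACL, and OpenProcessToken's access check is made against that descriptor, whereas the GetKernelObjectSecurity(handle) output in the post describes the process object's DACL. Assumptions: PowerShell 2.0 or later (for Add-Type), run from an administrator process that already holds SeDebugPrivilege enabled as in the post; $TargetPid, the TokenProbe class and the Get-/Show-/Resolve- helper names are this example's own.

```powershell
# Added example, not the original poster's code. Repeats the post's
# OpenProcess/OpenProcessToken sequence against a target pid, then dumps the
# security descriptor of the TOKEN object beside that of the PROCESS object.
# Assumes: run from an administrator process that already holds
# SeDebugPrivilege enabled (as in the post); $TargetPid is the non-admin
# process id; TokenProbe and the Get-/Show-/Resolve- helpers are this
# example's own names.
param([Parameter(Mandatory=$true)][int]$TargetPid)

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenProbe {
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);
    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern bool OpenProcessToken(IntPtr process, uint desiredAccess, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern bool GetKernelObjectSecurity(IntPtr handle, uint securityInfo,
        byte[] descriptor, uint length, out uint lengthNeeded);
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@

$PROCESS_QUERY_INFORMATION = 0x0400
$READ_CONTROL              = 0x00020000
$TOKEN_DUPLICATE           = 0x0002
$TOKEN_QUERY               = 0x0008
$MAXIMUM_ALLOWED           = 0x02000000
$OWNER_GROUP_DACL_INFO     = 0x1 -bor 0x2 -bor 0x4   # OWNER | GROUP | DACL_SECURITY_INFORMATION

function Get-LastWin32Message {
    # SetLastError=true makes the marshaller save GetLastError() right after the
    # native call, so this is still valid after intervening PowerShell statements.
    $code = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    "error $code ($((New-Object System.ComponentModel.Win32Exception($code)).Message))"
}

function Resolve-Sid($sid) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { "no account mapping" }
}

function Get-ObjectSecurity([IntPtr]$handle) {
    # Two-call pattern: the first call only reports the size of the self-relative descriptor.
    $needed = [uint32]0
    [void][TokenProbe]::GetKernelObjectSecurity($handle, $OWNER_GROUP_DACL_INFO, $null, 0, [ref]$needed)
    $buf = New-Object byte[] $needed
    if (-not [TokenProbe]::GetKernelObjectSecurity($handle, $OWNER_GROUP_DACL_INFO, $buf, $needed, [ref]$needed)) {
        throw "GetKernelObjectSecurity failed: $(Get-LastWin32Message)"
    }
    # .NET parses the self-relative SECURITY_DESCRIPTOR for us.
    New-Object System.Security.AccessControl.RawSecurityDescriptor($buf, 0)
}

function Show-Descriptor($label, $sd) {
    "$label owner: $($sd.Owner) ($(Resolve-Sid $sd.Owner)), group: $($sd.Group)"
    if ($null -eq $sd.DiscretionaryAcl) { "  no DACL present: everyone gets full access"; return }
    foreach ($ace in $sd.DiscretionaryAcl) {
        "  {0,-13} mask 0x{1:X8} {2} ({3})" -f $ace.AceType, $ace.AccessMask, $ace.SecurityIdentifier, (Resolve-Sid $ace.SecurityIdentifier)
    }
}

$process = [TokenProbe]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $READ_CONTROL, $false, [uint32]$TargetPid)
if ($process -eq [IntPtr]::Zero) { throw "OpenProcess failed: $(Get-LastWin32Message)" }

# This is the DACL the post's dump shows. SeDebugPrivilege lets OpenProcess succeed
# even when this DACL would deny the caller; it says nothing about the token object.
Show-Descriptor "process object" (Get-ObjectSecurity $process)

# Same requests as the post, plus MAXIMUM_ALLOWED, which returns a handle carrying
# whatever the token's DACL grants this caller. If even that is denied, the token's
# DACL grants this process's SIDs nothing at all.
foreach ($access in @($TOKEN_DUPLICATE, $TOKEN_QUERY, $MAXIMUM_ALLOWED)) {
    $h = [IntPtr]::Zero
    if ([TokenProbe]::OpenProcessToken($process, $access, [ref]$h)) {
        "OpenProcessToken(0x{0:X8}) succeeded" -f $access
        [void][TokenProbe]::CloseHandle($h)
    } else {
        "OpenProcessToken(0x{0:X8}) failed: {1}" -f $access, (Get-LastWin32Message)
    }
}

# The token is its own securable object: reading its descriptor needs READ_CONTROL
# on the TOKEN handle, which an ACE or the owner's implicit rights must grant.
$tokenHandle = [IntPtr]::Zero
if ([TokenProbe]::OpenProcessToken($process, $READ_CONTROL, [ref]$tokenHandle)) {
    Show-Descriptor "token object" (Get-ObjectSecurity $tokenHandle)
    [void][TokenProbe]::CloseHandle($tokenHandle)
} else {
    "cannot read the token's own descriptor: $(Get-LastWin32Message)"
}
[void][TokenProbe]::CloseHandle($process)
```

Run it as `.\tokenprobe.ps1 -TargetPid <pid>` from the administrator process. The useful comparison is the two "owner:" lines and the two ACE lists: the post's dump already shows Administrators with PROCESS_ALL_ACCESS on the process object, so the question is what the token object's owner and DACL say about the caller's SIDs, and whether even a MAXIMUM_ALLOWED open of the token is refused.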
Instead of going into details head first, have you gone down the route of elimination? -- run the process as LOCAL_SYSTEM and see if that does the trick. After all if God can't do it then no one can :P.