Disabling all privileges with AdjustTokenPrivileges using DisableAllPrivileges?
I am trying to strip a process of all privileges using AdjustTokenPrivileges by setting the parameter DisableAllPrivileges to TRUE:

    #include <Windows.h>
    #include <cwchar>

    int main()
    {
        auto process = GetCurrentProcess();
        HANDLE primary_token;
        if (OpenProcessToken(process, TOKEN_ADJUST_PRIVILEGES, &primary_token) == FALSE)
        {
            fwprintf(stderr, L"OpenProcessToken: failed");
            return 1;
        }
        if (AdjustTokenPrivileges(primary_token, TRUE, nullptr, 0, nullptr, nullptr) == FALSE)
        {
            fwprintf(stderr, L"AdjustTokenPrivileges: failed");
        }
        CloseHandle(primary_token);

        // keep the process alive so its privileges can be inspected from outside
        auto event = CreateEventW(nullptr, FALSE, FALSE, nullptr);
        WaitForSingleObject(event, INFINITE);
        return 0;
    }

It does not seem to be working when viewing the process privileges in Sysinternals Process Explorer.
I solved it by querying all privileges and changing the attribute to SE_PRIVILEGE_REMOVED, but I am not sure why setting DisableAllPrivileges to TRUE does not work.
Tags: security winapi
asked Nov 15 '18 at 6:55 by user10655827, edited Nov 15 '18 at 7:00
Because I don't see any question mark in your post ... what exactly is your question? Why did setting DisableAllPrivileges to TRUE not work? Why did your new solution work? Something else?
– quant, Nov 15 '18 at 7:13
1 Answer
"It does not seem to be working when viewing the process privileges in Sysinternals Process Explorer."

Sysinternals Process Explorer shows the wrong picture. DisableAllPrivileges works as expected: it removes the SE_PRIVILEGE_ENABLED attribute from all privileges in the token. But some privileges can also have the SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute; SeChangeNotifyPrivilege, for example, has this attribute. It remains unchanged, and that is what your image shows. But anyway, only the SE_PRIVILEGE_ENABLED attribute is used by the PrivilegeCheck or SePrivilegeCheck API, so you really have effectively disabled all privileges in your token, including SeChangeNotifyPrivilege. All calls which require a concrete privilege that does not have the SE_PRIVILEGE_ENABLED attribute in your token fail, even if the SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute exists.

Test code:

    #include <Windows.h>
    #include <malloc.h>   // alloca
    #include <stdio.h>

    // DbgPrint is exported by ntdll; the output goes to the debugger (or DebugView)
    extern "C" ULONG __cdecl DbgPrint(PCSTR Format, ...);
    #pragma comment(lib, "ntdll")

    #ifndef RtlPointerToOffset
    #define RtlPointerToOffset(B,P) ((ULONG)( ((PCHAR)(P)) - ((PCHAR)(B)) ))
    #endif

    inline ULONG BOOL_TO_ERROR(BOOL fOk)
    {
        return fOk ? NOERROR : GetLastError();
    }

    volatile UCHAR guz = 0;

    void DumpTokenPrivs(HANDLE hToken)
    {
        union {
            PVOID buf;
            PTOKEN_PRIVILEGES ptp;
        };
        // grow a stack buffer in place until GetTokenInformation is satisfied
        PVOID stack = alloca(guz);
        ULONG cb = 0, rcb = 0x40;
        ULONG dwError;
        do
        {
            if (cb < rcb)
            {
                cb = RtlPointerToOffset(buf = alloca(rcb - cb), stack);
            }
            if (NOERROR == (dwError = BOOL_TO_ERROR(
                GetTokenInformation(hToken, TokenPrivileges, buf, cb, &rcb))))
            {
                ULONG PrivilegeCount = ptp->PrivilegeCount;
                DbgPrint("PrivilegeCount = %u\n", PrivilegeCount);
                if (PrivilegeCount)
                {
                    PLUID_AND_ATTRIBUTES Privileges = ptp->Privileges;
                    do
                    {
                        WCHAR Name[64];
                        ULONG cch = RTL_NUMBER_OF(Name);
                        if (!LookupPrivilegeNameW(0, &Privileges->Luid, Name, &cch))
                        {
                            _swprintf(Name, L"%u-%u",
                                Privileges->Luid.HighPart, Privileges->Luid.LowPart);
                        }
                        // ask the system whether this privilege counts as enabled
                        BOOL fResult = FALSE;
                        PRIVILEGE_SET ps = {
                            1, PRIVILEGE_SET_ALL_NECESSARY,
                            Privileges->Luid.LowPart, Privileges->Luid.HighPart
                        };
                        if (!PrivilegeCheck(hToken, &ps, &fResult))
                        {
                            DbgPrint("PrivilegeCheck=%u\n", GetLastError());
                        }
                        DbgPrint("%08x %x %S\n", Privileges->Attributes, fResult, Name);
                    } while (Privileges++, --PrivilegeCount);
                }
            }
        } while (dwError == ERROR_INSUFFICIENT_BUFFER);
    }

    void PrivTest()
    {
        HANDLE hToken;
        if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES |
            TOKEN_QUERY, &hToken))
        {
            ULONG rcb;
            TOKEN_LINKED_TOKEN tlk;
            // switch to the linked (UAC) token when there is one
            if (GetTokenInformation(hToken, TokenLinkedToken, &tlk, sizeof(tlk), &rcb))
            {
                CloseHandle(hToken);
                hToken = tlk.LinkedToken;
            }
            DumpTokenPrivs(hToken);
            if (AdjustTokenPrivileges(hToken, TRUE, 0, 0, 0, 0) && GetLastError() == NOERROR)
            {
                DumpTokenPrivs(hToken);
            }
            CloseHandle(hToken);
        }
    }

and the output:

    PrivilegeCount = 5
    00000000 0 SeShutdownPrivilege
    00000003 1 SeChangeNotifyPrivilege
    00000000 0 SeUndockPrivilege
    00000000 0 SeIncreaseWorkingSetPrivilege
    00000000 0 SeTimeZonePrivilege
    PrivilegeCount = 5
    00000000 0 SeShutdownPrivilege
    00000001 0 SeChangeNotifyPrivilege
    00000000 0 SeUndockPrivilege
    00000000 0 SeIncreaseWorkingSetPrivilege
    00000000 0 SeTimeZonePrivilege

Note that before the call it was

    00000003 1 SeChangeNotifyPrivilege

which means the SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED attributes, and PrivilegeCheck says that the privilege is enabled. After the call it was

    00000001 0 SeChangeNotifyPrivilege

which means the SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute only, and PrivilegeCheck says that the privilege is disabled.
answered Nov 15 '18 at 12:09 by RbMm
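A combined example for the question's workaround and the answer's point, added here and not code from the question or from RbMm's answer. It has two halves: a portable model of the attribute semantics (what DisableAllPrivileges leaves behind, and what a privilege check actually tests) that builds with any compiler, and a Windows program that runs the real sequence on the current process token: dump, AdjustTokenPrivileges with DisableAllPrivileges, then remove everything with SE_PRIVILEGE_REMOVED, re-querying the token after each step instead of trusting Process Explorer. The function names (ModelDisableAll, CountEffective, Snapshot, RemoveAllPrivileges) and the sample entry list are this example's own; the sample reproduces the five privileges in the answer's output and is constructed, not read from a token.

```cpp
// Added example (not code from the question or from RbMm's answer): the portable part
// models the attribute semantics the thread is about; the _WIN32 part runs the same
// steps on the real process token and verifies them by re-querying the token.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#else
// Attribute bits as defined in winnt.h, so the model also builds off Windows.
#define SE_PRIVILEGE_ENABLED_BY_DEFAULT 0x00000001u
#define SE_PRIVILEGE_ENABLED            0x00000002u
#endif

struct PrivEntry { std::string name; std::uint32_t attributes; };

std::string DescribeAttributes(std::uint32_t a) {
    std::string s;
    if (a & SE_PRIVILEGE_ENABLED_BY_DEFAULT) s += "ENABLED_BY_DEFAULT|";
    if (a & SE_PRIVILEGE_ENABLED) s += "ENABLED|";
    if (s.empty()) return "none";
    s.pop_back();
    return s;
}

// AdjustTokenPrivileges(DisableAllPrivileges = TRUE): entries keep their slot and
// only SE_PRIVILEGE_ENABLED is cleared, so ENABLED_BY_DEFAULT survives.
std::vector<PrivEntry> ModelDisableAll(std::vector<PrivEntry> privs) {
    for (auto& p : privs) p.attributes &= ~SE_PRIVILEGE_ENABLED;
    return privs;
}

// What PrivilegeCheck / SePrivilegeCheck test: SE_PRIVILEGE_ENABLED and nothing else.
std::size_t CountEffective(const std::vector<PrivEntry>& privs) {
    return static_cast<std::size_t>(std::count_if(privs.begin(), privs.end(),
        [](const PrivEntry& p) { return (p.attributes & SE_PRIVILEGE_ENABLED) != 0; }));
}

// Constructed sample: the five entries from the answer's output, not a live token.
std::vector<PrivEntry> SampleFromAnswer() {
    return {{"SeShutdownPrivilege", 0}, {"SeChangeNotifyPrivilege", 3}, {"SeUndockPrivilege", 0},
            {"SeIncreaseWorkingSetPrivilege", 0}, {"SeTimeZonePrivilege", 0}};
}

void Print(const char* title, const std::vector<PrivEntry>& privs) {
    std::printf("%s: %zu entries, %zu effective\n", title, privs.size(), CountEffective(privs));
    for (const auto& p : privs)
        std::printf("  %08x %-26s %s\n", (unsigned)p.attributes,
                    DescribeAttributes(p.attributes).c_str(), p.name.c_str());
}

#ifdef _WIN32
// TokenPrivileges needs TOKEN_QUERY, which the question's code never requested.
static std::vector<char> ReadTokenPrivileges(HANDLE token) {
    DWORD cb = 0;
    GetTokenInformation(token, TokenPrivileges, nullptr, 0, &cb);
    std::vector<char> buf(cb);
    if (cb == 0 || !GetTokenInformation(token, TokenPrivileges, buf.data(), cb, &cb))
        buf.clear();
    return buf;
}

static std::vector<PrivEntry> Snapshot(HANDLE token) {
    std::vector<PrivEntry> out;
    auto buf = ReadTokenPrivileges(token);
    if (buf.empty()) return out;
    auto* tp = reinterpret_cast<TOKEN_PRIVILEGES*>(buf.data());
    for (DWORD i = 0; i < tp->PrivilegeCount; ++i) {
        char name[64] = "?"; DWORD cch = sizeof name;
        LookupPrivilegeNameA(nullptr, &tp->Privileges[i].Luid, name, &cch);
        out.push_back({name, tp->Privileges[i].Attributes});
    }
    return out;
}

// The questioner's workaround: every entry becomes SE_PRIVILEGE_REMOVED, which deletes
// it from the token for good (SeChangeNotifyPrivilege included, so later path opens
// become subject to traverse checking).
static bool RemoveAllPrivileges(HANDLE token) {
    auto buf = ReadTokenPrivileges(token);
    if (buf.empty()) return false;
    auto* tp = reinterpret_cast<TOKEN_PRIVILEGES*>(buf.data());
    for (DWORD i = 0; i < tp->PrivilegeCount; ++i)
        tp->Privileges[i].Attributes = SE_PRIVILEGE_REMOVED;
    return AdjustTokenPrivileges(token, FALSE, tp, 0, nullptr, nullptr) &&
           GetLastError() == ERROR_SUCCESS;   // TRUE + ERROR_NOT_ALL_ASSIGNED = partial
}

int main() {
    HANDLE token;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token)) return 1;
    Print("initial", Snapshot(token));
    if (AdjustTokenPrivileges(token, TRUE, nullptr, 0, nullptr, nullptr))
        Print("after DisableAllPrivileges", Snapshot(token));
    if (RemoveAllPrivileges(token))
        Print("after SE_PRIVILEGE_REMOVED", Snapshot(token));
    CloseHandle(token);
    return 0;
}
#endif
```

Two things the question's code could not tell you are covered here: the token was opened with TOKEN_ADJUST_PRIVILEGES only, so it could not be read back (GetTokenInformation for TokenPrivileges needs TOKEN_QUERY), and a TRUE return from AdjustTokenPrivileges is not enough on its own, because a partial adjustment also returns TRUE and sets ERROR_NOT_ALL_ASSIGNED. On the irreversibility: a privilege marked SE_PRIVILEGE_REMOVED is gone from that token, and once SeChangeNotifyPrivilege is gone every later path open is access-checked per directory, which is slower and fails wherever a directory ACL denies traversal. Disabling keeps the entries (the ENABLED_BY_DEFAULT bit Process Explorer still displays) but, as the answer shows, nothing that checks for the privilege will honour them.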