Disabling all privileges with AdjustTokenPrivileges using DisableAllPrivileges?
I am trying to strip a process of all privileges using AdjustTokenPrivileges by setting the parameter DisableAllPrivileges to TRUE:



#include <Windows.h>
#include <cwchar>

int main()
{
    auto process = GetCurrentProcess();
    HANDLE primary_token;

    if (OpenProcessToken(process, TOKEN_ADJUST_PRIVILEGES, &primary_token) == FALSE)
    {
        fwprintf(stderr, L"OpenProcessToken: failed");
        return 1;
    }

    // DisableAllPrivileges = TRUE: the NewState/BufferLength/PreviousState/ReturnLength
    // parameters are ignored and every privilege in the token is disabled.
    if (AdjustTokenPrivileges(primary_token, TRUE, nullptr, 0, nullptr, nullptr) == FALSE)
    {
        fwprintf(stderr, L"AdjustTokenPrivileges: failed");
    }

    CloseHandle(primary_token);

    // Block forever on an event that is never signalled, so the process stays
    // alive and its token can be inspected in Process Explorer.
    auto event = CreateEventW(nullptr, FALSE, FALSE, nullptr);
    WaitForSingleObject(event, INFINITE);
    return 0;
}



It does not seem to be working when viewing the process privileges in Sysinternals Process Explorer.



I solved it by querying all privileges and changing the attribute to SE_PRIVILEGE_REMOVED, but I am not sure why setting DisableAllPrivileges to TRUE does not work.
  • Because I don't see any question mark in your post ... what exactly is your question? Why setting DisableAllPrivileges to TRUE did not work? Why your new solution worked? Something else?

    – quant
    Nov 15 '18 at 7:13
security winapi
edited Nov 15 '18 at 7:00
user10655827
asked Nov 15 '18 at 6:55
user10655827
1 Answer
It does not seem to working when viewing the process privileges in
Sysinternals Process Explorer.




Sysinternals Process Explorer shows a wrong image. DisableAllPrivileges works as expected: it removes the SE_PRIVILEGE_ENABLED attribute from all privileges in the token. But some privileges can also have the SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute; SeChangeNotifyPrivilege, for example, has this attribute. It remains unchanged, which is what your image shows. But anyway, only the SE_PRIVILEGE_ENABLED attribute is used by the PrivilegeCheck or SePrivilegeCheck API. So you really do effectively disable all privileges in your token, including SeChangeNotifyPrivilege. All calls which require a concrete privilege that does not have the SE_PRIVILEGE_ENABLED attribute in your token fail, even if the SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute exists.



test code:



#include <Windows.h>
#include <malloc.h>   // alloca
#include <stdio.h>    // _swprintf

// DbgPrint is exported by ntdll but only declared in the driver-kit headers,
// so declare it here and link against ntdll.lib (output is visible in a debugger / DebugView).
#pragma comment(lib, "ntdll.lib")
extern "C" ULONG __cdecl DbgPrint(PCSTR Format, ...);

#ifndef RtlPointerToOffset
#define RtlPointerToOffset(B,P) ((ULONG)( ((PCHAR)(P)) - ((PCHAR)(B)) ))
#endif

inline ULONG BOOL_TO_ERROR(BOOL fOk)
{
    return fOk ? NOERROR : GetLastError();
}

// alloca(guz) is alloca(0): it yields the current stack pointer, and the volatile
// keeps the optimizer from folding the call away.
volatile UCHAR guz = 0;

void DumpTokenPrivs(HANDLE hToken)
{
    union {
        PVOID buf;
        PTOKEN_PRIVILEGES ptp;
    };

    PVOID stack = alloca(guz);

    ULONG cb = 0, rcb = 0x40;

    ULONG dwError;
    do
    {
        // Grow the stack buffer until GetTokenInformation stops reporting ERROR_INSUFFICIENT_BUFFER.
        if (cb < rcb)
        {
            cb = RtlPointerToOffset(buf = alloca(rcb - cb), stack);
        }

        if (NOERROR == (dwError = BOOL_TO_ERROR(
            GetTokenInformation(hToken, TokenPrivileges, buf, cb, &rcb))))
        {
            ULONG PrivilegeCount = ptp->PrivilegeCount;

            DbgPrint("PrivilegeCount = %u\n", PrivilegeCount);
            if (PrivilegeCount)
            {
                PLUID_AND_ATTRIBUTES Privileges = ptp->Privileges;
                do
                {
                    WCHAR Name[64];
                    ULONG cch = RTL_NUMBER_OF(Name);
                    if (!LookupPrivilegeNameW(0, &Privileges->Luid, Name, &cch))
                    {
                        _swprintf(Name, L"%u-%u",
                            Privileges->Luid.HighPart, Privileges->Luid.LowPart);
                    }

                    // Ask the system whether this one privilege counts as enabled.
                    BOOL fResult = FALSE;
                    PRIVILEGE_SET ps = {
                        1, PRIVILEGE_SET_ALL_NECESSARY,
                        { { { Privileges->Luid.LowPart, Privileges->Luid.HighPart }, 0 } }
                    };

                    if (!PrivilegeCheck(hToken, &ps, &fResult))
                    {
                        DbgPrint("PrivilegeCheck=%u\n", GetLastError());
                    }

                    // columns: raw attributes, PrivilegeCheck result, privilege name
                    DbgPrint("%08x %x %S\n", Privileges->Attributes, fResult, Name);

                } while (Privileges++, --PrivilegeCount);
            }
        }
    } while (dwError == ERROR_INSUFFICIENT_BUFFER);
}

void PrivTest()
{
    HANDLE hToken;
    // The first line of this function was cut off in the post; only the fragment
    // "TOKEN_QUERY, &hToken))" survived, so the call is reconstructed here with the
    // minimal access rights the rest of the function needs.
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        ULONG rcb;
        TOKEN_LINKED_TOKEN tlk;
        // Switch to the linked (UAC) token when there is one; otherwise keep the token we opened.
        if (GetTokenInformation(hToken, TokenLinkedToken, &tlk, sizeof(tlk), &rcb))
        {
            CloseHandle(hToken);
            hToken = tlk.LinkedToken;
        }

        DumpTokenPrivs(hToken);

        // DisableAllPrivileges = TRUE. The call can return TRUE and still set
        // ERROR_NOT_ALL_ASSIGNED, so a clean NOERROR is checked explicitly.
        if (AdjustTokenPrivileges(hToken, TRUE, 0, 0, 0, 0) && GetLastError() == NOERROR)
        {
            DumpTokenPrivs(hToken);
        }

        CloseHandle(hToken);
    }
}



and output:



PrivilegeCount = 5
00000000 0 SeShutdownPrivilege
00000003 1 SeChangeNotifyPrivilege
00000000 0 SeUndockPrivilege
00000000 0 SeIncreaseWorkingSetPrivilege
00000000 0 SeTimeZonePrivilege
PrivilegeCount = 5
00000000 0 SeShutdownPrivilege
00000001 0 SeChangeNotifyPrivilege
00000000 0 SeUndockPrivilege
00000000 0 SeIncreaseWorkingSetPrivilege
00000000 0 SeTimeZonePrivilege


Note that before the call it was



00000003 1 SeChangeNotifyPrivilege


which means the SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED attributes, and PrivilegeCheck says that the privilege is enabled.



After the call it was



00000001 0 SeChangeNotifyPrivilege


which means the SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute, and PrivilegeCheck says that the privilege is disabled.
        answered Nov 15 '18 at 12:09
RbMm
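The attribute semantics the answer describes, and the difference between disabling (DisableAllPrivileges) and the questioner's SE_PRIVILEGE_REMOVED fix, as an added portable C model that is not code from the question or the answer and does not call the Windows API: the constant values and the 0x3 -> 0x1 outcome match winnt.h and the answer's dumps, while the token type, the five sample privileges and the helper names are constructed here. Disabling leaves the entry in the token, so a process with TOKEN_ADJUST_PRIVILEGES on its own token can enable it again; removal cannot be undone, which is why a sandboxing step that must hold uses SE_PRIVILEGE_REMOVED.

```c
/* Model of Windows token privilege attributes (not the Windows API): constants
 * mirror winnt.h / winerror.h, the operations are re-implemented so this runs
 * anywhere, and the sample token is constructed from the answer's first dump. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SE_PRIVILEGE_ENABLED_BY_DEFAULT 0x00000001u
#define SE_PRIVILEGE_ENABLED            0x00000002u
#define SE_PRIVILEGE_REMOVED            0x00000004u
#define ERROR_NOT_ALL_ASSIGNED          1300u
#define MAX_PRIVS 32

typedef struct { const char *name; uint32_t attributes; } priv_entry; /* name stands in for the LUID */
typedef struct { uint32_t count; priv_entry privs[MAX_PRIVS]; } token_privs;

static int find_priv(const token_privs *t, const char *name)
{
    for (uint32_t i = 0; i < t->count; i++)
        if (strcmp(t->privs[i].name, name) == 0) return (int)i;
    return -1;
}

/* AdjustTokenPrivileges(h, FALSE, list, ...): ENABLED sets the bit, 0 clears it,
 * REMOVED deletes the entry for good (the questioner's fix). A privilege the token
 * does not hold is skipped and reported as ERROR_NOT_ALL_ASSIGNED, which the real
 * API leaves in GetLastError() while still returning TRUE (the answer checks it). */
uint32_t adjust_token_privileges(token_privs *t, const priv_entry *req, uint32_t n)
{
    uint32_t err = 0;
    for (uint32_t i = 0; i < n; i++) {
        int idx = find_priv(t, req[i].name);
        if (idx < 0) { err = ERROR_NOT_ALL_ASSIGNED; continue; }
        if (req[i].attributes & SE_PRIVILEGE_REMOVED) {
            memmove(&t->privs[idx], &t->privs[idx + 1],
                    (t->count - (uint32_t)idx - 1) * sizeof(priv_entry));
            t->count--;
        } else if (req[i].attributes & SE_PRIVILEGE_ENABLED) {
            t->privs[idx].attributes |= SE_PRIVILEGE_ENABLED;
        } else {
            t->privs[idx].attributes &= ~SE_PRIVILEGE_ENABLED;
        }
    }
    return err;
}

/* AdjustTokenPrivileges(h, TRUE, ...): clears SE_PRIVILEGE_ENABLED everywhere and
 * nothing else, so ENABLED_BY_DEFAULT survives (0x3 -> 0x1), the entry stays in the
 * token, and the process could enable it again later. */
void disable_all_privileges(token_privs *t)
{
    for (uint32_t i = 0; i < t->count; i++)
        t->privs[i].attributes &= ~SE_PRIVILEGE_ENABLED;
}

/* PrivilegeCheck: only SE_PRIVILEGE_ENABLED counts; enabled-by-default alone, or a
 * privilege absent from the token, reports as not enabled. */
int privilege_check(const token_privs *t, const char *name)
{
    int idx = find_priv(t, name);
    return idx >= 0 && (t->privs[idx].attributes & SE_PRIVILEGE_ENABLED) != 0;
}

token_privs sample_token(void)
{
    token_privs t = { 5, {
        { "SeShutdownPrivilege", 0 }, { "SeUndockPrivilege", 0 },
        { "SeChangeNotifyPrivilege", SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED },
        { "SeIncreaseWorkingSetPrivilege", 0 }, { "SeTimeZonePrivilege", 0 } } };
    return t;
}

int main(void)
{
    token_privs t = sample_token();
    disable_all_privileges(&t);   /* reproduces the columns of the answer's second dump */
    for (uint32_t i = 0; i < t.count; i++)
        printf("%08x %x %s\n", (unsigned)t.privs[i].attributes,
               privilege_check(&t, t.privs[i].name), t.privs[i].name);
    priv_entry strip = { "SeChangeNotifyPrivilege", SE_PRIVILEGE_REMOVED };
    uint32_t err = adjust_token_privileges(&t, &strip, 1);
    printf("removed: err=%u count=%u still held=%d\n", (unsigned)err, (unsigned)t.count, find_priv(&t, strip.name) >= 0);
    return 0;
}
```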