How to get SE_SYSTEMTIME_NAME in Win7?

Question

On Win 7, I have used SECPOL.MSC to give all users (and myself, by name) the right to set the system time (likewise with GPEDIT.MSC).  But none of several apps of mine can acquire the SE_SYSTEMTIME_NAME privilege.  What do I need to do?  Thanks!

 - Vince

Answer 1

How are you determining that you don't have it? If you run your application as an administrator does it get this privilege, does your system have UAC enabled?

---

This is a signature

Any samples given are not meant to have error checking or show best practices. They are meant to just illustrate a point. I may also give inefficient code or introduce some problems to discourage copy/paste coding. This is because the major point of my posts is to aid in the learning process.

Do you want Visual Studio 11 Express to be freely installable on Windows 7 and able to write regular C++ applications? Please vote for this.

Answer 2

How are you determining that you don't have it? If you run your application as an administrator does it get this privilege, does your system have UAC enabled?

---

This is a signature

Any samples given are not meant to have error checking or show best practices. They are meant to just illustrate a point. I may also give inefficient code or introduce some problems to discourage copy/paste coding. This is because the major point of my posts is to aid in the learning process.

Do you want Visual Studio 11 Express to be freely installable on Windows 7 and able to write regular C++ applications? Please vote for this.

UAC is enabled.  If I run it as an admin, I don't even need to ask for SE_SYSTEMTIME_NAME.   I know I don't have it because after

	if ( !AdjustTokenPrivileges(hToken, FALSE, &tpNewPriv, NULL, NULL, NULL) 
			|| GetLastError() == ERROR_NOT_ALL_ASSIGNED )

LastError is 1300 (Not all privileges or groups referenced are assigned to the caller) and a subsequent SetSystemTime() gives error 0x522 (A required privilege is not held by the client.).

 - Vince

Answer 3

I take it that the account that you are trying to get this to work on is an administrator account which was restricted with UAC?

Then that is your most likely problem. When UAC strips privileges out of an administrator token to make a restricted token, it doesn't check the the local security policy, it just strips out a fixed list of privileges and sets a fixed list of groups as deny only.

I bet if you used a regular user account, not a restricted admin account you would have the this privilege.

---

This is a signature

Any samples given are not meant to have error checking or show best practices. They are meant to just illustrate a point. I may also give inefficient code or introduce some problems to discourage copy/paste coding. This is because the major point of my posts is to aid in the learning process.

Do you want Visual Studio 11 Express to be freely installable on Windows 7 and able to write regular C++ applications? Please vote for this.

Answer 4

I take it that the account that you are trying to get this to work on is an administrator account which was restricted with UAC?

Then that is your most likely problem. When UAC strips privileges out of an administrator token to make a restricted token, it doesn't check the the local security policy, it just strips out a fixed list of privileges and sets a fixed list of groups as deny only.

I bet if you used a regular user account, not a restricted admin account you would have the this privilege.

---

This is a signature

Any samples given are not meant to have error checking or show best practices. They are meant to just illustrate a point. I may also give inefficient code or introduce some problems to discourage copy/paste coding. This is because the major point of my posts is to aid in the learning process.

Do you want Visual Studio 11 Express to be freely installable on Windows 7 and able to write regular C++ applications? Please vote for this.

I would have bet against it, but you seem to be right.  I created an ordinary user and ran CMD with RUNAS.EXE.  CMD's TIME command was able to set the time (whereas it is not able to do so for me, an admin and under UAC).  Well that's just ducky (and IMHO, dumb)!  Do you imagine there's any way around it?  Thanks.

 - Vince

Answer 5

It is annoying but the only two ways around this is to either elevate (either elevate either your process ur use something like the elevation moniker, or putting in the manifest to run with the highest available credentials) or to use LogonUser to get a limited user account token and then impersonate.

I know this is annoying, I had a similar problem with this myself. The fact that UAC removes a fixed set of privileges does catch people who want to change the limited users privileges out.

---

This is a signature

Any samples given are not meant to have error checking or show best practices. They are meant to just illustrate a point. I may also give inefficient code or introduce some problems to discourage copy/paste coding. This is because the major point of my posts is to aid in the learning process.

Do you want Visual Studio 11 Express to be freely installable on Windows 7 and able to write regular C++ applications? Please vote for this.