none
Problem with AdjustTokenPrivileges call on Windows Vista

    質問

  •  I have the following code that sets privileges using the calls :

    ....

       // enable or disable the privilege
            AdjustTokenPrivileges(hToken, False, TokenPriv, SizeOf(PrevTokenPriv), PrevTokenPriv, ReturnLength);
            Result := GetLastError = ERROR_SUCCESS;
            if not Result then
              //On Windows Vista the following error is raised:
              //exception message : Not all privileges or groups referenced are assigned to the caller.
              raise Exception.Create(SysErrorMessage(GetLastError));

    ....

    It works perfectly fine on Windows XP, 2000 and 2003 but under Windows Vista it raises the error "exception message : Not all privileges or groups referenced are assigned to the caller."

    Any idea of what might be causing this and how to fix it?

    2009年1月26日 14:25

回答

  • On your Vista box, run mmc and then Ctrl-M and add the Group Policy Object Editor snap-in.  Open it in the tree view on the left, and navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment and see your account has the privileges you are trying to enable.

    (Another way of doing that would be running Process Explorer and examining the security token of one of your ELEVATED processes.)


    Sasha Goldshtein | http://blogs.microsoft.co.il/blogs/sasha
    • 回答としてマーク Ale cts 2009年1月26日 15:31
    2009年1月26日 15:17

すべての返信

  • Well, to adjust token privileges you need to have these privileges in the first place.  E.g. you can't adjust the token and grant yourself the "Act as part of the operating system" privilege if you don't have it.

    Because you mention Vista, it's likely that User Account Control is the culprit.  Have you tried running the app explicitly with administrator permissions (i.e. "Run as administrator" from a context menu)?


    Sasha Goldshtein | http://blogs.microsoft.co.il/blogs/sasha
    2009年1月26日 14:43
  • thanks for the answer 

    yes i disabel UAC from my pc and i run my program with administrator permission but the error remains.....

    i work with windows vista 32 bit edition

     

     

    2009年1月26日 14:51
  • OK then, what privileges are you trying to assign?  I.e., provide more context.
    Sasha Goldshtein | http://blogs.microsoft.co.il/blogs/sasha
    2009年1月26日 14:52
  •  I try to set the privileges to write in the registers...
    2009年1月26日 14:57
  • What registers?

    Could you please post a complete code example that demonstrates what you are trying to do?


    Sasha Goldshtein | http://blogs.microsoft.co.il/blogs/sasha
    2009年1月26日 14:59
  • I  try to write a key to  .. under HKEY_LOCAL_MACHINE \ SOTWARE \ test

    SetPrivilege(LPSTR sPrivilege)
    {
     HANDLE hToken;
     TOKEN_PRIVILEGES tkp;

    //TOKEN_ADJUST_PRIVILEGES
     // get the current process token handle
     if (!OpenProcessToken(GetCurrentProcess(),
      TOKEN_IMPERSONATE | TOKEN_QUERY, &hToken))
      {
       //sprintf(Msg, "OpenProcessToken failure");
       //MessageBox(0, Msg,APP_TITLE, MB_OK | MB_ICONINFORMATION); 
       //printf("OpenProcessToken failure\n");
      exit(0);
      }

    // get the LUID for the privilege on the local system
     if (!LookupPrivilegeValue(0, sPrivilege, &tkp.Privileges[0].Luid))
     {
      CloseHandle(hToken);
      //sprintf(Msg, "LookupPrivilegeValue failure");
      //MessageBox(0, Msg,APP_TITLE, MB_OK | MB_ICONINFORMATION); 
      //printf("LookupPrivilegeValue failure\n");
      exit(0);
      }

     // one privilege to set
     tkp.PrivilegeCount = 1;
     tkp.Privileges[0].Attributes = 0;
     tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
     if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES)NULL,
      0) || GetLastError ())
     {
      CloseHandle(hToken);
      //eee = GetLastError();
      //sprintf(Msg, "  GetLastError= %d", eee);
      //MessageBox(0, Msg,APP_TITLE, MB_OK | MB_ICONINFORMATION);
      //sprintf(Msg, "AdjustTokenPrivileges failure  = %d", 0);
      //MessageBox(0, Msg,APP_TITLE, MB_OK | MB_ICONINFORMATION);
      //printf("AdjustTokenPrivileges failure\n");
      exit(0);
      }

     CloseHandle(hToken);

     

    main()

    {

     SetPrivilege(SE_BACKUP_NAME);
     SetPrivilege(SE_RESTORE_NAME);
     SetPrivilege(SE_SECURITY_NAME);
     SetPrivilege(SE_TAKE_OWNERSHIP_NAME);

     

    .. ret = _NtCreateKey(&hKey, KEY_ALL_ACCESS, &obj, 0, 0, REG_OPTION_BACKUP_RESTORE, 0);..

     

     

    but Function SetPrivilege Failed only in Windows Vista...

    }

    2009年1月26日 15:04
  • On your Vista box, run mmc and then Ctrl-M and add the Group Policy Object Editor snap-in.  Open it in the tree view on the left, and navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment and see your account has the privileges you are trying to enable.

    (Another way of doing that would be running Process Explorer and examining the security token of one of your ELEVATED processes.)


    Sasha Goldshtein | http://blogs.microsoft.co.il/blogs/sasha
    • 回答としてマーク Ale cts 2009年1月26日 15:31
    2009年1月26日 15:17
  •  yes, all the privileges you are entitled apllicativo I must write in that key xp in that path I have always freely written
    2009年1月26日 15:31
  • I don't understand if your problem is resolved or not.  One way or another, to write to HKLM\Software you don't need any special privileges.  If you're running as admin, you will have access to that registry key.


    Sasha Goldshtein | http://blogs.microsoft.co.il/blogs/sasha
    2009年1月26日 15:33
  • yes , i reboot my pc and my software write a key in the registry correctly

     

    but it's possible to  disable UAC by my software, rewrite the key, and turn it back without the user noticing if?

     

    thanks

    2009年1月27日 8:11
  •  You can't disable UAC programmatically unless you are already running as an admin, because the registry key that controls UAC has write permission for admins only.

    If you want to write to HKLM in all scenarios (whether UAC is on or off), you need to launch your application as admin.  This can be done by either creating a shortcut with the "Run as administrator" checkbox checked, by executing your app with ShellExecute and using the "runas" verb, or - recommended - by adding a manifest to  your application with requestedExecutionLevel=requireAdministrator.

    There are lots of articles on the web on UAC, you might also find the following helper library useful: www.codeplex.com/UACHelpers


    Sasha Goldshtein | http://blogs.microsoft.co.il/blogs/sasha
    2009年1月27日 9:16
  • i use your software EmbedManifest.exe(UACHelpers32.exe) on Windows Vista Business edition 32 bit

    but returns an error, sotware not compatible with this version but the version I'm using,

    there are  some problems just to run Windows Vista Business Edition ?

    software run only on Windows Vista Home Edition ?

    2009年1月27日 10:56
  • Make sure you are using the 32-bit build on your 32-bit system.


    Sasha Goldshtein | http://blogs.microsoft.co.il/blogs/sasha
    2009年1月27日 11:34
  • yes I use UACHelpers32.exe
    2009年1月27日 12:27
  • Let's make it easier.  You're using Visual Studio 2008 to compile this code, right?  Go to the project settings and find the UAC settings section, change it to "requireAdministrator" and then build.  This should embed the necessary manifest in your app.
    Sasha Goldshtein | http://blogs.microsoft.co.il/blogs/sasha
    2009年1月27日 12:28