CreateFileMapping fails with Access denied after impersonating a regular user

  • Question

  • Hi,

    I have an application running in debug mode, from under MS Visual Studio 2010 launched to run as administrator, on Windows 7 SP1 (x64).

    This application runs another proxy helper app, and it communicates with it over shared memory. The application impersonates the user connecting to it, and it tries to call CreateFileMapping to create a shared memory while impersonating users. The entire Administrators group is allowed to create global objects from the "Create global objects" local security policy. However, the name that I pass to CreateFileMapping should be local to the session (the name does not include the "Global\" prefix).

    If the user being impersonated is a member of local Administrators, the CreateFileMapping works without problems.

    The problem is that if I connect as a regular (non-administrator) user, CreateFileMapping fails. I tried to provide different SECURITY_ATTRIBUTES parameters, from NULL, to one granting permissions to all users (and administrators) without success.

    The odd thing is that the application works as expected when it actually runs as a service (even if I start the same debug version).

    Therefore, the only difference is that it runs in session 0 when running as a service; however, I am not clear why the error occurs when running as a desktop application.

    Can somebody help with this please?

    Thank you,

    Dan

    Friday, November 15, 2013 9:51 PM

Answers

  • Since it works when user is a local Admin and as a service (which runs as an Admin) and fails only when user is non-Admin, the issue is that your code doesn't work anytime the user is non-Admin.

    Years ago I wrote some code to make a SECURITY_ATTRIBUTES for everyone.  The code is in this Google Group archive.  You might want to compare it to your code.

    Thanks,
    David

    Saturday, November 16, 2013 5:56 AM

All replies

  • David, thank you for your reply.

    Although I have had my code used/validated for a long time for setting permissions on folders/files, I did try using yours as well, but with no success. Moreover, since the call should create the shared memory, it is my understanding that the parameter passed as (LPSECURITY_ATTRIBUTES) should change the permissions on the new object, in order for other processes to eventually open the same shared memory. However, it should not prevent me from creating it ...

    The issue seems to be with impersonating that non-Admin user, but what puzzles me is that it works when running as a service, but not when running in a user's session, although running as admin ...

    And that is what I would like to find the explanation for.

    Regards,

    Dan

    Monday, November 18, 2013 5:55 PM
  • Hi,

    Please take a look at Igor’s replies from this link.

    And link below for your reference.

    File Mapping Security and Access Rights

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa366559(v=vs.85).aspx

    Best Wishes,

    May



    Tuesday, November 26, 2013 4:11 AM
  • A non-admin user does not have privilege to create a global shared memory. But in your case you are creating a local SM. I think it can be created without any extra security attributes. What error code is returned by GetLastError()?

    Thanks, Renjith V R

    Tuesday, November 26, 2013 9:43 AM