Modifying Privileges for NT/SERVICES

  • Question

  • Hi all,

    I am not sure whether this is possible since I am new to the Windows API. I have created a service where the SeCreateSymbolicLink privilege is disabled. I am trying to enable the privilege using the following code. The code executes with no errors, but I don't see the privilege enabled.

    Please help me.

    Thanks,

    smpari

     

    if (!OpenProcessToken(pHandle,
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                          &hToken)) {
        fprintf(fp, "OpenProcessToken failed: %u\n", GetLastError());
    } else {
        fprintf(fp, "OpenProcessToken Succeeded: %u\n", GetLastError());
    }

    if (LookupPrivilegeValue(NULL, SE_CREATE_SYMBOLIC_LINK_NAME, &tkp.Privileges->Luid)) {
        fprintf(fp, "LookupPrivilegeValue Succeeded: %u\n", GetLastError());
    } else {
        fprintf(fp, "LookupPrivilegeValue failed: %u\n", GetLastError());
    }
    tkp.PrivilegeCount = 1; // one privilege to set
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // Get the CreateLink privilege for this process.
    if (AdjustTokenPrivileges(hToken, TRUE, &tkp, 0,
                              (PTOKEN_PRIVILEGES)NULL, 0)) {
        fprintf(fp, "AdjustTokenPrivileges Succeeded: %u\n", GetLastError());
    } else {
        fprintf(fp, "AdjustTokenPrivileges failed: %u\n", GetLastError());
    }

     

    • Moved by Jesse Jiang Friday, July 8, 2011 3:03 AM (From:Visual C++ Language)
    Friday, July 1, 2011 3:56 AM

All replies

  • can you check with the following code

     

    AdjustTokenPrivileges(hToken, TRUE, &tkp, 0,
                          (PTOKEN_PRIVILEGES)NULL, 0);

    if (GetLastError() != ERROR_SUCCESS)
        AfxMessageBox("Failed to adjust the token privileges.");
    



    Thanks and Regards Selvam http://www15.brinkster.com/selvamselvam/
    Saturday, July 2, 2011 9:26 AM
  • Hi Selvam,

     

    Thanks for your reply. But AdjustTokenPrivileges returns BOOL type, and you are trying to check with GetLastError(). I can't get your point why we should try this.

    Please help me to understand your method.

     

    Thanks


    Monday, July 4, 2011 11:02 AM
  • I have read the 'AdjustTokenPrivileges()' function description.

    In the description it is written: 'To determine whether the function adjusted all of the specified privileges, call GetLastError.'

    Following is the link:

    http://msdn.microsoft.com/en-us/library/aa375202(VS.85).aspx


    Raman
    • Proposed as answer by Jesse Jiang Wednesday, July 6, 2011 2:44 AM
    Monday, July 4, 2011 11:13 AM
  • Hello,

     

    Would you mind letting me know the result of the suggestions? If you need further assistance, feel free to let me know. I will be more than happy to be of assistance.

     

    Best regards,

    Jesse


    Jesse Jiang [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Wednesday, July 6, 2011 2:44 AM
  • Hi

    I have modified the code as follows. The API returns 0. I am not sure what could be my mistake in this.

     


    if (!OpenProcessToken(pHandle,
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                          &hToken)) {
        fprintf(fp, "OpenProcessToken failed: %u\n", GetLastError());
    } else {
        fprintf(fp, "OpenProcessToken Succeeded: \n");
    }

    if (LookupPrivilegeValue(NULL, SE_CREATE_SYMBOLIC_LINK_NAME, &tkp.Privileges->Luid)) {
        fprintf(fp, "LookupPrivilegeValue Succeeded: %u\n", GetLastError());
    } else {
        fprintf(fp, "LookupPrivilegeValue failed: %u\n", GetLastError());
    }
    tkp.PrivilegeCount = 1; // one privilege to set
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_REMOVED;

    if (ERROR_SUCCESS == AdjustTokenPrivileges(hToken, TRUE, &tkp, 0,
                                               (PTOKEN_PRIVILEGES)NULL, 0)) {
        fprintf(fp, "AdjustTokenPrivileges Succeeded:\n");
    } else {
        fprintf(fp, "AdjustTokenPrivileges Failed: %u \n", GetLastError());
    }
    
    



    Output:

    OpenProcessToken Succeeded
    LookupPrivilegeValue Succeeded: 0
    AdjustTokenPrivileges Failed: 0

     

    Thanks,

    smpari
    Thursday, July 7, 2011 8:18 AM
  • What is the exact user account that you are using for this service?


    This is a signature

    Any samples given are not meant to have error checking or show best practices. They are meant to just illustrate a point. I may also give inefficient code or introduce some problems to discourage copy/paste coding. This is because the major point of my posts is to aid in the learning process.
    Visit my (not very good) blog at
    http://ccprogramming.wordpress.com/
    Thursday, July 7, 2011 12:05 PM
  • Posting a reply in response to my previous post.

    The reason why I am asking this is rather important. If it is a local user account, you must make sure that the user has that privilege in the first place. So either an administrator account, or a user account which you have assigned this privilege to using the local security editor or, in a domain environment, the group policy.

    For service accounts, the following list shows the privileges and the default state on Windows 7.

    User NT AUTHORITY\SYSTEM
    Privilege name: SeAssignPrimaryTokenPrivilege Disabled
    Privilege name: SeAuditPrivilege Enabled
    Privilege name: SeBackupPrivilege Disabled
    Privilege name: SeChangeNotifyPrivilege Enabled
    Privilege name: SeCreateGlobalPrivilege Enabled
    Privilege name: SeCreatePagefilePrivilege Enabled
    Privilege name: SeCreatePermanentPrivilege Enabled
    Privilege name: SeCreateSymbolicLinkPrivilege Enabled
    Privilege name: SeDebugPrivilege Enabled
    Privilege name: SeImpersonatePrivilege Enabled
    Privilege name: SeIncreaseBasePriorityPrivilege Enabled
    Privilege name: SeIncreaseQuotaPrivilege Disabled
    Privilege name: SeIncreaseWorkingSetPrivilege Enabled
    Privilege name: SeLoadDriverPrivilege Disabled
    Privilege name: SeLockMemoryPrivilege Enabled
    Privilege name: SeManageVolumePrivilege Disabled
    Privilege name: SeProfileSingleProcessPrivilege Enabled
    Privilege name: SeRestorePrivilege Disabled
    Privilege name: SeSecurityPrivilege Disabled
    Privilege name: SeShutdownPrivilege Disabled
    Privilege name: SeSystemEnvironmentPrivilege Disabled
    Privilege name: SeSystemProfilePrivilege Enabled
    Privilege name: SeSystemtimePrivilege Disabled
    Privilege name: SeTakeOwnershipPrivilege Disabled
    Privilege name: SeTcbPrivilege Enabled
    Privilege name: SeTimeZonePrivilege Enabled
    Privilege name: SeUndockPrivilege Disabled
    
    User NT AUTHORITY\LOCAL SERVICE
    Privilege name: SeAssignPrimaryTokenPrivilege Disabled
    Privilege name: SeAuditPrivilege Disabled
    Privilege name: SeChangeNotifyPrivilege Enabled
    Privilege name: SeCreateGlobalPrivilege Enabled
    Privilege name: SeImpersonatePrivilege Enabled
    Privilege name: SeIncreaseQuotaPrivilege Disabled
    Privilege name: SeIncreaseWorkingSetPrivilege Disabled
    Privilege name: SeShutdownPrivilege Disabled
    Privilege name: SeSystemtimePrivilege Disabled
    Privilege name: SeTimeZonePrivilege Disabled
    Privilege name: SeUndockPrivilege Disabled
    
    User NT AUTHORITY\NETWORK SERVICE
    Privilege name: SeAssignPrimaryTokenPrivilege Disabled
    Privilege name: SeAuditPrivilege Disabled
    Privilege name: SeChangeNotifyPrivilege Enabled
    Privilege name: SeCreateGlobalPrivilege Enabled
    Privilege name: SeImpersonatePrivilege Enabled
    Privilege name: SeIncreaseQuotaPrivilege Disabled
    Privilege name: SeIncreaseWorkingSetPrivilege Disabled
    Privilege name: SeShutdownPrivilege Disabled
    Privilege name: SeTimeZonePrivilege Disabled
    Privilege name: SeUndockPrivilege Disabled

    So if you look closely, the only account which is allowed to create a symbolic link is Local System, and the privilege is enabled by default. So are you trying to enable a privilege which is already enabled here?


    Thursday, July 7, 2011 5:14 PM
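An added example, not code from any poster in this thread: one way to enable a privilege and interpret the outcome as the AdjustTokenPrivileges description quoted earlier requires, where a nonzero return combined with ERROR_NOT_ALL_ASSIGNED means the token does not hold the privilege (the situation the service-account list above describes for LOCAL SERVICE and NETWORK SERVICE). It passes FALSE for DisableAllPrivileges, because TRUE tells the function to disable every privilege and ignore the new state. The names `classify_adjust`, `enable_privilege`, `ERR_*` and `ADJ_*` are hypothetical; the Win32 part compiles only on Windows, and elsewhere `main` runs the classifier on a constructed input.

```c
/* Added example, not code from the thread. On Windows, link with advapi32.lib. */
#include <stdio.h>

#define ERR_SUCCESS          0UL     /* value of ERROR_SUCCESS */
#define ERR_NOT_ALL_ASSIGNED 1300UL  /* value of ERROR_NOT_ALL_ASSIGNED */

typedef enum { ADJ_APPLIED, ADJ_NOT_HELD, ADJ_CALL_FAILED } adj_result;

/* 'ok' is the BOOL returned by AdjustTokenPrivileges; 'err' is GetLastError()
   read immediately afterwards. Both are needed to know what happened. */
adj_result classify_adjust(int ok, unsigned long err)
{
    if (!ok) return ADJ_CALL_FAILED;                      /* the call itself failed */
    if (err == ERR_NOT_ALL_ASSIGNED) return ADJ_NOT_HELD; /* privilege not in token */
    return err == ERR_SUCCESS ? ADJ_APPLIED : ADJ_CALL_FAILED;
}

#ifdef _WIN32
#include <windows.h>
adj_result enable_privilege(HANDLE process, LPCTSTR name)
{
    HANDLE token;
    TOKEN_PRIVILEGES tkp;
    BOOL ok;
    DWORD err;
    if (!OpenProcessToken(process, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token))
        return ADJ_CALL_FAILED;
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValue(NULL, name, &tkp.Privileges[0].Luid)) {
        CloseHandle(token);
        return ADJ_CALL_FAILED;
    }
    /* FALSE: apply tkp. TRUE would disable all privileges and ignore tkp. */
    ok = AdjustTokenPrivileges(token, FALSE, &tkp, 0, NULL, NULL);
    err = GetLastError();   /* capture before any other API call */
    CloseHandle(token);
    return classify_adjust(ok, err);
}
#endif

int main(void)
{
#ifdef _WIN32
    adj_result r = enable_privilege(GetCurrentProcess(), SE_CREATE_SYMBOLIC_LINK_NAME);
#else
    adj_result r = classify_adjust(1, ERR_NOT_ALL_ASSIGNED); /* constructed input */
#endif
    printf("result: %d\n", (int)r);
    return r == ADJ_APPLIED ? 0 : 1;
}
```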
  • Hi smpari,

     

    I think your issue should be raised in the Security for Applications in Microsoft Windows forum. I believe they will know more about this issue than us, and I will move this one to that forum.

     

    Thanks for your understanding,

     

    Best regards,

    Jesse


    Jesse Jiang [MSFT]

    Friday, July 8, 2011 3:02 AM