
Thread: Viewing Token Privileges

  1. #1

    Thread Starter
    Junior Member
    Join Date
    Dec 2017
    Posts
    29

    Viewing Token Privileges

    Privileges can be required to access system resources, and it can be a nuisance when an API call fails because a privilege is not available. This application displays the privileges available to the process token for the currently logged-on user.
    If run as administrator, it will show the elevated privileges. In general, if a privilege is required for an API function, the application should be running with elevated credentials, as a standard user has very few privileges. The application may also need to enable the privilege before the API function is called.

    For example, there are a number of API functions to create a process, and only some of these require privileges:

    • CreateProcessWithTokenW
      must have the SE_IMPERSONATE_NAME privilege.
    • CreateProcessAsUser
      must have the SE_INCREASE_QUOTA_NAME privilege and may require the SE_ASSIGNPRIMARYTOKEN_NAME privilege if the token is not assignable
    • CreateProcessWithLogonW
      requires no special privileges as the new process runs in the security context of the Logon User
    • CreateProcess
      requires no special privileges as the new process runs in the security context of the calling process

    The following screen image illustrates the privileges available for an elevated user.
    [Image: Token Privileges.png]

    From this example, the elevated user can call CreateProcessWithTokenW, but before calling CreateProcessAsUser, the application must first enable the SeIncreaseQuotaPrivilege. But this API would still return unsuccessful if the token is not assignable, because this elevated user does not have the SeAssignPrimaryTokenPrivilege.

    This application also has code to enable and disable a privilege.

    The attached project also includes more detailed information on this application.
    TokenPrivilege.zip
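
The check reasoned through in post #1, as an added example that is not part of the thread or the attached project: it parses `whoami /priv /fo csv` output and reports, for each API the post lists, whether the token is ready, needs a privilege enabled first, or lacks a privilege entirely. The sample output is constructed to match the post's scenario, and the function names and the `token_assignable` parameter are assumptions of this example.

```python
import csv
import io

# Constructed sample of `whoami /priv /fo csv` output for an elevated user,
# shaped like the scenario in the post (not captured from a real machine).
SAMPLE = '''"Privilege Name","Description","State"
"SeIncreaseQuotaPrivilege","Adjust memory quotas for a process","Disabled"
"SeDebugPrivilege","Debug programs","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
"SeImpersonatePrivilege","Impersonate a client after authentication","Enabled"
'''

# Privileges the post lists per API, as the string values of the SE_*_NAME
# constants. The second list applies only when the token is not assignable.
REQUIREMENTS = {
    "CreateProcessWithTokenW": (["SeImpersonatePrivilege"], []),
    "CreateProcessAsUser": (["SeIncreaseQuotaPrivilege"],
                            ["SeAssignPrimaryTokenPrivilege"]),
    "CreateProcessWithLogonW": ([], []),
    "CreateProcess": ([], []),
}

def parse_privileges(csv_text):
    """Return {privilege name: True if enabled} from whoami CSV output."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["Privilege Name"]: r["State"].strip().lower().startswith("enabled")
            for r in rows}

def readiness(privs, api, token_assignable=True):
    """Classify one API call as ready, needing an enable, or unable to succeed."""
    always, if_unassignable = REQUIREMENTS[api]
    needed = always + ([] if token_assignable else if_unassignable)
    # A privilege absent from the token cannot be enabled; only present,
    # disabled privileges can be switched on before the call.
    missing = [p for p in needed if p not in privs]
    disabled = [p for p in needed if p in privs and not privs[p]]
    if missing:
        return ("missing", missing)
    if disabled:
        return ("enable first", disabled)
    return ("ready", [])

if __name__ == "__main__":
    privs = parse_privileges(SAMPLE)
    for api in REQUIREMENTS:
        for assignable in (True, False):
            label = "assignable" if assignable else "not assignable"
            print(api, "|", label, "|", readiness(privs, api, assignable))
```
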

  2. #2
    Hyperactive Member
    Join Date
    Jul 2017
    Posts
    344

    Re: Viewing Token Privileges

    OMG, thanks so much!!

  3. #3
    PowerPoster
    Join Date
    Jul 2010
    Location
    NYC
    Posts
    5,647

    Re: Viewing Token Privileges

    If you want to escalate to SYSTEM/TrustedInstaller/LSASS to obtain most of those privileges,

    [VB6] Run process as TrustedInstalled (NT AUTHORITY\SYSTEM) w/ full system privileges

  4. #4
    Hyperactive Member
    Join Date
    Jul 2017
    Posts
    344

    Re: Viewing Token Privileges

    I am just trying to terminate a SYSTEM process.
    The task manager can end it without admin privileges, I think.

    For some reason, I just manage to do it, and I am also not sure if that is because I need full system privileges.

    I have documented my trouble here:

    https://stackoverflow.com/questions/...rror-code-1300

    Just in case you are interested...

  5. #5
    PowerPoster
    Join Date
    Jul 2010
    Location
    NYC
    Posts
    5,647

    Re: Viewing Token Privileges

    If you check in a tool like ProcessHacker, you see that TaskManager runs elevated.


    Edit:
    This looks like something that Microsoft might have *just* broken.

    I just noticed one of my VB6 apps, which enabled a privilege my user holds that can be enabled without elevation, is now being blocked from doing so. It looks like a Windows update may have made it impossible for VB6 apps to obtain any non-default privilege without running elevated.

    Don't know if it's just me right now but all I can suggest is try running elevated, since I can no longer actually test what unelevated VB6 apps can do.
    Last edited by fafalone; Jun 4th, 2022 at 01:21 AM.
