Re: SeCreateGlobalPrivilege and detecting multiple process instances

From: Eric Twietmeyer (notvalid_at_noisp.com)
Date: 09/26/03


Date: Fri, 26 Sep 2003 09:24:26 -0700


I could not find a definition of "global section" as referenced in the
kernel object namespaces doc page. But there is a KB article on Windows
2000 SP4 referencing this new privilege, SeCreateGlobalPrivilege, KB821546.
There it gives this definition:

The "Create global objects" user right (SeCreateGlobalPrivilege) is a
Windows 2000 security setting that was first introduced in Windows 2000 SP4.
The user right is required for a user account to create global objects in a
Terminal Services session. Note that users can still create session-specific
objects without being assigned this user right. By default, members of the
Administrators group, the System account, and Services that are started by
the Service Control Manager are assigned the "Create global objects" user
right.

There it is pretty explicit that it is used to create "global objects". It
does not reference "global sections" at all.

In any case, just to be safe I'm going to create / open a temporary file
with exclusive access as you first suggested.

I do remain curious though. Is there anyone from MS or an MVP that knows
precisely what SeCreateGlobalPrivilege is for and whether my experience with
it (i.e. able to create globally named event objects while a normal user on
Windows 2003) is expected?

Thanks again for your help, Pavel,

Eric Twietmeyer
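As an added example (not code from this thread or from either poster), the script below exercises both single-instance checks the thread discusses: the Global\Test event with an Everyone-full-access DACL that Eric tried, and the exclusive-access dummy file Pavel suggested. It assumes Windows PowerShell 5.1 (.NET Framework) and a lock-file path under ProgramData that every user of the app can create and read files in; that path and the function names are assumptions for the demo.

```powershell
# Added example, not code from the thread: the two single-instance checks
# discussed above, meant to be run from two different Terminal Services sessions.
# Assumes Windows PowerShell 5.1 (.NET Framework); 'Global\Test' is the name from
# the thread, the lock-file path is an assumption for the demo.

function Test-GlobalEvent {
    param([string]$Name = 'Global\Test')
    # DACL granting Everyone full access, as in the Global\Test experiment,
    # so the other session's user can open the object instead of being denied.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    $sec  = New-Object System.Security.AccessControl.EventWaitHandleSecurity
    $rule = New-Object System.Security.AccessControl.EventWaitHandleAccessRule(
        $everyone, [System.Security.AccessControl.EventWaitHandleRights]::FullControl,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $sec.AddAccessRule($rule)
    $createdNew = $false
    try {
        # CreateEvent in the Global\ namespace; $createdNew -eq $false is the
        # ERROR_ALREADY_EXISTS case (an instance in some session already holds it).
        $ev = New-Object System.Threading.EventWaitHandle(
            $false, [System.Threading.EventResetMode]::ManualReset,
            $Name, [ref]$createdNew, $sec)
        [pscustomobject]@{ Method = 'event'; FirstInstance = $createdNew; Handle = $ev }
    } catch {
        # Access denied here is what a missing SeCreateGlobalPrivilege looks like.
        [pscustomobject]@{ Method = 'event'; FirstInstance = $null; Error = $_.Exception.Message }
    }
}

function Test-ExclusiveFile {
    # Pavel's alternative: a dummy file opened with no sharing. The directory must
    # be one every user of the app can create/read files in (per-user %TEMP% would not do).
    param([string]$Path = (Join-Path $env:ProgramData 'MyApp\instance.lock'))
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::OpenOrCreate,
            [System.IO.FileAccess]::Read, [System.IO.FileShare]::None)
        [pscustomobject]@{ Method = 'file'; FirstInstance = $true; Handle = $fs }
    } catch [System.IO.IOException] {
        # ERROR_SHARING_VIOLATION: another instance, in any session, holds the file.
        [pscustomobject]@{ Method = 'file'; FirstInstance = $false; Error = $_.Exception.Message }
    }
}

# Keep the returned Handle objects referenced for the life of the process;
# closing them releases the claim and lets a second instance start.
$results = @((Test-GlobalEvent), (Test-ExclusiveFile))
$results | Format-Table Method, FirstInstance, Error -AutoSize
```

Run it in one session and leave that window open, then run it as a different user in a second session: the second run should report FirstInstance False for both methods, and if the event line shows an access-denied error instead, that is the privilege case the thread is debating.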

"Pavel Lebedinsky" <m_pll@hotmail.com> wrote in message
news:%23YwUOz9gDHA.1048@TK2MSFTNGP11.phx.gbl...
> I'm not sure if you really need SeCreateGlobalPrivilege for events.
> The docs only say that it is required for memory mapped files
> (sections):
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/termserv/termserv/kernel_object_namespaces.asp
>
> You also don't need the privilege if you run in session 0 because
> it uses global namespace by default.
>
> "Eric Twietmeyer" wrote:
>
> > I just got around to testing things on a Windows Server 2003 box and I am
> > confused by the results. I decided to try creating an event object in the
> > Global namespace. I have two users in two sessions, one has admin
> > privileges, the other doesn't.
> >
> > I create the event with a security descriptor that grants Everyone all
> > access and with a name "Global\\Test".
> >
> > The confusing thing is that I can create this event when logged on as the
> > normal (non-admin) user, and then when I attempt to create the same in a
> > different session I get the event with the appropriate ERROR_ALREADY_EXISTS
> > error.
> >
> > This works both ways, i.e. whether I create the event object first as the
> > normal user or as the admin user.
> >
> > The normal user is part of the remote desktop users group. Do members of
> > this group have the SeCreateGlobalPrivilege enabled?
> >
> > -Eric Twietmeyer
> >
> > "Pavel Lebedinsky" <m_pll@hotmail.com> wrote in message
> > news:uOWqPnggDHA.1752@TK2MSFTNGP10.phx.gbl...
> > > You could try opening a dummy file for exclusive access. If that fails
> > > with sharing violation it means another instance is already running.
> > >
> > > "Eric Twietmeyer" wrote:
> > >
> > > > Hello,
> > > >
> > > > I just found information on SeCreateGlobalPrivilege and its restriction of
> > > > normal user accounts from creating kernel objects in the global namespace.
> > > >
> > > > How is one supposed to detect multiple instances of a process running in
> > > > different sessions if the first time the process runs in one session it
> > > > can't create a kernel object in the global namespace?
> > > >
> > > > I work on an application that for licensing reasons may not be run under
> > > > multiple sessions simultaneously on one computer.
> > > >
> > > > What other technique exists to prevent this from happening? Or do I need to
> > > > force the end user to get his IT department to enable
> > > > SeCreateGlobalPrivilege for the users who might run this app when the
> > > > application is installed? This would be an unpleasant solution.
> > > >
> > > > Thanks in advance,
> > > >
> > > > Eric Twietmeyer
> > > >
> > > >
> > >
> > >
> >
> >
>
>