Re: OpenProcessToken access denied

From: Jeffrey Hamblin (jhamblin_at_online.microsoft.com)
Date: 12/03/03


Date: Wed, 3 Dec 2003 14:17:48 -0800

Brian,

This could be caused by several things.
First, what access are you requesting in your call to OpenProcessToken? If
you only want to query the TokenUser then you only need TOKEN_QUERY.
Second, are you able to open the process for PROCESS_QUERY_INFORMATION?
That is required to get at the process token.

mkas.exe might be putting a stricter DACL on its process token or the
process object itself.

I don't know for certain what Process Explorer is doing. Perhaps it is
using the TakeOwnership privilege to get access to the object (requesting
WRITE_OWNER, changing the DACL to grant itself access, then changing it
back) after the normal access check fails. If you are admin then you have
this privilege in your token by default.

You will have to look at the security descriptors on the process and its
token to be certain. HTH,

Jeff

"Brian" <anonymous@discussions.microsoft.com> wrote in message
news:00f901c3b9ca$a9131bc0$a401280a@phx.gbl...
> Here's my problem:
>
> I'm trying to get the users of a running process on a
> Win2k server for a monitoring application. Basically,
> there are about 40-50 of this process (mkas.exe) running
> on the server at any given time. Each one runs under the
> domain account of the client computer. I can verify this
> by using Sysinternals Process Explorer.
>
> The problem is, when I try to get the user by using
> OpenProcessToken, I get error 127 - Access Denied. This
> only seems to happen on the mkas.exe process. The
> application looks up the users of a process just fine
> when the process's user isn't a domain account (i.e., it's
> running under a local account).
>
> So my question is, what's going on? I know it can't be
> the permissions on the server's logged-in account, since
> the Sysinternals Process Explorer can bring up the users
> just fine. What could it be doing that I'm not?
>
> Thanks in advance,
> Brian
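
The two access checks named in the reply (PROCESS_QUERY_INFORMATION on the process object, then the requested rights on its token) can be modelled to see which one a given DACL fails. This is an added example, not code from the thread: a simplified model of the DACL walk that ignores privileges, owner rights and generic mapping. The domain-user SID and all three DACLs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Access-right values as defined in the Windows SDK headers. */
#define PROCESS_QUERY_INFORMATION 0x0400u
#define TOKEN_QUERY               0x0008u
#define TOKEN_ADJUST_PRIVILEGES   0x0020u

typedef struct { int deny; const char *sid; uint32_t mask; } Ace;
typedef struct { const Ace *aces; size_t count; } Dacl;
typedef struct { const char *const *sids; size_t count; } Caller;
enum { OPEN_OK, DENIED_AT_PROCESS, DENIED_AT_TOKEN };

/* Simplified DACL walk: ACEs are read in order; a matching deny ACE covering a
   still-needed bit fails the request, a matching allow ACE clears needed bits. */
int access_check(Dacl d, Caller c, uint32_t desired) {
    uint32_t needed = desired;
    for (size_t i = 0; i < d.count && needed; i++) {
        int match = 0;
        for (size_t j = 0; j < c.count; j++)
            if (strcmp(d.aces[i].sid, c.sids[j]) == 0) match = 1;
        if (!match) continue;
        if (!d.aces[i].deny) needed &= ~d.aces[i].mask;
        else if (d.aces[i].mask & needed) return 0;
    }
    return needed == 0;
}

/* The two checks named in the reply: the process object first, then its token. */
int open_token(Dacl process, Dacl token, Caller c, uint32_t token_access) {
    if (!access_check(process, c, PROCESS_QUERY_INFORMATION)) return DENIED_AT_PROCESS;
    if (!access_check(token, c, token_access)) return DENIED_AT_TOKEN;
    return OPEN_OK;
}

/* Constructed sample data: the domain-user SID and all three DACLs are invented. */
#define SID_ADMINS "S-1-5-32-544"
#define SID_USER   "S-1-5-21-1111-2222-3333-1001"
static const char *const admin_sids[] = { SID_ADMINS };
static const Ace strict_proc[] = { {0, SID_USER, PROCESS_QUERY_INFORMATION} };
static const Ace open_proc[]   = { {0, SID_USER, PROCESS_QUERY_INFORMATION}, {0, SID_ADMINS, PROCESS_QUERY_INFORMATION} };
static const Ace query_token[] = { {0, SID_USER, TOKEN_QUERY}, {0, SID_ADMINS, TOKEN_QUERY} };
const Caller ADMIN = { admin_sids, 1 };
const Dacl STRICT_PROC = { strict_proc, 1 }, OPEN_PROC = { open_proc, 2 }, QUERY_TOKEN = { query_token, 2 };
int main(void) {
    printf("%d %d %d\n", open_token(STRICT_PROC, QUERY_TOKEN, ADMIN, TOKEN_QUERY),
           open_token(OPEN_PROC, QUERY_TOKEN, ADMIN, TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES),
           open_token(OPEN_PROC, QUERY_TOKEN, ADMIN, TOKEN_QUERY));
    return 0;
}
```

The three results correspond to a process DACL that omits the caller, a token request that asks for more than TOKEN_QUERY, and a request limited to TOKEN_QUERY.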


