Re: CreateProcessAsUser error "the client does not have the required privileges"

From: Jordi Gou (jgou_at_ntr.es)
Date: 07/20/04

    Date: Tue, 20 Jul 2004 09:46:32 +0200
    
    

    CreateProcessWithLogonW doesn't exist on Windows NT 4 and my setup has to
    support this OS. I understand what you are saying about granting privileges
    on original user but I don't know how to do this.

    I will look for how I can grant the privileges of a user, but later should I
    use LogonUser again to call CreateProcessAsUser?

    "Yu Chen [MS]" <yuchen@online.microsoft.com> wrote in message
    news:eERkWoebEHA.2352@TK2MSFTNGP09.phx.gbl...
    > Even though in your code you impersonated the administrator account, the
    > CreateProcessAsUser API is checking for the 2 privileges against the process
    > token (not the impersonated thread token), which is the original user
    > account you logged in - thus you got the "privilege not held" error.
    >
    > So you need to grant the privileges to the original user account you log in
    > with - but that requires you to log off and log back to take effect.
    >
    > Why don't you use the CreateProcessWithLogonW API?
    >
    > --
    > Yu Chen [MS]
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    >
    > "Jordi Gou" <jgou@ntr.es> wrote in message
    > news:ezEY1FWbEHA.644@tk2msftngp13.phx.gbl...
    > > Ok, perfect, but how can I do this? Do I need to call RevertToSelf and
    > > LogonUser again? Where? Will token have these new privileges when I call
    > > LogonUser again? If it's yes, do I have to remove it after program
    > > execution?
    > >
    > > My code is like this:
    > >
    > > LogonUser (so, now I have an administrator token)
    > >
    > > ImpersonateLoggedOnUser (my process has administrator privileges)
    > >
    > > DuplicateTokenEx (I obtain a new primary token that has administrator
    > > privileges)
    > >
    > > AddAndEnablePrivileges (add and enable SE_ASSIGNPRIMARYTOKEN_NAME and
    > > SE_INCREASEQUOTA_NAME privileges that are needed to call
    > > CreateProcessAsUser)
    > >
    > > CreateProcessAsUser (it fails, error 1314 "the client doesn't have the
    > > required privileges")
    > >
    > > Thanks
    > >
    > > Jordi
    >
    >
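
Yu Chen's reply above says the two privileges are checked against the process token, not the impersonated thread token. The following is an added example, not code from the thread: a PowerShell check of whether the current session's process token holds them. The function name `Test-ProcessTokenPrivilege` and the sample rows are constructed for illustration, and it assumes a Windows version that ships PowerShell and `whoami.exe`.

```powershell
# Added example (not from the thread). Reports whether the *process* token
# holds the two privileges that CreateProcessAsUser checks for.
# SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME resolve to these names:
$Required = @('SeAssignPrimaryTokenPrivilege', 'SeIncreaseQuotaPrivilege')

# Hypothetical helper: takes the lines printed by "whoami /priv /fo csv /nh".
function Test-ProcessTokenPrivilege {
    param(
        [string[]]$CsvLines,
        [string[]]$Names = $Required
    )
    # whoami lists only privileges present in the token; a missing row
    # means the privilege is not held at all (enabled or disabled).
    $rows = $CsvLines | ConvertFrom-Csv -Header Name, Description, State
    foreach ($n in $Names) {
        $row = $rows | Where-Object { $_.Name -eq $n } | Select-Object -First 1
        [pscustomobject]@{
            Privilege = $n
            Held      = [bool]$row
            # State text comes from whoami and is localized on non-English systems.
            State     = if ($row) { $row.State } else { 'not in token' }
        }
    }
}

# Constructed sample: rows as an ordinary interactive user's token might show.
$sample = @(
    '"SeShutdownPrivilege","Shut down the system","Disabled"'
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"'
)
Test-ProcessTokenPrivilege -CsvLines $sample | Format-Table -AutoSize

# Live check of the token this shell (and any child it starts) runs with.
Test-ProcessTokenPrivilege -CsvLines (whoami /priv /fo csv /nh) |
    Format-Table -AutoSize
```

If either row reports `Held = False` in the session that launches the setup, the account needs the corresponding user right granted and a fresh logon before the process token will carry it.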

