OpenProcess fails with Access Denied on Win2003
From: Will (will4wright_at_community.nospam)
Date: 09/25/04
Date: Sat, 25 Sep 2004 11:04:16 -0700
I have a service that runs in the "Local System" account. This service
needs to get the timing information (e.g. Creation Time) of all processes.
The information is retrieved by first opening the process using
OpenProcess( ) and then using the returned process handle in
GetProcessTimes( ). The code is something like the following:
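
    HANDLE   hProcess;
    FILETIME creationTime, exitTime, kernelTime, userTime;
    BOOL     bRet;

    // Get a handle to the process.
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwProcessId);
    if (hProcess != NULL) {
        // Get the process times
        bRet = GetProcessTimes(hProcess, &creationTime, &exitTime,
                               &kernelTime, &userTime);
        if (bRet) {
            // Do some work
            // ...
        } else {
            // Handle the error (GetLastError() has the reason)
            // ...
        }
        // Release the handle once the times have been read
        CloseHandle(hProcess);
    } else {
        // Handle the error (this is where ERROR_ACCESS_DENIED shows up)
        // ...
    }
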
On Windows 2000 this works fine for every process. However, on Windows 2003
the OpenProcess( ) call fails with "Access Denied" for any process that is
running under the "LOCAL SERVICE" or "NETWORK SERVICE" accounts. This kinda
surprises me as I would have thought that the System account would have had
sufficient 'authority' to open these processes.

If I run the same code from an account that is in the "Local Administrators"
group, I get the same results. Which I find even more surprising... since
this means that a process running under an Administrator account can query
"SYSTEM" owned processes, but not "LOCAL SERVICE" or "NETWORK SERVICE" owned
processes.

I know that if I enable the SE_DEBUG_NAME privilege, the OpenProcess( )
then works. But this seems a bit like using a sledgehammer to crack a
walnut.

Can anyone offer an alternative to enabling SE_DEBUG_NAME? And an
explanation for the current behaviour would also be greatly appreciated.

Thanks,
Will