Re: Access denied for OpenProcess(PROCESS_DUP_HANDLE) in service
From: Paul Carter (pacman128_at_gmail.com)
Date: 20 Jul 2005 11:06:13 -0700
Pavel Lebedinsky [MSFT] wrote:
> "Paul Carter" wrote:
> > My code works fine if the client app is also running as the same user,
> > but fails if it is another user. Does the administrator account not
> > have the rights to make the OpenProcess() call on any process? If not,
> > it appears that I need to modify the DACL to give the account this
> > right. Or is there a better way?
> Processes running as regular users typically give access to the user
> account and System only. If you want to open them as administrator
> you have to enable SeDebugPrivilege before calling OpenProcess.
> But even this is probably not necessary in your case - see below.
> > In the older posts I found searching, the posters seem to be attempting
> > to execute DuplicateHandler() in the client process. Isn't it better to
> > run this in the service code (security wise) or am I missing something?
> The usual pattern for this is the client makes a request to the service,
> the service impersonates the client, calls OpenProcess (it doesn't need
> SeDebugPrivilege for this because it's impersonating the client), then
> duplicates the handle into the client process.
> This posting is provided "AS IS" with no warranties, and confers no
Thanks for your reply!
However, if I am reading the docs correctly ImpersonateLoggedOnUser()
(and others) require the SeImpersonatePrivilege which is only supported
on the server versions of Windows. Is this correct?
To give more background:
The basic problem is that the app reads data from a SCSI hard disk in a
proprietary format. The data is not even organized as flat files.
Currently, the app does this by opening up the disk using CreateFile
and " \\.\PHYSICALDRIVEx" This works great but requires administrative
access. The user wants the app to work without admin access. We have
been unable to find a simple privilege to give a user to open the disk
in raw mode other that to make the user an admin. So, we are
investigating having a service run as administrator to open the disk
and duplicate the handle to give to the client app running with normal
The current app is running on Windows 2000/XP workstation. The user
does not want to move to a server version of Windows. If we can't use
ImpersonateXXX() API, can anyone point us to another solution? Would
giving the service process the PROCESS_DUP_HANDLE right on the client
Is there a good online reference/tutorial for the Windows security API?
At the moment, we are a little overwhelmed by it.
-- Paul Carter