RE: 'Access denied.' on OpenProcess() for NT Service under LocalSy



Thank you, Jeffrey.

Paul

"Jeffrey Tan[MSFT]" wrote:

Hi Paul,

Glad to see you got your problem resolved.

Yes, the MSDN documentation for AdjustTokenPrivileges states that:
"If the PreviousState parameter is not NULL, the handle must also have
TOKEN_QUERY access"

So if you do not need the previous privileges list of the token, you may
just pass NULL for the PreviousState parameter. Then, there is no need to
ask for TOKEN_QUERY permission in the code.

OK, to get back to your question. If you do not have any control over the
target process running account, enabling SE_DEBUG_NAME is essential. Without
SE_DEBUG_NAME, even if your service runs under the Administrator or LocalSystem
account, you are not guaranteed success. The DACL on the target
process object is free to remove the allow ACE for Administrators and
LocalSystem.

Since a lot of system administrators' tools need to OpenProcess any
process object, Windows created the SE_DEBUG_NAME privilege as a back door for
the Administrators. This cool privilege just bypasses the security checks
on the process object. So SE_DEBUG_NAME is essential for system
administration tools. (The Administrators group has this privilege by default.)

Please note that there is no such security back door for the OpenProcessToken
API, so code that runs under an Administrators account may even fail while
calling OpenProcessToken. I once wrote a security tool to query all the
token information for all the processes in the system, and I find that
OpenProcessToken will fail for some services. (These service tokens do not
grant access to Administrators.) Some kernel developers argue and believe
that we should add a similar SE_DEBUG_NAME privilege for the OpenProcessToken
API.

Hope this helps.

Best regards,
Jeffrey Tan
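
The token access point made in the reply above, as an added example that is not code from this thread: the helper `token_access_needed` and the function `enable_debug_privilege` are hypothetical names, and the Windows calls are compiled only under `_WIN32` so the mask logic also builds elsewhere.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else  /* winnt.h values, repeated so the mask logic compiles off Windows */
#define TOKEN_QUERY             0x0008
#define TOKEN_ADJUST_PRIVILEGES 0x0020
#endif

/* Token access AdjustTokenPrivileges needs; TOKEN_QUERY only with PreviousState. */
unsigned long token_access_needed(int want_previous_state)
{
    unsigned long access = TOKEN_ADJUST_PRIVILEGES;
    if (want_previous_state)
        access |= TOKEN_QUERY;
    return access;
}

/* Returns 0 if SeDebugPrivilege was enabled, else a Win32 error (-1 off Windows). */
long enable_debug_privilege(void)
{
#ifdef _WIN32
    HANDLE token;
    TOKEN_PRIVILEGES tp;
    DWORD err;
    if (!OpenProcessToken(GetCurrentProcess(), token_access_needed(0), &token))
        return (long)GetLastError();
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
        err = GetLastError();
        CloseHandle(token);
        return (long)err;
    }
    /* PreviousState is NULL, so the handle was opened without TOKEN_QUERY. */
    AdjustTokenPrivileges(token, FALSE, &tp, 0, NULL, NULL);
    /* The call can succeed without granting anything: a privilege the token
       does not hold is reported as ERROR_NOT_ALL_ASSIGNED by GetLastError. */
    err = GetLastError();
    CloseHandle(token);
    return (long)err;
#else
    return -1;
#endif
}

int main(void)
{
    printf("enable_debug_privilege -> %ld\n", enable_debug_privilege());
    return 0;
}
```

A nonzero return from `enable_debug_privilege` on Windows is the value to log before attempting OpenProcess, since it distinguishes a token that lacks the privilege from a handle opened with too little access.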