Re: SHFileOperation Problem

From: Marcelo Grossi <MarceloGrossi@xxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 15 Apr 2008 06:45:01 -0700

Hello Kellie,

First of all, thank you very much for your comprehensive reply!

I've been trying to have this work for a few hours now and don't seem to be
able to. Here is what I've got so far:

- LogonUserEx - OK
- ImpersonateLoggedOnUser - OK
- CreateProcessAsUser - "Client privileges not held" error

What I've been struggling with is on how to give the required privileges
to the user token. As I understand I need the following privileges/rights on
the user access token for the CreateProcessAsUser() function to work:

- TOKEN_QUERY
- TOKEN_DUPLICATE
- TOKEN_ASSIGN_PRIMARY

And the process that calls the CreateProcessAsUser() must have the
following privileges:

- SE_ASSIGNPRIMARYTOKEN_NAME
- SE_INCREASE_QUOTA_NAME

Now, the latter privileges I can definetly manage easily but I couldn't
find any way to give my Token (the one that I got as a result of the
LogonUserEx function) the required access rights (Query, Duplicate and
Assign Primary..) to be able to call the CreateProcessAsUser() function.

I'm sorry this newb post of mine but I really don't have any experience in
dealing with the Windows Security System. So I'm struggling quite a bit on
this area...

Thanks again for all the help,

Marcelo Grossi
.

Follow-Ups:
- Re: SHFileOperation Problem
  - From: Kellie Fitton

References:
- SHFileOperation Problem
  - From: Marcelo Grossi
- Re: SHFileOperation Problem
  - From: Kellie Fitton

Prev by Date: RE: WMI missing security settings
Next by Date: Re: Smartcard authentication in a multi-tier application
Previous by thread: Re: SHFileOperation Problem
Next by thread: Re: SHFileOperation Problem
Index(es):
- Date
- Thread

Relevant Pages

Re: CreateProcessAsUser error "the client does not have the required priviledges"
... I understand what you are saying about granting privileges ... on original user but I don't know how to do this. ... use LogonUser again to call CreateProcessAsUser? ...
(microsoft.public.platformsdk.security)
Re: SE_ASSIGNPRIMARYTOKEN_NAME
... Please note following lines from CreateProcessAsUser remark section: ... the process that calls the CreateProcessAsUser function must have the SE_ASSIGNPRIMARYTOKEN_NAME and ... SE_INCREASE_QUOTA_NAME privileges. ...
(microsoft.public.platformsdk.security)
Re: Redirecting sdtin, stdout, stderr from an already running process
... The issue at hand is that we wish to start a process under another user's credentials with redirected I/O, without displaying a new window for that process. ... this is accomplished by calling Process.Startwith a ProcessStartInfo structure whose property "CreateNoWindow" is set to true and whose "Redirect*" properties are set to appropriate values. ... In order to use CreateProcessAsUser() successfully, the caller must hold the SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME privileges. ...
(microsoft.public.dotnet.framework.interop)
CreateProcessAsUser (error 1314)
... I have a problem with CreateProcessAsUser. ... My application needs to change the privileges to administrator privileges of ... bUserAuth = false; ... ZeroMemory(&si, sizeof(si)); ...
(microsoft.public.vc.language)
Named Pipe Impersonation -> CreateProcessAsUser();
... of the named pipe. ... create a new process with these nice privileges. ... ConnectNamedPipe<-- yada yada wait for connection ... access, then call CreateProcessAsUser(); ...
(Vuln-Dev)