GetTokenInformation API

From: Mike Berger (junk@junk.com)
Date: 06/24/02


From: "Mike Berger" <junk@junk.com>
Date: Mon, 24 Jun 2002 13:01:13 -0500


I am using the GetTokenInformation API with the TokenPrivileges flag for the
TokenInformationClass. I'm not sure how to interpret the results I am
getting. The API returns a structure whose first member is the Privileges
Count. Following the Privileges Count is a variable length
LUID_AND_ATTRIBUTES structure. (The length of this structure is dependent on
the Privileges Count member).

As I use my app running under administrator, I get a Count of 19. I go
through each LUID_AND_ATTRIBUTES structure, and do a LookupPrivilegeName
using the LUID portion of the LUID_AND_ATTRIBUTES structure. All this seems
to work fine.

As I go through the ATTRIBUTES portion of the LUID_AND_ATTRIBUTES structure,
MSDN says this value will be SE_PRIVILEGE_ENABLED (0x00000002L),
SE_PRIVILEGE_ENABLED_BY_DEFAULT (0x00000001L), or
SE_PRIVILEGE_USED_FOR_ACCESS (0x80000000L). For a great majority of the
Privileges returned by the TokenPrivileges API, the ATTRIBUTES portion of
the LUID_AND_ATTRIBUTES is 0. I assume that means the privilege is disabled
(???).

My confusion is, first of all, is my assumption that these privileges are
disabled correct?
If so, why are they even reported via the TokenPrivileges API?

Does the TokenPrivileges API list all the *possible* privileges that a
particular user's token may have, including the privileges that do not
happen to be enabled at the time of the API call?
If that is true, then an app could not AdjustTokenPrivileges to enable a
privilege that does not appear in the original list returned by the
TokenPrivileges API ???

Thanks for any insight,

Mike
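
An added example, not part of the original post: the enumeration described above, with the Attributes field decoded as a bitmask. A value of 0 means the privilege is present in the token but currently disabled, and AdjustTokenPrivileges can only enable or disable privileges already present in the token. The names `privilege_state`, `ATTR_ENABLED` and `ATTR_ENABLED_BY_DEFAULT` are chosen for this example.

```c
#include <string.h>
/* Attribute bits quoted in the post (values from winnt.h). */
#define ATTR_ENABLED_BY_DEFAULT 0x00000001UL
#define ATTR_ENABLED            0x00000002UL

/* Attributes is a bitmask. 0 = privilege is in the token but disabled. */
const char *privilege_state(unsigned long attrs)
{
    if (attrs & ATTR_ENABLED)
        return (attrs & ATTR_ENABLED_BY_DEFAULT) ? "enabled (by default)" : "enabled";
    if (attrs & ATTR_ENABLED_BY_DEFAULT)
        return "disabled (enabled by default)";
    return "disabled";
}

#ifdef _WIN32   /* the live token query only builds on Windows */
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
int main(void)
{
    HANDLE tok;
    DWORD len = 0, i;
    TOKEN_PRIVILEGES *tp;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok))
        return 1;
    /* First call fails with ERROR_INSUFFICIENT_BUFFER and reports the size. */
    GetTokenInformation(tok, TokenPrivileges, NULL, 0, &len);
    tp = (TOKEN_PRIVILEGES *)malloc(len);
    if (!tp || !GetTokenInformation(tok, TokenPrivileges, tp, len, &len)) {
        free(tp);
        CloseHandle(tok);
        return 1;
    }
    for (i = 0; i < tp->PrivilegeCount; i++) {
        char name[256];
        DWORD n = sizeof name;   /* in: buffer size, out: name length */
        if (!LookupPrivilegeNameA(NULL, &tp->Privileges[i].Luid, name, &n))
            strcpy(name, "(unknown)");
        printf("%-32s 0x%08lx  %s\n", name,
               (unsigned long)tp->Privileges[i].Attributes,
               privilege_state(tp->Privileges[i].Attributes));
    }
    free(tp);
    CloseHandle(tok);
    return 0;
}
#endif
```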


