Re: Process access across logon session.

From: Guogang (nospam_at_no_such_domain.com)
Date: 05/19/03 

Date: Mon, 19 May 2003 11:07:14 -0700

I can't find anything about LKD, is it available for Windows XP
Professional?

I'll try to refine my question:
How can I assign "SYNCHRONIZE" access of a process running in USER1 account
to everyone logged in as any account?

Thanks,
Guogang

"Ivan Brugiolo [MSFT]" <ivanbrug@online.microsoft.com> wrote in message
news:Oroom3BHDHA.2852@tk2msftngp13.phx.gbl...
> TaskManager uses WTSEnumerateProcesses in order to have the list of
> processes
> generated by the Terminal Server Service that is running as LocalSystem.
>
> You can dump the dacl of a process object in the following way (using
local
> KD),
> otherwise you will have to get the Security Descriptor from
> the Process Kernel Object and dump it programmatically.
>
> This is for OutLook Express. Basically a process can be accessed by
> localsystem and local administrators,
> plus the primary group of the owner, by default.
> If you own the process, you can add more security principals to the DACL
of
> the SecurityDescriptor
> of the process kernel object
>
> lkd> !process 81766230 0
> PROCESS 81766230 SessionId: 0 Cid: 0760 Peb: 7ffdf000 ParentCid:
03dc
> DirBase: 182f7000 ObjectTable: e2e6b648 HandleCount: 393.
> Image: msimn.exe
>
> lkd> ?poi(81766230-4)&FFFFFFF8
> Evaluate expression: -508985248 = e1a98060
> lkd> !dumpsd e1a98060 -n
> Revision 1
> Sbz1 0
> Control 0x8004
> SE_DACL_PRESENT
> SE_SELF_RELATIVE
> Owner: S-1-5-32-544 (Alias: BUILTIN\Administrators)
> Group: S-1-5-21-XXXXX-YYYYY-ZZZZZZZ-513 (Group: YourDomain\Domain Users)
> DACL:
> AclRevision 2
> Sbz1 0
> AclSize 52
> AceCount 2
> Sbz2 0
> Ace[0]
> AceType 0: ACCESS_ALLOWED_ACE_TYPE
> AceFlags 0
> AceSize 24
> AccessMask 0x1f0fff
> S-1-5-32-544 (Alias: BUILTIN\Administrators)
> Ace[1]
> AceType 0: ACCESS_ALLOWED_ACE_TYPE
> AceFlags 0
> AceSize 20
> AccessMask 0x1f0fff
> S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)
> SACL:
> (null)
>
> --
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> Use of any included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
>
> "Guogang" <nospam@no_such_domain.com> wrote in message
> news:OOHTgkBHDHA.3604@tk2msftngp13.phx.gbl...
> > Hi,
> >
> > I login as User1, and there is a Windows Service running as User2 in
> > background (not system). I send an program's processID to the Windows
> > Service, and use the following command to open it:
> >
> > ::OpenProcess(SYNCHRONIZE, FALSE, processID);
> >
> > I have "Access Denied error" here.
> >
> > I also tried to use: ::EnumProcesses as User2, but I can't see processes
> of
> > User1 in the output. This means basically User2 can't see any processes
of
> > User1. BUT, "Windows Task Manager" running in User2's account can list
all
> > the processes running as User1.
> >
> > My question:
> > 1. What permission should User2 has in order to access User1's process?
> > 2. Why "Windows Task Manager" can see some processes, that my C++
program
> > can't see?
> >
> > Thanks,
> > Guogang
> >
> >
>
>

Relevant Pages

  • Re: Process access across logon session.
    ... > the Process Kernel Object and dump it programmatically. ... > localsystem and local administrators, ... > If you own the process, you can add more security principals to the DACL ...
    (microsoft.public.security)
  • Re: Customizable security in NTFS? Needs to be extensible & dynamic
    ... immediate access to the folder for the user. ... implementation is used when computing effective access rights. ... user a member of a group results in the user becoming "security ... ACEs to a DACL on NTFS] can be assigned dynamically in the file system on ...
    (microsoft.public.development.device.drivers)
  • RE: Insecure Default Service DACLs in Windows 2003
    ... Unless my understanding of SDDL is way off, ... Perhaps you are confusing the SACL with the DACL? ... Program Manager, Microsoft Solutions for Security ... Security on Microsoft Windows 2000 and Windows Server 2003, MCSA, ...
    (Bugtraq)
  • Secruity on remote folders
    ... This said, we need to access the security ... Create a new Win32_Trustee ManagementObject from ManagementClass. ... Make sure you're using the scope which points to the remote machine. ... Convert the current Dacl to an array list and add your ...
    (microsoft.public.dotnet.languages.csharp)