Re: Process access across logon session.

From: Ivan Brugiolo [MSFT] (ivanbrug_at_online.microsoft.com)
Date: 05/19/03


Date: Mon, 19 May 2003 11:17:04 -0700


Local KD is available from WinXP.

You need to get the SD for your process object
GetKernelObjectSecurity(hProcess)
then you need to add an ACE to the DACL
for the "Authenticated Users" group with the access mask of
#define SYNCHRONIZE (0x00100000L).
GetSecurityDescriptorDacl and companion APIs will help you on this way.
I think that "Authenticated Users" will fit your needs,
but you may want to look for the "interactive users" group as well.

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Guogang" <nospam@no_such_domain.com> wrote in message
news:eX2fnEjHDHA.1608@TK2MSFTNGP11.phx.gbl...
> I can't find anything about LKD, is it available for Windows XP
> Professional?
>
> I'll try to refine my question:
> How can I assign "SYNCHRONIZE" access of a process running in USER1 account
> to everyone logged in as any account?
>
> Thanks,
> Guogang
>
> "Ivan Brugiolo [MSFT]" <ivanbrug@online.microsoft.com> wrote in message
> news:Oroom3BHDHA.2852@tk2msftngp13.phx.gbl...
> > TaskManager uses WTSEnumerateProcesses in order to have the list of processes
> > generated by the Terminal Server Service that is running as LocalSystem.
> >
> > You can dump the dacl of a process object in the following way (using local KD),
> > otherwise you will have to get the Security Descriptor from
> > the Process Kernel Object and dump it programmatically.
> >
> > This is for Outlook Express. Basically a process can be accessed by
> > localsystem and local administrators,
> > plus the primary group of the owner, by default.
> > If you own the process, you can add more security principals to the DACL of
> > the SecurityDescriptor
> > of the process kernel object
> >
> > lkd> !process  81766230 0
> > PROCESS 81766230  SessionId: 0  Cid: 0760    Peb: 7ffdf000  ParentCid: 03dc
> >     DirBase: 182f7000  ObjectTable: e2e6b648  HandleCount: 393.
> >     Image: msimn.exe
> >
> > lkd> ?poi(81766230-4)&FFFFFFF8
> > Evaluate expression: -508985248 = e1a98060
> > lkd> !dumpsd e1a98060 -n
> > Revision 1
> > Sbz1 0
> > Control 0x8004
> >     SE_DACL_PRESENT
> >     SE_SELF_RELATIVE
> > Owner: S-1-5-32-544 (Alias: BUILTIN\Administrators)
> > Group: S-1-5-21-XXXXX-YYYYY-ZZZZZZZ-513 (Group: YourDomain\Domain Users)
> > DACL:
> >     AclRevision 2
> >     Sbz1 0
> >     AclSize 52
> >     AceCount 2
> >     Sbz2 0
> >     Ace[0]
> >         AceType 0: ACCESS_ALLOWED_ACE_TYPE
> >         AceFlags 0
> >         AceSize 24
> >         AccessMask 0x1f0fff
> >         S-1-5-32-544 (Alias: BUILTIN\Administrators)
> >     Ace[1]
> >         AceType 0: ACCESS_ALLOWED_ACE_TYPE
> >         AceFlags 0
> >         AceSize 20
> >         AccessMask 0x1f0fff
> >         S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)
> > SACL:
> >     (null)
> >
> > -- 
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > Use of any included script samples are subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm
> >
> >
> > "Guogang" <nospam@no_such_domain.com> wrote in message
> > news:OOHTgkBHDHA.3604@tk2msftngp13.phx.gbl...
> > > Hi,
> > >
> > > I log in as User1, and there is a Windows Service running as User2 in
> > > background (not system). I send a program's processID to the Windows
> > > Service, and use the following command to open it:
> > >
> > > ::OpenProcess(SYNCHRONIZE, FALSE, processID);
> > >
> > > I have "Access Denied error" here.
> > >
> > > I also tried to use: ::EnumProcesses as User2, but I can't see processes of
> > > User1 in the output. This means basically User2 can't see any processes of
> > > User1. BUT, "Windows Task Manager" running in User2's account can list all
> > > the processes running as User1.
> > >
> > > My question:
> > > 1. What permission should User2 have in order to access User1's process?
> > > 2. Why can "Windows Task Manager" see some processes that my C++ program
> > > can't see?
> > >
> > > Thanks,
> > > Guogang
> > >
> > >
> >
> >
>
>
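
Added example, not part of the original thread: a portable C model of the DACL dumped above, showing why OpenProcess(SYNCHRONIZE, ...) from the User2 service is denied and what appending the suggested "Authenticated Users" ACE changes, including the AclSize that !dumpsd would then report. The access check is a simplified allow-only model, and the User2 token contents are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SYNCHRONIZE_RIGHT 0x00100000u   /* SYNCHRONIZE, value from the post */
typedef struct { const char *sid; uint32_t mask; } Ace;   /* allow ACEs only */

/* ACCESS_ALLOWED_ACE bytes: 4 header + 4 mask + SID (8 + 4 per sub-authority). */
static unsigned ace_size(const Ace *a) {
    unsigned dashes = 0;
    for (const char *p = a->sid; *p; p++) dashes += (*p == '-');
    return 8 + 8 + 4 * (dashes - 2);
}
/* AclSize as !dumpsd reports it: 8-byte ACL header plus every ACE. */
static unsigned acl_size(const Ace *dacl, int n) {
    unsigned size = 8;
    for (int i = 0; i < n; i++) size += ace_size(&dacl[i]);
    return size;
}
/* Simplified access check: OR the masks of allow ACEs whose SID is in the token,
   then require every desired bit. Deny ACEs and privileges are not modelled. */
static int access_allowed(const Ace *dacl, int n, const char *const *token, uint32_t desired) {
    uint32_t granted = 0;
    for (int i = 0; i < n; i++)
        for (const char *const *t = token; *t; t++)
            if (strcmp(dacl[i].sid, *t) == 0) granted |= dacl[i].mask;
    return (granted & desired) == desired;
}
/* DACL exactly as dumped in the thread. */
static const Ace before[] = {
    { "S-1-5-32-544", 0x1f0fff },            /* BUILTIN Administrators */
    { "S-1-5-18",     0x1f0fff },            /* NT AUTHORITY SYSTEM */
};
/* Same DACL with the suggested ACE appended. */
static const Ace after[] = {
    { "S-1-5-32-544", 0x1f0fff },
    { "S-1-5-18",     0x1f0fff },
    { "S-1-5-11",     SYNCHRONIZE_RIGHT },   /* Authenticated Users */
};
/* Constructed token for the User2 service (assumption): placeholder user SID,
   Everyone, SERVICE, Authenticated Users; not an administrator. */
static const char *const user2_token[] = {
    "S-1-5-21-XXXXX-YYYYY-ZZZZZZZ-1002", "S-1-1-0", "S-1-5-6", "S-1-5-11", NULL };

int main(void) {
    printf("AclSize %u -> %u, SYNCHRONIZE %d -> %d\n", acl_size(before, 2), acl_size(after, 3),
           access_allowed(before, 2, user2_token, SYNCHRONIZE_RIGHT),
           access_allowed(after, 3, user2_token, SYNCHRONIZE_RIGHT));
    return 0;
}
```

The appended ACE carries only SYNCHRONIZE, so in this model a request from the same token for any other process right is still denied.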

