Re: SeIncreaseQuotaPrivilege

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 04/29/04 

Date: Wed, 28 Apr 2004 21:08:54 -0700

I do not believe that this right has anything to do with your issue.
This right in itself does nothing, changes nothing, except the ability
of the account to exercise this right. So, your questions about whether
anything should have changed - no; and about whether the code needs
to do something to use this right - yes. However, increasing the process
scheduling priority is not going to cure your situation, and may starve
other more important processes of CPU cycles.
You are likely running out of tables entries in one or more of the system
allocation tables. What you should do is redesign what you are doing,
as spawing separate processes to run cscript sounds, well, rather wierd.
Cscript is not able to do anything you are unable to do in managed code
in your provider. 

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Anthony LaMark" <anthony@eXcSoftware.com> wrote in message
news:%23x4TTUYLEHA.3944@tk2msftngp13.phx.gbl...
> Hi All,
>
> I have written a WMI Event Provider (dll) which calls CreateProcess.  The
> WMI Event Provider (which is hosted by wmiprvse.exe) will call
CreateProcess
> numerous times (I would say a high volume of times...ideally in the
> hundreds).  The process it calls is CScript.exe.  Currently, when
> CreateProcess gets called around 22 times (I know, strange and
> unfortunately, a very low number), I begin to get errors on the call to
> CreateProcess where GetLastError=0x718 (base 16, hex), 1816 (base 10,
dec),
> ERROR_NOT_ENOUGH_QUOTA, "Not enough quota is available to process this
> command.".  I noticed there is a user right SeIncreaseQuotaPrivilege.
Here
> is the description from the Resouce Kit docs:
>
> Increase quotas (SeIncreaseQuotaPrivilege)
>  Allows a process that has Write Property access to another process to
> increase the processor quota that is assigned to the other process. This
> privilege is useful for system tuning, but it can be abused, as in a
> denial-of-service attack.
> By default, this privilege is assigned to Administrators.
>
> The wmiprvse.exe process is being hosted/launched by svchost.exe.  Both
are
> running as "NT AUTHORITY\SYSTEM".  So I went into Administrative
> Tools->Local Security Policy->Local Policies->User Rights
Assignment->Adjust
> Memory quotas and added the SYSTEM account (BTW, the existing accounts
> already with that right were: Administrator, IWAM_X, LOCAL_SERVICE,
> NETWORK_SERVICE).  Rebooted (just in case since I don't know if I need to)
> and re-ran my test.  Same results.
>
> Other points of interest in this problem
> I am creating these "children" processes and assigning them to a job
object.
> Under wmiprvse.exe (courtsey of the WMI Event Provider dll) there are
> multiple job objects so the processes are spread out across multiple jobs
> (there is business logic which determines what job object is goes in but
> that is irrelevant to the problem (I think), especially since the error
> occurs on CreateProcess and not one of the job related APIs, specifically
> AssignProcessToJobObject).
>
>
> What I don't understand and am looking for an answers on:
>
> [Questions]
> 1.  Even if you assign the right SeIncreaseQuotaPrivilegs to the account
> which is running svchost.exe and wmiprvse.exe, doesn't the program logic
> need to issue some Win32 API (???) to request to "increase the quota"?
> 2.  If Question 1 above is true, does svchost.exe and/or wmiprvse
implement
> the logic to issue the Win32 API?
> 3.  If Question 1 above is true and Question 2 above is true then:
>     a. the procedure I did (described above) is faulty and
>     b. then, what is the right procedure? (registry, COM+ config., etc.)
>
> 4.  If Question 1 above is false, does the logic of CreateProcess check to
> see if you have this user right and if so, tries to bump up the quota?
> 5.  If Question 4 above is true then:
>     a. the procedure I did (described above) is faulty and
>     b. then, what is the right procedure?
>
> Thank you for the help in advance,
> Tony
>
>
>
>
>

Relevant Pages

  • Re: Why does explorer assign a job object to some processes and no
    ... assigning these children to a Job Object. ... process from Explorer it is assigned one already hence we cannot assign ... Thats the background to the question, why is it assigning a job object ... process to one of these jobs you need to define a manifest for the ...
    (microsoft.public.win32.programmer.kernel)
  • Re: Why does explorer assign a job object to some processes and no
    ... assigning these children to a Job Object. ... process from Explorer it is assigned one already hence we cannot assign ... Thats the background to the question, why is it assigning a job object ... process to one of these jobs you need to define a manifest for the ...
    (microsoft.public.win32.programmer.kernel)
  • Re: Why does explorer assign a job object to some processes and not ot
    ... Explorer it is assigned one already hence we cannot assign another Job ... it does not have a Job Object. ... Thats the background to the question, why is it assigning a job object when ... I execute the app from a folder, but when executed from the command line it ...
    (microsoft.public.win32.programmer.kernel)