I'm running a process as a user in the Administrators group, trying to get a process token for another process. The other process is run by a user not in the Administrators group. Here's the gist of the code I'm using. pid in this code represents the process id of the non-admin process. All of this is on Windows XP SP 2 and all on the same machine. No remote access going on here.

#include <windows.h>

HANDLE handle;
HANDLE token = NULL;

/* pid is the process id of the non-admin process */
handle = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
if (handle == NULL)
    return GetLastError();   /* OpenProcess itself succeeds */

/* fails with ERROR_ACCESS_DENIED whatever DesiredAccess is requested */
if (!OpenProcessToken(handle, TOKEN_DUPLICATE, &token))
    return GetLastError();

Reference for OpenProcess here: http://msdn.microsoft.com/en-us/library/ms684320%28VS.85%29.aspx

Reference for OpenProcessToken here: http://msdn.microsoft.com/en-us/library/aa379295%28VS.85%29.aspx

OpenProcess succeeds, but no matter what I pass for the DesiredAccess argument to OpenProcessToken, it fails and GetLastError() returns ERROR_ACCESS_DENIED. I added some code to understand the privileges of the process running this code and to enable as many as possible, as well as to gather information about the process I'm trying to get a token for. That involved requesting more access (READ_CONTROL | ACCESS_SYSTEM_SECURITY in addition to PROCESS_QUERY_INFORMATION) from OpenProcess and calling GetKernelObjectSecurity(handle). Here's what I've got:

current user: PLEASE_T\dbyron (S-1-5-21-3405506234-1792454352-3826119157-1005)
current process: group 0: flags: 0x00000007 sid: S-1-5-21-3405506234-1792454352-3826119157-513 (PLEASE_T\None)
current process: group 1: flags: 0x00000007 sid: S-1-1-0 (\Everyone)
current process: group 2: flags: 0x0000000F sid: S-1-5-32-544 (BUILTIN\Administrators)
current process: group 3: flags: 0x00000007 sid: S-1-5-32-545 (BUILTIN\Users)
current process: group 4: flags: 0x00000007 sid: S-1-5-4 (NT AUTHORITY\INTERACTIVE)
current process: group 5: flags: 0x00000007 sid: S-1-5-11 (NT AUTHORITY\Authenticated Users)
current process: group 6: flags: 0xC0000007 sid: S-1-5-5-0-91553 (no account mapping)
current process: group 7: flags: 0x00000007 sid: S-1-2-0 (\LOCAL)
SeDebugPrivilege privilege enabled
SeTakeOwnershipPrivilege privilege enabled
SeSecurityPrivilege privilege enabled
SeChangeNotifyPrivilege privilege enabled
SeBackupPrivilege privilege enabled
SeRestorePrivilege privilege enabled
SeSystemtimePrivilege privilege enabled
SeShutdownPrivilege privilege enabled
SeRemoteShutdownPrivilege privilege enabled
SeDebugPrivilege privilege enabled
SeSystemEnvironmentPrivilege privilege enabled
SeSystemProfilePrivilege privilege enabled
SeProfileSingleProcessPrivilege privilege enabled
SeIncreaseBasePriorityPrivilege privilege enabled
SeLoadDriverPrivilege privilege enabled
SeCreatePagefilePrivilege privilege enabled
SeIncreaseQuotaPrivilege privilege enabled
SeUndockPrivilege privilege enabled
SeManageVolumePrivilege privilege enabled
SeImpersonatePrivilege privilege enabled
SeCreateGlobalPrivilege privilege enabled

I've tried to get every privilege possible, and I think the group information above shows that the process calling OpenProcessToken is a member of the Administrators group.

Here's the information from GetKernelObjectSecurity:

control(SE_DACL_PRESENT | SE_SELF_RELATIVE, 0x00008004)
owner sid: S-1-5-21-3405506234-1792454352-3826119157-2807 (PLEASE_T\dummyusr)
group sid: S-1-5-21-3405506234-1792454352-3826119157-513 (PLEASE_T\None)
grant: mask(PROCESS_ALL_ACCESS, 0x001F0FFF), flags(0x00000000): S-1-5-21-3405506234-1792454352-3826119157-2807 (PLEASE_T\dummyusr)
grant: mask(PROCESS_ALL_ACCESS, 0x001F0FFF), flags(0x00000000): S-1-5-32-544 (BUILTIN\Administrators)
grant: mask(PROCESS_ALL_ACCESS, 0x001F0FFF), flags(0x00000000): S-1-5-18 (NT AUTHORITY\SYSTEM)

So it appears that the dummyusr (non-admin) process allows access to the Administrators group. It's possible I'm misinterpreting the So why does OpenProcessToken fail with ERROR_ACCESS_DENIED? I've tried changing TOKEN_DUPLICATE to TOKEN_QUERY but that doesn't change the result.

Am I missing a privilege? What else would deny me access to an access token for this process? I've tried this on a machine with no anti-virus software and still I get the same result.

I also tried this running in system context. The info about the current process in that case is:

current user: NT AUTHORITY\SYSTEM (S-1-5-18)
current process: group 0: flags: 0x0000000E sid: S-1-5-32-544 (BUILTIN\Administrators)
current process: group 1: flags: 0x00000007 sid: S-1-1-0 (\Everyone)
current process: group 2: flags: 0x00000007 sid: S-1-5-11 (NT AUTHORITY\Authenticated Users)

Note that the flags are slightly different for the BUILTIN\Administrators group. The administrator process had 0xF and the system process had 0xE. From http://msdn.microsoft.com/en-us/library/aa379624%28VS.85%29.aspx, the 0x1 bit means SE_GROUP_MANDATORY which doesn't seem relevant here.

By default the system context process also had some additional privileges:

SeAuditPrivilege
SeCreatePermanentPrivilege
SeLockMemoryPrivilege
SeTcbPrivilege

But I disabled them all and OpenProcessToken still succeeded in the system context process.

Thanks for your help.
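One thing the dumps above cannot show is that OpenProcess and OpenProcessToken are checked against two different security descriptors: the process DACL that was dumped, and the token object's own DACL, which the question never dumps. The following is an added illustration, not code from the question or from Windows: a small C model of the DACL walk, fed with the caller SIDs and process DACL copied from the dump plus a hypothetical token DACL (owning user and SYSTEM only) that reproduces the observed admin-denied, SYSTEM-allowed result.

```c
#include <string.h>
/* Access-right and attribute values as defined in winnt.h. */
#define PROCESS_QUERY_INFORMATION 0x0400u
#define PROCESS_ALL_ACCESS        0x001F0FFFu
#define TOKEN_DUPLICATE           0x0002u
#define TOKEN_QUERY               0x0008u
#define TOKEN_ALL_ACCESS          0x000F01FFu
#define SE_GROUP_ENABLED          0x0004u   /* the 0x4 bit in the dumped group flags */

typedef struct { const char *sid; unsigned flags; } Group;
typedef struct { int deny; const char *sid; unsigned mask; } Ace;

/* Simplified model of the NT DACL walk: ACEs are visited in order; an allow ACE for a
   SID the caller holds (its user SID or an enabled group) adds its mask, a deny ACE for
   a held SID covering a still-wanted right rejects the call. Owner rights, generic-right
   mapping and privileges are left out of the model. */
static int access_check(const char *user, const Group *groups, size_t ngroups,
                        const Ace *dacl, size_t nace, unsigned desired)
{
    unsigned granted = 0;
    for (size_t i = 0; i < nace; i++) {
        int held = strcmp(dacl[i].sid, user) == 0;
        for (size_t g = 0; g < ngroups && !held; g++)
            held = (groups[g].flags & SE_GROUP_ENABLED) && strcmp(groups[g].sid, dacl[i].sid) == 0;
        if (!held) continue;
        if (dacl[i].deny) { if (dacl[i].mask & desired & ~granted) return 0; }
        else granted |= dacl[i].mask;
        if ((granted & desired) == desired) return 1;
    }
    return 0;
}

#define N(a) (sizeof(a) / sizeof((a)[0]))
/* Caller identity and process DACL copied from the question's dumps. */
static const char *ADMIN_USER = "S-1-5-21-3405506234-1792454352-3826119157-1005";
static const Group ADMIN_GROUPS[] = { { "S-1-5-32-544", 0x0F } };  /* BUILTIN\Administrators */
static const Ace PROCESS_DACL[] = {
    { 0, "S-1-5-21-3405506234-1792454352-3826119157-2807", PROCESS_ALL_ACCESS }, /* dummyusr */
    { 0, "S-1-5-32-544", PROCESS_ALL_ACCESS },                                    /* Administrators */
    { 0, "S-1-5-18",     PROCESS_ALL_ACCESS },                                    /* SYSTEM */
};
/* HYPOTHETICAL token DACL (never dumped in the question): owning user and SYSTEM only. */
static const Ace TOKEN_DACL[] = {
    { 0, "S-1-5-21-3405506234-1792454352-3826119157-2807", TOKEN_ALL_ACCESS },
    { 0, "S-1-5-18", TOKEN_ALL_ACCESS },
};

/* OpenProcess is checked against the process DACL; OpenProcessToken against the token's own. */
int admin_can_open_process(void) {
    return access_check(ADMIN_USER, ADMIN_GROUPS, N(ADMIN_GROUPS),
                        PROCESS_DACL, N(PROCESS_DACL), PROCESS_QUERY_INFORMATION);
}
int caller_can_open_token(const char *user, const Group *groups, size_t n, unsigned desired) {
    return access_check(user, groups, n, TOKEN_DACL, N(TOKEN_DACL), desired);
}
```

Since the SYSTEM run is known to succeed, it is also the easiest place to dump the real token DACL with GetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, ...) and compare it with the assumed one.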

+1  A: 

Instead of going into details head first, have you gone down the route of elimination? Run the process as LOCAL_SYSTEM and see if that does the trick. After all, if God can't do it, then no one can :P.

Hassan Syed
Good idea. I tried it and of course it worked as the system account. Unfortunately no light bulbs went on about why the admin account doesn't work.
dbyron
Another sticking point in these matters is how you are connected to the target computer. Remote Desktop Connections do not have "console access" by default. If you are indeed developing remotely, I would recommend the /console or /admin switch (depending on the version of Windows), which you can provide to the RDP client via the connection string.
Hassan Syed
This is all on one machine. No remote access going on here.
dbyron