Adjust tokens on non-privileged accounts (C, Windows)

Question

I'm using the following code (which is a sample from the MSDN slightly modified) to check whether i have debug privileges on a process. If I don't I try to set them.

int SetDebugPriv()
{
    HANDLE TokenHandle;
    LUID lpLuid;
    TOKEN_PRIVILEGES NewState;

    if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &TokenHandle))
    {
     //failed
     return 0;
    }

    if(!LookupPrivilegeValue(NULL, "SeDebugPrivilege" , &lpLuid))
    {
     //failed
     CloseHandle(TokenHandle);
     return 0;
    }

    NewState.PrivilegeCount = 1;
    NewState.Privileges[0].Luid = lpLuid;
    NewState.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if(!AdjustTokenPrivileges(TokenHandle, FALSE, &NewState, sizeof(NewState), NULL, NULL))
    {
     //failed
     CloseHandle(TokenHandle);
     return 0;
    }

    CloseHandle(TokenHandle);
    return 1;
}

Now, under certain account on Windows XP and 2003 I am getting an access denied error when trying to set the token. My guess is that I cannot set that specific token because I have no permission to do that. How would I set the debug token on non admin accounts or account that have low privileges?

code is appreciated.

thanks

Answer 1

You can't. If you could, it'd be a massive security hole (SeDebugPrivilege has more mojo than Administrator).

AdjustTokenPrivileges turns on a privilege that the token has, but that isn't enabled. For example, SeShutdownPrivilege is one of these.

You have to add the privilege to the user account, and then the user has to log out and back in again (to get a new token with the privilege).

To add the privileges to the user account programmatically, start with this: http://support.microsoft.com/kb/132958