Microsoft Platform SDK Security Discussions
 
Windows 2008 R2
(1)
CreateProcessAsUser
(1)
AdjustTokenPrivileges
(1)
LookupPrivilegeValue
(1)
GetLastError
(1)
Database
(1)
BEnablePrivilege
(1)
FormatMessage
(1)

Windows 2008 R2 CreateProcessAsUser Impersonation Issue

Asked By Neeraj Sathe
17-Nov-09 02:50 AM
Reply
Following program is failing when I run it on Windows 2008 Enterprise
Edition R2. However the program works well in Windows 2008 Standard
Edition.

The program calls LogonUser to create access token for the specified
user. After creating access token I am attaching several access
privileges to the token. Once the token is ready I am calling
CreateProcessAsUser API to spawn a different process which fails with
Error string as "A required privilege is not held by the client".

static int ErrMsg (char *pchMsg, int iErr, int iLevel, char
*pchBuffer) {
int iRes = 0;
char *pchPtr = NULL;

if (iErr == 0)
iErr = GetLastError ();

if (!pchPtr) {
switch (iErr) {
case REGDB_E_CLASSNOTREG:
pchPtr = "A specified class is not registered in the registration
database. Also can indicate that the type of server you requested in
the CLSCTX enumeration is not registered or the values for the server
types in the registry are corrupt.";
break;
case CLASS_E_NOAGGREGATION:
pchPtr = "This class cannot be created as part of an aggregate.";
break;
case E_NOINTERFACE:
pchPtr = "The specified class does not implement the requested
interface, or the controlling IUnknown does not expose the requested
interface.";
break;
}
}

if (!pchPtr)
iRes = FormatMessage (FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
iErr,
0,
(char *)&pchPtr,
1024,
NULL);


if (iRes > 0) {
printf ("%s: %s", pchMsg, pchPtr);
if (pchBuffer)
sprintf (pchBuffer, "%s: %s", pchMsg, pchPtr);
LocalFree (pchPtr);
} else if (pchPtr) {
printf ("%s: %s", pchMsg, pchPtr);
if (pchBuffer)
sprintf (pchBuffer, "%s: %s", pchMsg, pchPtr);
} else {
printf ("%s (%d)", pchMsg, iErr);
if (pchBuffer)
sprintf (pchBuffer, "%s (%d)", pchMsg, iErr);
}

return (0);
}


static BOOL SetPrivilege (HANDLE hToken,
LPCTSTR Privilege,
BOOL bEnablePrivilege
) {
TOKEN_PRIVILEGES tp;
LUID luid;
TOKEN_PRIVILEGES tpPrevious;
DWORD cbPrevious=sizeof(TOKEN_PRIVILEGES);
BOOL bRes;

if (!LookupPrivilegeValue ( NULL, Privilege, &luid )) {
ErrMsg ("LookupPrivilegeValue", 0, 0, NULL);
return FALSE;
}

//
// first pass.  get current privilege setting
//
tp.PrivilegeCount           = 1;
tp.Privileges[0].Luid       = luid;
tp.Privileges[0].Attributes = 0;

bRes = AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
&tpPrevious,
&cbPrevious
);

if (!bRes) {
ErrMsg ("AdjustTokenPrivileges", NULL, 0, NULL);
Previous Discussion:  CryptoAPI AES without expanding the buffer size for cyphertext
Post Question To EggHeadCafe