AdjustTokenPrivileges ERROR_NOT_ALL_ASSIGNED

[laasunde]

To make a long story short, a webservice I'm expanding needs to run a c++ dll which tries to execute OpenProcess() but get an Error_Access_Denied. Have since increased aspnet_wp (the process running the webservice) privileges (debugging) but no go. Then read an article in microsoft Win32 QA that states I need to explicitly ask for the SeDebugPrivilege which I'm trying to do in the below code;

After running AdjustTokenPrivileges() GetLastError() return 1300 or ERROR_NOT_ALL_ASSIGNED. MSDN gives the following reason for such a return "The token does not have one or more of the privileges specified in the NewState parameter". Im sort of lost on how to debug this further, appreicate any input.

Code:

bool SetDebugPrivilege()
{
    bool bResult = false;
	HANDLE hToken=NULL;;
	TOKEN_PRIVILEGES tp;

	if (OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES, FALSE, &hToken)) 
	{
		tp.PrivilegeCount = 1;
		if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
		{
			tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
		
			int iRes = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
			if (::GetLastError == ERROR_SUCCESS)
			{
				bResult = true;
			}			
		}
		int iError = ::GetLastError();
		CloseHandle(hToken);		
	}	
	return bResult;
}

[Swapnil_]

I think the process for which u are calling AdjustTokenPrivileges does not have the specified privilege in its token

U can fir call GetTokenInformation to first get the privileges ur process token have then u can call AdjustTokenPrivileges to enable or disable the existing privileges

[laasunde]

Cheers for the reply mate.

Will give your suggestion a try tomorrow.

[laasunde]

Ran this code today and it show me three privileges; SeChangeNotifyPrivilege, SeShutdownPrivileges and SeUndockPrivilege all set to with attribute 3 which I believe is default enabled. However I dont find SeDefultPrivilege in the list.

Code:

HANDLE hToken; 
OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS /*TOKEN_ADJUST_PRIVILEGES*/, FALSE, &hToken)

DWORD lenght; 
TOKEN_PRIVILEGES* ptkp=NULL; 
GetTokenInformation(hToken,TokenPrivileges,ptkp,0,&lenght); 

char name[256]; 
ptkp = (TOKEN_PRIVILEGES*) new char[lenght]; 
if(GetTokenInformation(hToken,TokenPrivileges,ptkp,lenght,&lenght)!=0)
{ 
  for(int i=0;i < ptkp->PrivilegeCount;i++)
  { 				
    lenght=256; 
    LookupPrivilegeName(NULL,&(ptkp->Privileges[i].Luid),name,&lenght); 
    DWORD dwAttri = ptkp->Privileges[i].Attributes;
  } 
}

In the above code I use

Code:

OpenThreadToken(...)

which returns me 3 privileges (it seems). By viewing aspnet_wp.exe (using Process Explorer ) which is the ASPNET web server running this code, it has more then 20 different privileges that are disabled or default enabled.

Could the problem be that a thread doesnt have the same privileges as the process its running form? When trying to use

Code:

OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&hToken)

it fails and returns Error_Access_Denied using GetLastError(); Even using only TOKEN_QUERY access token I get access denied error message.

Any ideas on where I'm going wrong?

Sorry for rambling on about this, its just that I quite confussed atm. Appreciate any input.

[randiechang7]

I was able to add that privilege. This link tells you how to do it using gpedit.msc
https://docs.microsoft.com/en-us/sql...option-windows

Later versions of Windows (8, 10, etc) don't always have gpedit.msc, this video tutorial tells you how to install it using a workaround:
https://www.youtube.com/watch?v=lFBghoA8VTc

After that AdjustTokenPrivileges() is able to enable SE_LOCK_MEMORY_NAME (that privilege exists in the token).