Why does OpenProcessToken fail with ERROR_ACCESS_DENIED

14

I'm running a process as a user in the Administrators group, trying to get a process token for another process. The other process is run by a user not in the Administrators group. Here's the gist of the code I'm using. pid in this code represents the process id of the non-admin process. All of this is on Windows XP SP 2 and all on the same machine. No remote access going on here.

#include <windows.h>
#include <stdio.h>

HANDLE handle = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
HANDLE token = NULL;
if (handle == NULL) {
    printf("OpenProcess failed: %lu\n", GetLastError());
} else if (!OpenProcessToken(handle, TOKEN_DUPLICATE, &token)) {
    /* this is the call that fails with GetLastError() == ERROR_ACCESS_DENIED */
    printf("OpenProcessToken failed: %lu\n", GetLastError());
}

Reference for OpenProcess here: http://msdn.microsoft.com/en-us/library/ms684320%28VS.85%29.aspx

Reference for OpenProcessToken here: http://msdn.microsoft.com/en-us/library/aa379295%28VS.85%29.aspx

OpenProcess succeeds, but no matter what I pass for the DesiredAccess argument to OpenProcessToken, it fails and GetLastError() returns ERROR_ACCESS_DENIED. I added some code to understand the privileges of the process running this code and to enable as many as possible, as well as to gather information about the process I'm trying to get a token for. That involved requesting more access (READ_CONTROL | ACCESS_SYSTEM_SECURITY in addition to PROCESS_QUERY_INFORMATION) from OpenProcess and calling GetKernelObjectSecurity(handle). Here's what I've got:

current user: PLEASE_T\dbyron (S-1-5-21-3405506234-1792454352-3826119157-1005)
current process: group 0: flags: 0x00000007 sid: S-1-5-21-3405506234-1792454352-3826119157-513 (PLEASE_T\None)
current process: group 1: flags: 0x00000007 sid: S-1-1-0 (\Everyone)
current process: group 2: flags: 0x0000000F sid: S-1-5-32-544 (BUILTIN\Administrators)
current process: group 3: flags: 0x00000007 sid: S-1-5-32-545 (BUILTIN\Users)
current process: group 4: flags: 0x00000007 sid: S-1-5-4 (NT AUTHORITY\INTERACTIVE)
current process: group 5: flags: 0x00000007 sid: S-1-5-11 (NT AUTHORITY\Authenticated Users)
current process: group 6: flags: 0xC0000007 sid: S-1-5-5-0-91553 (no account mapping)
current process: group 7: flags: 0x00000007 sid: S-1-2-0 (\LOCAL)
SeDebugPrivilege privilege enabled
SeTakeOwnershipPrivilege privilege enabled
SeSecurityPrivilege privilege enabled
SeChangeNotifyPrivilege privilege enabled
SeBackupPrivilege privilege enabled
SeRestorePrivilege privilege enabled
SeSystemtimePrivilege privilege enabled
SeShutdownPrivilege privilege enabled
SeRemoteShutdownPrivilege privilege enabled
SeDebugPrivilege privilege enabled
SeSystemEnvironmentPrivilege privilege enabled
SeSystemProfilePrivilege privilege enabled
SeProfileSingleProcessPrivilege privilege enabled
SeIncreaseBasePriorityPrivilege privilege enabled
SeLoadDriverPrivilege privilege enabled
SeCreatePagefilePrivilege privilege enabled
SeIncreaseQuotaPrivilege privilege enabled
SeUndockPrivilege privilege enabled
SeManageVolumePrivilege privilege enabled
SeImpersonatePrivilege privilege enabled
SeCreateGlobalPrivilege privilege enabled

I've tried to get every privilege possible, and I think the group information above shows that the process calling OpenProcessToken is a member of the Administrators group.

Here's the information from GetKernelObjectSecurity:

control(SE_DACL_PRESENT | SE_SELF_RELATIVE, 0x00008004)
owner sid: S-1-5-21-3405506234-1792454352-3826119157-2807 (PLEASE_T\dummyusr)
group sid: S-1-5-21-3405506234-1792454352-3826119157-513 (PLEASE_T\None)
grant: mask(PROCESS_ALL_ACCESS, 0x001F0FFF), flags(0x00000000): S-1-5-21-3405506234-1792454352-3826119157-2807 (PLEASE_T\dummyusr)
grant: mask(PROCESS_ALL_ACCESS, 0x001F0FFF), flags(0x00000000): S-1-5-32-544 (BUILTIN\Administrators)
grant: mask(PROCESS_ALL_ACCESS, 0x001F0FFF), flags(0x00000000): S-1-5-18 (NT AUTHORITY\SYSTEM)

So it appears that the dummyusr (non-admin) process allows access to the Administrators group. It's possible I'm misinterpreting the So why does OpenProcessToken fail with ERROR_ACCESS_DENIED? I've tried changing TOKEN_DUPLICATE to TOKEN_QUERY but that doesn't change the result.

Am I missing a privilege? What else would deny me access to an access token for this process? I've tried this on a machine with no antivirus software and still I get the same result.

I also tried this running in system context. The info about the current process in that case is:

current user: NT AUTHORITY\SYSTEM (S-1-5-18)
current process: group 0: flags: 0x0000000E sid: S-1-5-32-544 (BUILTIN\Administrators)
current process: group 1: flags: 0x00000007 sid: S-1-1-0 (\Everyone)
current process: group 2: flags: 0x00000007 sid: S-1-5-11 (NT AUTHORITY\Authenticated Users)

Note that the flags are slightly different for the BUILTIN\Administrators group. The administrator process had 0xF and the system process had 0xE. From http://msdn.microsoft.com/en-us/library/aa379624%28VS.85%29.aspx, the 0x1 bit means SE_GROUP_MANDATORY which doesn't seem relevant here.

By default the system context process also had some additional privileges:

SeAuditPrivilege
SeCreatePermanentPrivilege
SeLockMemoryPrivilege
SeTcbPrivilege

But I disabled them all and OpenProcessToken still succeeded in the system context process.

Thanks for your help.

c
security
winapi
asked on Stack Overflow Jan 15, 2010 by dbyron • edited Jan 24, 2010 by dbyron
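Windows evaluates every open call against the DACL of the specific object being opened: OpenProcess is checked against the process object's DACL (the one dumped above with GetKernelObjectSecurity), while OpenProcessToken is checked against the access token, which is a separate securable object with its own DACL that the dump does not show. The following is an added example, not code from the question or any answer: a portable C model of the DACL walk Windows performs, run over the process DACL and token groups exactly as printed in the question, and then over a constructed token DACL (an assumption, labelled as such in the code) that grants only the token's owning user and SYSTEM. It models only the DACL walk, not privilege-based overrides such as SeDebugPrivilege on OpenProcess. The SID names, PROCESS_*/TOKEN_* mask values and SE_GROUP_ENABLED are standard Win32 constants; everything else is this example's own.

```c
/* Added example: a portable model of the Windows DACL access check.
 * Windows does this inside OpenProcess/OpenProcessToken; this reimplementation
 * exists only to show why a process DACL that grants Administrators says
 * nothing about the token object's DACL. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define PROCESS_ALL_ACCESS        0x001F0FFFu
#define PROCESS_QUERY_INFORMATION 0x00000400u
#define TOKEN_ALL_ACCESS          0x000F01FFu
#define TOKEN_DUPLICATE           0x00000002u
#define SE_GROUP_ENABLED          0x00000004u   /* the only group flag the check consults */

typedef enum { ACE_ALLOW, ACE_DENY } ace_type;
typedef struct { ace_type type; uint32_t mask; const char *sid; } ace_t;
typedef struct { const char *sid; uint32_t attributes; } group_t;

/* SIDs copied from the question's output */
static const char SID_DBYRON[]   = "S-1-5-21-3405506234-1792454352-3826119157-1005";
static const char SID_DUMMYUSR[] = "S-1-5-21-3405506234-1792454352-3826119157-2807";
static const char SID_ADMINS[]   = "S-1-5-32-544";
static const char SID_SYSTEM[]   = "S-1-5-18";

/* Process DACL exactly as dumped in the question: three allow ACEs */
static const ace_t process_dacl[] = {
    { ACE_ALLOW, PROCESS_ALL_ACCESS, SID_DUMMYUSR },
    { ACE_ALLOW, PROCESS_ALL_ACCESS, SID_ADMINS },
    { ACE_ALLOW, PROCESS_ALL_ACCESS, SID_SYSTEM },
};

/* ASSUMPTION (not on the page): the token object's own DACL, constructed here
 * to grant only the token's owning user and SYSTEM. */
static const ace_t assumed_token_dacl[] = {
    { ACE_ALLOW, TOKEN_ALL_ACCESS, SID_DUMMYUSR },
    { ACE_ALLOW, TOKEN_ALL_ACCESS, SID_SYSTEM },
};

/* Group list of the admin process, flags as printed in the question */
static const group_t admin_groups[] = {
    { "S-1-5-21-3405506234-1792454352-3826119157-513", 0x00000007u }, /* PLEASE_T\None */
    { "S-1-1-0",         0x00000007u }, /* Everyone */
    { SID_ADMINS,        0x0000000Fu }, /* BUILTIN\Administrators */
    { "S-1-5-32-545",    0x00000007u }, /* BUILTIN\Users */
    { "S-1-5-4",         0x00000007u }, /* INTERACTIVE */
    { "S-1-5-11",        0x00000007u }, /* Authenticated Users */
    { "S-1-5-5-0-91553", 0xC0000007u }, /* logon session SID */
    { "S-1-2-0",         0x00000007u }, /* LOCAL */
};
#define N_ADMIN_GROUPS (sizeof admin_groups / sizeof admin_groups[0])

/* Group list of the SYSTEM-context process, as printed in the question */
static const group_t system_groups[] = {
    { SID_ADMINS, 0x0000000Eu }, { "S-1-1-0", 0x00000007u }, { "S-1-5-11", 0x00000007u },
};

/* Does the caller hold this SID as its user or as an ENABLED group? */
static int token_holds(const char *user, const group_t *g, size_t n, const char *sid)
{
    if (strcmp(user, sid) == 0) return 1;
    for (size_t i = 0; i < n; i++)
        if ((g[i].attributes & SE_GROUP_ENABLED) && strcmp(g[i].sid, sid) == 0) return 1;
    return 0;
}

/* Walk the DACL in order: a deny ACE for a held SID that covers any requested
 * right denies; allow ACEs accumulate granted bits; stop once all are granted.
 * An empty walk with bits still outstanding is ACCESS_DENIED. Returns 1/0. */
int access_check(const ace_t *dacl, size_t n_ace, const char *user,
                 const group_t *groups, size_t n_grp, uint32_t desired)
{
    uint32_t granted = 0;
    for (size_t i = 0; i < n_ace && (desired & ~granted); i++) {
        if (!token_holds(user, groups, n_grp, dacl[i].sid)) continue;
        if (dacl[i].type == ACE_DENY) { if (dacl[i].mask & desired) return 0; }
        else granted |= dacl[i].mask & desired;
    }
    return (desired & ~granted) == 0;
}

/* Admin caller vs. the dumped process DACL: granted (OpenProcess succeeds). */
int admin_can_open_process(void)
{ return access_check(process_dacl, 3, SID_DBYRON, admin_groups, N_ADMIN_GROUPS, PROCESS_QUERY_INFORMATION); }

/* Same caller vs. the assumed token DACL: no ACE names dbyron or an enabled
 * group of dbyron, so nothing is granted (ERROR_ACCESS_DENIED). */
int admin_can_open_token(void)
{ return access_check(assumed_token_dacl, 2, SID_DBYRON, admin_groups, N_ADMIN_GROUPS, TOKEN_DUPLICATE); }

/* SYSTEM caller vs. the assumed token DACL: matched by its user SID. */
int system_can_open_token(void)
{ return access_check(assumed_token_dacl, 2, SID_SYSTEM, system_groups, 3, TOKEN_DUPLICATE); }

/* Caveat: only SE_GROUP_ENABLED (0x4) matters; 0xF vs 0xE is irrelevant, but
 * clearing 0x4 on Administrators makes the process DACL stop granting too. */
int disabled_group_is_ignored(void)
{
    group_t g[N_ADMIN_GROUPS];
    memcpy(g, admin_groups, sizeof g);
    g[2].attributes &= ~SE_GROUP_ENABLED;
    return access_check(process_dacl, 3, SID_DBYRON, g, N_ADMIN_GROUPS, PROCESS_QUERY_INFORMATION);
}

int main(void)
{
    printf("admin -> process: %d\nadmin -> token: %d\nSYSTEM -> token: %d\nadmins disabled -> process: %d\n",
           admin_can_open_process(), admin_can_open_token(), system_can_open_token(), disabled_group_is_ignored());
    return 0;
}
```

The practical check this suggests for a real investigation is to dump the token object's DACL as well as the process's (for example from the SYSTEM-context run, where OpenProcessToken succeeds and READ_CONTROL on the token is available) before concluding that a missing privilege is the cause.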

3 Answers

1

Instead of going into details head first, have you gone down the route of elimination? Run the process as LOCAL_SYSTEM and see if that does the trick. After all, if God can't do it then no one can :P.

answered on Stack Overflow Jan 15, 2010 by Hassan Syed • edited Jan 15, 2010 by Hassan Syed
0

I guess that the SECURITY_DESCRIPTOR of the targeted process only allows the SYSTEM user to open its process token. This would sadly mean that there's nothing you can do.

answered on Stack Overflow Dec 3, 2013 by Andrei
-1

Yes, there is a solution: you can run a service, or an instance of your app as a service. This way you will get your code running as SYSTEM....

Another option (but more intrusive), since you are already admin, is to change the target process ACL....

answered on Stack Overflow Nov 10, 2017 by user3409863

User contributions licensed under CC BY-SA 3.0