
adjustTokenPrivileges problems

     Hi. I'm trying to kick-off a reboot under NT, and this code doesn't seem to work:

procedure tUpgrader._reboot;
var
  pri        : _token_privileges;
  oldPri     : _token_privileges;
  b          : boolean;
  hToken     : cardinal;
  tiSize     : cardinal; //ti = token information
  hPrivilege : int64;
  r          : integer;

  procedure fatalErr (dc : string);
  var sE : string; iE : integer;
  begin
    iE := getLastError;
    if iE<>0 then sE:=sysErrorMessage (iE);
    raise eUpgrader.create (etVisible, 'tUpgrader._reboot', sE, iE, dc);
  end;

begin
  if OSVersion.dwPlatformId=VER_PLATFORM_WIN32_NT then begin
  (* from the MSDN help for 'exitWindowsEx':
       Windows NT/2000: To shut down or restart the system, the calling process
       must use the AdjustTokenPrivileges function to enable the SE_SHUTDOWN_NAME
       privilege. For more information about security privileges, see Privileges.*)
  //GRRRRR!!! ;-)

  //get current privileges
    if not lookupPrivilegeValue (nil, 'SeShutdownPrivilege', hPrivilege)
      then fatalErr ('Can''t lookup privilege value for SE_SHUTDOWN_NAME');

    if not openProcessToken (getCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken)
      then fatalErr ('Can''t open process'' token.');

    pri.PrivilegeCount := 1;
    tiSize:=sizeOf (pri);

    adjustTokenPrivileges (hToken, false, pri, tiSize, oldPri, tiSize);
    r := getLastError;
    if (r<>0) and (r<>ERROR_NOT_ALL_ASSIGNED) then fatalErr ('Couldn''t adjust token privileges.');
  end;

  b:=exitWindowsEx (EWX_REBOOT or EWX_FORCE,0);
  if not b then begin
  //hmm, the end-user's log-in-account doesn't have administrator rights to
  //actually force a reboot. Better pop up a window telling them that a manual
  //reboot might be necessary.
    b:=exitWindowsEx (EWX_REBOOT, 0);
  end;
  if b
    then _log.report ('forced reboot, NOW.')
    else begin
      _log.report ('Couldn''t reboot, getLastError returns : '+
                   sysErrorMessage (getLastError));
      messageDlg ('You will have to reboot manually.', mtWarning, [mbOK],0);
    end;
end;

This code runs just fine, but adjustTokenPrivileges will return with 1300. GetLastError returns 'Not all privileges referenced are assigned to the caller'.

The help on adjustTokenPrivileges says

The AdjustTokenPrivileges function cannot add new privileges to the access token. It can only enable or disable the token's existing privileges. To determine the token's privileges, call the GetTokenInformation function.

But MSDN says on 'privileges' (http://msdn.microsoft.com/isapi/msdnlib.idc?theURL=/library/sdkdoc/winbase/accctrl_42pf.htm)

Before you can perform a privileged operation, you must first enable the necessary privileges in your access token. To do this, call the OpenThreadToken function to get a handle to your primary or impersonation access token, then call the AdjustTokenPrivileges function to enable the necessary privileges. After performing the privileged operation, call AdjustTokenPrivileges again to disable the privileges. For sample code that enables and disables a token's privileges, see Enabling and Disabling Privileges.

I don't get this paradox... BTW, I'm adjusting the *process*'s access token because that is what MSDN showed me at http://msdn.microsoft.com/library/sdkdoc/sysmgmt/shutdown_7z8u.htm
1 Solution
This means that you don't have that privilege. A privilege can be enabled only if you have it. You can check in User Manager, Policies\User Rights menu, if you have the privilege to shut down the system. If you don't, you need to grant yourself this privilege either in User Manager or by LSA functions, which are not fully documented. You can find some examples of their use in MSDN.
You have some error in your code.
You make the following assignment:
which is wrong.
You should get the LUID using the LookupPrivilegeValue function:
(It's C code, I hope you can convert it)

Question has a verified solution.
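
One way to write the enable step so that a privilege the account does not hold is told apart from one that was enabled, as an added Delphi example (not code from the question or from the answer). It assumes the classic Delphi `Windows` unit declarations; `EnableShutdownPrivilege` and the `/reboot` switch are hypothetical names.

```delphi
program RebootDemo;
{$APPTYPE CONSOLE}
// Added example. Assumes the Delphi Windows unit, where AdjustTokenPrivileges
// takes TTokenPrivileges by reference. Names here are hypothetical.
uses Windows, SysUtils;

// Returns ERROR_SUCCESS (0) if SeShutdownPrivilege is now enabled in the
// process token, otherwise the Win32 error code.
function EnableShutdownPrivilege: DWORD;
var
  hToken   : THandle;
  tp, prev : TTokenPrivileges;
  retLen   : DWORD;
begin
  if not OpenProcessToken(GetCurrentProcess,
       TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken) then
  begin
    Result := GetLastError;
    Exit;
  end;
  try
    tp.PrivilegeCount := 1;
    tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
    // The LUID is looked up at run time and written into the structure.
    if not LookupPrivilegeValue(nil, 'SeShutdownPrivilege', tp.Privileges[0].Luid) then
    begin
      Result := GetLastError;
      Exit;
    end;
    // The call reports success even when the account lacks the privilege;
    // only GetLastError = ERROR_NOT_ALL_ASSIGNED (1300) reveals that case.
    retLen := 0;
    AdjustTokenPrivileges(hToken, False, tp, SizeOf(prev), prev, retLen);
    Result := GetLastError;
  finally
    CloseHandle(hToken);
  end;
end;

var err : DWORD;
begin
  err := EnableShutdownPrivilege;
  if err = ERROR_NOT_ALL_ASSIGNED then
    Writeln('Account does not hold SeShutdownPrivilege; grant the user right first.')
  else if err <> ERROR_SUCCESS then
    Writeln('Enabling the privilege failed: ', SysErrorMessage(err))
  else if ParamStr(1) <> '/reboot' then
    Writeln('Privilege enabled. Run again with /reboot to restart.')
  else if not ExitWindowsEx(EWX_REBOOT, 0) then
    Writeln('ExitWindowsEx failed: ', SysErrorMessage(GetLastError));
end.
```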
