• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1034

Running process with special group membership


I am trying to start a process from within a service using the logged-on user's token. This works perfectly, but I want to grant the running process administrative privileges on the local machine.

So I try the following:

Retrieve the local admin group SID. Okay.

Get the token's groups by calling GetTokenInformation(...).

Then I walk through the groups to see if the SID already belongs to them, and if yes I enable it if not already enabled.

If I need to add the group to the list I do the following (dwBufferSize was set by the GetTokenInformation() call):

// make room for one more SID_AND_ATTRIBUTES entry after the existing ones
dwBufferSize += sizeof(SID_AND_ATTRIBUTES);
TOKEN_GROUPS *pNewGroups = (TOKEN_GROUPS *)realloc(pGroups, dwBufferSize);
if (pNewGroups == NULL)
    return FALSE;                 // realloc failed; pGroups is still valid and must be freed by the caller
pGroups = pNewGroups;

// append the admin group and bump the count, otherwise AdjustTokenGroups() never sees the new entry
pGroups->Groups[pGroups->GroupCount].Sid = psidLocalAdminGroup;
pGroups->Groups[pGroups->GroupCount].Attributes = SE_GROUP_ENABLED;   // the post's line is cut off after "SE_GROUP_ENABLED |"
pGroups->GroupCount++;

if (!AdjustTokenGroups(m_hPrimaryToken, FALSE, pGroups, 0, NULL, NULL))
{
    dwRC = GetLastError();
    AfxMessageBox(BFCErrorMsg::TranslateError(dwRC), MB_ICONINFORMATION);
}

The AdjustTokenGroups() call works fine, but the process created afterwards using CreateProcessAsUser(m_hPrimaryToken, ...) does not have any additional group membership (checked with showgrps.exe from the W2K Resource Kit). It also does not seem to have any more privileges than a process started normally.

Any ideas what I am doing wrong?
1 Solution
I'm not sure if you said as much, but the LocalSystem login has very limited rights.  I'd not be surprised if it was not allowed to do things like change group or user privilege levels.  After all, if it did, it would be able to change the JoeUser account to have administrative privileges and I'd have to consider that a minor flaw in system security, wouldn't you?

If I misread and you are, in fact, using an admin-level logon when you are making these changes, then you should run some simple tests to change something.  Then log in as an Admin and check the control panel to see if you are having the desired effect.  

Also, you might need to log off the user and then log him back on.

-- Dan
bholz (Author) commented:

I only want to grant an active process a group membership without logging the user off and on again. The group itself does not get a real new member.

This is definitely possible. I already saw it.

As I already learned AdjustTokenGroups() is only able to turn on and off existing group memberships. (Same as EnablePrivileges()).

Instead, LsaLogonUser would fit my needs, but I do not have the user credentials to pass to this function. I only have the logged-on user's primary token.

So any new ideas?
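The check the asker made with showgrps.exe, and the point in the comment above that AdjustTokenGroups() can only enable or disable groups that are already in the token, can be reproduced from PowerShell. The script below is an added example, not code from this thread: it parses the output of `whoami /groups /fo csv` to list the current process token's groups and reports whether BUILTIN\Administrators (well-known SID S-1-5-32-544) is absent from the token, present but disabled, present only as a deny-only entry, or enabled. The function name Get-TokenGroupReport is my own; it inspects the token of the PowerShell process it runs in, so run it inside the process whose token you want to audit.

```powershell
# Added example, not from the original thread: report the groups carried by the
# current process token and the state of the local Administrators group in it.

function Get-TokenGroupReport {
    # whoami /groups /fo csv prints one row per token group with columns
    # "Group Name", "Type", "SID" and "Attributes"; ConvertFrom-Csv turns the
    # rows into objects so we do not have to call GetTokenInformation by hand.
    $groups = @(whoami /groups /fo csv | ConvertFrom-Csv)

    $adminSid = 'S-1-5-32-544'   # BUILTIN\Administrators, well-known SID
    $admin = $groups | Where-Object { $_.SID -eq $adminSid } | Select-Object -First 1

    if (-not $admin) {
        # Not in the token at all: AdjustTokenGroups() has nothing to enable here.
        $state = 'absent'
    } elseif ($admin.Attributes -match 'deny only') {
        # Present but marked "Group used for deny only" (UAC-filtered token):
        # the membership is not effective for granting access.
        $state = 'deny-only'
    } elseif ($admin.Attributes -match 'Enabled group') {
        $state = 'enabled'
    } else {
        # Present but disabled; this is the only case AdjustTokenGroups() could turn on.
        $state = 'disabled'
    }

    [pscustomobject]@{
        ProcessId  = $PID
        GroupCount = $groups.Count
        AdminState = $state
        AdminEntry = $admin
    }
}

$report = Get-TokenGroupReport
$report | Format-List ProcessId, GroupCount, AdminState
$report.AdminEntry | Format-List
```

Running it once from an ordinary prompt and once from an elevated one shows the difference: the filtered token lists Administrators as deny-only, while the elevated token lists it as enabled. A token that never contained the group at all reports "absent", which is the situation in the question, and explains why enabling it through AdjustTokenGroups() cannot succeed.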

MSDN on AdjustTokenGroups:
TOKEN_ADJUST_GROUPS access is required to enable or disable groups in an access token.  Does your user have this access?  If not, see if giving it that will work.  If not, try LogonUser and ImpersonateLoggedOnUser
-- Dan

bholz (Author) commented:

Thank you, but this is far more sophisticated than using LogonUser() and ImpersonateLoggedOnUser().

LsaLogonUser() is one of the functions able to generate a logon session with additional group memberships. But I don't know how to call LsaLogonUser() without knowing the plaintext username and password.
>> This is definitely possible. I already saw it.

>> this is far more sophisticated than using LogonUser()...
I'm sure that the sophistication level is like really really up there, real high like.  It might take a genius to help you work out a solution to this problem.  I am sorry that I have failed you.  I was silly to think that any old user would not be able to elevate himself to an Administrator.  WHAT WAS I THINKING?

-- Dan
bholz (Author) commented:
Hey Dan, don't take it personally... :-))

I have been investigating this problem for a long time now and never found a solution...

It's frustrating!

The tools which do what I need are:

1: HP Openview DTA
2: NetExec

I already tried to use an API monitor to watch the API calls, but the one I used is not able to monitor a Windows NT service...

Closed, 500 points refunded.
Community Support Moderator
