Running process with special group membership
Posted on 2003-02-28
I am trying to start a process from within a service using the logged-on user's token. This works perfectly, but I want to grant the running process administrative privileges on the local machine.
So I try the following:
Retrieve the local admin group SID. Okay.
Get the token's groups by calling GetTokenInformation(...).
Then I walk through the groups to see if the SID already belongs to them, and if yes I enable it if not already enabled.
If I need to add the group to the list I do the following: dwBufferSize was set by the GetTokenInformation() call.
dwBufferSize += sizeof(SID_AND_ATTRIBUTES);
pGroups = (TOKEN_GROUPS *)realloc(pGroups, dwBufferSize);
pGroups->Groups[pGroups->GroupCount].Sid = psidLocalAdminGroup;
pGroups->Groups[pGroups->GroupCount].Attributes = SE_GROUP_ENABLED |
if (!AdjustTokenGroups(m_hPrimaryToken, FALSE, pGroups, NULL, NULL, NULL))
    dwRC = GetLastError();
The AdjustTokenGroups() call works fine, but the process created afterwards using CreateProcessAsUser(m_hPrimaryToken, ...) does not have any additional group membership. (Using showgrps.exe from the W2K Resource Kit.) It also does not seem to have any more privileges than a process started normally.
Any ideas what I am doing wrong?
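
A diagnostic for the situation described above, added here as an example and not code from the original post: it re-reads the token's group list and classifies how a given SID appears in it, which can be checked right before CreateProcessAsUser. AdjustTokenGroups is documented to enable or disable groups already present in the token, so the re-read shows whether the SID is in the token at all. The names classify_group, token_group_state and group_state are hypothetical, and the non-Windows typedefs are constructed stand-ins so the walk can be exercised with sample data.

```c
/* Added example: classify how a SID appears in a token's group list. */
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#else /* constructed stand-ins (assumption) so the walk compiles off Windows */
#include <string.h>
typedef unsigned long DWORD;
typedef void *PSID;
typedef struct { PSID Sid; DWORD Attributes; } SID_AND_ATTRIBUTES;
typedef struct { DWORD GroupCount; SID_AND_ATTRIBUTES Groups[8]; } TOKEN_GROUPS;
#define SE_GROUP_ENABLED 0x00000004L
#define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010L
static int EqualSid(PSID a, PSID b) { return strcmp(a, b) == 0; }
#endif

enum group_state { GROUP_ABSENT, GROUP_DISABLED, GROUP_DENY_ONLY, GROUP_ENABLED };

/* Walk a TOKEN_GROUPS buffer (as returned for TokenGroups) looking for sid. */
static enum group_state classify_group(const TOKEN_GROUPS *groups, PSID sid)
{
    for (DWORD i = 0; i < groups->GroupCount; i++) {
        if (!EqualSid(groups->Groups[i].Sid, sid)) continue;
        DWORD attrs = groups->Groups[i].Attributes;
        if (attrs & SE_GROUP_USE_FOR_DENY_ONLY) return GROUP_DENY_ONLY;
        return (attrs & SE_GROUP_ENABLED) ? GROUP_ENABLED : GROUP_DISABLED;
    }
    return GROUP_ABSENT; /* the SID is not part of the token */
}

#ifdef _WIN32
/* Query the token itself (needs TOKEN_QUERY); returns -1 if the query fails. */
static int token_group_state(HANDLE token, PSID sid)
{
    DWORD size = 0;
    int state = -1;
    GetTokenInformation(token, TokenGroups, NULL, 0, &size); /* get size */
    TOKEN_GROUPS *groups = (TOKEN_GROUPS *)malloc(size);
    if (groups && GetTokenInformation(token, TokenGroups, groups, size, &size))
        state = classify_group(groups, sid);
    free(groups);
    return state;
}
#endif
```

Calling token_group_state(m_hPrimaryToken, psidLocalAdminGroup) before and after the AdjustTokenGroups call shows whether the token's own group list changed, independent of what was written into the local pGroups buffer.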