Running process with special group membership

Posted on 2003-02-28
Medium Priority
Last Modified: 2013-12-03

I am trying to start a process from within a service using the logged on user's token. This works perfectly, but I want to grant the running process administrative privileges on the local machine.

So I try the following:

Retrieve the local admin group SID. Okay.

Get the token's groups by calling GetTokenInformation(...).

Then I walk through the groups to see if the SID already belongs to them and, if yes, I enable it if it is not already enabled.

If I need to add the group to the list I do the following (dwBufferSize was set by the GetTokenInformation() call):

    // Grow the TOKEN_GROUPS buffer by one SID_AND_ATTRIBUTES entry.
    dwBufferSize += sizeof(SID_AND_ATTRIBUTES);
    pGroups = (TOKEN_GROUPS *)realloc(pGroups, dwBufferSize);

    // Append the local Administrators SID as a new, enabled entry and count it.
    pGroups->Groups[pGroups->GroupCount].Sid = psidLocalAdminGroup;
    pGroups->Groups[pGroups->GroupCount].Attributes = SE_GROUP_ENABLED |
        0 /* remaining flag(s) truncated in the original post */;
    pGroups->GroupCount++;

    if (!AdjustTokenGroups(m_hPrimaryToken, FALSE, pGroups, 0, NULL, NULL))
    {
        dwRC = GetLastError();
        AfxMessageBox(BFCErrorMsg::TranslateError(dwRC), MB_ICONINFORMATION);
    }

The AdjustTokenGroups() call works fine, but the process created afterwards using CreateProcessAsUser(m_hPrimaryToken, ...) does not have any additional group membership (checked using showgrps.exe from the W2K Resource Kit). It also does not seem to have any more privileges than a process started normally.

Any ideas what I am doing wrong?
Question by: bholz
LVL 49

Expert Comment

ID: 8049171
I'm not sure if you said as much, but the LocalSystem login has very limited rights.  I'd not be surprised if it was not allowed to do things like change group or user privilege levels.  After all, if it did, it would be able to change the JoeUser account to have administrative privileges and I'd have to consider that a minor flaw in system security, wouldn't you?

If I misread and you are, in fact, using an admin-level logon when you are making these changes, then you should run some simple tests to change something.  Then log in as an Admin and check the control panel to see if you are having the desired effect.  

Also, you might need to log off the user and then log him back on.

-- Dan

Author Comment

ID: 8051305

I only want to grant an active process a group membership without logging the user off and on again. The group itself does not get a real new member.

This is definitely possible. I already saw it.

As I have already learned, AdjustTokenGroups() is only able to turn on and off existing group memberships (same as EnablePrivileges()).

Instead, LsaLogonUser would fit my needs, but I do not have the user credentials to pass to this function. I only have the logged on user's primary token.

So any new ideas?

LVL 49

Expert Comment

ID: 8056329
MSDN on AdjustTokenGroups:

TOKEN_ADJUST_GROUPS access is required to enable or disable groups in an access token.  Does your user have this access?  If not, see if giving it that will work.  If not, try LogonUser and ImpersonateLoggedOnUser.
-- Dan
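The behaviour both posts describe is what the token model enforces: the group list of a token is fixed when LSA builds the token at logon, and AdjustTokenGroups (given TOKEN_ADJUST_GROUPS access) only flips the enabled bit on SIDs that are already in that list. The following PowerShell check is an added example, not code from the thread; it assumes a Windows machine with whoami.exe and .NET's System.Security.Principal available, and an English locale for the attribute strings whoami prints. It dumps the current process token's groups with their attributes (the same view showgrps.exe gave) and reports whether the Builtin Administrators group is absent, disabled, deny-only or enabled, which is the distinction that decides what AdjustTokenGroups can do at all. The function names Get-TokenGroupTable and Test-AdminGroupInToken are mine.

```powershell
# Added example (not part of the original thread). Lists the groups in the current
# process token with their attribute flags, then classifies the state of the Builtin
# Administrators group (well-known SID S-1-5-32-544). AdjustTokenGroups can only
# toggle the Enabled flag on SIDs that are already in this list; a SID that is
# absent here cannot be added to an existing token.
# Assumes: Windows, whoami.exe present, .NET System.Security.Principal available,
# English attribute strings from whoami ("Enabled group", "Group used for deny only").

function Get-TokenGroupTable {
    # whoami /groups reports the same per-group attributes showgrps.exe did.
    whoami /groups /fo csv | ConvertFrom-Csv |
        Select-Object @{ n = 'GroupName'; e = { $_.'Group Name' } }, SID, Attributes
}

function Test-AdminGroupInToken {
    param([object[]]$Groups = (Get-TokenGroupTable))

    $adminSid = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    $entry = $Groups | Where-Object { $_.SID -eq $adminSid.Value } | Select-Object -First 1

    if (-not $entry) {
        return [pscustomobject]@{ State = 'Absent'
                                  Detail = 'SID not in token; AdjustTokenGroups cannot add it' }
    }
    if ($entry.Attributes -match 'deny only') {
        # A UAC-filtered token carries Administrators as a deny-only SID: the logon
        # has the membership, but this process gains nothing from it.
        return [pscustomobject]@{ State = 'DenyOnly'; Detail = $entry.Attributes }
    }
    if ($entry.Attributes -match 'Enabled group') {
        return [pscustomobject]@{ State = 'Enabled'; Detail = $entry.Attributes }
    }
    # Present but not enabled: the one case AdjustTokenGroups could change.
    return [pscustomobject]@{ State = 'Disabled'; Detail = $entry.Attributes }
}

# Cross-check against the role test the system itself performs on the token.
$principal = New-Object System.Security.Principal.WindowsPrincipal(
    [System.Security.Principal.WindowsIdentity]::GetCurrent())
$isAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

Get-TokenGroupTable | Format-Table -AutoSize
Test-AdminGroupInToken
"IsInRole(Administrator): $isAdmin"
```

Run it inside the process whose token you are examining (for a service-launched process, launch it the same way the asker launched showgrps.exe), because whoami and WindowsIdentity inspect the token of the process that calls them. An Absent result means the only way to obtain the membership is a new logon that LSA builds with the group included; a Disabled result is the only situation in which AdjustTokenGroups changes anything.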

Author Comment

ID: 8056372

Thank you, but this is far more sophisticated than using LogonUser() and ImpersonateLoggedOnUser().

LsaLogonUser() is one of the functions able to generate a logon session with additional group memberships. But I don't know how to call LsaLogonUser() without knowing the plaintext username and password.
LVL 49

Expert Comment

ID: 8096133
>> This is definitly possible. I already saw it.

>> this is far more sophisticated than using LogonUser()...
I'm sure that the sophistication level is like really really up there, real high like.  It might take a genius to help you work out a solution to this problem.  I am sorry that I have failed you.  I was silly to think that any old user would not be able to elevate himself to an Administrator.  WHAT WAS I THINKING?

-- Dan

Author Comment

ID: 8101380
Hey Dan, don't take it personally... :-))

I have been investigating this problem for a long time now and have never found a solution...

It's frustrating!

The tools which do what I need are:

1: HP Openview DTA
2: NetExec

I already tried to use an API monitor to watch the API calls, but the one I used is not able to monitor a Windows NT service...


Accepted Solution

PashaMod earned 0 total points
ID: 10705450
Closed, 500 points refunded.
Community Support Moderator
