Solved

Initialize Security attributes for CreateJobObject()

Posted on 2003-10-27
9
1,714 Views
Last Modified: 2013-12-03

Hi All,
       Unfortunately, I've never gotten a chance to  pass a non-NULL value to a LPSECURITY_ATTRIBUTES before.
And now, when I tried I'm doomed. Well, let me explain what I'm trying to do.

       I create a Job object with CreateJobObject(). Then I try to assign a process handle to it using AssignProcessToJobObject().

This is  what I tried.
1) Called OpenProcess() on my target processID with following access rights.
   PROCESS_CREATE_THREAD |
   PROCESS_QUERY_INFORMATION |
   PROCESS_VM_OPERATION |
   PROCESS_SET_QUOTA |
   PROCESS_TERMINATE |
   PROCESS_VM_WRITE |
   PROCESS_VM_READ,

     Success !! I got the handle.

2) Called CreateJobObject(NULL, NULL).
    Wow! I got a  job handle with default rigths.

3) I called AssignProcessToJobObject() with the above 2 handles
    Duh!! Error 5, Access Denied !!!

    The error here could be because of the access rights of the Process object OR the Job Object.
I dont think the process object is the bad guy because I specify all the required flags to perform the Assign operation.
So, I believe my Job handle doesnot come with JOB_OBJECT_ASSIGN_PROCESS right, which I thought a part of default rights.
   
    In brief, my question is : How to Initialize a SECURITY_ATTRIBUTES with JOB_OBJECT_ASSIGN_PROCESS rights, which I can pass to CreateJobObject(), or how to setup SECURITY_ATTRIBUTES structure in general for a given access right.

    I tried searching Google for CreateJobObject JOB_OBJECT_ASSIGN_PROCESS and and all I'm finding is MSDN library entry for CreateJobObject in English and Japanese :)

    I'd be glad if you could provide me with some code snippets.
    Please dont give me MSDN links again..  

Thanks
~ J
0
Comment
Question by:mxjijo
  • 5
  • 4
9 Comments
 
LVL 16

Expert Comment

by:_nn_
ID: 9632143
Experiments :

1) Called OpenProcess() on my target processID with following access rights.
   PROCESS_ALL_ACCESS

     Success !! I got the handle.

2) Called CreateJobObject(NULL, NULL).
    Wow! I got a  job handle with default rigths.

3) I called AssignProcessToJobObject() with the above 2 handles
    Yikes ! It works ! (well, at least, it returns TRUE)


Let's try to reduce the rights on the process handle :

1) Called OpenProcess() on my target processID with following access rights.
   STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | PROCESS_SET_QUOTA | PROCESS_TERMINATE

     Success !! I got the handle.

2) Called CreateJobObject(NULL, NULL).
    Wow! I got a  job handle with default rigths.

3) I called AssignProcessToJobObject() with the above 2 handles
    Yikes ! It works again ! (returns TRUE)

0
 
LVL 8

Author Comment

by:mxjijo
ID: 9634780

Thanks _nn_ for responding, but it does not seem to be working for me.
My AssignProcessToJobObject() still returns error. Let me give you a little more details.

I grab SE_DEBUG_NAME token privilage at the begning, so that I can open any process in the system. I dont know if thats what messing thigs up.

Back in my mind I still doubt the JobObject, does the default rights include JOB_OBJECT_ASSIGN_PROCESS ??

thanks
~ J
0
 
LVL 16

Expert Comment

by:_nn_
ID: 9635175
>> Back in my mind I still doubt the JobObject, does the default rights include JOB_OBJECT_ASSIGN_PROCESS ??

Since it works for me, I'd tend to believe it does. At least on my "normal" W2Kpro under administrator account.

>> I grab SE_DEBUG_NAME token privilage at the begning,

Well, it doesn't seem needed, unless...

>> so that I can open any process in the system.

What processes are you actually opening ? In my (successful) tests, I just started some notepads under the same session/account.
0
Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

 
LVL 8

Author Comment

by:mxjijo
ID: 9635801
>Since it works for me, I'd tend to believe it does. At least on my "normal" W2Kpro >under administrator account.
     Interesting ...  I have a Win2k Server. But I dont knowif that matters..


>> I grab SE_DEBUG_NAME token privilage at the begning,
>Well, it doesn't seem needed, unless...
     I do need this, as I mentioned before I need to open *all* processes in the system (including PID 0 and 8). Unless I have this privilage, I cannot open any of those.

     I am not loggin as "administrator" but I have admin privilages. May be I should try it on Win2k Prof as well, just to see if there is a diff.

~ J
0
 
LVL 8

Author Comment

by:mxjijo
ID: 9635874

Yes, It is Win2k Server!!!

Its works on Win2k Pro. !! (with te same user account)

:)
0
 
LVL 16

Expert Comment

by:_nn_
ID: 9636645
*sigh* Microsoft... >_<

Well, that doesn't solve the problem, but it sheds some light. Currently, I don't have a Win2Kserver to trash around, so I'm afraid, I won't be able to help further, at least in the very near future. I'll keep trying though.

Could it be that specifically on a W2Ksrv, some processes are already attached to some job object ? Or are you confident it's access-rights related ?
0
 
LVL 16

Accepted Solution

by:
_nn_ earned 125 total points
ID: 9637659
FWIW, browsing around I found this :
http://www.codeproject.com/system/secdesc.asp

It might come handy, so I figured I'd post the link.
0
 
LVL 8

Author Comment

by:mxjijo
ID: 9637686
Thank you _nn_. I appreciate. I'll try that !

>Could it be that specifically on a W2Ksrv, some processes are already attached to >some job object ? Or are you confident it's access-rights related ?

I have not digged into it yet. We can't rule out the possibility that a process could be a part of another job. But currently we do not have evidence for that. All I'm getting is a "Access Denied" Error. The only one point which sheds som elight here is that on Win2k Prof, I get the above error on *all* processes, no matter whether it is "notepad.exe" or "system". I don't think the newly created processes like notepad would immediately be a part of a job, which hold it exclusively.
0
 
LVL 8

Author Comment

by:mxjijo
ID: 9638081

_nn_,

That code was definitly something I've been looking for - was very helpful.
But my problem still persists. If I specify any JOB_OBJECT_XXX privilages to that class, it fails (Both on Win2k server and prof). Anyway.. I think I got to ding more in to this.

But you have answered my original qn. So, you get points :)

thanks
~ J
0

Featured Post

Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

With most software applications trying to cater to multiple user needs nowadays, the focus is to make them as configurable as possible. For e.g., when creating Silverlight applications which will connect to WCF services, the service end point usuall…
Entering time in Microsoft Access can be difficult. An input mask often bothers users more than helping them and won't catch all typing errors. This article shows how to create a textbox for 24-hour time input with full validation politely catching …
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question