mxjijo
asked on
Initialize Security attributes for CreateJobObject()
Hi All,
Unfortunately, I've never gotten a chance to pass a non-NULL value to a LPSECURITY_ATTRIBUTES before.
And now, when I tried I'm doomed. Well, let me explain what I'm trying to do.
I create a Job object with CreateJobObject(). Then I try to assign a process handle to it using AssignProcessToJobObject()
This is what I tried.
1) Called OpenProcess() on my target processID with following access rights.
PROCESS_CREATE_THREAD |
PROCESS_QUERY_INFORMATION |
PROCESS_VM_OPERATION |
PROCESS_SET_QUOTA |
PROCESS_TERMINATE |
PROCESS_VM_WRITE |
PROCESS_VM_READ,
Success !! I got the handle.
2) Called CreateJobObject(NULL, NULL).
Wow! I got a job handle with default rigths.
3) I called AssignProcessToJobObject()
Duh!! Error 5, Access Denied !!!
The error here could be because of the access rights of the Process object OR the Job Object.
I dont think the process object is the bad guy because I specify all the required flags to perform the Assign operation.
So, I believe my Job handle doesnot come with JOB_OBJECT_ASSIGN_PROCESS right, which I thought a part of default rights.
In brief, my question is : How to Initialize a SECURITY_ATTRIBUTES with JOB_OBJECT_ASSIGN_PROCESS rights, which I can pass to CreateJobObject(), or how to setup SECURITY_ATTRIBUTES structure in general for a given access right.
I tried searching Google for CreateJobObject JOB_OBJECT_ASSIGN_PROCESS and and all I'm finding is MSDN library entry for CreateJobObject in English and Japanese :)
I'd be glad if you could provide me with some code snippets.
Please dont give me MSDN links again..
Thanks
~ J
ASKER
Thanks _nn_ for responding, but it does not seem to be working for me.
My AssignProcessToJobObject()
I grab SE_DEBUG_NAME token privilage at the begning, so that I can open any process in the system. I dont know if thats what messing thigs up.
Back in my mind I still doubt the JobObject, does the default rights include JOB_OBJECT_ASSIGN_PROCESS ??
thanks
~ J
>> Back in my mind I still doubt the JobObject, does the default rights include JOB_OBJECT_ASSIGN_PROCESS ??
Since it works for me, I'd tend to believe it does. At least on my "normal" W2Kpro under administrator account.
>> I grab SE_DEBUG_NAME token privilage at the begning,
Well, it doesn't seem needed, unless...
>> so that I can open any process in the system.
What processes are you actually opening ? In my (successful) tests, I just started some notepads under the same session/account.
Since it works for me, I'd tend to believe it does. At least on my "normal" W2Kpro under administrator account.
>> I grab SE_DEBUG_NAME token privilage at the begning,
Well, it doesn't seem needed, unless...
>> so that I can open any process in the system.
What processes are you actually opening ? In my (successful) tests, I just started some notepads under the same session/account.
ASKER
>Since it works for me, I'd tend to believe it does. At least on my "normal" W2Kpro >under administrator account.
Interesting ... I have a Win2k Server. But I dont knowif that matters..
>> I grab SE_DEBUG_NAME token privilage at the begning,
>Well, it doesn't seem needed, unless...
I do need this, as I mentioned before I need to open *all* processes in the system (including PID 0 and 8). Unless I have this privilage, I cannot open any of those.
I am not loggin as "administrator" but I have admin privilages. May be I should try it on Win2k Prof as well, just to see if there is a diff.
~ J
Interesting ... I have a Win2k Server. But I dont knowif that matters..
>> I grab SE_DEBUG_NAME token privilage at the begning,
>Well, it doesn't seem needed, unless...
I do need this, as I mentioned before I need to open *all* processes in the system (including PID 0 and 8). Unless I have this privilage, I cannot open any of those.
I am not loggin as "administrator" but I have admin privilages. May be I should try it on Win2k Prof as well, just to see if there is a diff.
~ J
ASKER
Yes, It is Win2k Server!!!
Its works on Win2k Pro. !! (with te same user account)
:)
*sigh* Microsoft... >_<
Well, that doesn't solve the problem, but it sheds some light. Currently, I don't have a Win2Kserver to trash around, so I'm afraid, I won't be able to help further, at least in the very near future. I'll keep trying though.
Could it be that specifically on a W2Ksrv, some processes are already attached to some job object ? Or are you confident it's access-rights related ?
Well, that doesn't solve the problem, but it sheds some light. Currently, I don't have a Win2Kserver to trash around, so I'm afraid, I won't be able to help further, at least in the very near future. I'll keep trying though.
Could it be that specifically on a W2Ksrv, some processes are already attached to some job object ? Or are you confident it's access-rights related ?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you _nn_. I appreciate. I'll try that !
>Could it be that specifically on a W2Ksrv, some processes are already attached to >some job object ? Or are you confident it's access-rights related ?
I have not digged into it yet. We can't rule out the possibility that a process could be a part of another job. But currently we do not have evidence for that. All I'm getting is a "Access Denied" Error. The only one point which sheds som elight here is that on Win2k Prof, I get the above error on *all* processes, no matter whether it is "notepad.exe" or "system". I don't think the newly created processes like notepad would immediately be a part of a job, which hold it exclusively.
>Could it be that specifically on a W2Ksrv, some processes are already attached to >some job object ? Or are you confident it's access-rights related ?
I have not digged into it yet. We can't rule out the possibility that a process could be a part of another job. But currently we do not have evidence for that. All I'm getting is a "Access Denied" Error. The only one point which sheds som elight here is that on Win2k Prof, I get the above error on *all* processes, no matter whether it is "notepad.exe" or "system". I don't think the newly created processes like notepad would immediately be a part of a job, which hold it exclusively.
ASKER
_nn_,
That code was definitly something I've been looking for - was very helpful.
But my problem still persists. If I specify any JOB_OBJECT_XXX privilages to that class, it fails (Both on Win2k server and prof). Anyway.. I think I got to ding more in to this.
But you have answered my original qn. So, you get points :)
thanks
~ J
1) Called OpenProcess() on my target processID with following access rights.
PROCESS_ALL_ACCESS
Success !! I got the handle.
2) Called CreateJobObject(NULL, NULL).
Wow! I got a job handle with default rigths.
3) I called AssignProcessToJobObject()
Yikes ! It works ! (well, at least, it returns TRUE)
Let's try to reduce the rights on the process handle :
1) Called OpenProcess() on my target processID with following access rights.
STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | PROCESS_SET_QUOTA | PROCESS_TERMINATE
Success !! I got the handle.
2) Called CreateJobObject(NULL, NULL).
Wow! I got a job handle with default rigths.
3) I called AssignProcessToJobObject()
Yikes ! It works again ! (returns TRUE)