Initialize Security attributes for CreateJobObject()


Hi All,
       Unfortunately, I've never gotten a chance to  pass a non-NULL value to a LPSECURITY_ATTRIBUTES before.
And now, when I tried I'm doomed. Well, let me explain what I'm trying to do.

       I create a Job object with CreateJobObject(). Then I try to assign a process handle to it using AssignProcessToJobObject().

This is  what I tried.
1) Called OpenProcess() on my target processID with following access rights.
   PROCESS_CREATE_THREAD |
   PROCESS_QUERY_INFORMATION |
   PROCESS_VM_OPERATION |
   PROCESS_SET_QUOTA |
   PROCESS_TERMINATE |
   PROCESS_VM_WRITE |
   PROCESS_VM_READ,

     Success !! I got the handle.

2) Called CreateJobObject(NULL, NULL).
    Wow! I got a  job handle with default rigths.

3) I called AssignProcessToJobObject() with the above 2 handles
    Duh!! Error 5, Access Denied !!!

    The error here could be because of the access rights of the Process object OR the Job Object.
I dont think the process object is the bad guy because I specify all the required flags to perform the Assign operation.
So, I believe my Job handle doesnot come with JOB_OBJECT_ASSIGN_PROCESS right, which I thought a part of default rights.
   
    In brief, my question is : How to Initialize a SECURITY_ATTRIBUTES with JOB_OBJECT_ASSIGN_PROCESS rights, which I can pass to CreateJobObject(), or how to setup SECURITY_ATTRIBUTES structure in general for a given access right.

    I tried searching Google for CreateJobObject JOB_OBJECT_ASSIGN_PROCESS and and all I'm finding is MSDN library entry for CreateJobObject in English and Japanese :)

    I'd be glad if you could provide me with some code snippets.
    Please dont give me MSDN links again..  

Thanks
~ J
LVL 8
mxjijoAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

_nn_Commented:
Experiments :

1) Called OpenProcess() on my target processID with following access rights.
   PROCESS_ALL_ACCESS

     Success !! I got the handle.

2) Called CreateJobObject(NULL, NULL).
    Wow! I got a  job handle with default rigths.

3) I called AssignProcessToJobObject() with the above 2 handles
    Yikes ! It works ! (well, at least, it returns TRUE)


Let's try to reduce the rights on the process handle :

1) Called OpenProcess() on my target processID with following access rights.
   STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | PROCESS_SET_QUOTA | PROCESS_TERMINATE

     Success !! I got the handle.

2) Called CreateJobObject(NULL, NULL).
    Wow! I got a  job handle with default rigths.

3) I called AssignProcessToJobObject() with the above 2 handles
    Yikes ! It works again ! (returns TRUE)

0
mxjijoAuthor Commented:

Thanks _nn_ for responding, but it does not seem to be working for me.
My AssignProcessToJobObject() still returns error. Let me give you a little more details.

I grab SE_DEBUG_NAME token privilage at the begning, so that I can open any process in the system. I dont know if thats what messing thigs up.

Back in my mind I still doubt the JobObject, does the default rights include JOB_OBJECT_ASSIGN_PROCESS ??

thanks
~ J
0
_nn_Commented:
>> Back in my mind I still doubt the JobObject, does the default rights include JOB_OBJECT_ASSIGN_PROCESS ??

Since it works for me, I'd tend to believe it does. At least on my "normal" W2Kpro under administrator account.

>> I grab SE_DEBUG_NAME token privilage at the begning,

Well, it doesn't seem needed, unless...

>> so that I can open any process in the system.

What processes are you actually opening ? In my (successful) tests, I just started some notepads under the same session/account.
0
Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

mxjijoAuthor Commented:
>Since it works for me, I'd tend to believe it does. At least on my "normal" W2Kpro >under administrator account.
     Interesting ...  I have a Win2k Server. But I dont knowif that matters..


>> I grab SE_DEBUG_NAME token privilage at the begning,
>Well, it doesn't seem needed, unless...
     I do need this, as I mentioned before I need to open *all* processes in the system (including PID 0 and 8). Unless I have this privilage, I cannot open any of those.

     I am not loggin as "administrator" but I have admin privilages. May be I should try it on Win2k Prof as well, just to see if there is a diff.

~ J
0
mxjijoAuthor Commented:

Yes, It is Win2k Server!!!

Its works on Win2k Pro. !! (with te same user account)

:)
0
_nn_Commented:
*sigh* Microsoft... >_<

Well, that doesn't solve the problem, but it sheds some light. Currently, I don't have a Win2Kserver to trash around, so I'm afraid, I won't be able to help further, at least in the very near future. I'll keep trying though.

Could it be that specifically on a W2Ksrv, some processes are already attached to some job object ? Or are you confident it's access-rights related ?
0
_nn_Commented:
FWIW, browsing around I found this :
http://www.codeproject.com/system/secdesc.asp

It might come handy, so I figured I'd post the link.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mxjijoAuthor Commented:
Thank you _nn_. I appreciate. I'll try that !

>Could it be that specifically on a W2Ksrv, some processes are already attached to >some job object ? Or are you confident it's access-rights related ?

I have not digged into it yet. We can't rule out the possibility that a process could be a part of another job. But currently we do not have evidence for that. All I'm getting is a "Access Denied" Error. The only one point which sheds som elight here is that on Win2k Prof, I get the above error on *all* processes, no matter whether it is "notepad.exe" or "system". I don't think the newly created processes like notepad would immediately be a part of a job, which hold it exclusively.
0
mxjijoAuthor Commented:

_nn_,

That code was definitly something I've been looking for - was very helpful.
But my problem still persists. If I specify any JOB_OBJECT_XXX privilages to that class, it fails (Both on Win2k server and prof). Anyway.. I think I got to ding more in to this.

But you have answered my original qn. So, you get points :)

thanks
~ J
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Development

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.