getting access denied when trying OpenProcess

Posted on 2005-04-27
Last Modified: 2010-05-18
Hi All,

I have some code that I am using to hook into some debug messages generated by an application.
The application that I am debugging is running as a service under a domain user account  on a win2k server.

I was running into problems while trying to get a handle to processes running as services.  I am now updating the security tokens and granting SeDebugPrivilege privileges before getting the process handle.  
Now this works on my local machine for all local services that I have tried. But when I try to get a handle (via openprocess) to the application service on a server it fails with an access denied error.  

The account that I am logged in as has admin rights to the server.

There must be a way to do this as DebugView picks it up OK.

Below is the code that I am using up to openprocess.

The only thing that I can think of is that when I am calling LookupPrivilegeValue I am calling it on the local system.  The service is running under a domain account.  I have tried getting the service to run under my domain account but still no go.

#include "stdafx.h"
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <stdlib.h>
#include <iostream>

using namespace std;

// ErrorExit was not included in the post; this is a minimal stand-in that
// reports the failing API name and the GetLastError() code.
void ErrorExit(const char* api)
{
    DWORD err = GetLastError();   // capture before any other call can change it
    cerr << api << " failed, error " << err << endl;
}

int _tmain(int argc, _TCHAR* argv[])
{
    DEBUG_EVENT DebugEv;                   // debugging event information
    DWORD dwContinueStatus = DBG_CONTINUE;
    DWORD processID;
    HANDLE processHandle;
    char convertedBuffer[500];
    TOKEN_PRIVILEGES tkp;
    LUID luid;

    cout << "what is the process ID:" << endl;
    cin >> processID;

    // open the token of this (the debugging) process so it can be adjusted
    HANDLE tokenHandle;
    if ( !OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &tokenHandle ) )
    {
        ErrorExit("OpenProcessToken");
        exit(1);
    }
    else
    {
        cout << "OpenProcessToken ok" << endl;
    }

    if ( !LookupPrivilegeValue(
            NULL,            // lookup privilege on local system
            SE_DEBUG_NAME,   // privilege to lookup - debug priv in this case  SeDebugPrivilege
            &luid ) )        // receives LUID of privilege
    {
        ErrorExit("LookupPrivilegeValue");
        exit(1);
    }
    else
    {
        cout << "LookupPrivilegeValue ok" << endl;
    }

    // set the parameters of the token_privileges object
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = luid;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;  // set this to 0 to disable

    // adjust the token
    if ( !AdjustTokenPrivileges(
            tokenHandle,
            FALSE,
            &tkp,
            sizeof(TOKEN_PRIVILEGES),
            (PTOKEN_PRIVILEGES) NULL,
            (PDWORD) NULL) )
    {
        ErrorExit("AdjustTokenPrivileges");
    }
    else if ( GetLastError() == ERROR_NOT_ALL_ASSIGNED )
    {
        // the call returns TRUE even when the token does not hold the privilege
        cout << "AdjustTokenPrivileges: SeDebugPrivilege is not held by this token" << endl;
    }
    else
    {
        cout << "AdjustTokenPrivileges ok " << endl;
    }

    processHandle = OpenProcess(PROCESS_VM_READ, TRUE, processID);

    if (processHandle == NULL)
    {
        ErrorExit("OpenProcess");
        exit(1);
    }

    CloseHandle(processHandle);
    CloseHandle(tokenHandle);
    return 0;
}//main
Question by:Karls
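A quick check of the caller's side, as an added example that is not part of the original thread: the posted code adjusts the token of the process that calls OpenProcess, and AdjustTokenPrivileges returns success with GetLastError() set to ERROR_NOT_ALL_ASSIGNED when that token does not hold the privilege. The PowerShell function below (the name Get-PrivilegeState and the sample rows are constructed for illustration) classifies SeDebugPrivilege from `whoami /priv` output, assuming an English-language Windows where the state column reads Enabled or Disabled.

```powershell
# Constructed sample of `whoami /priv /fo csv /nh` output (not captured from a real host).
$SamplePriv = @(
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"',
    '"SeDebugPrivilege","Debug programs","Disabled"'
)

function Get-PrivilegeState {
    param(
        [string]$Name = 'SeDebugPrivilege',
        # Defaults to the live token of the current session when no lines are passed in.
        [string[]]$CsvLines = (whoami /priv /fo csv /nh)
    )

    # /nh suppresses the header row, so column names are supplied here.
    $row = $CsvLines |
        ConvertFrom-Csv -Header Name, Description, State |
        Where-Object { $_.Name -eq $Name } |
        Select-Object -First 1

    if (-not $row) {
        # Privilege is absent from the token: AdjustTokenPrivileges cannot add it
        # and reports ERROR_NOT_ALL_ASSIGNED while still returning TRUE.
        return 'NotHeld'
    }
    if ($row.State -eq 'Enabled') {
        return 'Enabled'
    }
    # Present but switched off: this is the case AdjustTokenPrivileges can fix.
    return 'Disabled'
}

# Offline run against the constructed sample.
Get-PrivilegeState -CsvLines $SamplePriv
Get-PrivilegeState -Name 'SeTcbPrivilege' -CsvLines $SamplePriv

# Live run against the token of the session that will start the debugger.
Get-PrivilegeState
```

Run the live check in the same logon session, and at the same elevation, as the program that calls OpenProcess, since the result describes that session's token only.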
 

Author Comment

by:Karls
ID: 13891326
Have increased points and will be prepared to increase more.  This is really starting to annoy me :/
0
 
LVL 86

Expert Comment

by:jkr
ID: 13891824
Stupid Q: Have you tried to run the above under a domain admin account (you mentioned your domain acct., but...)?
0
 

Author Comment

by:Karls
ID: 13891879
Unfortunately I have.  
I have since noticed that it is the DebugActiveProcess call that is now failing with an access denied error.
0
 
LVL 86

Expert Comment

by:jkr
ID: 13891906
Hmm, any chance you're interested in workarounds? (have to admit that I am at my wit's end :o)

If this is merely a problem about being able to debug the service, you could set it to run as a local account, but that would of course defeat the purpose if you need the domain credentials so the service can run properly...
0
 

Author Comment

by:Karls
ID: 13891950
Yeah, unfortunately the service needs to run under the domain account.  I tried setting the service to run under the domain account that I am actually logged in as but still no go.

A workaround would be fine.  The problem being that I need the debug messages that are generated by the application because I need to do some logic processing.

In order to get debug privileges, what needs the SeDebugPrivilege?  Is it the user account running the debug program or does the account running the service need SeDebugPrivilege or do both?


Karl
0
 
LVL 86

Expert Comment

by:jkr
ID: 13891968
>>A work around would be fine

Have you thought of impersonating the domain account in a separate thread and have the main service code run 'locally'? If you can afford that overhead (of course for testing purposes only), that might be one way to go.
0
 

Author Comment

by:Karls
ID: 13923064
Jkr,

I'm not quite sure what you mean by this.  How do you impersonate the domain account?
I am unable to run the service using local permissions because it accesses the network.

Karl
0
 
LVL 86

Expert Comment

by:jkr
ID: 13923088
You'd call 'LogonUser()'/'ImpersonateLoggedOnUser()'.
0
 
LVL 86

Accepted Solution

by:
jkr earned 2000 total points
ID: 13923099
Oops:

HANDLE hToken;


   if  (   !LogonUser  (   ( char*) pszUsername,
                           NULL,
                           ( char*) pszPwd,
                           LOGON32_LOGON_INTERACTIVE,
                           LOGON32_PROVIDER_DEFAULT,
                           &hToken
                       )
       )
       {
           ReportError   (   "LogonUser() failed, reason == %d\n",
                           GetLastError    ()
                       );

           return  (   GetLastError    ());
       }


    if  (   !ImpersonateLoggedOnUser    (   hToken)
        )
        {
            ReportError   (   "ImpersonateLoggedOnUser() failed, reason == %d\n",
                            GetLastError    ()
                        );

            return  (   GetLastError    ());
        }
0
 
LVL 86

Expert Comment

by:jkr
ID: 13923131
BTW, just in case you have doubts here about the accessibility of the domain - the logon authentication is done by LSASS, not your service, so that won't be an issue.
0
 
LVL 14

Expert Comment

by:wayside
ID: 15714346
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

Accept: jkr

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

wayside
EE Cleanup Volunteer
0
