Solved

Problem with AdjustTokenPrivileges call on Windows Vista

Posted on 2006-11-22
3
1,380 Views
Last Modified: 2008-01-09
I have the following function that sets privileges using the calls

  if isNT then
  begin
    isAllPrevilegiesReceived := NTSetPrivilege('SeRestorePrivilege', True);
    isAllPrevilegiesReceived := isAllPrevilegiesReceived and  NTSetPrivilege('SeBackupPrivilege', True);
    isAllPrevilegiesReceived := isAllPrevilegiesReceived and  NTSetPrivilege('SeTakeOwnershipPrivilege', True);
    isAllPrevilegiesReceived := isAllPrevilegiesReceived and  NTSetPrivilege('SeShutdownPrivilege', True);
  end;

function NTSetPrivilege(sPrivilege: string; bEnabled: Boolean): Boolean;
var
  hToken: THandle;
  TokenPriv: TOKEN_PRIVILEGES;
  PrevTokenPriv: TOKEN_PRIVILEGES;
  ReturnLength: Cardinal;
begin
  Result := True;
  // Only for Windows NT/2000/XP and later.
  if not (Win32Platform = VER_PLATFORM_WIN32_NT) then Exit;

  // obtain the processes token
  if OpenProcessToken(GetCurrentProcess(),
    TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken) then
  begin
    try
      // Get the locally unique identifier (LUID) .
      if LookupPrivilegeValue(nil, PChar(sPrivilege),
        TokenPriv.Privileges[0].Luid) then
      begin
        TokenPriv.PrivilegeCount := 1; // one privilege to set

        case bEnabled of
          True: TokenPriv.Privileges[0].Attributes  := SE_PRIVILEGE_ENABLED;
          False: TokenPriv.Privileges[0].Attributes := 0;
        end;

        ReturnLength := 0; // replaces a var parameter
        PrevTokenPriv := TokenPriv;

        // enable or disable the privilege
        AdjustTokenPrivileges(hToken, False, TokenPriv, SizeOf(PrevTokenPriv), PrevTokenPriv, ReturnLength);
        Result := GetLastError = ERROR_SUCCESS;
        if not Result then
          //On Windows Vista the following error is raised:
          //exception message : Not all privileges or groups referenced are assigned to the caller.
          raise Exception.Create(SysErrorMessage(GetLastError));

      end;
    finally
      CloseHandle(hToken);
    end;
  end;
  // test the return value of AdjustTokenPrivileges.
  Result := GetLastError = ERROR_SUCCESS;
  if not Result then
    //raise Exception.Create(SysErrorMessage(GetLastError));
end;


It works perfectly fine on Windows XP, 2000 and 2003 but under Windows Vista it raises the error "exception message : Not all privileges or groups referenced are assigned to the caller."

Any idea of what might be causing this and how to fix it?

Thanks!
0
Comment
Question by:smartins
  • 2
3 Comments
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17998329

Sounds like the user account does not hold one of the privileges that you are trying to enable; do you know which privilege is causing the failure (and you to raise the exception)? My guess would be that its the SeTakeOwnershipPrivilege. As far as resolving this, double check the account that you are using and compare it with the Local sec policy. (run secpol.msc and look at "Take Ownership of files or other objects")


Russell
0
 

Author Comment

by:smartins
ID: 18002277
The previleges that cause the exception are SeRestorePrivilege, SeBackupPrivilege and SeTakeOwnershipPrivilege.

I tried commenting one by one and the only that does not raise and expection is the SeShutdownPrivilege.

I'm using the default account created by Vista, which might be on the limited side. But I assume most of the Vista systems would be using this type of account since it's the one created automatically on installation.
0
 
LVL 26

Accepted Solution

by:
Russell Libby earned 250 total points
ID: 18003297
Yes, the default account for Vista is very limited. As to an answer to the question:

>> Any idea of what might be causing this and how to fix it?
- The user does not hold the privileges you are trying to enable. (you can't enable privileges that the user does not hold.)
- The user needs to have the prvileges added to their user account, or a group that they belong to.

This leaves you with a few options:

1. Recheck why you need the prviliges to start with. If you need them, the user is going to need to hold them.
2. If the user needs them, but not does hold them, then you will need to run as an admin on the box to add the privileges. Adding can be done manually, or programmatically (for source, see):

http://users.adelphia.net/~rllibby/downloads/privilege.zip

using the TAccountPrivileges class.

---

Russell





0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A lot of questions regard threads in Delphi.   One of the more specific questions is how to show progress of the thread.   Updating a progressbar from inside a thread is a mistake. A solution to this would be to send a synchronized message to the…
Introduction Raise your hands if you were as upset with FireMonkey as I was when I discovered that there was no TListview.  I use TListView in almost all of my applications I've written, and I was not going to compromise by resorting to TStringGrid…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question