Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Problem with AdjustTokenPrivileges call on Windows Vista

Posted on 2006-11-22
3
Medium Priority
?
1,412 Views
Last Modified: 2008-01-09
I have the following function that sets privileges using the calls

  if isNT then
  begin
    isAllPrevilegiesReceived := NTSetPrivilege('SeRestorePrivilege', True);
    isAllPrevilegiesReceived := isAllPrevilegiesReceived and  NTSetPrivilege('SeBackupPrivilege', True);
    isAllPrevilegiesReceived := isAllPrevilegiesReceived and  NTSetPrivilege('SeTakeOwnershipPrivilege', True);
    isAllPrevilegiesReceived := isAllPrevilegiesReceived and  NTSetPrivilege('SeShutdownPrivilege', True);
  end;

function NTSetPrivilege(sPrivilege: string; bEnabled: Boolean): Boolean;
var
  hToken: THandle;
  TokenPriv: TOKEN_PRIVILEGES;
  PrevTokenPriv: TOKEN_PRIVILEGES;
  ReturnLength: Cardinal;
begin
  Result := True;
  // Only for Windows NT/2000/XP and later.
  if not (Win32Platform = VER_PLATFORM_WIN32_NT) then Exit;

  // obtain the processes token
  if OpenProcessToken(GetCurrentProcess(),
    TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken) then
  begin
    try
      // Get the locally unique identifier (LUID) .
      if LookupPrivilegeValue(nil, PChar(sPrivilege),
        TokenPriv.Privileges[0].Luid) then
      begin
        TokenPriv.PrivilegeCount := 1; // one privilege to set

        case bEnabled of
          True: TokenPriv.Privileges[0].Attributes  := SE_PRIVILEGE_ENABLED;
          False: TokenPriv.Privileges[0].Attributes := 0;
        end;

        ReturnLength := 0; // replaces a var parameter
        PrevTokenPriv := TokenPriv;

        // enable or disable the privilege
        AdjustTokenPrivileges(hToken, False, TokenPriv, SizeOf(PrevTokenPriv), PrevTokenPriv, ReturnLength);
        Result := GetLastError = ERROR_SUCCESS;
        if not Result then
          //On Windows Vista the following error is raised:
          //exception message : Not all privileges or groups referenced are assigned to the caller.
          raise Exception.Create(SysErrorMessage(GetLastError));

      end;
    finally
      CloseHandle(hToken);
    end;
  end;
  // test the return value of AdjustTokenPrivileges.
  Result := GetLastError = ERROR_SUCCESS;
  if not Result then
    //raise Exception.Create(SysErrorMessage(GetLastError));
end;


It works perfectly fine on Windows XP, 2000 and 2003 but under Windows Vista it raises the error "exception message : Not all privileges or groups referenced are assigned to the caller."

Any idea of what might be causing this and how to fix it?

Thanks!
0
Comment
Question by:smartins
  • 2
3 Comments
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17998329

Sounds like the user account does not hold one of the privileges that you are trying to enable; do you know which privilege is causing the failure (and you to raise the exception)? My guess would be that its the SeTakeOwnershipPrivilege. As far as resolving this, double check the account that you are using and compare it with the Local sec policy. (run secpol.msc and look at "Take Ownership of files or other objects")


Russell
0
 

Author Comment

by:smartins
ID: 18002277
The previleges that cause the exception are SeRestorePrivilege, SeBackupPrivilege and SeTakeOwnershipPrivilege.

I tried commenting one by one and the only that does not raise and expection is the SeShutdownPrivilege.

I'm using the default account created by Vista, which might be on the limited side. But I assume most of the Vista systems would be using this type of account since it's the one created automatically on installation.
0
 
LVL 26

Accepted Solution

by:
Russell Libby earned 1000 total points
ID: 18003297
Yes, the default account for Vista is very limited. As to an answer to the question:

>> Any idea of what might be causing this and how to fix it?
- The user does not hold the privileges you are trying to enable. (you can't enable privileges that the user does not hold.)
- The user needs to have the prvileges added to their user account, or a group that they belong to.

This leaves you with a few options:

1. Recheck why you need the prviliges to start with. If you need them, the user is going to need to hold them.
2. If the user needs them, but not does hold them, then you will need to run as an admin on the box to add the privileges. Adding can be done manually, or programmatically (for source, see):

http://users.adelphia.net/~rllibby/downloads/privilege.zip

using the TAccountPrivileges class.

---

Russell





0

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction The parallel port is a very commonly known port, it was widely used to connect a printer to the PC, if you look at the back of your computer, for those who don't have newer computers, there will be a port with 25 pins and a small print…
Have you ever had your Delphi form/application just hanging while waiting for data to load? This is the article to read if you want to learn some things about adding threads for data loading in the background. First, I'll setup a general applica…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
Loops Section Overview
Suggested Courses

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question