Solved

Problem with AdjustTokenPrivileges call on Windows Vista

Posted on 2006-11-22
3
1,373 Views
Last Modified: 2008-01-09
I have the following function that sets privileges using the calls

  if isNT then
  begin
    isAllPrevilegiesReceived := NTSetPrivilege('SeRestorePrivilege', True);
    isAllPrevilegiesReceived := isAllPrevilegiesReceived and  NTSetPrivilege('SeBackupPrivilege', True);
    isAllPrevilegiesReceived := isAllPrevilegiesReceived and  NTSetPrivilege('SeTakeOwnershipPrivilege', True);
    isAllPrevilegiesReceived := isAllPrevilegiesReceived and  NTSetPrivilege('SeShutdownPrivilege', True);
  end;

function NTSetPrivilege(sPrivilege: string; bEnabled: Boolean): Boolean;
var
  hToken: THandle;
  TokenPriv: TOKEN_PRIVILEGES;
  PrevTokenPriv: TOKEN_PRIVILEGES;
  ReturnLength: Cardinal;
begin
  Result := True;
  // Only for Windows NT/2000/XP and later.
  if not (Win32Platform = VER_PLATFORM_WIN32_NT) then Exit;

  // obtain the processes token
  if OpenProcessToken(GetCurrentProcess(),
    TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken) then
  begin
    try
      // Get the locally unique identifier (LUID) .
      if LookupPrivilegeValue(nil, PChar(sPrivilege),
        TokenPriv.Privileges[0].Luid) then
      begin
        TokenPriv.PrivilegeCount := 1; // one privilege to set

        case bEnabled of
          True: TokenPriv.Privileges[0].Attributes  := SE_PRIVILEGE_ENABLED;
          False: TokenPriv.Privileges[0].Attributes := 0;
        end;

        ReturnLength := 0; // replaces a var parameter
        PrevTokenPriv := TokenPriv;

        // enable or disable the privilege
        AdjustTokenPrivileges(hToken, False, TokenPriv, SizeOf(PrevTokenPriv), PrevTokenPriv, ReturnLength);
        Result := GetLastError = ERROR_SUCCESS;
        if not Result then
          //On Windows Vista the following error is raised:
          //exception message : Not all privileges or groups referenced are assigned to the caller.
          raise Exception.Create(SysErrorMessage(GetLastError));

      end;
    finally
      CloseHandle(hToken);
    end;
  end;
  // test the return value of AdjustTokenPrivileges.
  Result := GetLastError = ERROR_SUCCESS;
  if not Result then
    //raise Exception.Create(SysErrorMessage(GetLastError));
end;


It works perfectly fine on Windows XP, 2000 and 2003 but under Windows Vista it raises the error "exception message : Not all privileges or groups referenced are assigned to the caller."

Any idea of what might be causing this and how to fix it?

Thanks!
0
Comment
Question by:smartins
  • 2
3 Comments
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17998329

Sounds like the user account does not hold one of the privileges that you are trying to enable; do you know which privilege is causing the failure (and you to raise the exception)? My guess would be that its the SeTakeOwnershipPrivilege. As far as resolving this, double check the account that you are using and compare it with the Local sec policy. (run secpol.msc and look at "Take Ownership of files or other objects")


Russell
0
 

Author Comment

by:smartins
ID: 18002277
The previleges that cause the exception are SeRestorePrivilege, SeBackupPrivilege and SeTakeOwnershipPrivilege.

I tried commenting one by one and the only that does not raise and expection is the SeShutdownPrivilege.

I'm using the default account created by Vista, which might be on the limited side. But I assume most of the Vista systems would be using this type of account since it's the one created automatically on installation.
0
 
LVL 26

Accepted Solution

by:
Russell Libby earned 250 total points
ID: 18003297
Yes, the default account for Vista is very limited. As to an answer to the question:

>> Any idea of what might be causing this and how to fix it?
- The user does not hold the privileges you are trying to enable. (you can't enable privileges that the user does not hold.)
- The user needs to have the prvileges added to their user account, or a group that they belong to.

This leaves you with a few options:

1. Recheck why you need the prviliges to start with. If you need them, the user is going to need to hold them.
2. If the user needs them, but not does hold them, then you will need to run as an admin on the box to add the privileges. Adding can be done manually, or programmatically (for source, see):

http://users.adelphia.net/~rllibby/downloads/privilege.zip

using the TAccountPrivileges class.

---

Russell





0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Creating an auto free TStringList The TStringList is a basic and frequently used object in Delphi. On many occasions, you may want to create a temporary list, process some items in the list and be done with the list. In such cases, you have to…
Hello everybody This Article will show you how to validate number with TEdit control, What's the TEdit control? TEdit is a standard Windows edit control on a form, it allows to user to write, read and copy/paste single line of text. Usua…
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now