Solved

Problem with AdjustTokenPrivileges call on Windows Vista

Posted on 2006-11-22
3
1,368 Views
Last Modified: 2008-01-09
I have the following function that sets privileges using the calls

  if isNT then
  begin
    isAllPrevilegiesReceived := NTSetPrivilege('SeRestorePrivilege', True);
    isAllPrevilegiesReceived := isAllPrevilegiesReceived and  NTSetPrivilege('SeBackupPrivilege', True);
    isAllPrevilegiesReceived := isAllPrevilegiesReceived and  NTSetPrivilege('SeTakeOwnershipPrivilege', True);
    isAllPrevilegiesReceived := isAllPrevilegiesReceived and  NTSetPrivilege('SeShutdownPrivilege', True);
  end;

function NTSetPrivilege(sPrivilege: string; bEnabled: Boolean): Boolean;
var
  hToken: THandle;
  TokenPriv: TOKEN_PRIVILEGES;
  PrevTokenPriv: TOKEN_PRIVILEGES;
  ReturnLength: Cardinal;
begin
  Result := True;
  // Only for Windows NT/2000/XP and later.
  if not (Win32Platform = VER_PLATFORM_WIN32_NT) then Exit;

  // obtain the processes token
  if OpenProcessToken(GetCurrentProcess(),
    TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken) then
  begin
    try
      // Get the locally unique identifier (LUID) .
      if LookupPrivilegeValue(nil, PChar(sPrivilege),
        TokenPriv.Privileges[0].Luid) then
      begin
        TokenPriv.PrivilegeCount := 1; // one privilege to set

        case bEnabled of
          True: TokenPriv.Privileges[0].Attributes  := SE_PRIVILEGE_ENABLED;
          False: TokenPriv.Privileges[0].Attributes := 0;
        end;

        ReturnLength := 0; // replaces a var parameter
        PrevTokenPriv := TokenPriv;

        // enable or disable the privilege
        AdjustTokenPrivileges(hToken, False, TokenPriv, SizeOf(PrevTokenPriv), PrevTokenPriv, ReturnLength);
        Result := GetLastError = ERROR_SUCCESS;
        if not Result then
          //On Windows Vista the following error is raised:
          //exception message : Not all privileges or groups referenced are assigned to the caller.
          raise Exception.Create(SysErrorMessage(GetLastError));

      end;
    finally
      CloseHandle(hToken);
    end;
  end;
  // test the return value of AdjustTokenPrivileges.
  Result := GetLastError = ERROR_SUCCESS;
  if not Result then
    //raise Exception.Create(SysErrorMessage(GetLastError));
end;


It works perfectly fine on Windows XP, 2000 and 2003 but under Windows Vista it raises the error "exception message : Not all privileges or groups referenced are assigned to the caller."

Any idea of what might be causing this and how to fix it?

Thanks!
0
Comment
Question by:smartins
  • 2
3 Comments
 
LVL 26

Expert Comment

by:Russell Libby
Comment Utility

Sounds like the user account does not hold one of the privileges that you are trying to enable; do you know which privilege is causing the failure (and you to raise the exception)? My guess would be that its the SeTakeOwnershipPrivilege. As far as resolving this, double check the account that you are using and compare it with the Local sec policy. (run secpol.msc and look at "Take Ownership of files or other objects")


Russell
0
 

Author Comment

by:smartins
Comment Utility
The previleges that cause the exception are SeRestorePrivilege, SeBackupPrivilege and SeTakeOwnershipPrivilege.

I tried commenting one by one and the only that does not raise and expection is the SeShutdownPrivilege.

I'm using the default account created by Vista, which might be on the limited side. But I assume most of the Vista systems would be using this type of account since it's the one created automatically on installation.
0
 
LVL 26

Accepted Solution

by:
Russell Libby earned 250 total points
Comment Utility
Yes, the default account for Vista is very limited. As to an answer to the question:

>> Any idea of what might be causing this and how to fix it?
- The user does not hold the privileges you are trying to enable. (you can't enable privileges that the user does not hold.)
- The user needs to have the prvileges added to their user account, or a group that they belong to.

This leaves you with a few options:

1. Recheck why you need the prviliges to start with. If you need them, the user is going to need to hold them.
2. If the user needs them, but not does hold them, then you will need to run as an admin on the box to add the privileges. Adding can be done manually, or programmatically (for source, see):

http://users.adelphia.net/~rllibby/downloads/privilege.zip

using the TAccountPrivileges class.

---

Russell





0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Introduction I have seen many questions in this Delphi topic area where queries in threads are needed or suggested. I know bumped into a similar need. This article will address some of the concepts when dealing with a multithreaded delphi database…
In my programming career I have only very rarely run into situations where operator overloading would be of any use in my work.  Normally those situations involved math with either overly large numbers (hundreds of thousands of digits or accuracy re…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now