Solved

Problem with AdjustTokenPrivileges call on Windows Vista

Posted on 2006-11-22
3
1,383 Views
Last Modified: 2008-01-09
I have the following function that sets privileges using the calls

  if isNT then
  begin
    isAllPrevilegiesReceived := NTSetPrivilege('SeRestorePrivilege', True);
    isAllPrevilegiesReceived := isAllPrevilegiesReceived and  NTSetPrivilege('SeBackupPrivilege', True);
    isAllPrevilegiesReceived := isAllPrevilegiesReceived and  NTSetPrivilege('SeTakeOwnershipPrivilege', True);
    isAllPrevilegiesReceived := isAllPrevilegiesReceived and  NTSetPrivilege('SeShutdownPrivilege', True);
  end;

function NTSetPrivilege(sPrivilege: string; bEnabled: Boolean): Boolean;
var
  hToken: THandle;
  TokenPriv: TOKEN_PRIVILEGES;
  PrevTokenPriv: TOKEN_PRIVILEGES;
  ReturnLength: Cardinal;
begin
  Result := True;
  // Only for Windows NT/2000/XP and later.
  if not (Win32Platform = VER_PLATFORM_WIN32_NT) then Exit;

  // obtain the processes token
  if OpenProcessToken(GetCurrentProcess(),
    TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken) then
  begin
    try
      // Get the locally unique identifier (LUID) .
      if LookupPrivilegeValue(nil, PChar(sPrivilege),
        TokenPriv.Privileges[0].Luid) then
      begin
        TokenPriv.PrivilegeCount := 1; // one privilege to set

        case bEnabled of
          True: TokenPriv.Privileges[0].Attributes  := SE_PRIVILEGE_ENABLED;
          False: TokenPriv.Privileges[0].Attributes := 0;
        end;

        ReturnLength := 0; // replaces a var parameter
        PrevTokenPriv := TokenPriv;

        // enable or disable the privilege
        AdjustTokenPrivileges(hToken, False, TokenPriv, SizeOf(PrevTokenPriv), PrevTokenPriv, ReturnLength);
        Result := GetLastError = ERROR_SUCCESS;
        if not Result then
          //On Windows Vista the following error is raised:
          //exception message : Not all privileges or groups referenced are assigned to the caller.
          raise Exception.Create(SysErrorMessage(GetLastError));

      end;
    finally
      CloseHandle(hToken);
    end;
  end;
  // test the return value of AdjustTokenPrivileges.
  Result := GetLastError = ERROR_SUCCESS;
  if not Result then
    //raise Exception.Create(SysErrorMessage(GetLastError));
end;


It works perfectly fine on Windows XP, 2000 and 2003 but under Windows Vista it raises the error "exception message : Not all privileges or groups referenced are assigned to the caller."

Any idea of what might be causing this and how to fix it?

Thanks!
0
Comment
Question by:smartins
  • 2
3 Comments
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17998329

Sounds like the user account does not hold one of the privileges that you are trying to enable; do you know which privilege is causing the failure (and you to raise the exception)? My guess would be that its the SeTakeOwnershipPrivilege. As far as resolving this, double check the account that you are using and compare it with the Local sec policy. (run secpol.msc and look at "Take Ownership of files or other objects")


Russell
0
 

Author Comment

by:smartins
ID: 18002277
The previleges that cause the exception are SeRestorePrivilege, SeBackupPrivilege and SeTakeOwnershipPrivilege.

I tried commenting one by one and the only that does not raise and expection is the SeShutdownPrivilege.

I'm using the default account created by Vista, which might be on the limited side. But I assume most of the Vista systems would be using this type of account since it's the one created automatically on installation.
0
 
LVL 26

Accepted Solution

by:
Russell Libby earned 250 total points
ID: 18003297
Yes, the default account for Vista is very limited. As to an answer to the question:

>> Any idea of what might be causing this and how to fix it?
- The user does not hold the privileges you are trying to enable. (you can't enable privileges that the user does not hold.)
- The user needs to have the prvileges added to their user account, or a group that they belong to.

This leaves you with a few options:

1. Recheck why you need the prviliges to start with. If you need them, the user is going to need to hold them.
2. If the user needs them, but not does hold them, then you will need to run as an admin on the box to add the privileges. Adding can be done manually, or programmatically (for source, see):

http://users.adelphia.net/~rllibby/downloads/privilege.zip

using the TAccountPrivileges class.

---

Russell





0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Objective: - This article will help user in how to convert their numeric value become words. How to use 1. You can copy this code in your Unit as function 2. than you can perform your function by type this code The Code   (CODE) The Im…
In my programming career I have only very rarely run into situations where operator overloading would be of any use in my work.  Normally those situations involved math with either overly large numbers (hundreds of thousands of digits or accuracy re…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question