Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Exe lacks "query information" permission, can't get list of printers.

Posted on 2009-04-14
Medium Priority
Last Modified: 2013-11-29
One of my customers has a VB6 application that tells a Common Dialog box to show the list of printers.

It works without any difficulty -- except on one machine.  On that computer, a 64-bit Windows 2003 Server machine running Terminal Server, it displays an error message to the effect that the user does not have permission to get the information.

They have already done a great deal of work on this to isolate the cause.

Using sysinternals process explorer, they find that the instance of the executable lacks the "query information" special permission.  Using the tool, they can grant the permission to the user for that instance.  But the next time they launch the program, it lacks the permission again.

They can reproduce the issue on other Windows machines by using process explorer to remove the "query information" permission.

If you can answer the following question, you're better than 3 levels of Microsoft tech support:

Where is that permissions set? What in the OS determines that setting?

Question by:Daniel Wilson
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 3
LVL 41

Accepted Solution

graye earned 2000 total points
ID: 24141841
Is there anything strange about that server... particularly with regard to Media services or any Digital Right Management tasks?   Is that server running IE8?
The only reference in the MSDN for the PROCESS_QUERY_INFORMATION token is at http://msdn.microsoft.com/library/en-us/dllproc/base/process_security_and_access_rights.asp which seems to indicate that in Vista (which doesn't seem to be the case here) that token is not automatically propagated.
Do you have a programmer handy?   I think we could add a few lines of code to your application to alter the processes' securty token
LVL 41

Expert Comment

ID: 24141887
Also, run GPEDIT.MSC on the server, and drill down to Computer Configuration, Windows Sewttings, Security Settings, Local Policies, User Rights Assingments and tell us what's in "Replace a process level token"
LVL 32

Author Comment

by:Daniel Wilson
ID: 24141924
>>Do you have a programmer handy?   I think we could add a few lines of code to your application to alter the processes' securty token

Right here!  You've got VB6 code that can do this?

Logging onto that server now  to look @ GPEdit ...
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 32

Author Comment

by:Daniel Wilson
ID: 24142039
"Replace a process level token" has several system-created users:

And the server is running IE7.

We have another executable that runs the exact same code ... has same NTFS permissions ... and it's fine on that server.

More ideas?  Or some code to try?

LVL 32

Author Comment

by:Daniel Wilson
ID: 24142487
"When a user logs in, the system collects a set of data that uniquely identifies the user during the authentication process, and stores it in an access token. This access token describes the security context of all processes associated with the user. The security context of a process is the set of credentials given to the process or the user account that created the process."

Except that ... the same user is getting one set of access rights applied to one executable and a smaller set applied to another executable in the same session.

"To change a process's security descriptor, call the  SetSecurityInfo function."

So, can the process do this for itself?

I guess in psuedocode I'm wishing for something like the following.  Does this look at all right or feasible?

SecurityInfo si = GetSecurityInfo(MyHandle, other parameters)
SetSecurityInfo (MyHandle, si OR Query_Information_Value, other parameters)
But of course that's wrong as GetSecurityInfo doesn't return a SecurityInfo structure ... but a DWORD success/error value.

Open in new window

LVL 41

Assisted Solution

graye earned 2000 total points
ID: 24144372
There aren't that many examples of SetSecurityInfo which use a process handle as an argument (most of the examples will be  working with files).   Even fewer still using VB6...
LVL 32

Author Comment

by:Daniel Wilson
ID: 24161563
Thanks, one of those links was good.  And I think I'm really close.

However, GetSecurityInfo is returning an error code 6 ... which appears to mean "Invalid Handle".  The handle returned by GetProcessID() matches the PID that Task Manager shows.

Here's the code ... simplified just a little.

Suggestions?  thanks!

1000        Dim ea As EXPLICIT_ACCESS
1010        Dim pCurDacl As Long
1020        Dim pNewDacl As Long
1030        Dim MyHandle As Long
1040        Dim pSD As Long
1050        Dim lErrorCheck As Long
1070        On Error GoTo Err_Handler
                    'set up the explicit access, that is the specific right that will be granted
1080        With ea
1090            .grfAccessPermissions = lPermission
1100            .grfAccessMode = GRANT_ACCESS
1110            .grfInheritance = NO_INHERITANCE
1120            .TRUSTEE.TrusteeForm = TRUSTEE_IS_NAME
1130            .TRUSTEE.TrusteeType = TRUSTEE_IS_USER
1140            .TRUSTEE.ptstrName = "CURRENT_USER" & vbNullChar 'Perhaps this should actually have the current Windows user name ... not sure
1150        End With
                    'Get the handle to this process
1160        MyHandle = GetCurrentProcessId()
                    'Get the current DACL
1170        lErrorCheck = GetSecurityInfo(MyHandle, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, _
                        0, 0, pCurDacl, 0, pSD)
^^^^^^^^^^^^^^^^  lErrorCheck is coming back with 6, not 0 ^^^^^^^^^^^^^^^^^^

Open in new window

LVL 32

Author Comment

by:Daniel Wilson
ID: 24161787
OK, found the obvious error ... obvious if you know your Win API stuff.  A ProcessID is not a Handle.  Must use OpenProcess to return the Handle.


  __in  DWORD dwDesiredAccess,
  __in  BOOL bInheritHandle,
  __in  DWORD dwProcessId

dwProcessID is the easy parameter.  I got that with GetCurrentProcessID.
I don't think I need the handle inherited, so bInheritHandle will be false.

What access should I request in the first parameter?

LVL 32

Author Comment

by:Daniel Wilson
ID: 24162868
READ_CONTROL Or WRITE_DAC gets me past that error.

Now when I get to the SetSecurityInfo call, I'm getting error 1336, Invalid ACL.

Might have to do with the hard-coded "CURRENT USER" ... investigating ... but would still appreciate any pointers :-)

            'Get the handle to this process
1170        MyPID = GetCurrentProcessId()

Open in new window

LVL 32

Author Closing Comment

by:Daniel Wilson
ID: 31569896
Graye, you got me really close.  I'll be asking a follow-up and would welcome your participation in that.
Thanks for the help!
LVL 32

Author Comment

by:Daniel Wilson
ID: 24166698

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Configuring Remote Assistance for use with SCCM
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question