Exe lacks "query information" permission, can't get list of printers.

Posted on 2009-04-14
Last Modified: 2013-11-29
One of my customers has a VB6 application that tells a Common Dialog box to show the list of printers.

It works without any difficulty -- except on one machine.  On that computer, a 64-bit Windows 2003 Server machine running Terminal Server, it displays an error message to the effect that the user does not have permission to get the information.

They have already done a great deal of work on this to isolate the cause.

Using sysinternals process explorer, they find that the instance of the executable lacks the "query information" special permission.  Using the tool, they can grant the permission to the user for that instance.  But the next time they launch the program, it lacks the permission again.

They can reproduce the issue on other Windows machines by using process explorer to remove the "query information" permission.

If you can answer the following question, you're better than 3 levels of Microsoft tech support:

Where is that permissions set? What in the OS determines that setting?

Question by:Daniel Wilson
  • 8
  • 3
LVL 41

Accepted Solution

graye earned 500 total points
ID: 24141841
Is there anything strange about that server... particularly with regard to Media services or any Digital Right Management tasks?   Is that server running IE8?
The only reference in the MSDN for the PROCESS_QUERY_INFORMATION token is at which seems to indicate that in Vista (which doesn't seem to be the case here) that token is not automatically propagated.
Do you have a programmer handy?   I think we could add a few lines of code to your application to alter the processes' securty token
LVL 41

Expert Comment

ID: 24141887
Also, run GPEDIT.MSC on the server, and drill down to Computer Configuration, Windows Sewttings, Security Settings, Local Policies, User Rights Assingments and tell us what's in "Replace a process level token"
LVL 32

Author Comment

by:Daniel Wilson
ID: 24141924
>>Do you have a programmer handy?   I think we could add a few lines of code to your application to alter the processes' securty token

Right here!  You've got VB6 code that can do this?

Logging onto that server now  to look @ GPEdit ...
LVL 32

Author Comment

by:Daniel Wilson
ID: 24142039
"Replace a process level token" has several system-created users:

And the server is running IE7.

We have another executable that runs the exact same code ... has same NTFS permissions ... and it's fine on that server.

More ideas?  Or some code to try?

LVL 32

Author Comment

by:Daniel Wilson
ID: 24142487
"When a user logs in, the system collects a set of data that uniquely identifies the user during the authentication process, and stores it in an access token. This access token describes the security context of all processes associated with the user. The security context of a process is the set of credentials given to the process or the user account that created the process."

Except that ... the same user is getting one set of access rights applied to one executable and a smaller set applied to another executable in the same session.

"To change a process's security descriptor, call the  SetSecurityInfo function."

So, can the process do this for itself?

I guess in psuedocode I'm wishing for something like the following.  Does this look at all right or feasible?

SecurityInfo si = GetSecurityInfo(MyHandle, other parameters)

SetSecurityInfo (MyHandle, si OR Query_Information_Value, other parameters)

But of course that's wrong as GetSecurityInfo doesn't return a SecurityInfo structure ... but a DWORD success/error value.

Open in new window

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

LVL 41

Assisted Solution

graye earned 500 total points
ID: 24144372
There aren't that many examples of SetSecurityInfo which use a process handle as an argument (most of the examples will be  working with files).   Even fewer still using VB6... 
LVL 32

Author Comment

by:Daniel Wilson
ID: 24161563
Thanks, one of those links was good.  And I think I'm really close.

However, GetSecurityInfo is returning an error code 6 ... which appears to mean "Invalid Handle".  The handle returned by GetProcessID() matches the PID that Task Manager shows.

Here's the code ... simplified just a little.

Suggestions?  thanks!

1000        Dim ea As EXPLICIT_ACCESS

1010        Dim pCurDacl As Long

1020        Dim pNewDacl As Long

1030        Dim MyHandle As Long

1040        Dim pSD As Long

1050        Dim lErrorCheck As Long


1070        On Error GoTo Err_Handler


                    'set up the explicit access, that is the specific right that will be granted

1080        With ea

1090            .grfAccessPermissions = lPermission

1100            .grfAccessMode = GRANT_ACCESS

1110            .grfInheritance = NO_INHERITANCE

1120            .TRUSTEE.TrusteeForm = TRUSTEE_IS_NAME

1130            .TRUSTEE.TrusteeType = TRUSTEE_IS_USER

1140            .TRUSTEE.ptstrName = "CURRENT_USER" & vbNullChar 'Perhaps this should actually have the current Windows user name ... not sure

1150        End With


                    'Get the handle to this process

1160        MyHandle = GetCurrentProcessId()


                    'Get the current DACL

1170        lErrorCheck = GetSecurityInfo(MyHandle, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, _

                        0, 0, pCurDacl, 0, pSD)

^^^^^^^^^^^^^^^^  lErrorCheck is coming back with 6, not 0 ^^^^^^^^^^^^^^^^^^

Open in new window

LVL 32

Author Comment

by:Daniel Wilson
ID: 24161787
OK, found the obvious error ... obvious if you know your Win API stuff.  A ProcessID is not a Handle.  Must use OpenProcess to return the Handle.

  __in  DWORD dwDesiredAccess,
  __in  BOOL bInheritHandle,
  __in  DWORD dwProcessId

dwProcessID is the easy parameter.  I got that with GetCurrentProcessID.
I don't think I need the handle inherited, so bInheritHandle will be false.

What access should I request in the first parameter?

LVL 32

Author Comment

by:Daniel Wilson
ID: 24162868
READ_CONTROL Or WRITE_DAC gets me past that error.

Now when I get to the SetSecurityInfo call, I'm getting error 1336, Invalid ACL.

Might have to do with the hard-coded "CURRENT USER" ... investigating ... but would still appreciate any pointers :-)

            'Get the handle to this process

1170        MyPID = GetCurrentProcessId()


Open in new window

LVL 32

Author Closing Comment

by:Daniel Wilson
ID: 31569896
Graye, you got me really close.  I'll be asking a follow-up and would welcome your participation in that.
Thanks for the help!
LVL 32

Author Comment

by:Daniel Wilson
ID: 24166698

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently Microsoft released a brand new function called CONCAT. It's supposed to replace its predecessor CONCATENATE. But how does it work? And what's new? In this article, we take a closer look at all of this - we even included an exercise file for…
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now