?
Solved

Windows Server 2012 OS Bug?  SeCreateGlobalPrivilege works for all accounts except Administrator!

Posted on 2013-02-07
3
Medium Priority
?
2,153 Views
Last Modified: 2013-02-14
Update:
Wrote a quick test utility to both query the status of the SeCreateGlobalPrivilege and test the CreateFileMapping(..."Global\\mapname" ...).
Results:
Before adding 'Everyone' to User Rights Assignment -'Create Global Objects'
     -non-admin account: Fails (as it should)
After adding 'Everyone' to - User Rights Assignment -'Create Global Objects'
     -non-admin account: Succeeds (as it should)
     -admin account 'Run As Admin' -> Succeeds
     -admin account, just double clicking: Fails!
     -admin account, Server 2008 R2, just double clicking: Succeeds

Should not the admin account processes have the 'everyone' privileges? Is there somewhere I can specify user rights for the administrator when he doesn't use 'Run as admin'?


Original Body:
Hi, I'm updating a Server 2003 dll (c++, visual studio 2005) to run under Windows 2012 (Visual studio 2012).  My call to 'CreateFileMapping' fails with GetLastError/FormatMessage returning 'Access Denied'.  

I can't find 'SeCreateGlobalPrivilege', not sure where to look in 2012.  Under 'Local Security Policy - Local Policies - User Rights Assignment - ' I have added 'everyone' to the 'Create Global Objects' policy, not sure if that is the same thing.

This is a stand alone server, not running active directory, in a small private network with no connection to the outside world, so I'm not concerned about any security risk associated with this privilege.  

Multiple TS clients access the same file, so it does need to be global.

Any help would be greatly appreciated!


      {// Attempt to create a new file map
            SECURITY_DESCRIPTOR SecurityDescriptor;
            if (!InitializeSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION))
                  MessageBox(NULL,"2InitializeSecurityDescriptor failed",NULL,MB_OK);
            BOOL bDaclPresent=TRUE;
            PACL pDacl=NULL;
            BOOL bDaclDefaulted=FALSE;
            if (!SetSecurityDescriptorDacl(&SecurityDescriptor, bDaclPresent, pDacl, bDaclDefaulted))
                  MessageBox(NULL,"2SetSecurityDescriptorDacl failed",NULL,MB_OK);

            SECURITY_ATTRIBUTES SecurityAttributes;
            SecurityAttributes.nLength=sizeof(SECURITY_ATTRIBUTES);
            SecurityAttributes.lpSecurityDescriptor=&SecurityDescriptor;
            SecurityAttributes.bInheritHandle=TRUE;

            m_hMapping = CreateFileMapping(INVALID_HANDLE_VALUE,      // Indicates a memory file rather than a real disk file.
            &SecurityAttributes,          // Security attributes
            PAGE_READWRITE,// Data protection
            0,             // High 32-bits of size
            iSizeInBytes,      // Low 32-bits of size
            pszMapName);   // Map name of object
            if(m_hMapping)        
            {// Successfully Created New File
                  bExistFile=false;
            }
            else
            {
                  DWORD err = GetLastError();
                  char MsgBuf[8192];
                  FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, err, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), MsgBuf, (DWORD)(sizeof(MsgBuf)), NULL);
                  MessageBox( NULL, MsgBuf, "2CreateFileMapping failed", MB_OK | MB_ICONINFORMATION );
            }
      }
0
Comment
Question by:dcShaver
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 

Author Comment

by:dcShaver
ID: 38865817
Note: The CreateFileMapping call works if I change the Map Name prefix from "Global" to "Local", so it does appear to be a privilege issue.  (Unfortunately I need it to be Global.)
0
 
LVL 4

Accepted Solution

by:
jiangsheng earned 1500 total points
ID: 38870152
This is the expected behavior, the first entry in the  UAC filtered token  is deny buildin\administrators which has the highest priority. You can inspect the effect using Process Explorer (switch to the security tab of the process's property page).

You need to run the global object creating code under another process (e.g. an elevated process launched from your program or a windows service)
0
 

Author Closing Comment

by:dcShaver
ID: 38890414
Thank you for the explanation.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For a while now I'v been searching for a circular progress control, much like the one you get when first starting your Silverlight application. I found a couple that were written in WPF and there were a few written in Silverlight, but all appeared o…
Remote Apps is a feature in server 2008 which allows users to run applications off Remote Desktop Servers without having to log into them to run the applications.  The user can either have a desktop shortcut installed or go through the web portal to…
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
This course is ideal for IT System Administrators working with VMware vSphere and its associated products in their company infrastructure. This course teaches you how to install and maintain this virtualization technology to store data, prevent vuln…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question