Sysinternals Forum > Windows Discussions > Development

Tip: Easy way to enable privileges

Matts_User_Name (Senior Member; joined 10 August 2006; location: USA)
Posted: 08 August 2008 at 8:22pm


To enable privileges, modifying a process's access token is good and all, but it can get messy, especially if you need a quick fix to open system processes.

RtlAdjustPrivilege solves this problem and does a lot of the work for us.
From IDA I conclude it calls ZwOpenProcessToken or NtOpenThreadToken, and even though I can't read asm I would assume it checks the value of the 3rd param in the call, and if anything other than 0 is specified then it enables the privileges. (Note: testing this function, it appears that the 2nd parameter is a boolean and not a modifier, meaning this function will not remove a privilege, only enable/disable it for the caller.)
Next it appears to call ZwAdjustPrivilegesToken to toggle the privilege on or off.


VB6 Example: (put in a standard EXE project with a form)
' RtlAdjustPrivilege is an undocumented ntdll export; it returns an NTSTATUS (0 = STATUS_SUCCESS).
Private Declare Function RtlAdjustPrivilege Lib "ntdll" (ByVal Privilege As Long, ByVal bEnablePrivilege As Long, ByVal bCurrentThread As Long, ByRef OldState As Long) As Long

Private Sub Form_Load()
    Dim OldState As Long, Status As Long
    ' 20 = SeDebugPrivilege, 1 = enable, 0 = adjust the process token (not the thread token)
    Status = RtlAdjustPrivilege(20, 1, 0, OldState)
    If Status <> 0 Then MsgBox "RtlAdjustPrivilege failed, NTSTATUS = &H" & Hex(Status)
End Sub

This code enables SeDebugPrivilege in my process's access token in 1 line of simple code =] (2 if you count the API Declare)


RtlAdjustPrivilege Parameters:
1 = Value - Privilege
2 = Boolean - Enable(!0) or disable(0) (Note: when testing this, 4 does not remove the specified privilege, so this is a boolean, not a modifier)
3 = Boolean - Thread(!0) or Process(0) token (Threads only have tokens if they are impersonating a different thread/process, which means they copy their privileges temporarily)
4 = Return - Previous State [Out] (Enabled or disabled)


Here is the MSDN privilege constant list (although I would much rather prefer using the name):
http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx

The only problem with the names is that they must be converted. Well, sometimes, to save time, I don't want to bother with a lookup API, therefore the value can be very useful.



This page lists the Privilege names, value, user right, and windows version:
http://msdn.microsoft.com/en-us/library/cc234419.aspx


Here is a table I made also:

Name                              Value    Info
SeAssignPrimaryTokenPrivilege        3     Replace a process token
SeAuditPrivilege                    21     Generate audit entries
SeBackupPrivilege                   17     Grant all file read access (ACL Bypass)
SeChangeNotifyPrivilege             23     Receive file/folder change notifications
SeCreateGlobalPrivilege             30     Create global objects
SeCreatePagefilePrivilege           15     Create pagefile
SeCreatePermanentPrivilege          16     Create permanent shared object
SeCreateSymbolicLinkPrivilege       33     Create symbolic links
SeCreateTokenPrivilege               2     Create a token
SeDebugPrivilege                    20     Open any process (ACL Bypass)
SeEnableDelegationPrivilege         27     Trust users for delegation
SeImpersonatePrivilege              29     Enable thread impersonation
SeIncreaseBasePriorityPrivilege     14     Increase process priority
SeIncreaseQuotaPrivilege             5     Increase process memory quota
SeIncreaseWorkingSetPrivilege       30     Increase process WS
SeLoadDriverPrivilege               10     Load/Unload driver
SeLockMemoryPrivilege                4     Lock pages in memory
SeMachineAccountPrivilege            6     Create user account
SeManageVolumePrivilege             28     Manage files on a volume
SeProfileSingleProcessPrivilege     13     Gather process profiling info
SeRelabelPrivilege                  32     Modify object label
SeRemoteShutdownPrivilege           24     Shutdown a remote computer
SeRestorePrivilege                  18     Grant all file write access (ACL Bypass)
SeSecurityPrivilege                  8     Manage auditing and security log
SeShutdownPrivilege                 19     Initiate Shutdown
SeSyncAgentPrivilege                26     Use directory sync services
SeSystemEnvironmentPrivilege        22     Modify firmware environment values
SeSystemProfilePrivilege            11     Gather system profiling info
SeSystemtimePrivilege               12     Change time
SeTakeOwnershipPrivilege             9     Change object owner (ACL Bypass)
SeTcbPrivilege                       7     Identify as a trusted, protected subsystem
SeTimeZonePrivilege                 34     Change time zone
SeTrustedCredManAccessPrivilege     31     Access the Credential Manager (trusted caller)
SeUndockPrivilege                   25     Remove from docking station
SeUnsolicitedInputPrivilege         35 ??? Read unsolicited input (from terminal device)

Blue = Vista+
Purple = 2000 Only

2-25     = NT+
26-27     = 2000 Only
28         = XP+
29-30     = XP SP2+
31-35    = Vista+



Additional Privilege Information:
http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx



Edit: Sorry the forum format messed up my table =[.
It looks a lot better in word:



BTW, Feedback is welcome (Corrections, Comments, Questions are all good)


Edited by Matts_User_Name - 08 August 2008 at 8:45pm
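An added example (my code, not code from the original post or from Microsoft): PowerShell that enables SeDebugPrivilege through the same ntdll!RtlAdjustPrivilege call, but resolves the privilege's LUID from its name with LookupPrivilegeValue instead of the hard-coded 20, checks the NTSTATUS, and then reads the token back with GetTokenInformation to confirm the privilege really is enabled. It assumes an elevated administrator session, so that SeDebugPrivilege is already present in the process token: RtlAdjustPrivilege only flips the state of privileges the token already holds, and returns STATUS_PRIVILEGE_NOT_HELD (0xC0000061) when the privilege is absent. The class name PrivHelper and the method names LuidFor/StateOf are my own.

```powershell
# Added example, not from the original post. Assumes Windows, run from an elevated
# PowerShell so the token already contains SeDebugPrivilege (RtlAdjustPrivilege can
# only enable/disable privileges the token already holds; it cannot add one).
$src = @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public static class PrivHelper
{
    // Undocumented ntdll export. The BOOLEAN parameters are 1 byte, hence U1.
    [DllImport("ntdll.dll")]
    public static extern int RtlAdjustPrivilege(
        uint Privilege,
        [MarshalAs(UnmanagedType.U1)] bool Enable,
        [MarshalAs(UnmanagedType.U1)] bool CurrentThread,
        [MarshalAs(UnmanagedType.U1)] out bool WasEnabled);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out long luid);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeName(string system, ref long luid, StringBuilder name, ref int cchName);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, int len, out int needed);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);

    const uint TOKEN_QUERY = 0x0008;
    const int TokenPrivileges = 3;          // TOKEN_INFORMATION_CLASS value
    const uint SE_PRIVILEGE_ENABLED = 0x2;

    // Name -> LUID, so the numeric table is not needed (SeDebugPrivilege -> 20).
    public static long LuidFor(string privName)
    {
        long luid;
        if (!LookupPrivilegeValue(null, privName, out luid))
            throw new System.ComponentModel.Win32Exception();
        return luid;
    }

    // "absent", "disabled" or "enabled" for privName in the current process token.
    public static string StateOf(string privName)
    {
        IntPtr tok;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out tok))
            throw new System.ComponentModel.Win32Exception();
        try
        {
            int len;
            GetTokenInformation(tok, TokenPrivileges, IntPtr.Zero, 0, out len);   // size query
            IntPtr buf = Marshal.AllocHGlobal(len);
            try
            {
                if (!GetTokenInformation(tok, TokenPrivileges, buf, len, out len))
                    throw new System.ComponentModel.Win32Exception();
                // TOKEN_PRIVILEGES = DWORD PrivilegeCount followed by LUID_AND_ATTRIBUTES[] (12 bytes each)
                int count = Marshal.ReadInt32(buf);
                for (int i = 0; i < count; i++)
                {
                    IntPtr entry = new IntPtr(buf.ToInt64() + 4 + 12 * i);
                    long luid = Marshal.ReadInt64(entry);
                    uint attrs = (uint)Marshal.ReadInt32(entry, 8);
                    var name = new StringBuilder(256); int cch = name.Capacity;
                    if (LookupPrivilegeName(null, ref luid, name, ref cch) &&
                        name.ToString().Equals(privName, StringComparison.OrdinalIgnoreCase))
                        return (attrs & SE_PRIVILEGE_ENABLED) != 0 ? "enabled" : "disabled";
                }
                return "absent";
            }
            finally { Marshal.FreeHGlobal(buf); }
        }
        finally { CloseHandle(tok); }
    }
}
'@
Add-Type -TypeDefinition $src

$priv = 'SeDebugPrivilege'
$luid = [PrivHelper]::LuidFor($priv)            # fixed constant 20 (SE_DEBUG_PRIVILEGE in winnt.h)
"{0}: LUID={1}, state before={2}" -f $priv, $luid, [PrivHelper]::StateOf($priv)

$wasEnabled = $false
# Enable=$true, CurrentThread=$false: adjust the process token, as in the VB6 sample above
$status = [PrivHelper]::RtlAdjustPrivilege([uint32]$luid, $true, $false, [ref]$wasEnabled)
if ($status -ne 0) {
    # 0xC0000061 STATUS_PRIVILEGE_NOT_HELD: privilege is not in the token, so it cannot be enabled
    throw ('RtlAdjustPrivilege failed, NTSTATUS 0x{0:X8}' -f $status)
}
"{0}: state after={1} (was enabled before: {2})" -f $priv, [PrivHelper]::StateOf($priv), $wasEnabled
```

Run it from a non-elevated prompt to see the failure path: the token of a standard user (or a filtered admin token) does not contain SeDebugPrivilege, so StateOf reports "absent" and RtlAdjustPrivilege returns 0xC0000061 rather than silently doing nothing.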
Bruce9 (Groupie; joined 30 May 2008)
Posted: 09 August 2008 at 2:48pm
It's been used for years in ReactOS (based on XP source code...)
http://www.reactos.org/generated/doxygen/d9/db7/lib_2rtl_2security_8c.html


Edited by Bruce9 - 09 August 2008 at 2:50pm