Make sure you're not impersonating while calling OpenProcessToken.
Rene <root@[EMAIL PROTECTED]> wrote:
> Hello,
>
> We have a process which acts as a watchdog for other processes. If one of
> the processes fails, the watchdog process will kill it and restart.
>
> The watchdog process runs as an ISAPI DLL (DLLHOST.EXE) on a Windows 2000
> Advanced Server machine, with all service packs and patches applied. At
> the end of this message you can see the source-code of the part which
> tries to kill the failing process. The watchdog process runs under a
> user which is part of the Administrators group.
>
> The first step is to open the ProcessToken, in order to set the needed
> privileges. See the code-fragment below.
>
> HANDLE hToken;
> LUID DebugValue;
> TOKEN_PRIVILEGES tkp;
>
> if (0 == OpenProcessToken(GetCurrentProcess(),
>         TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
>     DWORD error = GetLastError();
>     cd.LogError("OpenProcessToken failed.");
>     cd.LogWin32Error(error);
>     return false;
> }
>
> The call to OpenProcessToken() fails with error 'Access Denied'. I
> think that the user under which the watchdog process runs does not have
> the needed rights to open the Process Token.
>
> The watchdog process runs as a user who is a member of group 'Administrators'. I
> also tried to run the watchdog process as user 'Administrator'. I am
> aware of the Local Security Policy. I am unsure if I need to change
> settings in the Local Security Policy, and if so, which settings.
>
> My questions are:
> Under which user should the watchdog process run in order for the call to
> OpenProcessToken() to succeed?
> If I need to change Local Security Policy, how can I map enums like
> 'TOKEN_ADJUST_PRIVILEGES' to settings in the Policy? Which settings
> should I change?
>
> Thanks in advance.
>
> The complete sourcecode is below this line.
>
> -------------------------------------------------
>
> HANDLE hToken;
> LUID DebugValue;
> TOKEN_PRIVILEGES tkp;
>
> if (0 == OpenProcessToken(GetCurrentProcess(),
>         TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
>     DWORD error = GetLastError();
>     cd.LogError("OpenProcessToken failed.");
>     cd.LogWin32Error(error);
>     return false;
> }
>
> //
> // Enable the SE_DEBUG_NAME privilege
> //
> if (0 == LookupPrivilegeValue(NULL, SE_DEBUG_NAME,
>         &DebugValue)) {
>     cd.LogError("LookupPrivilegeValue failed.");
>     cd.LogWin32Error(GetLastError());
>     ::CloseHandle(hToken);
>     return false;
> }
>
> tkp.PrivilegeCount = 1;
> tkp.Privileges[0].Luid = DebugValue;
> tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
>
> AdjustTokenPrivileges(hToken, FALSE, &tkp,
>                       sizeof(TOKEN_PRIVILEGES),
>                       (PTOKEN_PRIVILEGES) NULL,
>                       (PDWORD) NULL);
>
> //
> // The return value of AdjustTokenPrivileges can't be tested
> //
> DWORD dwResult = GetLastError();
> if (dwResult != ERROR_SUCCESS) {
>     cd.LogError("AdjustTokenPrivileges failed.");
>     cd.LogWin32Error(dwResult);
>     ::CloseHandle(hToken);
>     return false;
> }
>
> HANDLE ps = OpenProcess(PROCESS_TERMINATE, FALSE, pid);
> if (ps == NULL) {
>     // OpenProcess returns NULL on failure; do not pass that to TerminateProcess
>     cd.LogError("OpenProcess failed.");
>     cd.LogWin32Error(GetLastError());
>     ::CloseHandle(hToken);
>     return false;
> }
>
> int result = -1;
> if (TerminateProcess(ps, (unsigned)-1)) {
>     result = 1;
> }
> else {
>     result = -1;
> }
>
> //
> // Disable the SE_DEBUG_NAME privilege again
> //
> tkp.PrivilegeCount = 1;
> tkp.Privileges[0].Luid = DebugValue;
> tkp.Privileges[0].Attributes = 0;
>
> AdjustTokenPrivileges(hToken,
>                       FALSE,
>                       &tkp,
>                       sizeof(TOKEN_PRIVILEGES),
>                       (PTOKEN_PRIVILEGES) NULL,
>                       (PDWORD) NULL);
>
> //
> // The return value of AdjustTokenPrivileges can't be tested
> //
> dwResult = GetLastError();
> if (dwResult != ERROR_SUCCESS) {
>     cd.LogError("AdjustTokenPrivileges failed.");
>     cd.LogWin32Error(dwResult);
>     ::CloseHandle(hToken);
>     ::CloseHandle(ps);
>     return false;
> }
>
> ::CloseHandle(hToken);
> ::CloseHandle(ps);
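
Added example, not part of the original thread: one way to act on the reply's advice is to save the thread's impersonation token, call RevertToSelf, do the process-token work, and then re-impersonate. The names `run_as_process_identity`, `work_fn` and `probe_process_token` are hypothetical; the Win32 calls are compiled only when `_WIN32` is defined, so elsewhere the wrapper simply runs the callback.

```c
#ifdef _WIN32
#include <windows.h>
#endif

typedef int (*work_fn)(void *ctx);   /* returns nonzero on success */

/* Constructed work item: the OpenProcessToken call from the question. */
int probe_process_token(void *ctx)
{
#ifdef _WIN32
    HANDLE h = NULL;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &h))
        return 0;
    CloseHandle(h);
#endif
    *(int *)ctx = 1;   /* record that the work ran */
    return 1;
}

/* Save the client token, revert, run fn, then restore impersonation. */
int run_as_process_identity(work_fn fn, void *ctx)
{
    int ok;
#ifdef _WIN32
    HANDLE saved = NULL;
    /* OpenAsSelf = TRUE: this access check uses the process identity. */
    if (OpenThreadToken(GetCurrentThread(),
                        TOKEN_IMPERSONATE | TOKEN_QUERY, TRUE, &saved)) {
        if (!RevertToSelf()) { CloseHandle(saved); return 0; }
    } else if (GetLastError() != ERROR_NO_TOKEN) {
        return 0;      /* could not tell whether the thread impersonates */
    }
#endif
    ok = fn(ctx);
#ifdef _WIN32
    if (saved != NULL) {
        /* If this fails the thread keeps the process identity: abort the request. */
        if (!SetThreadToken(NULL, saved)) ok = 0;
        CloseHandle(saved);
    }
#endif
    return ok;
}
```

ERROR_NO_TOKEN from OpenThreadToken means the thread was not impersonating, in which case the wrapper runs the callback without touching the thread token.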

