SE_LOAD_DRIVER_PRIVILEGE and SeSinglePrivilegeCheck

The problem is simple: I have a function that should tell me whether the current
process/thread has the privilege to load a driver.

The function goes like this:

static BOOLEAN IsUserAdmin(void)
{
    // SeSinglePrivilegeCheck only returns TRUE when the privilege is
    // both present and enabled in the caller's token.
    return SeSinglePrivilegeCheck(RtlConvertLongToLuid(SE_LOAD_DRIVER_PRIVILEGE),
                                  UserMode);
}

However, no matter in what context I call this, it returns FALSE.

Is there a reason for that? How should I fix it?

With respect,

Gabriel Bercea

GaMiTech Software Development

Mobile contact: (+40)0740049634

eMail: xxxxx@gmail.com

Are you sure that the caller has enabled the privilege? For SeSinglePrivilegeCheck to indicate that the privilege was there, it must be both present and enabled in the token.

SeLoadDriverPrivilege is not usually enabled unless the caller has programmatically requested it.

It’s usually best to do access checks based on ACLs in a security descriptor.

You can also use SeTokenIsAdmin if you will only ever need to use builtin\administrators, but I recommend checking vs a real ACL in general as it’s more powerful.

- S

From: Bercea Gabriel
Sent: Tuesday, March 24, 2009 19:20
To: Windows File Systems Devs Interest List
Subject: [ntfsd] SE_LOAD_DRIVER_PRIVILEGE and SeSinglePrivilegeCheck



NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

You must enable the privilege in user mode by AdjustTokenPrivileges in order for it to appear.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Also:

please never ever use the DisableAllPrivileges feature of AdjustTokenPrivileges.

It disables some Win32-mandatory privileges, without which the Win32 code cannot work, namely the “Bypass Traverse Checking” privilege.

We once had a product which contained an API DLL to talk to the kernel part (CreateFile+DeviceIoControl, and AdjustTokenPrivileges around CreateFile), and a shell extension DLL which called the API DLL.

When AdjustTokenPrivileges in the API DLL (called by the shell ext DLL) was doing DisableAllPrivileges, this disabled the Bypass Traverse Checking privilege for Explorer.exe itself, which resulted in Explorer not being able to start any processes (while CMD.EXE was still able to do this OK).

The reason is that the Win32 process init requires the open of the LPC port to connect to CSRSS, and this in turn requires Bypass Traverse Checking (at least in multi-desktop setups like XP’s Fast User Switching).


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> The reason is that the Win32 process init requires the open of the LPC
> port to connect to CSRSS, and this in turn requires Bypass Traverse Checking
> (at least in multi-desktop setups like XP’s Fast User Switching).

Hmmm, interesting one :) never thought of it actually.

Btw thank you and Skywing for the fast reply, that was actually the problem:
not adjusting/enabling the token in the caller thread.

With respect,
Gabriel Bercea

GaMiTech Software Development
Mobile contact: (+40)0740049634
eMail: xxxxx@gmail.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Wednesday, March 25, 2009 12:50 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] SE_LOAD_DRIVER_PRIVILEGE and SeSinglePrivilegeCheck


