Admin process in kernel mode

Igor_B Member Posts: 8
Hello,

Is there any way that I can check if a process is run by an administrator in kernel mode?
I can't include windows.h to use the CheckTokenMembership function.

Comments

  • Don_Burn Member - All Emails Posts: 1,715
    Look at SeSinglePrivilegeCheck


    Don Burn
    Windows Driver Consulting
    Website: http://www.windrvr.com




    -----Original Message-----
    From: [email protected]
    [mailto:[email protected]] On Behalf Of [email protected]
    Sent: Tuesday, March 17, 2015 6:27 AM
    To: Windows System Software Devs Interest List
    Subject: [ntdev] Admin process in kernel mode
  • Maxim_S._Shatskih Member Posts: 10,396
    Modern Windows has SeTokenIsAdmin.

  • Igor_B Member Posts: 8
    And if I want to use the SeSinglePrivilegeCheck function, is there any privilege that determines whether it's an admin process or not? Or maybe I have to use e.g. SE_TAKE_OWNERSHIP_PRIVILEGE?
  • Scott_Noone_(OSR) Administrator Posts: 3,362
    Individual privileges can be assigned to any user, there is no privilege
    that says "this is an admin". That's what the SIDs in the Token are for,
    they indicate the user and member groups of the process' creator. As Max
    noted, SeTokenIsAdmin tells you if the Token contains the SID for the local
    administrators group. You could also roll your own equivalent (or
    additional) functionality by calling SeQueryInformationToken.

    -scott
    OSR
    @OSRDrivers

  • Alex_Ionescu-2 Member Posts: 138
    Be very careful with SeTokenIsAdmin... until March 2015, the Windows 7 and down-level version of this function has a subtle security issue: it does not properly validate if the token is an impersonation token or not -- it is therefore the responsibility of the caller to check this before calling the function. 12 different vulnerable pieces of kernel code have already been fixed in the last 3-4 months to deal with this -- don't let your driver become part of the problem :)

    SeSinglePrivilegeCheck does not have this issue, but is obviously meant for different uses.

    --
    Best regards,
    Alex Ionescu
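An added example (not code from the thread or from OSR) that puts Scott's and Alex's points together: obtain the caller's effective token through the subject context, reject an impersonation token below SecurityImpersonation level before consulting SeTokenIsAdmin, and only then accept the local Administrators SID as the answer. It assumes the WDK's `_KERNEL_MODE` define selects the real ntifs.h build; outside the kernel a constructed in-file token model stands in for the opaque ACCESS_TOKEN so the decision logic can be compiled and exercised, and the function names `CallerTokenIsTrustedAdmin`, `CurrentCallerIsTrustedAdmin` and `ModelCheck` are my own.

```c
/* Added example (not from the thread or OSR). Under _KERNEL_MODE it compiles
 * against ntifs.h; elsewhere a constructed in-file token model stands in so the
 * decision logic can be compiled and exercised on any host. */
#ifdef _KERNEL_MODE
#include <ntifs.h>
#else
#include <stddef.h>
typedef unsigned char BOOLEAN;
#define TRUE  1
#define FALSE 0
typedef enum { SecurityAnonymous, SecurityIdentification, SecurityImpersonation, SecurityDelegation } SECURITY_IMPERSONATION_LEVEL;
typedef enum { TokenPrimary = 1, TokenImpersonation } TOKEN_TYPE;
typedef struct { TOKEN_TYPE Type; SECURITY_IMPERSONATION_LEVEL Level; BOOLEAN Admin; } MODEL_TOKEN; /* constructed stand-in for ACCESS_TOKEN */
typedef MODEL_TOKEN *PACCESS_TOKEN;
static TOKEN_TYPE SeTokenType(PACCESS_TOKEN t) { return t->Type; }
static SECURITY_IMPERSONATION_LEVEL SeTokenImpersonationLevel(PACCESS_TOKEN t) { return t->Level; }
static BOOLEAN SeTokenIsAdmin(PACCESS_TOKEN t) { return t->Admin; }
#endif
/* TRUE only when the token may be trusted AND carries the local Administrators SID.
 * An impersonation token below SecurityImpersonation proves nothing about what the
 * caller may do, so it is rejected before SeTokenIsAdmin is consulted (the
 * caller-side check the pre-March-2015 SeTokenIsAdmin did not perform itself). */
BOOLEAN CallerTokenIsTrustedAdmin(PACCESS_TOKEN Token)
{
    if (Token == NULL) return FALSE;
    if (SeTokenType(Token) == TokenImpersonation &&
        SeTokenImpersonationLevel(Token) < SecurityImpersonation) {
        return FALSE;
    }
    return SeTokenIsAdmin(Token);
}
#ifdef _KERNEL_MODE
/* Effective token of the current thread: impersonation token if impersonating, else the primary token. */
BOOLEAN CurrentCallerIsTrustedAdmin(void)
{
    SECURITY_SUBJECT_CONTEXT Ctx; BOOLEAN IsAdmin;
    SeCaptureSubjectContext(&Ctx);
    SeLockSubjectContext(&Ctx);
    IsAdmin = CallerTokenIsTrustedAdmin(SeQuerySubjectContextToken(&Ctx));
    SeUnlockSubjectContext(&Ctx);
    SeReleaseSubjectContext(&Ctx);
    return IsAdmin;
}
#else
BOOLEAN ModelCheck(TOKEN_TYPE Type, SECURITY_IMPERSONATION_LEVEL Level, BOOLEAN Admin)
{   /* host-side helper: build a constructed model token and run the check */
    MODEL_TOKEN t = { Type, Level, Admin };
    return CallerTokenIsTrustedAdmin(&t);
}
#endif
```

In a driver the SeCaptureSubjectContext path must run at PASSIVE_LEVEL; the host-side `ModelCheck` exists only to exercise the decision rule.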