Cannot get SeLoadDriverPrivilege

Hi all,
I’m facing an issue and I cannot find any information about it on the Internet.
I think somebody here will be able to help me.
I’ve got a DLL that has to call the CM_Reenumerate_DevNode() API.
In the API documentation, it’s indicated that the caller must have SeLoadDriverPrivilege for the call to succeed.
So, I used ntrights.exe to set this privilege to my current user and I rebooted my PC so that it’s taken into account.
Then, I modified my DLL code to enable the privilege using the AdjustTokenPrivileges() API.
This API returns ERROR_NOT_ALL_ASSIGNED.
When I do the same thing with the SeLockMemoryPrivilege for example, it works without any problem.
What’s wrong with this SeLoadDriverPrivilege? Do you have an idea?
Thank you in advance.
Vincent

[quote]
So, I used ntrights.exe to set this privilege to my current user and I rebooted
my PC so that it’s taken into account.

[/quote]

So, the first question is: Is NTRIGHTS.exe actually assigning the priv to you?

Isn’t NTRIGHTS an ancient and now unsupported utility? Wouldn’t you be better off adding the privs using GPEDIT or whatever the “real” process is?

Peter
OSR
@OSRDrivers

xxxxx@cea.fr wrote:

I’m facing an issue and I cannot find any information about it on the Internet.
I think somebody here will be able to help me.
I’ve got a DLL that has to call the CM_Reenumerate_DevNode() API.
In the API documentation, it’s indicated that the caller must have SeLoadDriverPrivilege for the call to succeed.
So, I used ntrights.exe to set this privilege to my current user and I rebooted my PC so that it’s taken into account.

Is your user an administrator? If you run your process elevated (“Run
As Administrator”), are you able to call CM_Reenumerate_DevNode?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thank you for your answers.

@Peter
I need a command line tool to add my privileges.
I know ntrights is an ancient tool, but it works well for SeLockMemoryPrivilege for example. Why should it be outdated for another privilege?
After using this tool, if I use gpedit to look at the user privileges, then the SeLoadDriverPrivilege is correctly assigned to my user.

@Tim
I don’t want my user to be part of the Administrators group.
What is weird is that since I added the privilege to my user, when I start the process using “Run As Administrator”, my user appears as a choice in the pop-up, even if it does not belong to the Administrators group.
To summarize:

  • If I launch the process directly by double-clicking on the executable, then the AdjustTokenPrivileges() call fails.
  • If I launch the process by using “Run As Administrator”, then the AdjustTokenPrivileges() call succeeds, whatever the login I choose (the real administrator, or my user). How can the process run elevated if my user is not part of the Administrators group?

Vincent

xxxxx@cea.fr wrote:

@Tim
I don’t want my user to be part of the Administrators group.
What is weird is that since I added the privilege to my user, when I start the process using “Run As Administrator”, my user appears as a choice in the pop-up, even if it does not belong to the Administrators group.
To summarize:

  • If I launch the process directly by double-clicking on the executable, then the AdjustTokenPrivileges() call fails.
  • If I launch the process by using “Run As Administrator”, then the AdjustTokenPrivileges() call succeeds, whatever the login I choose (the real administrator, or my user). How can the process run elevated if my user is not part of the Administrators group?

It’s possible I misunderstand this, but I think that’s just how it
works. When you login, there are two tokens created. One is the token
that includes all the privileges your account is allowed to use. The
other is a restricted token, which does not include the Administrator
group and disables certain potentially dangerous privileges. Processes
are launched with the restricted token, unless you do “Run As
Administrator”, which substitutes the original token.

Thus, although your account is allowed to use the SeLoadDriverPrivilege,
a process can only request that privilege if it is elevated. Being part
of the administrators group is just a way of grouping a number of these
potentially dangerous privileges together.

You can, of course, request elevation automatically by embedding a
manifest in your executable.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
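
A quick way to see which privileges the current process token actually holds, as an added example that is not part of the original thread: AdjustTokenPrivileges() can only enable a privilege that is already in the token, so a privilege missing from this listing produces ERROR_NOT_ALL_ASSIGNED. The function name Get-TokenPrivilege and the sample rows are hypothetical and constructed for illustration; `whoami /priv /fo csv /nh` is the standard Windows command.

```powershell
# Added example: report whether given privileges are present in the token of
# the current process. Run it once from a normal prompt and once from an
# elevated one to compare the two tokens described above.

function Get-TokenPrivilege {
    param(
        [string[]]$Name = @('SeLoadDriverPrivilege', 'SeLockMemoryPrivilege'),
        # CSV lines as printed by "whoami /priv /fo csv /nh";
        # defaults to a live query of the current token.
        [string[]]$WhoamiCsv = (whoami.exe /priv /fo csv /nh)
    )
    # /nh drops the header row, which is localized on non-English systems,
    # so fixed column names are supplied here instead.
    $held = $WhoamiCsv | ConvertFrom-Csv -Header Privilege, Description, State
    foreach ($n in $Name) {
        $row = $held | Where-Object { $_.Privilege -eq $n }
        [pscustomobject]@{
            Privilege = $n
            InToken   = [bool]$row
            # The State text is localized too, so it is reported as-is
            # rather than compared against "Enabled"/"Disabled".
            State     = if ($row) { $row.State } else { '(not in token)' }
        }
    }
}

# Constructed sample modelling the non-elevated case from this thread:
# SeLockMemoryPrivilege is present (disabled until the program enables it),
# SeLoadDriverPrivilege is absent from the token.
$sample = @(
    '"SeShutdownPrivilege","Shut down the system","Disabled"',
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"',
    '"SeLockMemoryPrivilege","Lock pages in memory","Disabled"'
)
Get-TokenPrivilege -WhoamiCsv $sample | Format-Table -AutoSize

# Live query of the token this shell is running with.
Get-TokenPrivilege | Format-Table -AutoSize
```

A privilege listed with a disabled state can be enabled by the process itself; one that is not listed at all cannot, whatever the account has been granted in policy.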

Thank you Tim, that’s clear now, I need to elevate my process (not run it as administrator, this is a confusing title) to be able to access my privilege, which is a special privilege, more dangerous in fact than the SeLockMemoryPrivilege.

Is it possible to elevate a process using the command line?
I mean elevate not as an administrator but elevate as a user.

xxxxx@cea.fr wrote:

Is it possible to elevate a process using the command line?
I mean elevate not as an administrator but elevate as a user.

It’s actually the same thing. The effect of “run as administrator” is
usually as the name says, but what it’s doing is just enabling the
dangerous privileges you are allowed to use.

As I told you, you can embed a manifest in your executable that says you
need to be elevated. You can either do that with pragmas, or in your
resource file, or by using a linker switch,
/manifestuac:level=highestAvailable. Google “elevation manifest”.

There is no simple command line mechanism to start a non-manifested
process elevated. You can do it in VBScript, and if you do the Google
search, I’m sure you’ll find that.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thank you Tim, Peter and all.
I always get an answer to my questions on this fantastic forum!