Admin process in kernel mode

Hello,

Is there any way that I can check if a process is run by an administrator in kernel mode?
I can’t include windows.h to use the CheckTokenMembership function.

Look at SeSinglePrivilegeCheck

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of brodewicz@wp.pl
Sent: Tuesday, March 17, 2015 6:27 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Admin process in kernel mode



Modern Windows have SeTokenIsAdmin


And if I want to use the SeSinglePrivilegeCheck function, is there any privilege that determines whether it’s an admin process or not? Or maybe I have to use e.g. SE_TAKE_OWNERSHIP_PRIVILEGE?

Individual privileges can be assigned to any user, there is no privilege
that says “this is an admin”. That’s what the SIDs in the Token are for,
they indicate the user and member groups of the process’ creator. As Max
noted, SeTokenIsAdmin tells you if the Token contains the SID for the local
administrators group. You could also roll your own equivalent (or
additional) functionality by calling SeQueryInformationToken.

-scott
OSR
@OSRDrivers


Be very careful with SeTokenIsAdmin… until March 2015, the Windows 7 and down-level version of this function has a subtle security issue: it does not properly validate if the token is an impersonation token or not – it is therefore the responsibility of the caller to check this before calling the function. 12 different vulnerable pieces of kernel code have already been fixed in the last 3-4 months to deal with this – don’t let your driver become part of the problem :)

SeSinglePrivilegeCheck does not have this issue, but is obviously meant for different uses.


Best regards,
Alex Ionescu
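A host-compilable model of the check this thread converges on, added here as an example; it is not code from any of the posters and not Windows source. It does what Scott describes a driver doing by hand after SeQueryInformationToken(token, TokenGroups, ...): walk the group SIDs with an RtlEqualSid-style comparison against S-1-5-32-544 (BUILTIN\Administrators, the kernel's SeAliasAdminsSid), and it adds the gate Alex says the caller of SeTokenIsAdmin must supply, refusing to treat an impersonation token below SecurityImpersonation as proof of anything. The SID, group and token structures mirror the DDK types named in the comments, but are defined locally so the block builds without ntddk.h; the four sample tokens are constructed for the example, not captured from a system. Counting the Administrators group only when it carries SE_GROUP_ENABLED is this model's choice (it is what user-mode CheckTokenMembership does), so a UAC-filtered token, whose Administrators SID is marked deny-only, is reported as not admin. In a real driver the simplest way to sidestep the impersonation pitfall is to check the process's primary token rather than the effective one: PsReferencePrimaryToken(PsGetCurrentProcess()), then SeTokenIsAdmin, then PsDereferencePrimaryToken; if you must honour impersonation, PsReferenceImpersonationToken returns the impersonation level so the same gate can be applied.

```c
/* Added example: user-mode model of an "is this token an admin?" check.
 * Real kernel calls (SeTokenIsAdmin, SeQueryInformationToken,
 * PsReferencePrimaryToken, PsReferenceImpersonationToken) need ntddk.h
 * and are only referred to in comments. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as the DDK SID: S-<Revision>-<Authority>-<Sub1>-<Sub2>... */
#define MAX_SUB_AUTH 15
typedef struct {
    uint8_t  Revision;
    uint8_t  SubAuthorityCount;
    uint8_t  IdentifierAuthority[6];
    uint32_t SubAuthority[MAX_SUB_AUTH];
} SID;

/* SE_GROUP_* attribute bits as defined in ntifs.h */
#define SE_GROUP_ENABLED           0x00000004u
#define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010u

typedef struct { const SID *Sid; uint32_t Attributes; } SID_AND_ATTRIBUTES;

/* TOKEN_TYPE and SECURITY_IMPERSONATION_LEVEL values as in the DDK */
typedef enum { TokenPrimary = 1, TokenImpersonation = 2 } TOKEN_TYPE;
typedef enum { SecurityAnonymous = 0, SecurityIdentification = 1,
               SecurityImpersonation = 2, SecurityDelegation = 3 } SECURITY_IMPERSONATION_LEVEL;

/* Model of what SeQueryInformationToken would return for the classes
 * TokenType, TokenImpersonationLevel and TokenGroups. */
typedef struct {
    TOKEN_TYPE Type;
    SECURITY_IMPERSONATION_LEVEL Level;   /* meaningful only for impersonation tokens */
    const SID_AND_ATTRIBUTES *Groups;
    size_t GroupCount;
} MODEL_TOKEN;

/* S-1-5-32-544, BUILTIN\Administrators: the kernel's SeAliasAdminsSid */
static const SID AliasAdminsSid = { 1, 2, {0, 0, 0, 0, 0, 5}, {32, 544} };
/* S-1-1-0, Everyone (used only to pad the sample tokens) */
static const SID WorldSid = { 1, 1, {0, 0, 0, 0, 0, 1}, {0} };

/* Equivalent of RtlEqualSid: compare header plus the populated sub-authorities. */
static bool EqualSid(const SID *a, const SID *b)
{
    if (a->Revision != b->Revision || a->SubAuthorityCount != b->SubAuthorityCount)
        return false;
    if (memcmp(a->IdentifierAuthority, b->IdentifierAuthority, 6) != 0)
        return false;
    return memcmp(a->SubAuthority, b->SubAuthority,
                  a->SubAuthorityCount * sizeof(uint32_t)) == 0;
}

/* The group walk a driver would do over the TokenGroups buffer: the
 * Administrators SID must be present AND enabled. A UAC-filtered token
 * carries it with SE_GROUP_USE_FOR_DENY_ONLY, which is not "enabled". */
static bool GroupsContainEnabledAdmins(const SID_AND_ATTRIBUTES *g, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!EqualSid(g[i].Sid, &AliasAdminsSid))
            continue;
        if (g[i].Attributes & SE_GROUP_USE_FOR_DENY_ONLY)
            return false;
        return (g[i].Attributes & SE_GROUP_ENABLED) != 0;
    }
    return false;
}

/* The gate the caller must add before trusting SeTokenIsAdmin: a primary
 * token is always the process's own; an impersonation token only says
 * anything about the client if it is at SecurityImpersonation or above. */
static bool TokenUsableForAccessChecks(const MODEL_TOKEN *t)
{
    if (t->Type == TokenPrimary)
        return true;
    return t->Level >= SecurityImpersonation;
}

bool TokenIsAdmin(const MODEL_TOKEN *t)
{
    return TokenUsableForAccessChecks(t) &&
           GroupsContainEnabledAdmins(t->Groups, t->GroupCount);
}

/* Constructed sample tokens (not captured from a real system). */
static const SID_AND_ATTRIBUTES AdminGroups[] = {
    { &WorldSid, SE_GROUP_ENABLED }, { &AliasAdminsSid, SE_GROUP_ENABLED } };
static const SID_AND_ATTRIBUTES FilteredGroups[] = {
    { &WorldSid, SE_GROUP_ENABLED }, { &AliasAdminsSid, SE_GROUP_USE_FOR_DENY_ONLY } };

const MODEL_TOKEN ElevatedPrimary    = { TokenPrimary,       SecurityAnonymous,      AdminGroups,    2 };
const MODEL_TOKEN UacFilteredPrimary = { TokenPrimary,       SecurityAnonymous,      FilteredGroups, 2 };
const MODEL_TOKEN AdminIdentifyOnly  = { TokenImpersonation, SecurityIdentification, AdminGroups,    2 };
const MODEL_TOKEN AdminImpersonation = { TokenImpersonation, SecurityImpersonation,  AdminGroups,    2 };

int main(void)
{
    const struct { const char *name; const MODEL_TOKEN *tok; } cases[] = {
        { "elevated primary token",                &ElevatedPrimary },
        { "UAC-filtered primary token",            &UacFilteredPrimary },
        { "admin token at SecurityIdentification", &AdminIdentifyOnly },
        { "admin token at SecurityImpersonation",  &AdminImpersonation },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-40s -> %s\n", cases[i].name,
               TokenIsAdmin(cases[i].tok) ? "admin" : "not admin");
    return 0;
}
```

The third case is the one Alex warns about: the groups say "administrator", but the token was obtained at SecurityIdentification level, so a driver that looked only at the SIDs would grant a caller who merely impersonated an admin client for identification. Reading the primary token instead of the effective token removes that case entirely.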