Config Mgr API privileges?

I’ve been using CM_Request_Device_EjectW() on Windows 2000, to initiate
the PnP removal of a device, in a command-line utility for some time now.
When I run the utility and it works, I’m logged in as a domain account
user in the local Administrators group.

When I dropped the same code into a service running as LOCALSYSTEM, it
started to fail, returning 0x33, CR_ACCESS_DENIED. I changed the service
to run logged into the same account I use; however, the API still returns
the same error.

I’ve queried and displayed the token privileges in all three scenarios,
and it seems that any remotely related privilege that is assigned or
enabled when running from the command-line is in the same state in at
least one of the service configurations.

The API docs in MSDN Library of Jan 2000 don’t indicate that any
particular privilege is required.

Does anyone know if a certain privilege is required, and whether it needs
to be enabled, to call this API? And if not, what might be going on?
Is it possible that it wants an interactive login, or maybe it’s trying
to access the window station or something strange like that?

Many thanks.


Dave Cox
Hewlett-Packard Co.
HPSO/SSMO (Santa Barbara)
https://ecardfile.com/id/Dave+Cox

CM_Request_Device_EjectW() checks to see whether the caller is an
interactive process, and is running on the local console session (not a
remote winstation).

Try setting SE_LOAD_DRIVER privilege and let us know the results.

-Eliyas

-----Original Message-----
From: COX,DAVID (HP-Roseville,ex1) [mailto:david_cox2@hp.com]
Sent: Thursday, June 01, 2000 5:31 PM
To: NT Developers Interest List
Subject: [ntdev] Config Mgr API privileges?

I’ve been using CM_Request_Device_EjectW() on Windows 2000, to initiate
the PnP removal of a device, in a command-line utility for some time now.
When I run the utility and it works, I’m logged in as a domain account
user in the local Administrators group.

When I dropped the same code into a service running as LOCALSYSTEM, it
started to fail, returning 0x33, CR_ACCESS_DENIED. I changed the service
to run logged into the same account I use; however, the API still returns
the same error.

I’ve queried and displayed the token privileges in all three scenarios,
and it seems that any remotely related privilege that is assigned or
enabled when running from the command-line is in the same state in at
least one of the service configurations.

The API docs in MSDN Library of Jan 2000 don’t indicate that any
particular privilege is required.

Does anyone know if a certain privilege is required, and whether it needs
to be enabled, to call this API? And if not, what might be going on?
Is it possible that it wants an interactive login, or maybe it’s trying
to access the window station or something strange like that?

Many thanks.


Dave Cox
Hewlett-Packard Co.
HPSO/SSMO (Santa Barbara)
https://ecardfile.com/id/Dave+Cox



Sorry I took so long to get back on this. A crash and/or my debugging
attempts damaged the OS on my Win2000 machine to the point it wouldn’t
boot, and my attempts to repair it just made it worse. I had to wipe
the disk and reinstall.

Can you define “interactive process,” and tell me precisely how it checks
for this? Do you mean the API must be called from a thread or process
whose token was created via LogonUser() with LOGON32_LOGON_INTERACTIVE as
the logon type? Or are we talking about window stations and desktops?

I need the functionality of CM_Request_Device_Eject() from within a
service, which is inherently not interactive by the first definition.
(Yes, I check the “interact with desktop” box when I try this under the
System account.) Why would the API impose such a limitation? (Does
CM_Request_Device_Eject_Ex() do so as well?) And why isn’t it documented?

In my three test scenarios (command-line app running as user, service
running as System, and service running as user), the SE_LOAD_DRIVER
privilege is already granted, as is SE_UNDOCK. Further,
CM_Request_Device_Eject() enables these two privileges if they are not
enabled. So I was doubtful there was any point trying your suggestion.
But I did, and to no avail.

So now what are my options? If I have to use LogonUser() to get an
interactive token, then my service needs the user account password,
which is going to be a problem.


Dave Cox
Hewlett-Packard Co.
HPSO/SSMO (Santa Barbara)
https://ecardfile.com/id/Dave+Cox

-----Original Message-----
From: Eliyas Yakub [mailto:xxxxx@microsoft.com]
Sent: Friday, June 02, 2000 12:35 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Config Mgr API privileges?

CM_Request_Device_EjectW() checks to see whether the caller is an
interactive process, and is running on the local console session (not a
remote winstation).

Try setting SE_LOAD_DRIVER privilege and let us know the results.

-Eliyas


It turns out, the short answer is “use CM_Query_And_Remove_SubTreeW()
instead.” This function is in cfgmgr32.h and is exported by setupapi.lib,
but for some reason doesn’t warrant its own page in the DDK. It does
the same thing as CM_Request_Device_EjectW(), minus the check for
interactive logon. I determined this by watching CM_Request_Device_EjectW()
first check for S-1-5-4 (interactive users) in the thread impersonation
token, and then simply pass all its parameters to
CM_Query_And_Remove_SubTreeW().


Dave Cox
Hewlett-Packard Co.
HPSO/SSMO (Santa Barbara)
https://ecardfile.com/id/Dave+Cox
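
Added example, not part of the original thread: a PowerShell diagnostic for comparing the contexts discussed above (interactive command line, service as LOCALSYSTEM, service as a user account) by showing whether the current token carries the S-1-5-4 group that the last message describes. The function name `Get-LogonTypeSids` is hypothetical; the SID strings are the standard well-known logon-type SIDs.

```powershell
# Added diagnostic (not from the thread): report which logon-type group SIDs
# the current token carries. Run it in each context being compared.
function Get-LogonTypeSids {
    param(
        # GetCurrent() returns the thread token when the thread is
        # impersonating, otherwise the process token.
        [System.Security.Principal.WindowsIdentity]$Identity = ([System.Security.Principal.WindowsIdentity]::GetCurrent())
    )

    # Well-known logon-type SIDs; S-1-5-4 is the one named in the thread.
    $wellKnown = [ordered]@{
        'S-1-5-2'  = 'NETWORK'
        'S-1-5-3'  = 'BATCH'
        'S-1-5-4'  = 'INTERACTIVE'
        'S-1-5-6'  = 'SERVICE'
        'S-1-5-14' = 'REMOTE INTERACTIVE LOGON'
    }

    # Group SIDs in the token, as strings such as "S-1-5-4".
    $groupSids = @($Identity.Groups | ForEach-Object { $_.Value })

    $report = [ordered]@{
        User      = $Identity.Name
        UserSid   = $Identity.User.Value
        SessionId = [System.Diagnostics.Process]::GetCurrentProcess().SessionId
    }
    foreach ($sid in $wellKnown.Keys) {
        # True when the token lists this logon-type group.
        $report[$wellKnown[$sid]] = $groupSids -contains $sid
    }
    [pscustomobject]$report
}

Get-LogonTypeSids | Format-List
```

A context where INTERACTIVE is False matches the condition the thread associates with CR_ACCESS_DENIED from CM_Request_Device_EjectW().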
