Hello,
Is there any way that I can check if a process is run by an administrator in kernel mode?
I can’t include windows.h to use the CheckTokenMembership function.
Look at SeSinglePrivilegeCheck
Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of brodewicz@wp.pl
Sent: Tuesday, March 17, 2015 6:27 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Admin process in kernel mode
Hello,
Is there any way that I can check if a process is run by an administrator in
kernel mode?
I can’t include windows.h to use the CheckTokenMembership function.
Modern Windows have SeTokenIsAdmin
wrote in message news:xxxxx@ntdev…
> Hello,
>
> Is there any way that I can check if a process is run by an administrator in kernel mode?
> I can’t include windows.h to use the CheckTokenMembership function.
>
And if I want to use the SeSinglePrivilegeCheck function, is there any privilege to determine whether it’s an admin process or not? Or maybe I have to use e.g. SE_TAKE_OWNERSHIP_PRIVILEGE?
Individual privileges can be assigned to any user, there is no privilege
that says “this is an admin”. That’s what the SIDs in the Token are for,
they indicate the user and member groups of the process’ creator. As Max
noted, SeTokenIsAdmin tells you if the Token contains the SID for the local
administrators group. You could also roll your own equivalent (or
additional) functionality by calling SeQueryInformationToken.
-scott
OSR
@OSRDrivers
wrote in message news:xxxxx@ntdev…
And if I want to use the SeSinglePrivilegeCheck function, is there any privilege
to determine whether it’s an admin process or not? Or maybe I have to use e.g.
SE_TAKE_OWNERSHIP_PRIVILEGE?
Be very careful with SeTokenIsAdmin… until March 2015, the Windows 7 and down-level version of this function has a subtle security issue: it does not properly validate if the token is an impersonation token or not – it is therefore the responsibility of the caller to check this before calling the function. 12 different vulnerable pieces of kernel code have already been fixed in the last 3-4 months to deal with this – don’t let your driver become part of the problem.
SeSinglePrivilegeCheck does not have this issue, but is obviously meant for different uses.
–
Best regards,
Alex Ionescu
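Putting Scott's answer (SeTokenIsAdmin on the caller's token) together with Alex's caveat (validate the token type yourself before trusting it), here is an added example that is not from any poster in this thread. The token-type decision is factored into a plain C function so it can be compiled and unit-tested anywhere; the kernel wrapper around it is guarded by a hypothetical build switch USE_WDK that you would define when compiling under the WDK with ntifs.h. The numeric values mirror the Windows TOKEN_TYPE and SECURITY_IMPERSONATION_LEVEL enums.

```c
/* Mirrors of the Windows enum values (TokenPrimary = 1, TokenImpersonation = 2;
 * SecurityAnonymous = 0, SecurityIdentification = 1, SecurityImpersonation = 2,
 * SecurityDelegation = 3) so the decision logic builds without the WDK. */
#define TT_PRIMARY          1
#define TT_IMPERSONATION    2
#define SIL_IMPERSONATION   2

/* Returns 1 if a token of this type/level actually represents the caller's
 * identity and may be handed to SeTokenIsAdmin. Impersonation tokens below
 * SecurityImpersonation (anonymous/identification level) carry group SIDs that
 * must not be used for an authorization decision, so they return 0. */
int TokenUsableForAdminCheck(int tokenType, int impersonationLevel)
{
    if (tokenType == TT_PRIMARY)
        return 1;
    if (tokenType == TT_IMPERSONATION && impersonationLevel >= SIL_IMPERSONATION)
        return 1;
    return 0;
}

#ifdef USE_WDK  /* hypothetical switch: define it when building with the WDK */
#include <ntifs.h>

/* Call at PASSIVE_LEVEL from the context of the requesting thread (e.g. in a
 * dispatch routine). Uses the effective token: the client token if the thread
 * is impersonating, otherwise the process's primary token. */
BOOLEAN IsCallerAdmin(VOID)
{
    SECURITY_SUBJECT_CONTEXT ctx;
    PACCESS_TOKEN token;
    BOOLEAN isAdmin = FALSE;

    SeCaptureSubjectContext(&ctx);
    SeLockSubjectContext(&ctx);
    token = SeQuerySubjectContextToken(&ctx);
    if (token != NULL) {
        TOKEN_TYPE type = SeTokenType(token);
        /* Only read the impersonation level from an impersonation token. */
        int level = (type == TokenImpersonation)
                        ? (int)SeTokenImpersonationLevel(token) : 0;
        if (TokenUsableForAdminCheck((int)type, level))
            isAdmin = SeTokenIsAdmin(token);  /* local Administrators SID present? */
    }
    SeUnlockSubjectContext(&ctx);
    SeReleaseSubjectContext(&ctx);
    return isAdmin;
}
#endif
```

The explicit type/level check is what makes this safe on the pre-March-2015 Windows 7 builds Alex mentions; on patched kernels it is redundant but harmless.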