By the way, I noticed that the function that begins the privilege tweaking is named CBBCDlg::OnSetShutdownPrivilege(). If the ultimate objective is to shut down the system, then the privilege that needs to be enabled is SeShutdownPrivilege. A limited account should have this privilege.
The SeAssignPrimaryTokenPrivilege, SeCreateTokenPrivilege and SeTcbPrivilege privileges are not required for shutting down the system.
AdjustTokenPrivileges Error Code 1300
I'm working on migrating a program written for Windows NT to Windows 10, but am running into some issues with how it attempts to elevate its privileges. During its initialization, it attempts to enable SeTcbPrivilege, SeAssignPrimaryTokenPrivilege, and SeCreateTokenPrivilege by calling AdjustTokenPrivileges:
    void CBBCDlg::OnSetShutdownPrivilege()
    {
        HANDLE hToken;
        HANDLE hProcess;
        LPCTSTR lpszPrivilege;
        char buffer[45];
        CString strErrorCode;
        lpszPrivilege = "SeTcbPrivilege";
        hProcess = GetCurrentProcess();
        if (hProcess && OpenProcessToken(hProcess, (TOKEN_ALL_ACCESS /*TOKEN_WRITE | TOKEN_QUERY_SOURCE*/), &hToken))
        {
            // Try to enable each privilege in turn; on failure show GetLastError().
            if (OnSetPrivilege(hToken, lpszPrivilege, TRUE))
            {
                // AfxMessageBox("SE_TCB_NAME set");
            }
            else
            {
                _itoa_s(GetLastError(), buffer, 10);
                AfxMessageBox("Could not set SE_TCB_NAME : " + CString(buffer));
            }
            lpszPrivilege = "SeAssignPrimaryTokenPrivilege";
            if (OnSetPrivilege(hToken, lpszPrivilege, TRUE))
            {
                // AfxMessageBox("AssignPrimaryToken set");
            }
            else
            {
                _itoa_s(GetLastError(), buffer, 10);
                AfxMessageBox("Could not set AssignPrimaryToken : " + CString(buffer));
            }
            lpszPrivilege = "SeCreateTokenPrivilege";
            if (OnSetPrivilege(hToken, lpszPrivilege, TRUE))
            {
                // AfxMessageBox("CreateToken set");
            }
            else
            {
                _itoa_s(GetLastError(), buffer, 10);
                AfxMessageBox("Could not set CreateToken : " + CString(buffer));
            }
            CloseHandle(hToken); // release the token handle opened above
        }
    }
OnSetPrivilege calls AdjustTokenPrivileges:
    bool CBBCDlg::OnSetPrivilege(HANDLE hToken,
                                 LPCSTR lpszPrivilege,
                                 BOOL bEnablePrivilege)
    {
        TOKEN_PRIVILEGES tp;
        LUID luid;
        /* For debugging: walk the privileges the token currently holds */
        DWORD length = 0;
        TOKEN_PRIVILEGES* ptkp = NULL;
        // First call only queries the required buffer size.
        GetTokenInformation(hToken, TokenPrivileges, ptkp, 0, &length);
        char name[256];
        ptkp = (TOKEN_PRIVILEGES*) new char[length];
        if (GetTokenInformation(hToken, TokenPrivileges, ptkp, length, &length) != 0)
        {
            for (DWORD i = 0; i < ptkp->PrivilegeCount; i++)
            {
                length = 256;
                LookupPrivilegeName(NULL, &(ptkp->Privileges[i].Luid), name, &length);
                DWORD dwAttri = ptkp->Privileges[i].Attributes; // inspect in the debugger
            }
        }
        delete[] (char*) ptkp; // free the debug buffer before the real call
        /**/
        // Translate the privilege name into its LUID on the local system.
        if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
        {
            return false;
        }
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        if (bEnablePrivilege)
        {
            tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        }
        else
        {
            tp.Privileges[0].Attributes = 0;
        }
        // AdjustTokenPrivileges returns nonzero even when a privilege was not
        // assigned, so the outcome is judged from GetLastError().
        AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES),
                              (PTOKEN_PRIVILEGES) NULL, (PDWORD) NULL);
        DWORD lastError = GetLastError();
        if (lastError != ERROR_SUCCESS)
        {
            return false;
        }
        return true;
    }
The program is meant to be run on a local account, but requests privileges usually available only to administrator accounts. When running on the target Windows 10 machine, I found that these privileges were not enabled after AdjustTokenPrivileges was called, and that GetLastError after the call returned 1300, ERROR_NOT_ALL_ASSIGNED. From the Win32 documentation on AdjustTokenPrivileges, "The AdjustTokenPrivileges function cannot add new privileges to the access token. It can only enable or disable the token's existing privileges."
How then should I add a privilege to the access token? I have tried to assign SeTcbPrivilege, SeAssignPrimaryTokenPrivilege, and SeCreateTokenPrivilege to the local account via group policy editor (Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment), then run the software again, but I found that only SeAssignPrimaryTokenPrivilege could then be enabled. Furthermore, when I called GetTokenInformation, I found that the access token was assigned SeAssignPrimaryTokenPrivilege, but SeTcbPrivilege and SeCreateTokenPrivilege did not stick.
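A diagnostic for the situation described in the question, added here as an example that is not part of the original post: it compares the privileges the program requests with the ones the current token actually holds, since AdjustTokenPrivileges can only enable privileges already in the token. The function name `Get-TokenPrivilegeState` and the sample CSV are constructed for illustration, and the parsing assumes English-language `whoami /priv /fo csv` output.

```powershell
# Added example, not from the original thread.
# Privileges the program in the question tries to enable, plus SeShutdownPrivilege.
$requested = 'SeTcbPrivilege', 'SeAssignPrimaryTokenPrivilege',
             'SeCreateTokenPrivilege', 'SeShutdownPrivilege'

function Get-TokenPrivilegeState {
    param(
        [string[]] $Requested,
        # CSV lines in the shape produced by: whoami /priv /fo csv
        [string[]] $WhoamiCsv = (whoami /priv /fo csv)
    )
    # Map privilege name -> state ("Enabled" / "Disabled") for everything in the token.
    $held = @{}
    foreach ($row in ($WhoamiCsv | ConvertFrom-Csv)) {
        $held[$row.'Privilege Name'] = $row.State
    }
    foreach ($name in $Requested) {
        if (-not $held.ContainsKey($name)) {
            # A privilege missing from the token cannot be enabled.
            $verdict = 'Not in token: AdjustTokenPrivileges gives 1300 (ERROR_NOT_ALL_ASSIGNED)'
        } elseif ($held[$name] -eq 'Enabled') {
            $verdict = 'In token and already enabled'
        } else {
            $verdict = 'In token but disabled: AdjustTokenPrivileges can enable it'
        }
        [pscustomobject]@{ Privilege = $name; State = $held[$name]; Verdict = $verdict }
    }
}

# Constructed sample input modelled on the outcome described in the question:
# only SeAssignPrimaryTokenPrivilege (and SeShutdownPrivilege) are in the token.
$sample = @'
"Privilege Name","Description","State"
"SeShutdownPrivilege","Shut down the system","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
"SeAssignPrimaryTokenPrivilege","Replace a process level token","Disabled"
'@ -split "`r?`n"

Get-TokenPrivilegeState -Requested $requested -WhoamiCsv $sample | Format-Table -AutoSize

# Same check against the token of the current PowerShell session.
Get-TokenPrivilegeState -Requested $requested | Format-Table -AutoSize
```

Run it in a session started under the same account and elevation level as the program, because the token contents differ between an elevated and a non-elevated logon.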
1 answer
RLWA32 45,691 Reputation points
2020-11-09T15:49:37.43+00:00