win32security: setting process privileges

Mark Tompkins mdtompkins at home.com
Wed Dec 6 18:20:46 CET 2000


Found it.

This may be of interest to others:

The advanced user rights are as follows:

To Act as Part of the Operating System

SE_TCB_NAME

Bypass Traverse Checking

SE_CHANGE_NOTIFY_NAME

Replace a Process Level Token

SE_ASSIGNPRIMARYTOKEN_NAME


Mark Tompkins wrote:

> Hi,
>
> I'm trying to set process privileges in a thread that needs to call
> win32security.LogonUser.
>
> I need to enable
>
> SE_TCB_NAME
> SE_CHANGE_NOTIFY_NAME
> SE_ASSIGNPRIMARYTOKEN_NAME
>
> When I attempt to assign these privileges to the current thread, only
> one assignment succeeds (SE_CHANGE_NOTIFY_NAME).  The MSDK win32 api
> docs INDICATE that SE_CHANGE_NOTIFY_NAME is assigned by default.  The
> following example is for SE_ASSIGNPRIMARYTOKEN_NAME.
>
> >>>import win32security
> >>>import ntsecuritycon
> >>>import win32con
> >>>import win32api
> >>>
> win32security.LookupPrivilegeValue(None,ntsecuritycon.SE_CHANGE_NOTIFY_NAME))
>
> 7
> >>>
> win32security.LookupPrivilegeValue(None,ntsecuritycon.SE_ASSIGNPRIMARYTOKEN_NAME)
>
> 23
> >>>
> win32security.LookupPrivilegeValue(None,ntsecuritycon.SE_ASSIGNPRIMARYTOKEN_NAME)
>
> 3
> >>> flags=ntsecuritycon.TOKEN_ADJUST_PRIVILEGES |
> ntsecuritycon.TOKEN_QUERY
> >>> flags
> 40
> >>>id=win32security.LookupPrivilegeValue(None,ntsecuritycon.SE_ASSIGNPRIMARYTOKEN_NAME)
>
> >>> id
> 3
> >>> nP=[(id,ntsecuritycon.SE_PRIVILEGE_ENABLED)]
> >>> nP
> [(3, 2)]
> >>>
> htoken=win32security.OpenProcessToken(win32api.GetCurrentProcess(),flags)
>
> >>> htoken
> 268
>
> >>> win32security.AdjustTokenPrivileges(htoken,0,nP)
> Traceback (innermost last):
>   File "<interactive input>", line 1, in ?
> api_error: (1300, 'MyAdjustTokenPrivileges', 'Not all privileges
> referenced are assigned to the caller.')
> >>>
>
> What privileges do I as a user need to be assigned, in order that the
> other two privileges are enabled for me, or are grantable by me to a
> process?  I am currently a member of the administrators group on the
> machine that I am coding on.
>
> thx
>
> Mark




More information about the Python-list mailing list