OpenProcess() with PROCESS_SET_INFORMATION on protected processes

microsoft.public.windows.vista.security






#1 (06-22-2007) Daniel Albuschat
OpenProcess() with PROCESS_SET_INFORMATION on protected processes
Hi there,

with the help of the TaskManager, I can change the process-affinity of
the svchost.exe processes. I need to click "Processes of all users"
and confirm the UAC-dialog, first, then it "just works" to set
the affinity.

I tried to do the same from within an application, which I start
via "Run as Administrator":

I find the process with "svchost.exe"-names and OpenProcess() it with
PROCESS_SET_INFORMATION. Well, the permission is denied, although
I am admin.

I could imagine that this is by design: Even administrators should not
be able to mess with protected processes. But how/why is the TaskManager
able to do this, then? Does it communicate with a kernel-module which
does the job, perhaps?

Regards,
Daniel Albuschat

#2 (06-22-2007) Jesper
RE: OpenProcess() with PROCESS_SET_INFORMATION on protected processes
What permissions do you request on the process handle?

---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20

#3 (06-23-2007) Daniel Albuschat
Re: OpenProcess() with PROCESS_SET_INFORMATION on protected processes
Jesper wrote:
> What permissions do you request on the process handle?


The permissions are PROCESS_SET_INFORMATION.
That's what I need to call SetProcessAffinityMask()
http://msdn2.microsoft.com/en-us/library/ms686223.aspx

Regards,
Daniel

#4 (06-23-2007) Jesper
Re: OpenProcess() with PROCESS_SET_INFORMATION on protected proces
The only thing I can think of without seeing the code is that you are trying
to set the mask to an illegal one and the error message is somehow
misleading. Did you call GetProcessAffinityMask first to make sure you are
setting the process mask to a subset of that?

There is one other option and that is that you are not actually elevated
properly, but then you should get an access denied error on the call to
OpenProcess. You are sure that the error is returned from
SetProcessAffinityMask and not OpenProcess right?

There are some processes you can't change the affinity on, but I would
expect that you are trying this on a process you own.

---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20

#5 (06-23-2007) Daniel Albuschat
Re: OpenProcess() with PROCESS_SET_INFORMATION on protected proces
Jesper wrote:
> The only thing I can think of without seeing the code is that you are trying
> to set the mask to an illegal one and the error message is somehow
> misleading. Did you call GetProcessAffinityMask first to make sure you are
> setting the process mask to a subset of that?
>
> There is one other option and that is that you are not actually elevated
> properly, but then you should get an access denied error on the call to
> OpenProcess. You are sure that the error is returned from
> SetProcessAffinityMask and not OpenProcess right?
>
> There are some processes you can't change the affinity on, but I would
> expect that you are trying this on a process you own.


No no, I obviously don't even get to the SetProcessAffinityMask() call,
because OpenProcess() failed, as I described in the original post.

And no, I don't call it on processes that I own, I call it on
svchost.exe processes. And the question is why I can set the process-
affinity with TaskManager, but not from within an elevated (Run as
Administrator) program. I would happily accept the fact that I can't
set the affinity of a protected process, but what I am struggling with
is why TaskManager can do it, but I can not.

You probably want to re-read my original post.

So here's the C++ code (compile it with UNICODE):

    #include <Windows.h>
    #include <Tlhelp32.h>
    #include <Psapi.h>
    #include <string>   // std::wstring is declared here; there is no <wstring> header
    using namespace std;

    wstring SysErrorMessage(DWORD error);

    int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
                       LPSTR lpCmdLine, int nShowCmd) {
        // Walk a snapshot of all running processes.
        HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        PROCESSENTRY32 process;
        process.dwSize = sizeof(PROCESSENTRY32);
        if( Process32First(snapshot, &process) ) {
            do {
                if( wcscmp(process.szExeFile, L"svchost.exe") == 0 ) {
                    // This is the call that fails with "access denied".
                    HANDLE proc = OpenProcess(PROCESS_SET_INFORMATION, FALSE,
                                              process.th32ProcessID);
                    if( proc != 0 ) {
                        SetProcessAffinityMask(proc, 1);
                        CloseHandle(proc);   // close only a handle that was opened
                    } else {
                        MessageBox(0, (L"Could not open process:\n" +
                                       SysErrorMessage(GetLastError())).c_str(),
                                   L"Error", MB_OK);
                    }
                }
            } while( Process32Next(snapshot, &process) );
        } else
            MessageBox(0, SysErrorMessage(GetLastError()).c_str(), L"Error", MB_OK);
        CloseHandle(snapshot);
        return 0;
    }

    // Returns the system message text for a Win32 error code.
    wstring SysErrorMessage(DWORD error) {
        TCHAR *buf = 0;
        DWORD len = FormatMessage(
            FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
            0, error, LANG_USER_DEFAULT, reinterpret_cast<TCHAR*>(&buf), 0, 0);
        if( len == 0 )
            return L"";
        wstring result(buf);
        LocalFree(buf);   // the buffer was allocated by FormatMessage
        return result;
    }

Thanks for your answers so far,

Daniel

#6 (06-23-2007) Jesper
Re: OpenProcess() with PROCESS_SET_INFORMATION on protected proces
I obviously ought to re-read your original post. Had I done that I probably
would have noticed that the problem is the line in the documentation for
OpenProcess that you missed:
    To open a handle to another local process and obtain full access
    rights, you must enable the SeDebugPrivilege privilege. For more information,
    see Changing Privileges in a Token.

To open handles to processes you don't own you have to enable the debug
privilege. In other words, to solve the problem, add this code before you
start opening process handles:
    #include <stdio.h>   // wprintf

    // Enables SeDebugPrivilege in the token of the current process.
    // Call it before you start opening process handles.
    BOOL EnableDebugPrivilege() {
        TOKEN_PRIVILEGES tp;
        LUID luid;

        if ( !LookupPrivilegeValue(
                NULL,                 // lookup privilege on local system
                L"SeDebugPrivilege",  // privilege to lookup
                &luid ) )             // receives LUID of privilege
        {
            wprintf(L"LookupPrivilegeValue error: %lu\n", GetLastError() );
            return FALSE;
        }

        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        // GetCurrentProcess() returns a pseudo handle, so it is not closed.
        HANDLE procToken;
        if( !OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &procToken) )
        {
            wprintf(L"\nOpenProcessToken failed with error %ls.",
                    SysErrorMessage(GetLastError()).c_str());
            return FALSE;
        }

        // Enable the privilege.
        BOOL ok = AdjustTokenPrivileges(
                procToken,
                FALSE,
                &tp,
                sizeof(TOKEN_PRIVILEGES),
                (PTOKEN_PRIVILEGES) NULL,
                (PDWORD) NULL);
        // The call also succeeds when the token does not hold the privilege;
        // GetLastError() then returns ERROR_NOT_ALL_ASSIGNED.
        DWORD err = GetLastError();
        CloseHandle(procToken);

        if ( !ok || err == ERROR_NOT_ALL_ASSIGNED )
        {
            wprintf(L"\nAdjustTokenPrivileges error: %ls\n",
                    SysErrorMessage(err).c_str() );
            return FALSE;
        }
        return TRUE;
    }


Yes, I know that's not the cleanest code I've ever written, but I hacked it
up quickly while the kids were pestering me to go play with them instead of
with the computer.
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20

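
An added example (not code from this thread) of a check that makes the behaviour discussed above visible: by default an elevated administrator token holds SeDebugPrivilege but leaves it disabled, and a token that does not hold it cannot enable it. PrivState, PrivEntry, Classify and QueryDebugPrivilege are names made up here; the Win32 part sits behind #ifdef _WIN32 so the decision logic also compiles on other platforms.

```cpp
// Added example: report whether SeDebugPrivilege is absent, held but disabled,
// or enabled in the current process token. Helper names are hypothetical.
#include <cstdint>
#include <vector>

enum class PrivState { Absent, Disabled, Enabled };

// Portable mirror of LUID_AND_ATTRIBUTES so the decision logic can be tested.
struct PrivEntry { uint32_t low; int32_t high; uint32_t attrs; };
const uint32_t kEnabled = 0x00000002;  // value of SE_PRIVILEGE_ENABLED

// A privilege can be held by a token and still be disabled; only an enabled
// privilege counts in the access check made by OpenProcess().
PrivState Classify(const std::vector<PrivEntry>& held, uint32_t low, int32_t high) {
    for (const PrivEntry& e : held)
        if (e.low == low && e.high == high)
            return (e.attrs & kEnabled) ? PrivState::Enabled : PrivState::Disabled;
    return PrivState::Absent;
}

#ifdef _WIN32
#include <windows.h>
// Reads TokenPrivileges from the current process token and classifies
// SeDebugPrivilege. Returns false if any Win32 call fails.
bool QueryDebugPrivilege(PrivState* out) {
    LUID want;
    HANDLE tok = NULL;
    if (!LookupPrivilegeValueW(NULL, L"SeDebugPrivilege", &want)) return false;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return false;
    DWORD need = 0;
    GetTokenInformation(tok, TokenPrivileges, NULL, 0, &need);  // size probe
    std::vector<BYTE> buf(need);
    BOOL ok = need && GetTokenInformation(tok, TokenPrivileges, buf.data(), need, &need);
    CloseHandle(tok);
    if (!ok) return false;
    const TOKEN_PRIVILEGES* tp = reinterpret_cast<const TOKEN_PRIVILEGES*>(buf.data());
    std::vector<PrivEntry> held;
    for (DWORD i = 0; i < tp->PrivilegeCount; ++i) {
        PrivEntry e;
        e.low = tp->Privileges[i].Luid.LowPart;
        e.high = tp->Privileges[i].Luid.HighPart;
        e.attrs = tp->Privileges[i].Attributes;
        held.push_back(e);
    }
    *out = Classify(held, want.LowPart, want.HighPart);
    return true;
}
#endif
```

Calling QueryDebugPrivilege() before and after the AdjustTokenPrivileges step shows the change from Disabled to Enabled; Absent means the account was never granted the privilege and the OpenProcess() call will keep failing.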

#7 (06-24-2007) Daniel Albuschat
Re: OpenProcess() with PROCESS_SET_INFORMATION on protected proces
Jesper wrote:
> I obviously ought to re-read your original post. Had I done that I probably
> would have noticed that the problem is the line in the documentation for
> OpenProcess that you missed:
> To open a handle to another local process and obtain full access
> rights, you must enable the SeDebugPrivilege privilege. For more information,
> see Changing Privileges in a Token.


Wow, you're my saviour
Thank you very much, I indeed missed that part, or rather didn't realise
that it applied to my problem. My application now successfully sets all
the affinity-masks correctly.
I feel bad that you took the time and answered my post instead of
playing with your children. :-)

Thanks again,

Daniel Albuschat