[Solved] Process | GetTokenInformation() & AdjustTokenPrivileges()

Get help with using AutoHotkey (v1.1 and older) and its commands and hotkeys
Flipeador
Posts: 1204
Joined: 15 Nov 2014, 21:31
Location: Argentina
27 Jul 2015, 16:18

Hi all,
I'm trying to get a list of all types of privileges and whether they are active or not.
These are the privileges:
[code=autohotkey file=Untitled.ahk]Privileges := "SeChangeNotifyPrivilege,SeCreateGlobalPrivilege,SeDebugPrivilege,"
. "SeShutdownPrivilege,SeSystemtimePrivilege,SeCreatePagefilePrivilege,SeImpersonatePrivilege,SeIncreaseQuotaPrivilege,"
. "SeTimeZonePrivilege,SeIncreaseBasePriorityPrivilege,SeManageVolumePrivilege,SeRemoteShutdownPrivilege,"
. "SeSecurityPrivilege,SeTakeOwnershipPrivilege,SeBackupPrivilege,SeProfileSingleProcessPrivilege,SeRestorePrivilege,"
. "SeSystemEnvironmentPrivilege,SeSystemProfilePrivilege"[/code]

and I want to get something like:
[code=text file=Untitled.txt]SeChangeNotifyPrivilege = ENABLED_BY_DEFAULT
SeCreateGlobalPrivilege = ENABLED
SeDebugPrivilege = DISABLED
SeShutdownPrivilege = ENABLED
and so on[/code]

[Image: Process Hacker]

Code (This is the progress so far):

[code=autohotkey]
/*
#define SE_PRIVILEGE_ENABLED_BY_DEFAULT (0x00000001L)
#define SE_PRIVILEGE_ENABLED            (0x00000002L)
#define SE_PRIVILEGE_REMOVED            (0X00000004L)
#define SE_PRIVILEGE_USED_FOR_ACCESS    (0x80000000L)

Privileges := "SeChangeNotifyPrivilege,SeCreateGlobalPrivilege,SeDebugPrivilege,"
		. "SeShutdownPrivilege,SeSystemtimePrivilege,SeCreatePagefilePrivilege,SeImpersonatePrivilege,SeIncreaseQuotaPrivilege,"
		. "SeTimeZonePrivilege,SeIncreaseBasePriorityPrivilege,SeManageVolumePrivilege,SeRemoteShutdownPrivilege,"
		. "SeSecurityPrivilege,SeTakeOwnershipPrivilege,SeBackupPrivilege,SeProfileSingleProcessPrivilege,SeRestorePrivilege,"
		. "SeSystemEnvironmentPrivilege,SeSystemProfilePrivilege"
*/

;0x0400 = PROCESS_QUERY_INFORMATION; handles are pointer-sized, so the return type is "Ptr"
ProcessId := DllCall("Kernel32.dll\GetCurrentProcessId")
hProcess := DllCall("Kernel32.dll\OpenProcess", "UInt", 0x0400, "UInt", 0, "UInt", ProcessId, "Ptr")
;0x00000008 = TOKEN_QUERY; "PtrP" so the token handle is not truncated on 64-bit
DllCall("Advapi32.dll\OpenProcessToken", "Ptr", hProcess, "UInt", 0x00000008, "PtrP", hToken)

;GetTokenInformation: https://msdn.microsoft.com/en-us/library/windows/desktop/aa446671%28v=vs.85%29.aspx
;TokenInformationClass = TOKEN_INFORMATION_CLASS = TokenPrivileges = 3 --> TOKEN_PRIVILEGES 
;first call only asks for the required buffer size (ReturnLength)
DllCall("Advapi32.dll\GetTokenInformation", "Ptr", hToken, "UInt", 3, "Ptr", 0, "UInt", 0, "UIntP", ReturnLength)
TokenInformationLength := VarSetCapacity(TokenInformation, ReturnLength * 2, 0) / 2
DllCall("Advapi32.dll\GetTokenInformation", "Ptr", hToken, "UInt", 3, "Ptr", &TokenInformation, "UInt", TokenInformationLength, "UIntP", ReturnLength)

;TOKEN_PRIVILEGES (structure): https://msdn.microsoft.com/en-us/library/windows/desktop/aa379630%28v=vs.85%29.aspx
;only the first LUID_AND_ATTRIBUTES entry (LUID at offset 4, Attributes at offset 12) is read here
PrivilegeCount := NumGet(TokenInformation, 0, "UInt")
Privileges := NumGet(TokenInformation, 4, "Int64")
PrivilegeAttribute := NumGet(TokenInformation, 12, "UInt")

MsgBox % PrivilegeCount "`n" Privileges "`n" PrivilegeAttribute
[/code]
-----------------------------------------------


Currently I use this to change the privileges:

[code=autohotkey]
MsgBox % "Enable SeBackupPrivilege: " ProcessSetPrivilege("explorer.exe", "SeBackupPrivilege", true)
;this disables all, I want only the specified.
MsgBox % "Disable SeBackupPrivilege: " ProcessSetPrivilege("explorer.exe", "SeBackupPrivilege", false)
ExitApp
ProcessSetPrivilege(ProcessName, Privileges, Set := true) {
	static AllPrivileges := "SeChangeNotifyPrivilege,SeCreateGlobalPrivilege,SeDebugPrivilege,"
		. "SeShutdownPrivilege,SeSystemtimePrivilege,SeCreatePagefilePrivilege,SeImpersonatePrivilege,SeIncreaseQuotaPrivilege,"
		. "SeTimeZonePrivilege,SeIncreaseBasePriorityPrivilege,SeManageVolumePrivilege,SeRemoteShutdownPrivilege,"
		. "SeSecurityPrivilege,SeTakeOwnershipPrivilege,SeBackupPrivilege,SeProfileSingleProcessPrivilege,SeRestorePrivilege,"
		. "SeSystemEnvironmentPrivilege,SeSystemProfilePrivilege"
	;0x0400 = PROCESS_QUERY_INFORMATION; handles are pointer-sized ("Ptr" / "PtrP")
	hProcess := DllCall("Kernel32.dll\OpenProcess", "UInt", 0x0400, "UInt", 0, "UInt", ProcessExist(ProcessName), "Ptr")
	;0x0020 = TOKEN_ADJUST_PRIVILEGES, 0x00000008 = TOKEN_QUERY
	DllCall("Advapi32.dll\OpenProcessToken", "Ptr", hProcess, "UInt", 0x0020|0x00000008, "PtrP", hToken)
	PrivilegesLuid := [], i := 0
	Loop, Parse, % (Privileges="All"?AllPrivileges:Privileges), `,
		DllCall("Advapi32.dll\LookupPrivilegeValueW", "Ptr", 0, "Str", A_LoopField, "Int64P", lpLuid)
		, PrivilegesLuid[A_Index] := lpLuid
	;one TOKEN_PRIVILEGES with a single entry per call: count (4 bytes) + LUID (8) + Attributes (4) = 16 bytes
	;the 2nd argument of AdjustTokenPrivileges is DisableAllPrivileges, so passing !Set disables every privilege when Set is false
	for k, v in PrivilegesLuid
		ti := "", VarSetCapacity(ti, 16, 0), NumPut(1, ti, 0, "UInt"), NumPut(v, ti, 4, "Int64"), NumPut(2, ti, 12, "UInt")
		, i := i+(DllCall("Advapi32.dll\AdjustTokenPrivileges", "Ptr", hToken, "Int", !Set, "Ptr", &ti, "UInt", 0, "Ptr", 0, "Ptr", 0)?1:0)
	DllCall("kernel32.dll\CloseHandle", "Ptr", hToken)
	DllCall("kernel32.dll\CloseHandle", "Ptr", hProcess)
	return i, ErrorLevel := PrivilegesLuid.MaxIndex()!=i
}
ProcessExist(i) {
	Process, Exist, % i
	return ErrorLevel
}
[/code]
Besides, I think it can be done in a better way to enable/disable several privileges at once, instead of calling AdjustTokenPrivileges() for each privilege...

In short, my problem is I do not know how to work with arrays in DllCall(). This is what the TOKEN_PRIVILEGES structure says (the part I do not understand how to do):
[quote]Specifies an Array of LUID_AND_ATTRIBUTES structures...[/quote]

Thanks!
Last edited by Flipeador on 19 Jan 2016, 08:45, edited 3 times in total.

Flipeador

Re: Process | GetTokenInformation --> TOKEN_PRIVILEGES

29 Nov 2015, 10:48

Some progress. Could someone tell me if it works on 64-bit?
Update* 20160119, this works fine.

[code=autohotkey]
;query
for k, v in p:=ProcessQueryPrivileges("chrome.exe")
	MsgBox % "#" k " ~ " p.MaxIndex() " ------------`nPrivilege: " v.Name "`nState: " v.State

;adjust
MsgBox % ProcessAdjustPrivileges("notepad.exe", [["SeShutdownPrivilege", "Enable"], ["SeUndockPrivilege", "Enable"]]) ;from array
MsgBox % ProcessAdjustPrivileges("notepad.exe", "SeTimeZonePrivilege,SeIncreaseWorkingSetPrivilege", "Enable") ;normal (same state for all specified)
MsgBox % ProcessAdjustPrivileges("notepad.exe",,, true) ;disable all privileges (non default enabled)
ExitApp



ProcessAdjustPrivileges(ProcessName, Privileges := "", State := "Enable", DisableAllPrivileges := false) {
	;Enable = SE_PRIVILEGE_ENABLED, Delete = SE_PRIVILEGE_REMOVED
	static States := {Enable: 0x00000002, Disable: 0x00000000, Delete: 0x00000004}
	;0x0400 = PROCESS_QUERY_INFORMATION, 0x00000028 = TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY
	;TOKEN_PRIVILEGES = PrivilegeCount (4 bytes) + one 12-byte LUID_AND_ATTRIBUTES per privilege
	ProcessId := _getpid(ProcessName), Privileges := IsObject(Privileges)?Privileges:StrSplit(Privileges, ",", A_Space A_Tab)
	, hProcess := OpenProcess(ProcessId, 0x0400), hToken := OpenProcessToken(hProcess, 0x00000028), Offset := 0
	, VarSetCapacity(TOKEN_PRIVILEGES, 4 + (12*Privileges.MaxIndex()), 0), NumPut(Privileges.MaxIndex(), TOKEN_PRIVILEGES, 0, "UInt")
	for Index, Info in Privileges {
		;entry n: LUID at 4 + 12*n, Attributes at 12 + 12*n
		NumPut(LookupPrivilegeValue(IsObject(Info)?Info[1]:Info), TOKEN_PRIVILEGES, Offset+4, "Int64")
		, NumPut(States[IsObject(Info)?Info[2]:State], TOKEN_PRIVILEGES, Offset+12, "UInt")
		Offset += 12
	}
	DllCall("Advapi32.dll\AdjustTokenPrivileges", "Ptr", hToken, "Int", !!DisableAllPrivileges, "Ptr", &TOKEN_PRIVILEGES, "UInt", 0, "Ptr", 0, "Ptr", 0)
	return !(r:=A_LastError), ErrorLevel := r, CloseHandle(hToken, hProcess) ;AdjustTokenPrivileges --> A_LastError --> ERROR_SUCCESS = 0
} ;https://msdn.microsoft.com/en-us/library/aa375202(VS.85).aspx | https://msdn.microsoft.com/en-us/library/aa379306(v=vs.85).aspx

ProcessQueryPrivileges(ProcessName) {
	;Attributes is a bit mask; a combination that is not listed here gives an empty State
	static States := {0x00000002: "Enabled", 0x00000000: "Disabled", 0x00000001: "Default", 0x80000000: "Access", 0x00000003: "Default"}
	;0x0400 = PROCESS_QUERY_INFORMATION, 0x0008 = TOKEN_QUERY, class 3 = TokenPrivileges
	ProcessId := _getpid(ProcessName), hProcess := OpenProcess(ProcessId, 0x0400), hToken := OpenProcessToken(hProcess, 0x0008)
	, Ok := GetTokenInformation(hToken, 3, TOKEN_PRIVILEGES), List := [], Offset := 0
	Loop, % NumGet(TOKEN_PRIVILEGES, 0, "UInt") {
		PrivilegeInfo := {}
		, PrivilegeInfo.Name := LookupPrivilegeName(NumGet(TOKEN_PRIVILEGES, Offset+4, "Int64"))
		, PrivilegeInfo.State := States[NumGet(TOKEN_PRIVILEGES, Offset+12, "UInt")]
		, List.Push(PrivilegeInfo), Offset += 12
	}
	return List, CloseHandle(hToken, hProcess), ErrorLevel := !Ok
}

;-------------------------------------------------

OpenProcess(ProcessId, DesiredAccess := 0x001F0FFF, InheritHandle := false) { ;0x001F0FFF=ALL
	return DllCall("Kernel32.dll\OpenProcess", "UInt", DesiredAccess, "Int", !!InheritHandle, "UInt", ProcessId, "Ptr")
}
OpenProcessToken(hProcess, DesiredAccess := 0xF01FF) { ;0xF01FF=ALL
	;"PtrP": the token handle is pointer-sized, "UIntP" would truncate it on 64-bit
	DllCall("Advapi32.dll\OpenProcessToken", "Ptr", hProcess, "UInt", DesiredAccess, "PtrP", hToken)
	return hToken
}
CloseHandle(HANDLE*) {
	Error := ErrorLevel, Ok := 0
	Loop, % (HANDLE.MaxIndex())
		Ok += !!DllCall("Kernel32.dll\CloseHandle", "Ptr", HANDLE[A_Index], "UInt")
	return Ok=HANDLE.MaxIndex(), ErrorLevel := Error
}
GetTokenInformation(hToken, TokenInformationClass, ByRef TOKEN_INFORMATION, ByRef ReturnLength := "") {
	;first call returns the required size in ReturnLength, second call fills the buffer
	DllCall("Advapi32.dll\GetTokenInformation", "Ptr", hToken, "UInt", TokenInformationClass, "Ptr", 0, "UInt", 0, "UIntP", ReturnLength)
	, VarSetCapacity(TOKEN_INFORMATION, ReturnLength * 2, 0)
	, Ok := DllCall("Advapi32.dll\GetTokenInformation", "Ptr", hToken, "UInt", TokenInformationClass
		, "Ptr", &TOKEN_INFORMATION, "UInt", ReturnLength, "UIntP", ReturnLength, "UInt")
	return Ok, ErrorLevel := !Ok
}
LookupPrivilegeValue(PrivilegeName) {
	Ok := DllCall("Advapi32.dll\LookupPrivilegeValueW", "Ptr", 0, "Ptr", &PrivilegeName, "Int64P", PrivilegeValue, "UInt")
	return PrivilegeValue, ErrorLevel := !Ok
}
LookupPrivilegeName(lpLuid) {
	VarSetCapacity(Luid, 8, 0), NumPut(lpLuid, Luid, 0, "Int64")
	, DllCall("Advapi32.dll\LookupPrivilegeNameW", "Ptr", 0, "Ptr", &Luid, "Ptr", 0, "UIntP", Size)
	, VarSetCapacity(OutputVar, (Size + 1) * 2)
	, DllCall("Advapi32.dll\LookupPrivilegeNameW", "Ptr", 0, "Ptr", &Luid, "Str", OutputVar, "UIntP", Size + 1)
	return OutputVar
}
_getpid(p) {
	Process, Exist, %p%
	return ErrorLevel
}
[/code]
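
Added example, not part of the thread or of Flipeador's script: a Python parser for the TOKEN_PRIVILEGES buffer layout used above (a 4-byte count followed by 12-byte LUID_AND_ATTRIBUTES entries), decoding Attributes as a bit mask so that combined values are still reported. The names `parse_token_privileges`, `decode` and `SAMPLE` are this example's own; the four-entry `WELL_KNOWN` table uses the well-known privilege LUID values from the Windows headers and stands in for LookupPrivilegeNameW, and the sample buffer is constructed, not captured from a real token.

```python
import struct

# Attribute bit flags, as quoted from winnt.h in the first post.
SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001
SE_PRIVILEGE_ENABLED = 0x00000002
SE_PRIVILEGE_REMOVED = 0x00000004
SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000

# Assumption: a small table of well-known LUID values for offline use.
# A live tool resolves names with LookupPrivilegeNameW, as the script above does.
WELL_KNOWN = {17: "SeBackupPrivilege", 19: "SeShutdownPrivilege",
              20: "SeDebugPrivilege", 23: "SeChangeNotifyPrivilege"}

# LUID.LowPart (DWORD), LUID.HighPart (LONG), Attributes (DWORD) = 12 bytes.
ENTRY = struct.Struct("<IiI")


def decode(attrs):
    """Attributes is a bit mask, so test each flag instead of the whole value."""
    flags = [name for bit, name in (
        (SE_PRIVILEGE_ENABLED_BY_DEFAULT, "ENABLED_BY_DEFAULT"),
        (SE_PRIVILEGE_ENABLED, "ENABLED"),
        (SE_PRIVILEGE_REMOVED, "REMOVED"),
        (SE_PRIVILEGE_USED_FOR_ACCESS, "USED_FOR_ACCESS")) if attrs & bit]
    return flags or ["DISABLED"]


def parse_token_privileges(buf):
    """Decode a TOKEN_PRIVILEGES buffer into (luid, name, flags) tuples."""
    if len(buf) < 4:
        raise ValueError("buffer too short for PrivilegeCount")
    (count,) = struct.unpack_from("<I", buf, 0)
    need = 4 + ENTRY.size * count
    if len(buf) < need:  # never trust the count beyond the bytes actually returned
        raise ValueError(f"count={count} needs {need} bytes, got {len(buf)}")
    result = []
    for i in range(count):
        low, high, attrs = ENTRY.unpack_from(buf, 4 + ENTRY.size * i)
        luid = (high << 32) | low
        result.append((luid, WELL_KNOWN.get(luid, f"LUID {luid}"), decode(attrs)))
    return result


# Constructed sample buffer: four entries, the last one with a combined value.
SAMPLE = struct.pack("<I", 4) + b"".join(ENTRY.pack(luid, 0, attrs) for luid, attrs in (
    (23, 0x00000003), (19, 0x00000000), (20, 0x00000002), (17, 0x80000002)))

if __name__ == "__main__":
    for luid, name, flags in parse_token_privileges(SAMPLE):
        print(f"{name} = {'|'.join(flags)}")
```

The last sample entry (0x80000002) is the kind of combined value that a lookup keyed on the exact attribute number leaves blank.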
BNK3R Boy
Posts: 14
Joined: 18 Aug 2017, 05:55
Location: Germany

Re: [Solved] Process | GetTokenInformation() & AdjustTokenPrivileges()

26 Feb 2018, 16:11

Looks nice.
But I don't understand how I update to administrator rights of SetPoint.exe.
Would you help me?
...Turn the wheel, turn the wheel, turn the wheel...
But I'm already going round the bend!
:think:

Flipeador

Re: [Solved] Process | GetTokenInformation() & AdjustTokenPrivileges()

26 Feb 2018, 16:58

[quote="BNK3R Boy"]Looks nice.
But I don't understand how I update to administrator rights of SetPoint.exe.
Would you help me?[/quote]
Hi :wave:
Sorry, I do not understand what you mean by update to administrator rights of SetPoint.exe :think:
This script is to modify what you see in this image:
[Image]

BNK3R Boy

Re: [Solved] Process | GetTokenInformation() & AdjustTokenPrivileges()

01 Mar 2018, 17:31

I'm trying to give SetPoint.exe admin rights if it does not have these rights.
Instead of your example notepad.exe.
I hoped this was the solution.
Unfortunately, I can not see the picture.

I'm sorry if I'm wrong.

Flipeador

Re: [Solved] Process | GetTokenInformation() & AdjustTokenPrivileges()

01 Mar 2018, 17:48

[quote="BNK3R Boy"]Unfortunately, I can not see the picture.[/quote]
Sorry, I fixed it.
[quote]I'm trying to give SetPoint.exe admin rights if it does not have these rights.[/quote]
You mean, as if you were right clicking "Run as administrator"?
I do not think this can be modified if the program is already running...
See https://stackoverflow.com/questions/641 ... t-run-time

BNK3R Boy

Re: [Solved] Process | GetTokenInformation() & AdjustTokenPrivileges()

06 Mar 2018, 08:06

Ok, my fault.
But can it check the admin rights of a process, to close and start it with admin rights if not?

Close and start is not the problem. The only problem is checking the rights.

P.S.: The picture of your first posting is not loaded again.

Flipeador

Re: [Solved] Process | GetTokenInformation() & AdjustTokenPrivileges()

06 Mar 2018, 10:07

[quote="BNK3R Boy"]But can it check the admin rights of a process, to close and start it with admin rights if not?[/quote]
Sure, you can use this function to determine if a process has administrative rights.

[code=autohotkey]
ProcessIsElevated(Process)
{
    Local ProcessId
    Process, Exist, % Process
    If (!(ProcessId:=ErrorLevel))
        Return "The process does not exist"

    ; 0x400 = PROCESS_QUERY_INFORMATION
    Local hProcess := DllCall("Kernel32.dll\OpenProcess", "UInt", 0x400, "Int", false, "UInt", ProcessId, "Ptr")
    If (!hProcess)
        Return "OpenProcess Error"

    ; 0x0008 = TOKEN_QUERY
    Local hToken
    If (!DllCall("Advapi32.dll\OpenProcessToken", "Ptr", hProcess, "UInt", 0x0008, "PtrP", hToken))
    {
        DllCall("Kernel32.dll\CloseHandle", "Ptr", hProcess)
        Return "OpenProcessToken Error"
    }

    ; GetTokenInformation = https://msdn.microsoft.com/en-us/library/windows/desktop/aa446671(v=vs.85).aspx
    ; TOKEN_INFORMATION_CLASS enumeration = https://msdn.microsoft.com/en-us/library/windows/desktop/aa379626(v=vs.85).aspx#TokenElevation
    ; TOKEN_ELEVATION structure = https://msdn.microsoft.com/en-us/library/windows/desktop/bb530717(v=vs.85).aspx
    ; class 20 = TokenElevation; TOKEN_ELEVATION is a single 4-byte TokenIsElevated value
    Local TokenIsElevated, ReturnLength, R
    R := DllCall("Advapi32.dll\GetTokenInformation", "Ptr", hToken, "Int", 20, "UIntP", TokenIsElevated, "UInt", 4, "UIntP", ReturnLength)

    DllCall("Kernel32.dll\CloseHandle", "Ptr", hProcess)
    DllCall("Kernel32.dll\CloseHandle", "Ptr", hToken)

    Return R ? TokenIsElevated : "GetTokenInformation Error"
}
[/code]
Note: You must run the script as administrator.
Then, you must use Process Close to finish the process, wait for it to close and Run * RunAs to run it again, but as administrator.
[quote]The picture of your first posting is not loaded again.[/quote]
Weird, I'll try to upload it to another host.
Edit* It is safer to use WinClose in the main window to finish the process ... depending on the application. Even so, I do not see much sense in doing this, you can modify the properties of the executable so that it always runs as administrator...

BNK3R Boy

Re: [Solved] Process | GetTokenInformation() & AdjustTokenPrivileges()

21 Mar 2018, 17:07

Oh thank you very much.
I'll try out right now.

Edit: It works great! <3 u :D