Re: how to obtain SecurityDescriptor of a logoned user on NT4 SP6a from a service running with LocalSystem account?



Allen wrote:
> Eugene Gershnik wrote:
>>> , then some GUI thread will be generated by my service,
>>
>> Which breaks Windows security but we already discussed that in
>> another thread.
>
> Actually security is not a very big issue for my program, this
> service often starts a program with admin privilege.

You are missing the real issue. As soon as you pop up UI in the interactive
window station you escape all Windows security protection. Other GUI
applications running under a non-privileged account can send you window
messages, crash you and execute code inside your process, which runs under
the most privileged account. This may not be an issue for *your* application but
it is usually an issue for the user of the computer it runs on.

>>> this GUI thread sometimes
>>> needs to know the SecurityDescriptor
>>
>>
>> You mean SID, right?
>
> The SECURITY_DESCRIPTOR structure, which includes sidOwner, sidGroup,
> DACL, and SACL.

Users don't have security descriptors. Resources do.

>> Anyways if an API fails the most important piece of information is
>> the error code. What is it?
>
> There is no error code, let me attach a snapshot of the message box.

You said that OpenProcessToken fails, didn't you?

--
Eugene

