Re: windows services question




> This is wrong....
>
> Only LocalSystem and Admins have this privilege in their tokens, in the
> first place. It is disabled for Admins by default, but enabled for
> LocalSystem, because the system must be able to open any process for
> any access....

No disputing that nor did I say otherwise. You can add this privilege to
anyone's account if you wish however though it's not something that anyone
would normally do obviously. Once a privilege does exist in your token
however, it's easily enabled on-the-fly and in fact, some WinAPI functions
quietly do this behind the scenes (enabling and then disabling it again if
the privilege is required for that function). IOW, there's nothing special
about the "LocalSystem" account in this regard. A program running as a
member of the Administrators group can easily enable SeDebugPrivilege if it
so chooses. The Task Manager chooses not to in order to protect people from
themselves including Administrators. I therefore don't follow your point
about why it's enabled by default in the system account but not for ordinary
administrators. It's not simply because the system account needs to open any
process for all access which of course it must do. That is, an ordinary
administrator can do this as well if it wants (by simply enabling the
privilege on-the-fly). The reason it's enabled by default for the system
account is presumably for efficiency. It needs this privilege regularly so
MSFT turned it on by default. That seems the most reasonable explanation
anyway (IMO) noting that not all privileges are on by default even for the
system account (which seems to back up my point).

>> system account is also an administrator BTW
>
> This is wrong as well....

No it's not. The administrator's group is in the system account's token and
always has been. Check this out for yourself under the system account's SID
(S-1-5-18). You'll find group SID S-1-5-32-544 which is
BUILTIN\Administrators.

>> The trick is to enable it first
>
> Exactly, but Task Manager does not do it - this is why you cannot
> terminate a process that runs under the LocalSystem account, via it...

As I basically said. If an Administrator turns it on however then the Task
Manager will respect it and kill whatever you want.

> However, if some third-party app does it, there is nothing that OP can
> do about it

Agreed, since you can't stop an administrator from doing anything they
really want without starting an (unwinnable) administrative war.
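Added example, not from this thread: a PowerShell audit, run under the account in question, that reports whether SeDebugPrivilege is present in the token, whether it is currently enabled, and whether group SID S-1-5-32-544 (BUILTIN\Administrators) is in the token. It assumes whoami.exe with its `/priv /fo csv` output; the function name Get-TokenPrivilegeAudit is my own.

```powershell
# Added example (not from the thread). Audits the current token for the two
# points argued above: privilege presence/state and Administrators membership.
function Get-TokenPrivilegeAudit {
    # whoami /priv lists every privilege present in the token with its current
    # State (Enabled/Disabled). A privilege that is absent is simply not listed,
    # which is the difference between "not in the token" and "disabled".
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $debug = $privs | Where-Object { $_.'Privilege Name' -eq 'SeDebugPrivilege' }

    # Group SIDs carried in the token; S-1-5-32-544 is BUILTIN\Administrators,
    # S-1-5-18 is the LocalSystem account itself.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groupSids = $identity.Groups | ForEach-Object { $_.Value }

    [pscustomobject]@{
        User                = $identity.Name
        UserSid             = $identity.User.Value
        IsLocalSystem       = ($identity.User.Value -eq 'S-1-5-18')
        InBuiltinAdmins     = ($groupSids -contains 'S-1-5-32-544')
        HasSeDebugPrivilege = [bool]$debug
        # Expected: 'Enabled' under LocalSystem, 'Disabled' on an elevated
        # administrator token, 'Not present' on a plain user token.
        SeDebugState        = if ($debug) { $debug.State } else { 'Not present' }
    }
}

Get-TokenPrivilegeAudit | Format-List
```

On Vista and later a non-elevated administrator's filtered token will not list SeDebugPrivilege at all, so run the audit from an elevated session to see the Disabled-by-default state the thread describes.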




