Re: windows services question

I therefore don't follow your point
about why it's enabled by default in the system account but not for ordinary
administrators.

This is how everything sets configured upon the setup, so this is a
default. Certainly, Admins can change everything at some later point,
and add and/or enable any privilege you wish, so that even restricted
users may have SeDebug privilege in the token. However, I am just
speaking about defaults..

there's nothing special
about the "LocalSystem" account in this regard.


... apart from the fact that it is able to access SAM database,
"\\Device\\PhysicalMemory" on OS versions below W2K3 SP1, etc, etc, etc
by dafault, but Admins have no chance to do so. Again, Admins can grant
themselves access to these items (they can do it programmatically right
on the fly), but this is already not a default setting, is it???

If an Administrator turns it on however then the Task
Manager will respect it and kill whatever you want.

Sure. However, again, this is not a default


Basically, I am speaking solely about default configurations - it is
understandable that Admins are able to change everything the way they
like


Anton Bassov


Larry Smith wrote:
This is wrong....

Only LocalSystem and Admins have this privilege in their tokens, in the
first place. It is disabled for Admins by default, but enabled for
LocalSystem, because the system must be able to open any process for
any access....

No disputing that nor did I say otherwise. You can add this privilege to
anyone's account if you wish however though it's not something that anyone
would normally do obviously. Once a privilege does exist in your token
however, it's easily enabled on- the-fly and in fact, some WinAPI functions
quietly do this behind the scenes (enabling and then disabling it again if
the privilege is required for that function). IOW, there's nothing special
about the "LocalSystem" account in this regard. A program running as a
member of the Administrators group can easily enable SeDebugPrivilege if it
so chooses. The Task Manager chooses not to in order to protect people from
themselves including Administrators. I therefore don't follow your point
about why it's enabled by default in the system account but not for ordinary
administrators. It's not simply because the system account needs to open any
process for all access which of course it must do. That is, an ordinary
administrator can do this as well if it wants (by simply enabling the
privilege on-the-fly). The reason it's enabled by default for the system
account is presumably for efficiency. It needs this privilege regularly so
MSFT turned it on by default. That seems the most reasonable explanation
anyway (IMO) noting that not all privileges are on by default even for the
system account (which seems to back up my point).

system account is also an administrator BTW

This is wrong as well....

No it's not. The administrator's group is in the system account's token and
always has been. Check this out for yourself under the system account's SID
(S-1-5-18). You'll find group SID S-1-5-32-544 which is
BUILTIN\Administrators.

The trick is to enable it first

Exactly, but Task Manager does not do it - this is why you cannot
terminate a process
that runs under the LocalSystem account, via it...

As I basically said. If an Administrator turns it on however then the Task
Manager will respect it and kill whatever you want.

However, if some third-party app does it, there is nothing that OP can
do about it

Agreed, since you can't stop an administrator from doing anything they
really want without starting an (unwinnable) administrative war.

.

Relevant Pages

  • Re: windows services question
    ... Only LocalSystem and Admins have this privilege in their tokens, ... about the "LocalSystem" account in this regard. ... member of the Administrators group can easily enable SeDebugPrivilege if it ...
    (microsoft.public.win32.programmer.kernel)
  • Re: LogonUser call fails for NetworkService account on XP x64 insi
    ... and the the System account seems not to be able to correctly impersonate ... The NetWorkService account seems to be better supported by this than the ... stripped of some necessary privilege or the privilege ... Since this privilege is required for primary tokens however (according to ...
    (microsoft.public.platformsdk.security)
  • Re: Apple QuickTime needs privileges?
    ... by default this privilege is only given to administrators. ... > the administrator account, but accounts in the Power Users and Users ... > Event Source: Security ...
    (microsoft.public.win2000.security)
  • Re: Computer Management Security Problem
    ... The user right you mention is the right that by default gives administrators the ... right to take ownership of files and folders and on a domain controller that would ... I would create an test account that is just in the users group and ... user triggered an event 578 (privilege use) and the privilege "Se TakeOwnership ...
    (microsoft.public.win2000.security)
  • Re: Event ID: 1202
    ... No mapping between account names and security IDs was ... SeIncreaseBasePriorityPrivilege = Administrators ... "Meinolf Weber" wrote: ... A user account in one or more Group policy objects (GPOs) could not ...
    (microsoft.public.win2000.active_directory)