CreateProcessAsUser (error 1314)

From: Jordi Gou (jgou_at_ntr.es)
Date: 07/13/04


Date: Tue, 13 Jul 2004 19:00:44 +0200

I have a problem with CreateProcessAsUser. It always returns me the error
code 1314 ("A required privilege is not held by the client").
My application needs to change the privileges to administrator privileges of
the current process. So I use ImpersonateLoggedOnUser
(this part goes well). Besides, it has to launch several commands, so I have
to use CreateProcessAsUser (because I saw that ShellExecute
or WinExec don't inherit privileges).

To create the new process I duplicate the token that use to Impersonate
converting it to primary token. Furthermore, I put the
SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME on token, because I
read that it needs, but nothing happens. The error is still here.

Does anyone can help me? What it's happening? How can I resolve it?

Here it's the code that I use:

if (!RevertToSelf()) return false;

// Get the current process token handle...
if( !OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY, &hToken ))
 return false;

if (!SetPrivilege(hToken, SE_TCB_NAME, true))
 return false;

if (LogonUser(szUsername, szDomain, szPassword, LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT, &hAdminUser))
 bUserAuth = true;
else
 bUserAuth = false;

if (bUserAuth)
{
 if (!ImpersonateLoggedOnUser(hAdminUser))
  MessageBox(NULL, TEXT("Inpersonate Error"), TEXT(""), MB_OK);

 /////////////////////////////////////////////////
 if (DuplicateTokenEx(hAdminUser, MAXIMUM_ALLOWED, 0, SecurityImpersonation,
TokenPrimary, &hAdminPriv) == 0)
  MessageBox(NULL, TEXT("duplicate token Error"), TEXT(""), MB_OK);

 if (!SetPrivilege(hAdminPriv, SE_ASSIGNPRIMARYTOKEN_NAME, true))
 {
  MessageBox(NULL, TEXT("SetPrivilege Error"), TEXT(""), MB_OK);
  return false;
 }

 if (!SetPrivilege(hAdminPriv, SE_INCREASE_QUOTA_NAME, true))
 {
  MessageBox(NULL, TEXT("SetPrivilege Error"), TEXT(""), MB_OK);
  return false;
 }

 TCHAR szRes[MAXSTRINGLEN];
 STARTUPINFO si;
 PROCESS_INFORMATION pi;

 ZeroMemory( &si, sizeof(si) );
 si.cb = sizeof(si);
 ZeroMemory( &pi, sizeof(pi) );

 my_strcpy(szRes, TEXT("C:\\Archivos de programa\\Inquiero Installable
ISD\\prova.exe"));

 if (!CreateProcessAsUser(hAdminPriv, NULL, szRes, NULL, NULL, TRUE,
DETACHED_PROCESS|IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi))
 {
  TCHAR szError[MAXSTRINGLEN];
  wsprintf(szError, TEXT("%d"), GetLastError());
  MessageBox(NULL, szError, TEXT(""), MB_OK);
 }
}



Relevant Pages

  • Re: CreateProcessAsUser error "the client does not have the required priviledges"
    ... I understand what you are saying about granting privileges ... on original user but I don't know how to do this. ... use LogonUser again to call CreateProcessAsUser? ...
    (microsoft.public.platformsdk.security)
  • Re: SE_ASSIGNPRIMARYTOKEN_NAME
    ... Please note following lines from CreateProcessAsUser remark section: ... the process that calls the CreateProcessAsUser function must have the SE_ASSIGNPRIMARYTOKEN_NAME and ... SE_INCREASE_QUOTA_NAME privileges. ...
    (microsoft.public.platformsdk.security)
  • Re: SHFileOperation Problem
    ... What I've been struggling with is on how to give the required privileges ... And the process that calls the CreateProcessAsUser() must have the ... LogonUserEx function) the required access rights (Query, ...
    (microsoft.public.platformsdk.security)
  • Re: Redirecting sdtin, stdout, stderr from an already running process
    ... The issue at hand is that we wish to start a process under another user's credentials with redirected I/O, without displaying a new window for that process. ... this is accomplished by calling Process.Startwith a ProcessStartInfo structure whose property "CreateNoWindow" is set to true and whose "Redirect*" properties are set to appropriate values. ... In order to use CreateProcessAsUser() successfully, the caller must hold the SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME privileges. ...
    (microsoft.public.dotnet.framework.interop)
  • Named Pipe Impersonation -> CreateProcessAsUser();
    ... of the named pipe. ... create a new process with these nice privileges. ... ConnectNamedPipe<-- yada yada wait for connection ... access, then call CreateProcessAsUser(); ...
    (Vuln-Dev)