Thanks everyone…I got it working. If anyone is looking for some code
to do what I was attempting to do…here is what I used.
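#include <windows.h>
#include <tchar.h>

// Enable the named privilege (for example SE_LOAD_DRIVER_NAME) in the
// current process token. Returns 0 on success or a Win32 error code.
DWORD EnablePrivilege(TCHAR * privilegeStr)
{
    HANDLE hToken;            // process token
    TOKEN_PRIVILEGES tp;      // token privileges
    TOKEN_PRIVILEGES oldtp;   // old token privileges
    DWORD dwSize = sizeof (TOKEN_PRIVILEGES);
    LUID luid;
    DWORD dwRet;

    if (!OpenProcessToken (GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES |
        TOKEN_QUERY, &hToken))
    {
        return GetLastError();
    }

    // Translate the privilege name into its LUID on the local system
    // if (!LookupPrivilegeValue(NULL, _T("SeLoadDriverPrivilege"), &luid))
    if (!LookupPrivilegeValue(NULL, privilegeStr, &luid))
    {
        dwRet = GetLastError();
        CloseHandle (hToken);
        return dwRet;
    }

    ZeroMemory (&tp, sizeof (tp));
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // Adjust Token privileges
    if (!AdjustTokenPrivileges (hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES),
        &oldtp, &dwSize))
    {
        dwRet = GetLastError();
        CloseHandle (hToken);
        return dwRet;
    }

    // AdjustTokenPrivileges also returns TRUE when the token does not hold
    // the privilege; GetLastError() is then ERROR_NOT_ALL_ASSIGNED, and
    // ERROR_SUCCESS (0) only if the privilege was really enabled.
    dwRet = GetLastError();
    CloseHandle (hToken);
    return dwRet;
}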
“Tony Mason” wrote in message news:xxxxx@ntfsd…
You are missing my point. Adding the privilege to the token is not the
same as enabling it:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secbp/security/changing_privileges_in_a_token.asp
contains information about the distinction here. This link:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/adjusttokenprivileges.asp
contains information about how to adjust them.
Just because you ADD a privilege to an account/group (and hence it is
added to the token of the process when created) doesn’t mean it is
programmatically enabled. ESPECIALLY for services, any “non-essential”
privileges are disabled by default. Processes that need those privileges
may enable them, perform the privileged operation, and then disable
them.
You’ve administratively made the privilege available, but you still
aren’t programmatically enabling it. Solution: add code to your service
to enable the privilege.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gene Allen
Sent: Friday, August 19, 2005 6:58 PM
To: ntfsd redirect
Subject: Re:[ntfsd] FilterLoad in a Service?
Thanks Tony, I guess it’s time for my weekly problem.
When I run the service in “debug mode” (console) under my credentials it
works correctly, but when I use those credentials on the service it
fails.
My credentials put me in the Local Administrators group.
To answer your question, I’m setting the “Load and unload device
drivers” in SecPol.msc
“Tony Mason” wrote in message news:xxxxx@ntfsd…
Are you sure that the privilege is enabled? Just because a privilege is
available doesn’t equate to enabled. There must be a Win32 way to
enable privileges (the FSD way is to call NtAdjustPrivilegesToken).
Regards
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gene Allen
Sent: Friday, August 19, 2005 6:41 PM
To: ntfsd redirect
Subject: [ntfsd] FilterLoad in a Service?
Does anyone know why I can’t do a FilterLoad in a Windows Service? I’ve
tried running the service under all sorts of credentials…Administrator,
LocalMachine, a user in the administrator group.
And in every case I get:
8/19/2005 5:23:28 PM FilterLoad failed with HR = 0x80070522
which as far as I can tell is ERROR_PRIVILEGE_NOT_HELD
OK…that makes sense since the documentation says that I need to have
SeLoadDriverPrivilege to use FilterLoad. I checked and I do…in fact I
gave that privilege to Everyone, Guest and every other group I could
find on the machine…Still got the same error.
I’m sure that it’s something simple and I’ve been just staring at it
for too long but I can’t seem to figure it out.
code snippet:
void CService::ServiceMain(DWORD dwArgc, LPTSTR lpszArgv)
{
    gTraceLog.OnStartup();
    HRESULT hr = FilterLoad(_T("BssAt"));
    if (FAILED(hr))
    {
        gTraceLog.Write(_T("FilterLoad failed with HR = 0x%lx"), hr);
    }
    .
    .
    .
Thanks everyone,
Gene
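The distinction drawn in this thread, a privilege assigned through SecPol.msc versus one actually enabled in the token, can be checked from the command line. The PowerShell below is an added example, not code from the thread: it decodes the HRESULT and reads `whoami /priv /fo csv` output. The function name Get-PrivilegeDiagnosis and the sample CSV are constructed for illustration and assume English-language `whoami` output.

```powershell
# Added example; Get-PrivilegeDiagnosis is a hypothetical helper name.
# Constructed sample of `whoami /priv /fo csv` output (English-language system).
$sampleCsv = @'
"Privilege Name","Description","State"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
"SeLoadDriverPrivilege","Load and unload device drivers","Disabled"
'@ -split "`r?`n"

function Get-PrivilegeDiagnosis {
    param(
        [Parameter(Mandatory)] [int]      $HResult,    # e.g. 0x80070522
        [Parameter(Mandatory)] [string]   $Privilege,  # e.g. SeLoadDriverPrivilege
        [Parameter(Mandatory)] [string[]] $WhoamiCsv   # lines of whoami /priv /fo csv
    )
    # Split the HRESULT: bits 16-28 are the facility, bits 0-15 the code.
    $facility = ($HResult -shr 16) -band 0x1FFF
    $code     = $HResult -band 0xFFFF
    # FACILITY_WIN32 = 7, ERROR_PRIVILEGE_NOT_HELD = 1314 (0x522)
    if ($facility -ne 7 -or $code -ne 1314) {
        return "HRESULT is not ERROR_PRIVILEGE_NOT_HELD (facility $facility, code $code)"
    }
    # Find the privilege in the token listing, if it is there at all.
    $row = $WhoamiCsv | ConvertFrom-Csv |
           Where-Object { $_.'Privilege Name' -eq $Privilege }
    if (-not $row) {
        return "$Privilege is missing from the token: assign the user right, then restart the service so it gets a new token"
    }
    if ($row.State -eq 'Disabled') {
        return "$Privilege is in the token but disabled: enable it with AdjustTokenPrivileges"
    }
    return "$Privilege is already enabled in this token"
}

Get-PrivilegeDiagnosis -HResult 0x80070522 -Privilege SeLoadDriverPrivilege -WhoamiCsv $sampleCsv
# To check a live token instead of the sample, pass: (whoami /priv /fo csv)
```

`whoami` reports the token of the process that launches it, so for a service the live check has to run in the service's own logon context.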
—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com