  Message 1 of 6  
17 Mar 15 06:27
Igor B
xxxxxx@wp.pl
Join Date: 28 Aug 2014
Posts To This List: 8
Admin process in kernel mode

Hello, is there any way that I can check if a process is run by an administrator in kernel mode? I can't include windows.h to use the CheckTokenMembership function.
  Message 2 of 6  
17 Mar 15 06:56
Don Burn
xxxxxx@windrvr.com
Join Date: 23 Feb 2011
Posts To This List: 1352
Admin process in kernel mode

Look at SeSinglePrivilegeCheck

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com
  Message 3 of 6  
17 Mar 15 08:05
Maxim S. Shatskih
xxxxxx@storagecraft.com
Join Date: 20 Feb 2003
Posts To This List: 10396
Admin process in kernel mode

Modern Windows has SeTokenIsAdmin.
  Message 4 of 6  
17 Mar 15 08:45
Igor B
xxxxxx@wp.pl
Join Date: 28 Aug 2014
Posts To This List: 8
Admin process in kernel mode

And if I want to use the SeSinglePrivilegeCheck function, is there any privilege to determine whether it's an admin process or not? Or maybe I have to use e.g. SE_TAKE_OWNERSHIP_PRIVILEGE?
  Message 5 of 6  
17 Mar 15 09:14
Scott Noone
xxxxxx@osr.com
Join Date:
Posts To This List: 1335
List Moderator
Admin process in kernel mode

Individual privileges can be assigned to any user; there is no privilege that says "this is an admin". That's what the SIDs in the token are for: they indicate the user and member groups of the process's creator. As Max noted, SeTokenIsAdmin tells you if the token contains the SID for the local Administrators group. You could also roll your own equivalent (or additional) functionality by calling SeQueryInformationToken.

-scott
OSR
@OSRDrivers
  Message 6 of 6  
24 Mar 15 19:50
Alex Ionescu
xxxxxx@videotron.ca
Join Date: 23 Oct 2003
Posts To This List: 126
Admin process in kernel mode

Be very careful with SeTokenIsAdmin... until March 2015, the Windows 7 and down-level version of this function has a subtle security issue: it does not properly validate if the token is an impersonation token or not -- it is therefore the responsibility of the caller to check this before calling the function. 12 different vulnerable pieces of kernel code have already been fixed in the last 3-4 months to deal with this -- don't let your driver become part of the problem :) SeSinglePrivilegeCheck does not have this issue, but is obviously meant for different uses.

--
Best regards,
Alex Ionescu
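Added example, not code from the thread or from OSR: the "roll your own" group-SID check Scott describes in message 5, with the impersonation-token caveat from message 6 carried in the comments. It is written as portable C so it builds without the WDK: the SID, SID_AND_ATTRIBUTES and TOKEN_GROUPS definitions are simplified fixed-size stand-ins for the Windows layouts, SidsEqual stands in for RtlEqualSid, and both sample group lists are constructed. In a driver the real buffer comes from SeQueryInformationToken(Token, TokenGroups, ...) on the token returned by PsReferencePrimaryToken, after SeTokenType has confirmed it is a primary token.

```c
#include <stdint.h>
#include <string.h>

#define SE_GROUP_ENABLED           0x00000004u
#define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010u

/* Simplified fixed-size stand-ins for the Windows structures (assumption). */
typedef struct { uint8_t Revision, SubAuthorityCount, IdentifierAuthority[6];
                 uint32_t SubAuthority[8]; } SID;
typedef struct { const SID *Sid; uint32_t Attributes; } SID_AND_ATTRIBUTES;
typedef struct { uint32_t GroupCount; SID_AND_ATTRIBUTES Groups[8]; } TOKEN_GROUPS;

/* BUILTIN\Administrators = S-1-5-32-544; BUILTIN\Users = S-1-5-32-545. */
static const SID AdminsSid = { 1, 2, {0, 0, 0, 0, 0, 5}, {32, 544} };
static const SID UsersSid  = { 1, 2, {0, 0, 0, 0, 0, 5}, {32, 545} };

/* Stand-in for RtlEqualSid: revision, authority and sub-authorities must match. */
static int SidsEqual(const SID *a, const SID *b) {
    if (a->Revision != b->Revision || a->SubAuthorityCount != b->SubAuthorityCount)
        return 0;
    if (memcmp(a->IdentifierAuthority, b->IdentifierAuthority, 6) != 0)
        return 0;
    return memcmp(a->SubAuthority, b->SubAuthority,
                  a->SubAuthorityCount * sizeof(uint32_t)) == 0;
}

/* Returns 1 only if the Administrators SID is present AND enabled. A SID
 * flagged USE_FOR_DENY_ONLY (what UAC leaves in a filtered token) must not
 * count, so mere presence of the SID is not enough. In a driver, feed this a
 * TokenGroups buffer from SeQueryInformationToken, and only after SeTokenType
 * reports TokenPrimary, per Alex's impersonation-token warning above. */
int TokenGroupsHaveEnabledAdmins(const TOKEN_GROUPS *g) {
    for (uint32_t i = 0; i < g->GroupCount; i++) {
        const SID_AND_ATTRIBUTES *e = &g->Groups[i];
        if (!SidsEqual(e->Sid, &AdminsSid))
            continue;
        if (e->Attributes & SE_GROUP_USE_FOR_DENY_ONLY)
            return 0;                      /* admin SID present but deny-only */
        return (e->Attributes & SE_GROUP_ENABLED) ? 1 : 0;
    }
    return 0;                              /* admin SID absent */
}

/* Constructed sample group lists: an elevated token and a UAC-filtered one. */
static const TOKEN_GROUPS ElevatedToken = { 2, {
    { &UsersSid, SE_GROUP_ENABLED }, { &AdminsSid, SE_GROUP_ENABLED } } };
static const TOKEN_GROUPS FilteredToken = { 2, {
    { &UsersSid, SE_GROUP_ENABLED }, { &AdminsSid, SE_GROUP_USE_FOR_DENY_ONLY } } };
```

TokenGroupsHaveEnabledAdmins returns 1 for ElevatedToken and 0 for FilteredToken, which is the distinction a check built on SID presence alone would miss.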
Copyright ©2015, OSR Open Systems Resources, Inc.