QUICK QUESTION - I am a member of the local administrators group on a Windows Vista Machine. How can I check whether a process launched under my context is running under UAC or running elevated?
QUICK ANSWER - Attach a debugger to the process and run !token -n. If BUILTIN\Administrators appears in the group list with "Attributes - DenyOnly", the process is running under UAC with a filtered token (the group can only be used to deny access, never to grant it); in an elevated process that group is enabled rather than deny-only. See below -
0:001> !token -n
Thread is not impersonating. Using process token...
TS Session ID: 0x2
User: S-1-5-21-397955417-626881126-188441444-3417686 (User: DOMAIN\mithuns)
Groups:
 00 S-1-5-21-397955417-626881126-188441444-513 (Group: DOMAIN\Domain Users)
    Attributes - Mandatory Default Enabled
 01 S-1-1-0 (Well Known Group: localhost\Everyone)
    Attributes - Mandatory Default Enabled
 02 S-1-5-21-2509036279-1584907351-1836241972-1001 (Alias: MITHUNS7\Debugger Users)
    Attributes - Mandatory Default Enabled
 03 S-1-5-32-544 (Alias: BUILTIN\Administrators)
    Attributes - DenyOnly
 04 S-1-5-32-545 (Alias: BUILTIN\Users)
    Attributes - Mandatory Default Enabled
 : : :
QUICK QUESTION – When people talk about UAC, I often hear the term “split token”. What exactly is it?
QUICK ANSWER - When a process runs under UAC, some privileges are completely stripped out of the process token, which also means that you cannot call AdjustTokenPrivileges() to enable them. See below -
Token for elevated process
Privs:
 00 0x000000005 SeIncreaseQuotaPrivilege          Attributes -
 01 0x000000008 SeSecurityPrivilege               Attributes -
 02 0x000000009 SeTakeOwnershipPrivilege          Attributes -
 03 0x00000000a SeLoadDriverPrivilege             Attributes -
 04 0x00000000b SeSystemProfilePrivilege          Attributes -
 05 0x00000000c SeSystemtimePrivilege             Attributes -
 06 0x00000000d SeProfileSingleProcessPrivilege   Attributes -
 07 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes -
 08 0x00000000f SeCreatePagefilePrivilege         Attributes -
 09 0x000000011 SeBackupPrivilege                 Attributes -
 10 0x000000012 SeRestorePrivilege                Attributes -
 11 0x000000013 SeShutdownPrivilege               Attributes -
 12 0x000000014 SeDebugPrivilege                  Attributes -
 13 0x000000016 SeSystemEnvironmentPrivilege      Attributes -
 14 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default
 15 0x000000018 SeRemoteShutdownPrivilege         Attributes -
 16 0x000000019 SeUndockPrivilege                 Attributes -
 17 0x00000001c SeManageVolumePrivilege           Attributes -
 18 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default
 19 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default
 20 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes -
 21 0x000000022 SeTimeZonePrivilege               Attributes -
 22 0x000000023 SeCreateSymbolicLinkPrivilege     Attributes -

"SPLIT" token for process under UAC
Privs:
 00 0x000000013 SeShutdownPrivilege               Attributes -
 01 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default
 02 0x000000019 SeUndockPrivilege                 Attributes -
 03 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes -
 04 0x000000022 SeTimeZonePrivilege               Attributes -
All the privileges that appear only in the elevated token's list are missing from the UAC split token, which keeps just five of the original twenty-three (note that SeDebugPrivilege is absent too; hence the need to launch a debugger elevated).
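Added example (not code from the original post) that applies both answers above to the quoted !token output: it reads the group list to tell a filtered (split) token from an elevated one by the DenyOnly attribute on BUILTIN\Administrators, and diffs the two Privs lists to name the privileges the split token lost. The sample text is constructed by trimming the dumps quoted above; the regexes tolerate entries run together on one line, as they are in the post.

```python
import re

# Constructed sample input, trimmed from the '!token -n' dumps quoted in the post:
# the group list of a filtered (UAC) token, then the privilege lists of the full
# token and of the split token. Entries may run together on one line.
UAC_GROUPS = """Groups: 00 S-1-5-21-397955417-626881126-188441444-513 (Group: DOMAIN\\Domain Users) Attributes - Mandatory Default Enabled
 01 S-1-1-0 (Well Known Group: localhost\\Everyone) Attributes - Mandatory Default Enabled
 03 S-1-5-32-544 (Alias: BUILTIN\\Administrators) Attributes - DenyOnly
 04 S-1-5-32-545 (Alias: BUILTIN\\Users) Attributes - Mandatory Default Enabled"""
FULL_PRIVS = """Privs: 00 0x000000005 SeIncreaseQuotaPrivilege Attributes - 01 0x000000008 SeSecurityPrivilege Attributes -
 09 0x000000011 SeBackupPrivilege Attributes - 10 0x000000012 SeRestorePrivilege Attributes -
 11 0x000000013 SeShutdownPrivilege Attributes - 12 0x000000014 SeDebugPrivilege Attributes -
 14 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default 16 0x000000019 SeUndockPrivilege Attributes -
 18 0x00000001d SeImpersonatePrivilege Attributes - Enabled Default 20 0x000000021 SeIncreaseWorkingSetPrivilege Attributes -
 21 0x000000022 SeTimeZonePrivilege Attributes -"""
SPLIT_PRIVS = """Privs: 00 0x000000013 SeShutdownPrivilege Attributes - 01 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
 02 0x000000019 SeUndockPrivilege Attributes - 03 0x000000021 SeIncreaseWorkingSetPrivilege Attributes -
 04 0x000000022 SeTimeZonePrivilege Attributes -"""

ADMINS_SID = "S-1-5-32-544"  # BUILTIN\Administrators
# One group entry: index, SID, (name), then attribute words up to the next index.
GROUP_RE = re.compile(r"\d\d (S-1-[\d-]+) \(([^)]*)\) Attributes -((?:\s+(?!\d\d S-1-)\S+)*)")
# One privilege entry: index, LUID, name, then optional 'Enabled' / 'Default' words.
PRIV_RE = re.compile(r"\d\d 0x[0-9a-f]+ (Se\w+) Attributes -((?:\s+(?:Enabled|Default))*)")

def parse_groups(text):
    """Map each group SID in the dump to (display name, set of attribute words)."""
    return {sid: (name, set(attrs.split())) for sid, name, attrs in GROUP_RE.findall(text)}

def token_kind(groups_text):
    """'filtered' = UAC split token (Administrators is deny-only), 'elevated' =
    full admin token, 'not-admin' = the user is not an administrator at all."""
    groups = parse_groups(groups_text)
    if ADMINS_SID not in groups:
        return "not-admin"
    return "filtered" if "DenyOnly" in groups[ADMINS_SID][1] else "elevated"

def parse_privs(text):
    """Map each privilege name in the dump to its attribute words."""
    return {name: set(attrs.split()) for name, attrs in PRIV_RE.findall(text)}

def stripped_privileges(full_text, split_text):
    """Privileges in the full token that the split token lacks entirely; a process
    holding the split token cannot enable them with AdjustTokenPrivileges()."""
    return sorted(set(parse_privs(full_text)) - set(parse_privs(split_text)))

if __name__ == "__main__":
    print("token:", token_kind(UAC_GROUPS))
    print("stripped:", ", ".join(stripped_privileges(FULL_PRIVS, SPLIT_PRIVS)))
```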
Related Post - http://blogs.msdn.com/greggm/archive/2006/03/30/565303.aspx