I'm working on enumerating instances of iexplore.exe across all users. I'm able to get a list of the matching processes on the machine, but to identify the user, I need to use OpenProcess. This works on my own instances, but even with Run as Administrator and EnableDebugPriv, I'm still getting the access denied message. Am I missing something? Is iexplore.exe somehow protected?

Here's what I'm using for the debug priv:

```cpp
#include <windows.h>
#include <tchar.h>
#include <stdio.h>

void EnableDebugPriv()
{
    HANDLE hToken;
    LUID luid;
    TOKEN_PRIVILEGES tkp;

    // Note: the return value of OpenProcessToken is not checked here.
    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);

    // Resolve the LUID for SeDebugPrivilege.
    if (!::LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
    {
        wprintf(_T("ERROR %u\n"),GetLastError());
        CloseHandle(hToken);
        return;
    }

    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = luid;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // Only the BOOL result is tested; GetLastError() is not read on success.
    if (!::AdjustTokenPrivileges(hToken, false, &tkp, sizeof(tkp), NULL, NULL))
    {
        wprintf(_T("ERROR %u\n"),GetLastError());
        CloseHandle(hToken);
        return;
    }

    CloseHandle(hToken);
    wprintf(_T("Should have worked"));
}
```

No errors occur when I run this. The ACCESS DENIED error occurs when I run

```cpp
hProcess = OpenProcess( PROCESS_QUERY_INFORMATION|PROCESS_VM_READ|PROCESS_TERMINATE , FALSE, pe32.th32ProcessID );
```

for processes that don't belong to me. The "other" users are Standard and Guest accounts created on this machine in a normal way from Control Panel. Any ideas would be much appreciated. I'm stuck! Ultimately I want to offer the user the ability to shut down the app, but even with just PROCESS_QUERY_LIMITED_INFORMATION it fails. I still need to check if this is the problem with other applications besides IE.

Update: I ultimately got this to work. The error was in OpenProcessToken instead. And I needed a different privilege than I asked for.

tofutim
  • Even if you managed to get this to work, what do you intend to do with the process handle? – Raymond Chen Jul 19 '12 at 00:48
  • Hi, I got this to work. I needed it to locate the user of the process. – tofutim Jul 19 '12 at 20:04
  • If all you want is to identify the user that owns the process, then you don't need to open the process at all. Use `WTSEnumerateProcesses`. It returns you all the processes, their names, and their owners - all at one shot. – Raymond Chen Jul 19 '12 at 21:33
  • Wow, I didn't even know that. That's fantastic. – tofutim Jul 19 '12 at 23:21
  • Wait, apparently WTSEnumerateProcesses is limited in XP. – tofutim Jul 19 '12 at 23:22
  • @tofutim What privilege did you ask for in OpenProcessInformation? – Adrian Ratnapala Feb 27 '13 at 14:13
  • @tofutim, well the real question in here is what was the incorrect privilege and what was the problem with "OpenProcessToken"? You see, StackOverflow is a place to share information as well as to ask for help. And I am asking for help now :| – Soroush Falahati Apr 25 '16 at 13:08
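
A version of the privilege helper from the question that cannot fail silently, as an added example that is not the asker's code and not the fix they eventually used (the page does not show it). It checks `OpenProcessToken` and separates a privilege the token does not hold (`ERROR_NOT_ALL_ASSIGNED`) from one that was enabled; the names `enable_privilege`, `classify_adjust` and `priv_status` are hypothetical.

```c
#include <stdio.h>

typedef enum { PRIV_ENABLED, PRIV_NOT_HELD, PRIV_API_FAILED } priv_status;

/* Value of ERROR_NOT_ALL_ASSIGNED (winerror.h), repeated so that
   classify_adjust builds without the Windows headers. */
#define NOT_ALL_ASSIGNED 1300UL

/* AdjustTokenPrivileges returns nonzero even when the token does not hold
   the requested privilege; only the last-error value separates the cases. */
priv_status classify_adjust(int api_ok, unsigned long last_error)
{
    if (!api_ok) return PRIV_API_FAILED;
    return last_error == NOT_ALL_ASSIGNED ? PRIV_NOT_HELD : PRIV_ENABLED;
}

#ifdef _WIN32
#include <windows.h>

/* Hypothetical helper: enable one named privilege on the current process token. */
priv_status enable_privilege(LPCTSTR name)
{
    HANDLE token;
    TOKEN_PRIVILEGES tp;
    BOOL ok;
    DWORD err;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token))
        return PRIV_API_FAILED;   /* the question's code ignored this result */

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValue(NULL, name, &tp.Privileges[0].Luid)) {
        CloseHandle(token);
        return PRIV_API_FAILED;
    }
    ok = AdjustTokenPrivileges(token, FALSE, &tp, sizeof(tp), NULL, NULL);
    err = GetLastError();         /* read before any other API call */
    CloseHandle(token);
    return classify_adjust(ok, err);
}

int main(void)
{
    static const char *text[] = { "enabled", "not held by this token", "API call failed" };
    printf("SeDebugPrivilege: %s\n", text[enable_privilege(SE_DEBUG_NAME)]);
    return 0;
}
#endif
```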

1 Answer

On Windows Vista and later, IE runs in Protected Mode as a Low-Integrity process. According to MSDN, non-protected processes have restricted access to protected processes, including PROCESS_QUERY_INFORMATION and PROCESS_VM_READ rights.

Remy Lebeau