3

please advise for the error indicated in the code below, why this happens? I'm new to C++.

I had a look on StackO, and MSDN also (link for example) but they've not helpful to me as I can't figure out what I'm doing wrong.

HANDLE hToken;

if (!OpenProcessToken(GetCurrentProcess(), 
    TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) 
{
    return FALSE;
}

{
SetPrivilege(hToken,L"SeBackupPrivilege",1 );

BOOL SetPrivilege(
HANDLE hToken,          // access token handle
LPCTSTR lpszPrivilege,  // name of privilege to enable/disable
BOOL bEnablePrivilege   // to enable or disable privilege
) 
{
TOKEN_PRIVILEGES tp;
DWORD cb=sizeof(TOKEN_PRIVILEGES);
LUID luid;

if ( !LookupPrivilegeValue( 
        NULL,            // lookup privilege on local system
        lpszPrivilege,   // privilege to lookup 
        &luid ) )        // receives LUID of privilege
{
    printf("LookupPrivilegeValue error: %u\n", GetLastError() ); 
    return FALSE; 
}

tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
    tp.Privileges[0].Attributes = 0;

// Enable the privilege or disable all privileges.

   if ( !AdjustTokenPrivileges(
       hToken, 
       FALSE, 
       &tp, 
       cb, 
       NULL, 
       NULL) )
{ 
      printf("AdjustTokenPrivileges error: %u\n", GetLastError() ); 
      return FALSE; 
} 

if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) // This is True. Why??

{
      printf("The token does not have the specified privilege. \n");
      return FALSE;

    /*
    The token does not have one or more of the privileges specified in the NewState parameter. 
    The function may succeed with this error value even if no privileges were adjusted. 
    The PreviousState parameter indicates the privileges that were adjusted.
    */
} 

return TRUE;
}
unseen_rider
  • 324
  • 5
  • 23
  • cb parameter seems wrong to me. You are not passing a previous state buffer as argument, so buffer size is zero. – sergiol Mar 16 '18 at 09:59

2 Answers2

5

You can't grant yourself privileges that you don't already have. Some other process (with higher privileges) has to grant them to you.

Eric Brown
  • 13,774
  • 7
  • 30
  • 71
  • @NickProwse - What exactly are you trying to do that you need to grant backup privileges to some process? – Eric Brown Aug 03 '13 at 06:14
  • I'm needing to backup the registry, which I understand I need the process to have `SeBackupPrivilege` to do this. – unseen_rider Aug 03 '13 at 10:51
  • @NickProwse And is this process running elevated? – Eric Brown Aug 03 '13 at 17:09
  • No I don't think it is currently. Does it need to be? – unseen_rider Aug 03 '13 at 19:56
  • @NickProwse Typically, yes. Even when you're running as admin, processes have a reduced set of privileges; only when elevated do processes created by admin users have a full set of privileges. – Eric Brown Aug 03 '13 at 23:46
  • Privileges are not granted by other processes in a sense that another process could add them to your process. Privileges are added to the user account, and after login, the privileges are available in the token. gpedit.msc (GroupPolicyEditor) can modify the privileges e.g. – ChristianWimmer May 26 '14 at 10:55
2

A comment elsewhere on this page is not quite correct; you do not strictly need to be Elevated to acquire priviliges, as long as the prevailing User Account has the correct/corresponding User Rights Assignment abilities.

Specifically, an app can still use the default asInvoker manifest and indeed launch and then go on to make programmatic changes to "sensitive" settings, all without ever triggering the dreaded UAC prompt. But again, only for the designated user(s).

Run SecPol.msc and go to:

Security Settings \ Local Policies \ User Rights Assignment \ ...

enter image description here

Depending on exactly which Win32 APIs you subsequently attempt, the relevant privileges you need for "SeBackupPrivilege" are probably amongst the following:

Restore files and directories
Back up files and directories
Bypass traverse checking

Double-click on the text description of the User Rights Assignment policy you feel you should have, and click on Add User or Group... to add yourself (we'll have to assume that already you know how to find or select user(s) and group(s) in the byzantine security user interface)

                  ●       ●       ●

Related to "SeBackupPrivilege" is the "SeManageVolumePrivilege" privilege, which I happened to find more useful for my particular goals. This latter seems to require the "Perform volume maintenance tasks" ability to be added in the SecPol.msc utility shown here.

Glenn Slayden
  • 17,543
  • 3
  • 114
  • 108