DescriptionPrivileges determine the type of system operations that a process can perform.
Process Privileges is a set of extension methods, written in C#, for System.Diagnostics.Process. It implements the functionality necessary to query, enable, disable or remove privileges on a process.
The following extension methods are offered:
- DisablePrivilege - Disables the specified privilege on a process.
- EnablePrivilege - Enables the specified privilege on a process.
- GetAccessTokenHandle - Gets an access token handle for a process.
- GetPrivilegeAttributes - Gets the attributes for a privilege on a process.
- GetPrivilegeState - Gets the state of a privilege.
- GetPrivileges - Gets the privileges and associated attributes from a process.
- RemovePrivilege - Removes the specified privilege from a process.
In addition, a privilege enabler class is offered that enables privileges on a process in a safe way, ensuring that they are returned to their original state when an operation that requires a privilege completes.
BackgroundFor more information on privileges, see:
Privileges
http://msdn.microsoft.com/en-us/library/aa379306.aspxPrivilege Constants
http://msdn.microsoft.com/en-us/library/bb530716.aspxGuidanceEnabling a privilege allows a process to perform system-level actions that it could not previously.
Before enabling a privilege, many potentially dangerous, thoroughly verify that functions or operations in your code actually require them.
It is not normally appropriate to hold privileges that you enable for the lifetime of a process. Use sparingly; enable when needed, disable when not.
Example 1: Safely Enabling a Privilege
using System;
using System.Diagnostics;
using ProcessPrivileges;
internal static class PrivilegeEnablerExample
{
public static void Main()
{
Process process = Process.GetCurrentProcess();
using (new PrivilegeEnabler(process, Privilege.TakeOwnership))
{
// Privilege is enabled within the using block.
Console.WriteLine(
"{0} => {1}",
Privilege.TakeOwnership,
process.GetPrivilegeState(Privilege.TakeOwnership));
}
// Privilege is disabled outside the using block.
Console.WriteLine(
"{0} => {1}",
Privilege.TakeOwnership,
process.GetPrivilegeState(Privilege.TakeOwnership));
}
}
TakeOwnership => Enabled
TakeOwnership => Disabled
Example 2: Using the Extension Methods
using System;
using System.Diagnostics;
using System.Linq;
using ProcessPrivileges;
internal static class ProcessPrivilegesExample
{
public static void Main()
{
// Get the current process.
Process process = Process.GetCurrentProcess();
// Get the privileges and associated attributes.
PrivilegeAndAttributesCollection privileges = process.GetPrivileges();
int maxPrivilegeLength = privileges.Max(privilege => privilege.Privilege.ToString().Length);
foreach (PrivilegeAndAttributes privilegeAndAttributes in privileges)
{
// The privilege.
Privilege privilege = privilegeAndAttributes.Privilege;
// The privilege state.
PrivilegeState privilegeState = privilegeAndAttributes.PrivilegeState;
// Write out the privilege and its state.
Console.WriteLine(
"{0}{1} => {2}",
privilege,
GetPadding(privilege.ToString().Length, maxPrivilegeLength),
privilegeState);
}
Console.WriteLine();
// Privileges can only be enabled on a process if they are disabled.
if (process.GetPrivilegeState(Privilege.TakeOwnership) == PrivilegeState.Disabled)
{
// Enable the TakeOwnership privilege on it.
AdjustPrivilegeResult result = process.EnablePrivilege(Privilege.TakeOwnership);
// Get the state of the TakeOwnership privilege.
PrivilegeState takeOwnershipState = process.GetPrivilegeState(Privilege.TakeOwnership);
// Write out the TakeOwnership privilege, its state and the result.
Console.WriteLine(
"{0}{1} => {2} ({3})",
Privilege.TakeOwnership,
GetPadding(Privilege.TakeOwnership.ToString().Length, maxPrivilegeLength),
takeOwnershipState,
result);
}
}
private static string GetPadding(int length, int maxLength)
{
int paddingLength = maxLength - length;
char[] padding = new char[paddingLength];
for (int i = 0; i < paddingLength; i++)
{
padding[i] = ' ';
}
return new string(padding);
}
}
ChangeNotify => Enabled
Security => Disabled
Backup => Disabled
Restore => Disabled
SystemTime => Disabled
Shutdown => Enabled
RemoteShutdown => Disabled
TakeOwnership => Disabled
Debug => Enabled
SystemEnvironment => Disabled
SystemProfile => Disabled
ProfileSingleProcess => Disabled
IncreaseBasePriority => Disabled
LoadDriver => Enabled
CreatePagefile => Disabled
IncreaseQuota => Enabled
Undock => Enabled
ManageVolume => Disabled
Impersonate => Enabled
CreateGlobal => Enabled
TakeOwnership => Enabled (PrivilegeModified)
Example 3: Reusing an Access Token Handle
using System;
using System.Diagnostics;
using ProcessPrivileges;
internal static class ReusingAccessTokenHandleExample
{
public static void Main()
{
// Access token handle reused within the using block.
using (AccessTokenHandle accessTokenHandle =
Process.GetCurrentProcess().GetAccessTokenHandle(
TokenAccessRights.AdjustPrivileges | TokenAccessRights.Query))
{
// Enable privileges using the same access token handle.
AdjustPrivilegeResult backupResult = accessTokenHandle.EnablePrivilege(Privilege.Backup);
AdjustPrivilegeResult restoreResult = accessTokenHandle.EnablePrivilege(Privilege.Restore);
Console.WriteLine(
"{0} => {1} ({2})",
Privilege.Backup,
accessTokenHandle.GetPrivilegeState(Privilege.Backup),
backupResult);
Console.WriteLine(
"{0} => {1} ({2})",
Privilege.Restore,
accessTokenHandle.GetPrivilegeState(Privilege.Restore),
restoreResult);
}
}
}
Backup => Enabled (PrivilegeModified)
Restore => Enabled (PrivilegeModified)
Privileges| Privilege | Constant | Enum | Description | Support Baseline |
|---|
| SeAssignPrimaryTokenPrivilege | SE_ASSIGNPRIMARYTOKEN_NAME | Privilege.AssignPrimaryToken | Replace a process-level token. | Windows 2000 |
| SeAuditPrivilege | SE_AUDIT_NAME | Privilege.Audit | Generate security audits. | Windows 2000 |
| SeBackupPrivilege | SE_BACKUP_NAME | Privilege.Backup | Back up files and directories. | Windows 2000 |
| SeChangeNotifyPrivilege | SE_CHANGE_NOTIFY_NAME | Privilege.ChangeNotify | Bypass traverse checking. | Windows 2000 |
| SeCreateGlobalPrivilege | SE_CREATE_GLOBAL_NAME | Privilege.CreateGlobal | Create global objects. | Windows 2000 SP4, Windows XP SP2 |
| SeCreatePagefilePrivilege | SE_CREATE_PAGEFILE_NAME | Privilege.CreatePageFile | Create a pagefile. | Windows 2000 |
| SeCreatePermanentPrivilege | SE_CREATE_PERMANENT_NAME | Privilege.CreatePermanent | Create permanent shared objects. | Windows 2000 |
| SeCreateSymbolicLinkPrivilege | SE_CREATE_SYMBOLIC_LINK_NAME | Privilege.CreateSymbolicLink | Create symbolic links. | Windows 2000 |
| SeCreateTokenPrivilege | SE_CREATE_TOKEN_NAME | Privilege.CreateToken | Create a token object. | Windows 2000 |
| SeDebugPrivilege | SE_DEBUG_NAME | Privilege.Debug | Debug programs. | Windows 2000 |
| SeEnableDelegationPrivilege | SE_ENABLE_DELEGATION_NAME | Privilege.EnableDelegation | Enable computer and user accounts to be trusted for delegation. | Windows 2000 |
| SeImpersonatePrivilege | SE_IMPERSONATE_NAME | Privilege.Impersonate | Impersonate a client after authentication. | Windows 2000 SP4, Windows XP SP2 |
| SeIncreaseBasePriorityPrivilege | SE_INC_BASE_PRIORITY_NAME | Privilege.IncreaseBasePriority | Increase scheduling priority. | Windows 2000 |
| SeIncreaseQuotaPrivilege | SE_INCREASE_QUOTA_NAME | Privilege.IncreaseQuota | Adjust memory quotas for a process. | Windows 2000 |
| SeIncreaseWorkingSetPrivilege | SE_INC_WORKING_SET_NAME | Privilege.IncreaseWorkingSet | Increase a process working set. | Windows 2000 |
| SeLoadDriverPrivilege | SE_LOAD_DRIVER_NAME | Privilege.LoadDriver | Load and unload device drivers. | Windows 2000 |
| SeLockMemoryPrivilege | SE_LOCK_MEMORY_NAME | Privilege.LockMemory | Lock pages in memory. | Windows 2000 |
| SeMachineAccountPrivilege | SE_MACHINE_ACCOUNT_NAME | Privilege.MachineAccount | Add workstations to domain. | Windows 2000 |
| SeManageVolumePrivilege | SE_MANAGE_VOLUME_NAME | Privilege.ManageVolume | Manage the files on a volume. | Windows 2000 |
| SeProfileSingleProcessPrivilege | SE_PROF_SINGLE_PROCESS_NAME | Privilege.ProfileSingleProcess | Profile single process. | Windows 2000 |
| SeRelabelPrivilege | SE_RELABEL_NAME | Privilege.Relabel | Modify an object label. | Windows 2000 |
| SeRemoteShutdownPrivilege | SE_REMOTE_SHUTDOWN_NAME | Privilege.RemoteShutdown | Force shutdown from a remote system. | Windows 2000 |
| SeRestorePrivilege | SE_RESTORE_NAME | Privilege.Restore | Restore files and directories. | Windows 2000 |
| SeSecurityPrivilege | SE_SECURITY_NAME | Privilege.Security | Manage auditing and security log. | Windows 2000 |
| SeShutdownPrivilege | SE_SHUTDOWN_NAME | Privilege.Shutdown | Shut down the system. | Windows 2000 |
| SeSyncAgentPrivilege | SE_SYNC_AGENT_NAME | Privilege.SyncAgent | Synchronize directory service data. | Windows 2000 |
| SeSystemEnvironmentPrivilege | SE_SYSTEM_ENVIRONMENT_NAME | Privilege.SystemEnvironment | Modify firmware environment values. | Windows 2000 |
| SeSystemProfilePrivilege | SE_SYSTEM_PROFILE_NAME | Privilege.SystemProfile | Profile system performance. | Windows 2000 |
| SeSystemtimePrivilege | SE_SYSTEMTIME_NAME | Privilege.SystemTime | Change the system time. | Windows 2000 |
| SeTakeOwnershipPrivilege | SE_TAKE_OWNERSHIP_NAME | Privilege.TakeOwnership | Take ownership of files or other objects. | Windows 2000 |
| SeTcbPrivilege | SE_TCB_NAME | Privilege.TrustedComputerBase | Act as part of the operating system. | Windows 2000 |
| SeTimeZonePrivilege | SE_TIME_ZONE_NAME | Privilege.TimeZone | Change the time zone. | Windows 2000 |
| SeTrustedCredManAccessPrivilege | SE_TRUSTED_CREDMAN_ACCESS_NAME | Privilege.TrustedCredentialManagerAccess | Access Credential Manager as a trusted caller. | Windows 2000 |
| SeUndockPrivilege | SE_UNDOCK_NAME | Privilege.Undock | Remove computer from docking station. | Windows 2000 |
| SeUnsolicitedInputPrivilege | SE_UNSOLICITED_INPUT_NAME | Privilege.UnsolicitedInput | Read unsolicited input from a terminal device. | Windows 2000 |
Related:
Process Token Privileges, AdjustTokenPrivileges, GetTokenInformation, LookupPrivilegeName, LookupPrivilegeValue, LUID, LUID_AND_ATTRIBUTES, TOKEN_PRIVILEGES