User Account Control and Split Tokens.


 


QUICK QUESTION - I am a member of the local administrators group on a Windows Vista Machine. How can I check whether a process launched under my context is running under UAC or running elevated?


QUICK ANSWER -



  1. Launch the debugger elevated (a non-elevated debugger cannot attach to an elevated process, and the filtered token has no SeDebugPrivilege).
  2. Attach to the process and fix up symbols.
  3. Dump the process token with !token and look at the group SID S-1-5-32-544 (BUILTIN\Administrators): does it carry the DenyOnly attribute?
  4. If it does, the process is running with the filtered (non-elevated) UAC token. If the group is present and enabled, the process is running elevated.

A deny-only SID is not simply ignored: it still matches deny ACEs, so the filtered process is refused anything explicitly denied to Administrators while gaining none of the access granted to that group.


0:001> !token -n
Thread is not impersonating. Using process token...
TS Session ID: 0x2
User: S-1-5-21-397955417-626881126-188441444-3417686 (User: DOMAIN\mithuns)
Groups:
 00 S-1-5-21-397955417-626881126-188441444-513 (Group: DOMAIN\Domain Users)
    Attributes - Mandatory Default Enabled
 01 S-1-1-0 (Well Known Group: localhost\Everyone)
    Attributes - Mandatory Default Enabled
 02 S-1-5-21-2509036279-1584907351-1836241972-1001 (Alias: MITHUNS7\Debugger Users)
    Attributes - Mandatory Default Enabled
 03 S-1-5-32-544 (Alias: BUILTIN\Administrators)
    Attributes - DenyOnly
 04 S-1-5-32-545 (Alias: BUILTIN\Users)
    Attributes - Mandatory Default Enabled



(remaining !token output elided)



QUICK QUESTION – When people talk about UAC, I often hear the term “split token”. What exactly is it?


QUICK ANSWER - When a member of Administrators logs on with UAC enabled, the logon produces two linked tokens for the same user: the full administrator token and a filtered token in which the administrative group SIDs are marked deny-only and most privileges are removed. That linked pair is what people mean by the "split token". Processes you start normally get the filtered token; only processes that go through elevation get the full one. Because the privileges are stripped from the filtered token entirely rather than merely disabled, AdjustTokenPrivileges() cannot enable them: it only toggles privileges that are already in the token, and for one that is missing it returns TRUE with the last error set to ERROR_NOT_ALL_ASSIGNED. Compare the two privilege lists below -


 



Token for elevated process


Privs:
 00 0x000000005 SeIncreaseQuotaPrivilege          Attributes -
 01 0x000000008 SeSecurityPrivilege               Attributes -
 02 0x000000009 SeTakeOwnershipPrivilege          Attributes -
 03 0x00000000a SeLoadDriverPrivilege             Attributes -
 04 0x00000000b SeSystemProfilePrivilege          Attributes -
 05 0x00000000c SeSystemtimePrivilege             Attributes -
 06 0x00000000d SeProfileSingleProcessPrivilege   Attributes -
 07 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes -
 08 0x00000000f SeCreatePagefilePrivilege         Attributes -
 09 0x000000011 SeBackupPrivilege                 Attributes -
 10 0x000000012 SeRestorePrivilege                Attributes -
 11 0x000000013 SeShutdownPrivilege               Attributes -
 12 0x000000014 SeDebugPrivilege                  Attributes -
 13 0x000000016 SeSystemEnvironmentPrivilege      Attributes -
 14 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default
 15 0x000000018 SeRemoteShutdownPrivilege         Attributes -
 16 0x000000019 SeUndockPrivilege                 Attributes -
 17 0x00000001c SeManageVolumePrivilege           Attributes -
 18 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default
 19 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default
 20 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes -
 21 0x000000022 SeTimeZonePrivilege               Attributes -
 22 0x000000023 SeCreateSymbolicLinkPrivilege     Attributes -



"SPLIT" token for process under UAC


Privs:
 00 0x000000013 SeShutdownPrivilege               Attributes -
 01 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default
 02 0x000000019 SeUndockPrivilege                 Attributes -
 03 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes -
 04 0x000000022 SeTimeZonePrivilege               Attributes -



Every privilege in the first list that does not appear in the second has been removed from the filtered token; only five survive. Note that SeDebugPrivilege is among those removed, hence the need to launch the debugger elevated.
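Both checks on this page (the deny-only Administrators SID from the first answer, and the privileges that are missing outright from the filtered token in the second) can be made from inside a process with the Win32 token APIs instead of the debugger. The script below is an added example, not code from the original post. It uses ctypes against the documented advapi32/kernel32 functions, so read_token_groups(), read_token_privileges() and try_enable_privilege() need a Windows build of Python; classify_token() and privilege_state() are pure Python and take the same (SID, attributes) and (privilege name, attributes) data that !token prints, which is what the structure layouts from winnt.h are decoded into.

```python
# Added example, not from the original post: the same two checks done from inside a
# process with the Win32 token APIs via ctypes; only read_*/try_* need Windows.
import ctypes
import sys
from ctypes import POINTER, byref, c_int32, c_uint32, c_void_p, c_wchar_p

TOKEN_QUERY, TOKEN_ADJUST_PRIVILEGES = 0x0008, 0x0020   # winnt.h
TokenGroups, TokenPrivileges = 2, 3                     # TOKEN_INFORMATION_CLASS
SE_GROUP_ENABLED, SE_GROUP_USE_FOR_DENY_ONLY = 0x4, 0x10
SE_PRIVILEGE_ENABLED, ERROR_NOT_ALL_ASSIGNED = 0x2, 1300
ADMINS_SID = "S-1-5-32-544"                             # BUILTIN\Administrators

class LUID(ctypes.Structure):
    _fields_ = [("LowPart", c_uint32), ("HighPart", c_int32)]
class LUID_AND_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Luid", LUID), ("Attributes", c_uint32)]
class SID_AND_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Sid", c_void_p), ("Attributes", c_uint32)]
class TOKEN_GROUPS(ctypes.Structure):      # ctypes pads Groups to pointer alignment, as C does
    _fields_ = [("GroupCount", c_uint32), ("Groups", SID_AND_ATTRIBUTES * 1)]
class TOKEN_PRIVILEGES(ctypes.Structure):
    _fields_ = [("PrivilegeCount", c_uint32), ("Privileges", LUID_AND_ATTRIBUTES * 1)]

def classify_token(groups):
    """groups: (sid_string, attributes) pairs as in TOKEN_GROUPS or the !token dump."""
    for sid, attrs in groups:
        if sid == ADMINS_SID:
            if attrs & SE_GROUP_USE_FOR_DENY_ONLY:
                return "filtered"      # UAC split token: SID matches deny ACEs only
            if attrs & SE_GROUP_ENABLED:
                return "elevated"      # full administrator token
    return "not-admin"                 # Administrators absent (or present but disabled)

def privilege_state(privs, name):
    """privs: name -> attributes.  'absent' = stripped from the token, not just disabled."""
    if name not in privs:
        return "absent"
    return "enabled" if privs[name] & SE_PRIVILEGE_ENABLED else "disabled"

def _open_token(access):
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetCurrentProcess.restype = c_void_p            # pseudo-handle is pointer-sized
    adv.OpenProcessToken.argtypes = [c_void_p, c_uint32, POINTER(c_void_p)]
    adv.ConvertSidToStringSidW.argtypes = [c_void_p, POINTER(c_wchar_p)]
    tok = c_void_p()
    if not adv.OpenProcessToken(k32.GetCurrentProcess(), access, byref(tok)):
        raise ctypes.WinError(ctypes.get_last_error())
    return adv, k32, tok

def _token_info(info_class):
    adv, k32, tok = _open_token(TOKEN_QUERY)
    needed = c_uint32()
    adv.GetTokenInformation(tok, info_class, None, 0, byref(needed))   # size probe
    buf = ctypes.create_string_buffer(needed.value)
    ok = adv.GetTokenInformation(tok, info_class, buf, needed.value, byref(needed))
    k32.CloseHandle(tok)
    if not ok:
        raise ctypes.WinError(ctypes.get_last_error())
    return adv, k32, buf

def read_token_groups():
    adv, k32, buf = _token_info(TokenGroups)
    n = TOKEN_GROUPS.from_buffer(buf).GroupCount
    out = []
    for g in (SID_AND_ATTRIBUTES * n).from_buffer(buf, TOKEN_GROUPS.Groups.offset):
        s = c_wchar_p()
        if not adv.ConvertSidToStringSidW(g.Sid, byref(s)):
            raise ctypes.WinError(ctypes.get_last_error())
        out.append((s.value, g.Attributes))
        k32.LocalFree(s)
    return out

def read_token_privileges():
    adv, k32, buf = _token_info(TokenPrivileges)
    n = TOKEN_PRIVILEGES.from_buffer(buf).PrivilegeCount
    out = {}
    for p in (LUID_AND_ATTRIBUTES * n).from_buffer(buf, TOKEN_PRIVILEGES.Privileges.offset):
        name, size = ctypes.create_unicode_buffer(256), c_uint32(256)   # names are short
        if not adv.LookupPrivilegeNameW(None, byref(p.Luid), name, byref(size)):
            raise ctypes.WinError(ctypes.get_last_error())
        out[name.value] = p.Attributes
    return out

def try_enable_privilege(name):
    """(api_returned_true, last_error); a missing privilege gives (True, ERROR_NOT_ALL_ASSIGNED)."""
    adv, k32, tok = _open_token(TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES)
    tp = TOKEN_PRIVILEGES(PrivilegeCount=1)
    if not adv.LookupPrivilegeValueW(None, name, byref(tp.Privileges[0].Luid)):
        raise ctypes.WinError(ctypes.get_last_error())
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED
    ok = adv.AdjustTokenPrivileges(tok, 0, byref(tp), 0, None, None)
    err = ctypes.get_last_error()
    k32.CloseHandle(tok)
    return bool(ok), err

if __name__ == "__main__" and sys.platform.startswith("win"):
    print("token:", classify_token(read_token_groups()))
    print("SeDebugPrivilege:", privilege_state(read_token_privileges(), "SeDebugPrivilege"))
    print("AdjustTokenPrivileges(SeDebugPrivilege) ->", try_enable_privilege("SeDebugPrivilege"))
```

Run it once from a normal console and once from a console started with Run as administrator. The first run reports the filtered token, SeDebugPrivilege absent, and AdjustTokenPrivileges() returning True with last error 1300 (ERROR_NOT_ALL_ASSIGNED); the second reports the full token with the privilege present but disabled, which AdjustTokenPrivileges() can then enable. The TRUE-plus-ERROR_NOT_ALL_ASSIGNED combination is the trap: code that only checks the return value believes it holds a privilege the filtered token never had.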


Related Post - http://blogs.msdn.com/greggm/archive/2006/03/30/565303.aspx


 


 

Comments (1)

  1. Thottams says:

    Great posts Mithun. I enjoyed reading them and it is very informative as well.
