Why does OpenProcess return access denied, even if I enable debug privilege?


Many customers ask something like this:

We want to get the creation time of a process, but our call to OpenProcess fails with ERROR_ACCESS_DENIED.

#include <windows.h>
#include <memory>

// Deleter for a raw kernel HANDLE. The `pointer` typedef makes the
// unique_ptr hold the HANDLE (a void*) itself rather than a HANDLE*.
struct KernelHandleDeleter
{
 using pointer = HANDLE;
 void operator()(HANDLE h) const noexcept
 {
  if (h != nullptr) CloseHandle(h);
 }
};

bool GetCreationTimeOfProcess(DWORD pid, FILETIME *creationTime)
{
 // Requests every right on the process; this is the call that fails
 // for a standard user.
 std::unique_ptr<HANDLE, KernelHandleDeleter>
    process(OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid));
 if (!process) {
  // GetLastError() returns ERROR_ACCESS_DENIED
  return false;
 }
 FILETIME exitTime, kernelTime, userTime;
 return GetProcessTimes(process.get(), creationTime,
                 &exitTime, &kernelTime, &userTime) != FALSE;
}

It works if the program is running as administrator, but not if the program is running as a standard user. We even enabled debug privilege, but that didn't help.

You don't have access because you don't have PROCESS_ALL_ACCESS permission on the process. PROCESS_ALL_ACCESS is a huge set of permissions, including WRITE_DAC (permission to change permissions), and if all you are doing is getting the process creation time, it's totally overkill. It's like getting power of attorney in order to be able to check someone's cell phone bill. All you need in order to check someone's cell phone bill is to be listed as an authorized person on their account. You don't need permission to make like-and-death decisions on their behalf.

Getting the creation time of a process requires only PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION access. So just ask for the minimum required to accomplish what you need; then you are more likely to get it.

bool GetCreationTimeOfProcess(DWORD pid, FILETIME *creationTime)
{
 // Ask only for the right GetProcessTimes actually needs.
 std::unique_ptr<HANDLE, KernelHandleDeleter>
    process(OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid));
 ...
}
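A practitioner's check for the point above, written as an added PowerShell example (not code from the original post): open one target process with each of the three access masks the article names and report which ones the current token actually obtains. The constants are the Win32 values; FILETIME is marshalled as a 64-bit integer, which has the same layout; the choice of winlogon as the target is an assumption, any process owned by another account will do.

```powershell
# Added example: probe which of the three access masks discussed above
# the current token can obtain on a process, and fetch the creation time
# through the least-privileged one that succeeds.
if (-not ('Win32.ProcProbe' -as [type])) {
    Add-Type -Namespace Win32 -Name ProcProbe -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessTimes(IntPtr hProcess, out long creation, out long exit, out long kernel, out long user);
'@
}

# Requested masks, from most to least privileged (Win32 header values).
$AccessMasks = [ordered]@{
    PROCESS_ALL_ACCESS                = [uint32]0x1FFFFF  # includes WRITE_DAC, WRITE_OWNER, VM_WRITE ...
    PROCESS_QUERY_INFORMATION         = [uint32]0x0400
    PROCESS_QUERY_LIMITED_INFORMATION = [uint32]0x1000    # all GetProcessTimes needs
}

function Test-ProcessAccess {
    param([Parameter(Mandatory)][uint32]$ProcessId)
    foreach ($name in $AccessMasks.Keys) {
        $h = [Win32.ProcProbe]::OpenProcess($AccessMasks[$name], $false, $ProcessId)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($h -eq [IntPtr]::Zero) {
            # 5 is ERROR_ACCESS_DENIED
            [pscustomobject]@{ Access = $name; Opened = $false; Detail = "Win32 error $err" }
            continue
        }
        $c = [long]0; $e = [long]0; $k = [long]0; $u = [long]0
        $ok = [Win32.ProcProbe]::GetProcessTimes($h, [ref]$c, [ref]$e, [ref]$k, [ref]$u)
        [void][Win32.ProcProbe]::CloseHandle($h)
        $detail = if ($ok) { "created $([DateTime]::FromFileTime($c))" } else { 'GetProcessTimes failed' }
        [pscustomobject]@{ Access = $name; Opened = $true; Detail = $detail }
    }
}

# Assumed target: a process owned by another account (the Windows logon process).
# Run this as a standard user and again elevated to see the difference.
$target = Get-Process -Name winlogon -ErrorAction SilentlyContinue | Select-Object -First 1
if ($target) { Test-ProcessAccess -ProcessId $target.Id | Format-Table -AutoSize }
```

The table shows directly why the customer's code fails: the broad mask is refused while the narrow one is granted, and the narrow one is still enough to read the creation time.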
Comments (21)
  1. Joshua says:

    Moderation is gonna be not so good for this blog. I know full well there’s interesting comments made and they’re not showing up yet.

    1. The rule is that your first comment is moderated. Once your first comment is approved, subsequent comments do not require approval.

      1. Vulpini says:

        Hm. I thought I saw an “awaiting moderation” message on the second comment I posted.

        Maybe it had something to do with the link in the comment? Test: https://www.google.com

        1. Vulpini says:

          Nope, that went through fine. Must be imagining things.

      2. Didn’t the old blog moderate all posts as well? I’m sure I always got an “awaiting moderation” message after posting.

    2. Antonio Rodríguez says:

      When I first read this article several hours ago (maybe one hour after its publication), there was no comment box, so it was impossible to comment. There must have been some problem with the new platform. Luckily, it seems to be solved now.

  2. Myria says:

    Oh lovely, protected processes. Did you guys know that in Vista, Microsoft rewrote how process creation worked, just for DRM reasons? This would be like Apple rewriting fork() and execve() to support iTunes DRM.

    1. If I remember correctly Microsoft wasn’t very happy about this “feature” or the work surrounding it. It was mostly content publication companies that were driving the requirement.

    2. Joshua says:

      I could say a lot of technical things about protected processes, but it’s not a preferred topic here anymore, so it’s better to just drop it. I wouldn’t be replying at all except I don’t remember you being here the last time it came up.

  3. — “make like-and-death decisions”
    I really hope this a typo, say, for an expression I am yet unaware of. (Or a typo for “life or death decision”.)

    1. Brian_EE says:

      Nah, you either like something or you kill it.

    2. A quick Google ngram search suggests that “life and death decision” is about as common overall as “life or death decision”. As far as I know they mean the same thing. (The latter was somewhat more common circa 1980, but the former has since overtaken it.)

      1. GregM says:

        Harry, it wasn’t about and vs or, it was about it being like instead of life.

        1. True. I wasn’t nitpicking on some marginal grammatical or discourse analytical point.

          Brian nailed it. Some typos might give themselves the impression that they are not typos at all.

        2. Ah. My mistake; I didn’t even notice the typo when you repeated it.

          1. GWO says:

            Whereas everyone knows the real phrase is “Cake-or-Death scenario”

  4. Hmmm. It’s true that requesting PROCESS_ALL_ACCESS is the wrong thing to do, but it’s still interesting that debug privilege doesn’t work. (Assuming for the sake of argument that this is actually true; I believe debug privilege causes UAC to generate a split token, and this is often overlooked.)

    My guess: WRITE_DAC and WRITE_OWNER require the corresponding privileges, SeRestorePrivilege and SeTakeOwnershipPrivilege, rather than SeDebugPrivilege. Even when dealing with a process.

  5. Medinoc says:

    So the Debug privilege doesn’t give ALL rights on processes? What rights does it give?

    1. I’ve just tried this out, and it turns out that debug privilege (even when running as a standard user) does in fact give you all access rights, including ACCESS_SYSTEM_SECURITY and the unused right bits. You can request 0xFFFFFFFF if you want. :-)

      My bet is that whoever originally asked this question didn’t realize that if you give a standard user debug privilege, you have to use “run as administrator” in order to actually get it.

      1. Medinoc says:

        Oh right, I remember this point being angrily mentioned within the last few months, that UAC’s restricted tokens arbitrarily remove all admin privileges instead of checking what privileges the user actually has.

        1. UAC handles this edge case a little clumsily, in that you have to put in your password to elevate even if UAC is not configured to require it and in that the UI doesn’t distinguish between having admin-equivalent privilege and actually being officially admin. (Presumably because you’re not supposed to do that in the first place.)

          But I think it’s doing the right thing. Do you really want every application, including your web browser, to be running with admin-equivalent privileges? (If so, you might just have to turn UAC off and put up with the fact that the Windows Store won’t work.)

Comments are closed.