Troubleshooting "Access Denied" errors

Anyone who has used Windows has encountered the dreaded “Access Denied” error.  (AKA error code 5 or 0x5). This error typically implies you can’t do something like open or save a file.  The error implies that you have encountered some type of security issue. In the past, an “Access Denied” issue came down to 2 things…

1

The mysteries of WindowsPrincipal.IsInRole

WindowsPrincipal.IsInRole method is defined as the following in MSDN (http://msdn.microsoft.com/en-us/library/system.security.principal.windowsprincipal.isinrole(v=vs.110).aspx ) “Determines whether the current principal belongs to a specified Windows user group” A WindowsPrincipal is basically a Windows Token wrapped in a .NET class.  Windows Tokens are generated when a Windows user (Local or Domain) is authenticated by Windows.  The IsInRole() method is similar to the…

0

How to programmatically create a LogonService or Network Service token with LogonUser?

A lot of Developers have asked if it is possible to generate a token that represents the Local Service or Network Service account without stealing a token.  You can programmatically generate atoken using LogonUser().  Here is the code for doing this: LogonUser(L”LocalService”, L”NT AUTHORITY”, NULL, LOGON32_LOGON_SERVICE, LOGON32_PROVIDER_DEFAULT, &hToken) LogonUser(L”NetworkService”, L”NT AUTHORITY”, NULL, LOGON32_LOGON_SERVICE, LOGON32_PROVIDER_DEFAULT, &hToken)

0

How to launch a process interactively from a Windows Service?

Launching an interactive process from a service used to be straight forward.  You could either configure your service to be interactive or you could specify “Winsta0\\Default” as the desktop (in CreateProcess API) and as long as the launched process had the appropriate permissions to the desktop, the launched process would run interactively. These techniques stopped working with…

9

Dealing with Administrator and standard user’s context

With introduction of UAC, I often get two questions for Windows Vista and later. 1)      How to launch an application in the Administrative context from an application which is running in standard user’s context? 2)      How to launch application in standard user’s context from an application which is running in administrative context?   The first…


Web application gets Access Denied accessing a Named Pipe.

Recently, I was troubleshooting a problem for one of my customers. A named pipe created by a native C application was not accessible by web client. The actual product is a convention Windows application which does IPC through named pipes. Both server and client for this were Windows applications. They were trying to extend the…

0

Check membership of a group from user’s process access token

Question may be, I need to check If the user belong to a particular group or not? There are NetUser* APIs available in NetApi32.lib to list the groups a user belong to a group. You can actually check but then you will need to compare the string of the group you are interested to check…