GetTokenInformation

P

plmanikandan

Hi,

I need to check the SE_TCB_NAME previlige for the current user using
GetTokenInformation api call.i used the api call and get the
privilege,but i am unable to go thru each previlege to check whether
SE_TCB_NAME is enabled or not.my code is below[C#}

using System;
using System.Drawing;
using System.Collections;
using System.ComponentModel;
using System.Windows.Forms;
using System.Data;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

namespace gettoken
{
/// <summary>
/// Summary description for Form1.
/// </summary>
public class Form1 : System.Windows.Forms.Form
{
private System.Windows.Forms.Button button1;
/// <summary>
/// Required designer variable.
/// </summary>
private System.ComponentModel.Container components = null;
enum TOKEN_INFORMATION_CLASS
{
TokenUser = 1,
TokenGroups,
TokenPrivileges,
TokenOwner,
TokenPrimaryGroup,
TokenDefaultDacl,
TokenSource,
TokenType,
TokenImpersonationLevel,
TokenStatistics,
TokenRestrictedSids,
TokenSessionId,
TokenGroupsAndPrivileges,
TokenSessionReference,
TokenSandBoxInert,
TokenAuditPolicy,
TokenOrigin
}
[StructLayout(LayoutKind.Sequential)]
public struct LUID
{
public int LowPart;
public int HighPart;
}

[StructLayout(LayoutKind.Sequential)]
public struct TOKEN_PRIVILEGES
{
public LUID Luid;
public int Attributes;
public int PrivilegeCount;
}
struct LUID_AND_ATTRIBUTES
{
public LUID Luid;
public int Attributes;
}


[DllImport("kernel32.dll")]
static extern IntPtr LocalFree(IntPtr hMem);

[DllImport("advapi32.dll", SetLastError=true)]
static extern bool GetTokenInformation(
IntPtr TokenHandle,
TOKEN_INFORMATION_CLASS TokenInformationClass,
IntPtr TokenInformation,
int TokenInformationLength,
out int ReturnLength);


public Form1()
{
//
// Required for Windows Form Designer support
//
InitializeComponent();

//
// TODO: Add any constructor code after InitializeComponent call
//
}

/// <summary>
/// Clean up any resources being used.
/// </summary>
protected override void Dispose( bool disposing )
{
if( disposing )
{
if (components != null)
{
components.Dispose();
}
}
base.Dispose( disposing );
}

#region Windows Form Designer generated code
/// <summary>
/// Required method for Designer support - do not modify
/// the contents of this method with the code editor.
/// </summary>
private void InitializeComponent()
{
this.button1 = new System.Windows.Forms.Button();
this.SuspendLayout();
//
// button1
//
this.button1.Location = new System.Drawing.Point(48, 136);
this.button1.Name = "button1";
this.button1.Size = new System.Drawing.Size(200, 48);
this.button1.TabIndex = 0;
this.button1.Text = "button1";
this.button1.Click += new System.EventHandler(this.button1_Click);
//
// Form1
//
this.AutoScaleBaseSize = new System.Drawing.Size(5, 13);
this.ClientSize = new System.Drawing.Size(292, 273);
this.Controls.Add(this.button1);
this.Name = "Form1";
this.Text = "Form1";
this.ResumeLayout(false);

}
#endregion

/// <summary>
/// The main entry point for the application.
/// </summary>
[STAThread]
static void Main()
{
Application.Run(new Form1());
}

private void button1_Click(object sender, System.EventArgs e)
{
int TokenInfLength = 0 ;
bool Result ;

// first call gets lenght of TokenInformation
Result = GetTokenInformation( WindowsIdentity.GetCurrent().Token ,
TOKEN_INFORMATION_CLASS.TokenPrivileges , IntPtr.Zero , TokenInfLength
, out TokenInfLength );

IntPtr TokenInformation = Marshal.AllocHGlobal( TokenInfLength ) ;

Result = GetTokenInformation( WindowsIdentity.GetCurrent().Token ,
TOKEN_INFORMATION_CLASS.TokenPrivileges , TokenInformation ,
TokenInfLength , out TokenInfLength ) ;

if( Result )
{

TOKEN_PRIVILEGES
TokenPrivilege=(TOKEN_PRIVILEGES)Marshal.PtrToStructure(
TokenInformation , typeof( TOKEN_PRIVILEGES ));
LUID_AND_ATTRIBUTES
luid=(LUID_AND_ATTRIBUTES)Marshal.PtrToStructure(TokenInformation ,
typeof( LUID_AND_ATTRIBUTES ));
IntPtr pstr = IntPtr.Zero;

MessageBox.Show(TokenPrivilege.PrivilegeCount.ToString());

LocalFree(pstr);
}


}
}
}

Please help me to solve the problem of checking SE_TCB_NAME Privilege

Regards,
Mani
 
W

Willy Denoyette [MVP]

Hi,

I need to check the SE_TCB_NAME previlige for the current user using
GetTokenInformation api call.i used the api call and get the
privilege,but i am unable to go thru each previlege to check whether
SE_TCB_NAME is enabled or not.my code is below[C#}

Please help me to solve the problem of checking SE_TCB_NAME Privilege

Regards,
Mani
Click to expand...


I realy don't know why you need this, after all only "localsystem" should
have this TCB privilege. You don't grant this privilege to all of your users
don't you?

Anyway, you need to call LookupPrivilegeValue, followed by PrivilegeCheck.
Here is a sample...


[StructLayout(LayoutKind.Sequential)]

public struct _PRIVILEGE_SET
{
public uint PrivilegeCount;
public uint Control;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
public LUID_AND_ATTRIBUTES[] Privilege_1;
}

[StructLayout(LayoutKind.Sequential)]
public struct LUID_AND_ATTRIBUTES
{
public LUID Luid;
public uint Attributes;
}

[StructLayout(LayoutKind.Sequential)]
public struct LUID
{
public uint LowPart;
public uint HighPart;
}

class Tester
{

[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool PrivilegeCheck( IntPtr ClientToken, IntPtr
RequiredPrivileges, ref int pfResult);

[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Auto)]
public extern static bool LookupPrivilegeValue(string lpSystemName, string
lpName, IntPtr pLuid);

static void Main()
{
int result = 0;
IntPtr hToken;
string privilege = "SeTcbPrivilege";
_PRIVILEGE_SET ps = new _PRIVILEGE_SET();

ps.PrivilegeCount = 1;
ps.Privilege_1 = new LUID_AND_ATTRIBUTES[1];
int privSize = Marshal.SizeOf(ps.Privilege_1[0]);
IntPtr ptr = IntPtr.Zero;
ptr = Marshal.AllocHGlobal(privSize * (int)ps.PrivilegeCount);

Marshal.StructureToPtr(ps.Privilege_1[0], ptr, false);
if (!LookupPrivilegeValue(null, privilege, ptr))
Console.WriteLine("<LookupPrivilegeValue> Win32 Error {0}",
Marshal.GetLastWin32Error());
ps.Privilege_1[0] =
(LUID_AND_ATTRIBUTES)Marshal.PtrToStructure(ptr,typeof(LUID_AND_ATTRIBUTES));

Marshal.FreeHGlobal(ptr); // Free alocated mem

IntPtr ptrPs = IntPtr.Zero;
ptrPs = Marshal.AllocHGlobal(64); // 64 byte buffer
Marshal.WriteInt32(ptrPs,(int)ps.PrivilegeCount);
Marshal.WriteInt32((IntPtr)((int)ptrPs + 4),(int)ps.Control); // Hard
coded offset!!!
Marshal.StructureToPtr(ps.Privilege_1[0],(IntPtr)((int) ptrPs + 8),
false);
WindowsIdentity.Impersonate(WindowsIdentity.GetCurrent().Token);
hToken = WindowsIdentity.GetCurrent().Token;
Console.WriteLine("Token used: " + hToken);
if(!PrivilegeCheck(hToken, ptrPs, ref result))
Console.WriteLine("<PrivilegeCheck> Win32 Error {0}",
Marshal.GetLastWin32Error());
Marshal.FreeHGlobal( ptrPs ); // Free allocated mem
Console.WriteLine("Privilege's set '{0}'", Convert.ToBoolean(result));
}
}

Willy.
 
P

plmanikandan

Hi,
Thanks for your example code to check SE_TCB_NAME previlige.when i run
the example code in windows XP[service pack 2],windows2000
professional[service pack 4].it is always giving false for SE_TCB_NAME
previlige.but in windows xp SE_TCB_NAME previlige is set to true
default.i am running this example as administrator user account.
i need to check username,password supplied by user matches with windows
username,password,for this i used logonuser api .Logonuser api won't
works in windows 2000 due to SE_TCB_NAME previlige,so for windows 2000
i used NetUserChangePassword.Now i need to check whether SE_TCB_NAME
previlige is enabled,if enabled means use logonuser api ,otherwise use
NetUserChangePassword.
Whether my approach is right or wrong.Please help me out to solve
problems.


Regards,
Mani
Hi,

I need to check the SE_TCB_NAME previlige for the current user using
GetTokenInformation api call.i used the api call and get the
privilege,but i am unable to go thru each previlege to check whether
SE_TCB_NAME is enabled or not.my code is below[C#}

Please help me to solve the problem of checking SE_TCB_NAME Privilege

Regards,
Mani
Click to expand...


I realy don't know why you need this, after all only "localsystem" should
have this TCB privilege. You don't grant this privilege to all of your users
don't you?

Anyway, you need to call LookupPrivilegeValue, followed by PrivilegeCheck.
Here is a sample...


[StructLayout(LayoutKind.Sequential)]

public struct _PRIVILEGE_SET
{
public uint PrivilegeCount;
public uint Control;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
public LUID_AND_ATTRIBUTES[] Privilege_1;
}

[StructLayout(LayoutKind.Sequential)]
public struct LUID_AND_ATTRIBUTES
{
public LUID Luid;
public uint Attributes;
}

[StructLayout(LayoutKind.Sequential)]
public struct LUID
{
public uint LowPart;
public uint HighPart;
}

class Tester
{

[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool PrivilegeCheck( IntPtr ClientToken, IntPtr
RequiredPrivileges, ref int pfResult);

[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Auto)]
public extern static bool LookupPrivilegeValue(string lpSystemName, string
lpName, IntPtr pLuid);

static void Main()
{
int result = 0;
IntPtr hToken;
string privilege = "SeTcbPrivilege";
_PRIVILEGE_SET ps = new _PRIVILEGE_SET();

ps.PrivilegeCount = 1;
ps.Privilege_1 = new LUID_AND_ATTRIBUTES[1];
int privSize = Marshal.SizeOf(ps.Privilege_1[0]);
IntPtr ptr = IntPtr.Zero;
ptr = Marshal.AllocHGlobal(privSize * (int)ps.PrivilegeCount);

Marshal.StructureToPtr(ps.Privilege_1[0], ptr, false);
if (!LookupPrivilegeValue(null, privilege, ptr))
Console.WriteLine("<LookupPrivilegeValue> Win32 Error {0}",
Marshal.GetLastWin32Error());
ps.Privilege_1[0] =
(LUID_AND_ATTRIBUTES)Marshal.PtrToStructure(ptr,typeof(LUID_AND_ATTRIBUTES));

Marshal.FreeHGlobal(ptr); // Free alocated mem

IntPtr ptrPs = IntPtr.Zero;
ptrPs = Marshal.AllocHGlobal(64); // 64 byte buffer
Marshal.WriteInt32(ptrPs,(int)ps.PrivilegeCount);
Marshal.WriteInt32((IntPtr)((int)ptrPs + 4),(int)ps.Control); // Hard
coded offset!!!
Marshal.StructureToPtr(ps.Privilege_1[0],(IntPtr)((int) ptrPs + 8),
false);
WindowsIdentity.Impersonate(WindowsIdentity.GetCurrent().Token);
hToken = WindowsIdentity.GetCurrent().Token;
Console.WriteLine("Token used: " + hToken);
if(!PrivilegeCheck(hToken, ptrPs, ref result))
Console.WriteLine("<PrivilegeCheck> Win32 Error {0}",
Marshal.GetLastWin32Error());
Marshal.FreeHGlobal( ptrPs ); // Free allocated mem
Console.WriteLine("Privilege's set '{0}'", Convert.ToBoolean(result));
}
}

Willy.
Click to expand...
 
W

Willy Denoyette [MVP]

On XP and higher, you don't need TCB privileges to call LogonUser, only W2K
has this requirement, so only thing you need to do is check the OS version
and act accordingly.

[pseudo code]
If(OSVersion == W2K)
call NetUserChangePassword
else
call LogonUser
End If

Note that by default, only localsystem (SYSTEM) has TCB privileges (all OS).
That means that 'administrator' is included in the list of tcb privileged
users when it returns 'true' on XP.

Willy.

Hi,
Thanks for your example code to check SE_TCB_NAME previlige.when i run
the example code in windows XP[service pack 2],windows2000
professional[service pack 4].it is always giving false for SE_TCB_NAME
previlige.but in windows xp SE_TCB_NAME previlige is set to true
default.i am running this example as administrator user account.
i need to check username,password supplied by user matches with windows
username,password,for this i used logonuser api .Logonuser api won't
works in windows 2000 due to SE_TCB_NAME previlige,so for windows 2000
i used NetUserChangePassword.Now i need to check whether SE_TCB_NAME
previlige is enabled,if enabled means use logonuser api ,otherwise use
NetUserChangePassword.
Whether my approach is right or wrong.Please help me out to solve
problems.


Regards,
Mani
Hi,

I need to check the SE_TCB_NAME previlige for the current user using
GetTokenInformation api call.i used the api call and get the
privilege,but i am unable to go thru each previlege to check whether
SE_TCB_NAME is enabled or not.my code is below[C#}

Please help me to solve the problem of checking SE_TCB_NAME Privilege

Regards,
Mani
Click to expand...


I realy don't know why you need this, after all only "localsystem" should
have this TCB privilege. You don't grant this privilege to all of your
users
don't you?

Anyway, you need to call LookupPrivilegeValue, followed by
PrivilegeCheck.
Here is a sample...


[StructLayout(LayoutKind.Sequential)]

public struct _PRIVILEGE_SET
{
public uint PrivilegeCount;
public uint Control;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
public LUID_AND_ATTRIBUTES[] Privilege_1;
}

[StructLayout(LayoutKind.Sequential)]
public struct LUID_AND_ATTRIBUTES
{
public LUID Luid;
public uint Attributes;
}

[StructLayout(LayoutKind.Sequential)]
public struct LUID
{
public uint LowPart;
public uint HighPart;
}

class Tester
{

[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool PrivilegeCheck( IntPtr ClientToken, IntPtr
RequiredPrivileges, ref int pfResult);

[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Auto)]
public extern static bool LookupPrivilegeValue(string lpSystemName,
string
lpName, IntPtr pLuid);

static void Main()
{
int result = 0;
IntPtr hToken;
string privilege = "SeTcbPrivilege";
_PRIVILEGE_SET ps = new _PRIVILEGE_SET();

ps.PrivilegeCount = 1;
ps.Privilege_1 = new LUID_AND_ATTRIBUTES[1];
int privSize = Marshal.SizeOf(ps.Privilege_1[0]);
IntPtr ptr = IntPtr.Zero;
ptr = Marshal.AllocHGlobal(privSize * (int)ps.PrivilegeCount);

Marshal.StructureToPtr(ps.Privilege_1[0], ptr, false);
if (!LookupPrivilegeValue(null, privilege, ptr))
Console.WriteLine("<LookupPrivilegeValue> Win32 Error {0}",
Marshal.GetLastWin32Error());
ps.Privilege_1[0] =
(LUID_AND_ATTRIBUTES)Marshal.PtrToStructure(ptr,typeof(LUID_AND_ATTRIBUTES));

Marshal.FreeHGlobal(ptr); // Free alocated mem

IntPtr ptrPs = IntPtr.Zero;
ptrPs = Marshal.AllocHGlobal(64); // 64 byte buffer
Marshal.WriteInt32(ptrPs,(int)ps.PrivilegeCount);
Marshal.WriteInt32((IntPtr)((int)ptrPs + 4),(int)ps.Control); // Hard
coded offset!!!
Marshal.StructureToPtr(ps.Privilege_1[0],(IntPtr)((int) ptrPs + 8),
false);
WindowsIdentity.Impersonate(WindowsIdentity.GetCurrent().Token);
hToken = WindowsIdentity.GetCurrent().Token;
Console.WriteLine("Token used: " + hToken);
if(!PrivilegeCheck(hToken, ptrPs, ref result))
Console.WriteLine("<PrivilegeCheck> Win32 Error {0}",
Marshal.GetLastWin32Error());
Marshal.FreeHGlobal( ptrPs ); // Free allocated mem
Console.WriteLine("Privilege's set '{0}'", Convert.ToBoolean(result));
}
}

Willy.
Click to expand...
Click to expand...
 
P

plmanikandan

Hi,
Thanks for your reply. i have already done the coding by finding the os
version as you mentioned like
f(OSVersion == W2K)
call NetUserChangePassword
else
call LogonUser
End If

I think if the SE_TCB_NAME privilege is enabled in windows 2000,then
why we have to use NetUserChangePassword ,for this reason only i
checked SE_TCB_NAME privilege.Is it correct or not.is SE_TCB_NAME
privilege is enabled default to windows2000 or not?.why it is always
returning true when i check SE_TCB_NAME privilege for windows
2000[service pack 4] under administrative account

Regards,
Mani
 
W

Willy Denoyette [MVP]

Hi,
Thanks for your reply. i have already done the coding by finding the os
version as you mentioned like
f(OSVersion == W2K)
call NetUserChangePassword
else
call LogonUser
End If

I think if the SE_TCB_NAME privilege is enabled in windows 2000,then
why we have to use NetUserChangePassword ,for this reason only i
checked SE_TCB_NAME privilege.Is it correct or not.is SE_TCB_NAME
privilege is enabled default to windows2000 or not?.why it is always
returning true when i check SE_TCB_NAME privilege for windows
2000[service pack 4] under administrative account

Regards,
Mani
Click to expand...

It's possible that 'Administrators' are also members of the TCB, but that's
not the issue. Point is that on W2K a caller needs to be a TCB member to be
able to call LogonUser, on other OS's most users can call LogonUser by
default.
So if you run on W2K you call NetUserChangePassword, or supplementary you
check for TCK privileges, like so:

If(OSVersion == W2K)
If TCB enabled
call LogonUser
Else
call NetUserChangePassword
End If
else
call LogonUser
End If


Willy.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

SetLocalTime/SetSystemTime P/Invoke call fails under Vista (even witha requireAdministrator manifest 2
It Won't Load My Assembly And It Won't Say Why 5
Network Availability detection 2
Problem with dllimport code included . 2
GUI Invoke stalls thread 6
Need a hand 2
Shutdown problem 3
Writing to TextBox from Seperate Clas Redux 4

Top