SetUserObjectSecurity gives error ERROR_NOT_ENOUGH_QUOTA

user1976

Hi everyone, I am using the CreateProcessAsUser function as specified in the
example "Starting an interactive client process in C++" to create a new process.
I used the sample code given by Microsoft at
http://support.microsoft.com/kb/165194/EN-US/
as guidance. However, after creating new processes, say about 50 times, I get the
error ERROR_NOT_ENOUGH_QUOTA from the function SetUserObjectSecurity in both the
AddTheAceWindowStation and AddTheAceDesktop functions. The above link to the KB
mentions this error and refers to the following link,
http://support.microsoft.com/kb/185292/EN-US/, which says that the ACEs should
be cleaned up for desktop and window station objects when the processes die.
It also says the following about the case where one cannot track when the process dies:
<quote>
If you cannot track when the process dies, there are several procedures that
you can use to remove any unnecessary ACEs. You can enumerate processes, read
the Logon Security Identifier (SID) or User SID from the process token, and
compare one of them to the ACEs stored in the DACL for the window station
and desktop objects.
</quote>
In my case I cannot determine when the process dies. I am new to MFC and I need
some help. Can anyone give me a code sample on how to achieve the above?
I am really stuck here.

Thanks a million in advance
Vijay
 
Jochen Kalmbach

Hi user1976,
<quote>
However after creating new processes say about 50 times.
I get the error ERROR_NOT_ENOUGH_QUOTA by the function
SetUserObjectSecurity in both AddTheAceWindowStation and
AddTheAceDesktop functions. The above link to the kb mentions this
error and refers to the following link
http://support.microsoft.com/kb/185292/EN-US/ which says that the aces
should be cleaned up for desktop and windowstation objects when the
processes die.
</quote>

The best option is to track the process and remove the ACE. This could be
easily done in a thread which only waits for the process handle
(WaitForSingleObject).

The second best option is the last in the KB-article:
<quote>
If you are launching many processes, you might want to add an ACE based on
the processes logon type. For example, this could be either the Interactive
or Batch SID. You would not have to add any additional ACEs for processes
with the same logon type.
</quote>

If you cannot do this, you must do the enum-process-stuff (which also might
have some side-effects if a process adds a special ACE...).

This is not a small task to do...


You need to open the desired window station and enumerate the ACEs there (this is
already described in the KB article you mentioned, or here:
http://msdn.microsoft.com/library/en-us/secauthz/security/starting_an_interactive_client_process_in_c__.asp
); you can enumerate them with GetAce...

Then you need to mark all entries which are still valid and used by
processes.
After enumerating the processes you could then remove all "unmarked"
entries and set the new ACL.

Here is an example of enumerating processes and displaying the SIDs:
http://win32.mvps.org/security/opt_gti.cpp

Sorry that I do not have a working example...

--
Greetings
Jochen

My blog about Win32 and .NET
http://blog.kalmbachnet.de/
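
As an added example (this is not code from the reply above, from the KB articles or from dumpacl), here is how both options from that reply can be implemented in Win32 C++: a thread that waits on the process handle returned by CreateProcessAsUser and, once it is signalled, removes the window-station and desktop ACEs whose logon SID no longer belongs to any running process, which is also KB 185292's "enumerate processes and compare logon SIDs" procedure and can equally be run on a timer if the handle cannot be kept. All function and struct names (IsLogonSid, StaleAceIndexes, LogonSidOfProcess, LiveLogonSids, RemoveStaleAces, CleanupArgs, CleanupThread) are my own. The decision logic is kept free of Win32 calls so it can be checked off-box; the Win32 part sits under `#ifdef _WIN32` and links against advapi32.

```cpp
// Added example, not code from the thread or the KB articles: release the
// window-station/desktop ACEs once the process they were granted for is gone.
#include <cstddef>
#include <set>
#include <string>
#include <vector>
// A logon SID has the form S-1-5-5-X-Y; built-in and user SIDs never match,
// so the pruning below can never remove SYSTEM, Administrators or a user ACE.
bool IsLogonSid(const std::string& sid) {
    return sid.rfind("S-1-5-5-", 0) == 0;
}
// Decision logic, free of Win32 so it can be tested anywhere: positions of ACEs
// whose SID is a logon SID that no running process carries. daclSids are the
// DACL's ACE SIDs in ACE order ("" for an ACE type that was not decoded).
std::vector<size_t> StaleAceIndexes(const std::vector<std::string>& daclSids,
                                    const std::set<std::string>& liveLogonSids) {
    std::vector<size_t> stale;
    for (size_t i = 0; i < daclSids.size(); ++i)
        if (IsLogonSid(daclSids[i]) && liveLogonSids.count(daclSids[i]) == 0)
            stale.push_back(i);
    return stale;
}
#ifdef _WIN32
#include <windows.h>
#include <sddl.h>
#include <tlhelp32.h>
// Logon SID of one process: the TokenGroups entry flagged SE_GROUP_LOGON_ID
// (the same lookup the KB 165194 sample does in GetLogonSID).
static bool LogonSidOfProcess(DWORD pid, std::string& out) {
    HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (!hProc) return false;  // a process we cannot open is invisible (see note)
    HANDLE hTok = NULL; bool ok = false;
    if (OpenProcessToken(hProc, TOKEN_QUERY, &hTok)) {
        DWORD len = 0; GetTokenInformation(hTok, TokenGroups, NULL, 0, &len);
        std::vector<BYTE> buf(len);
        if (len && GetTokenInformation(hTok, TokenGroups, buf.data(), len, &len)) {
            TOKEN_GROUPS* tg = reinterpret_cast<TOKEN_GROUPS*>(buf.data());
            for (DWORD i = 0; i < tg->GroupCount && !ok; ++i) {
                if ((tg->Groups[i].Attributes & SE_GROUP_LOGON_ID) != SE_GROUP_LOGON_ID) continue;
                LPSTR s = NULL;
                if (ConvertSidToStringSidA(tg->Groups[i].Sid, &s)) { out = s; LocalFree(s); ok = true; }
            }
        }
        CloseHandle(hTok);
    }
    CloseHandle(hProc);
    return ok;
}
// KB 185292's "enumerate processes and read the logon SID from the token".
std::set<std::string> LiveLogonSids() {
    std::set<std::string> live;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return live;
    PROCESSENTRY32 pe; pe.dwSize = sizeof(pe);
    for (BOOL more = Process32First(snap, &pe); more; more = Process32Next(snap, &pe)) {
        std::string sid; if (LogonSidOfProcess(pe.th32ProcessID, sid)) live.insert(sid);
    }
    CloseHandle(snap);
    return live;
}
// Inverse of the KB sample's AddTheAceWindowStation/AddTheAceDesktop: read the
// DACL, delete the ACEs StaleAceIndexes selects, write the shorter DACL back.
bool RemoveStaleAces(HANDLE hObj, const std::set<std::string>& liveLogonSids) {
    SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION;
    DWORD len = 0; GetUserObjectSecurity(hObj, &si, NULL, 0, &len);
    std::vector<BYTE> buf(len);
    if (!len || !GetUserObjectSecurity(hObj, &si, buf.data(), len, &len)) return false;
    PACL dacl = NULL; BOOL present = FALSE, defaulted = FALSE;
    if (!GetSecurityDescriptorDacl(buf.data(), &present, &dacl, &defaulted) || !present || !dacl) return false;
    std::vector<std::string> sids;
    for (DWORD i = 0; i < dacl->AceCount; ++i) {
        ACCESS_ALLOWED_ACE* ace = NULL;  // ALLOWED and DENIED ACEs share this layout
        if (!GetAce(dacl, i, reinterpret_cast<LPVOID*>(&ace))) return false;
        LPSTR s = NULL;
        if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE || ace->Header.AceType == ACCESS_DENIED_ACE_TYPE)
            ConvertSidToStringSidA(reinterpret_cast<PSID>(&ace->SidStart), &s);
        sids.push_back(s ? s : "");
        if (s) LocalFree(s);
    }
    std::vector<size_t> stale = StaleAceIndexes(sids, liveLogonSids);
    for (size_t k = stale.size(); k-- > 0;)  // back to front so earlier indexes stay valid
        if (!DeleteAce(dacl, static_cast<DWORD>(stale[k]))) return false;
    SECURITY_DESCRIPTOR sd;  // absolute SD that points at the edited DACL
    return InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION) &&
           SetSecurityDescriptorDacl(&sd, TRUE, dacl, FALSE) && SetUserObjectSecurity(hObj, &si, &sd);
}
// The "best option" above: a thread that blocks on the process handle from
// CreateProcessAsUser and prunes both objects once it is signalled. Start it with
// CreateThread(NULL, 0, CleanupThread, new CleanupArgs{pi.hProcess, hwinsta, hdesk}, 0, NULL).
struct CleanupArgs { HANDLE hProcess; HWINSTA hWinsta; HDESK hDesk; };
DWORD WINAPI CleanupThread(LPVOID p) {
    CleanupArgs* a = static_cast<CleanupArgs*>(p);
    WaitForSingleObject(a->hProcess, INFINITE);
    std::set<std::string> live = LiveLogonSids();  // the exited process no longer contributes
    RemoveStaleAces(a->hWinsta, live);
    RemoveStaleAces(a->hDesk, live);
    CloseHandle(a->hProcess);
    delete a;
    return 0;
}
#endif
```

Two caveats before using this in a service. First, a logon session is only considered live if one of its processes can be opened, so run with SeDebugPrivilege (LocalSystem has it) or every process you cannot open looks dead and its session's ACE would be stripped; this includes the interactive user's own logon SID on WinSta0. Second, cleanup threads for several child processes can race on the same DACL, so serialize calls to RemoveStaleAces with a critical section, and call it before AddTheAce* as well so the DACL stays bounded. The KB sample adds two window-station ACEs per logon SID (one inherit-only, one direct); both match by SID and both are removed.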
 
Jochen Kalmbach

Hi user1976,
<quote>
If you cannot track when the process dies, there are several
procedures that you can use to remove any unnecessary ACEs. You can
enumerate processes, read the Logon Security Identifier (SID) or User
SID from the process token, and compare one of them to the ACEs stored
in the DACL for the window station and desktop objects.
</quote>

I just added to the very good example of Dumpacl at
http://win32.mvps.org/security/dumpacl.html
the ability to dump Winsta-ACLs.
Maybe Felix will update his site to reflect the changes...
In the meanwhile you can download it here:

http://blog.kalmbachnet.de/files/dumpacl.zip


To dump the ACL of a window station (winsta0) do the following:

dumpacl WINSTA:winsta0


--
Greetings
Jochen

My blog about Win32 and .NET
http://blog.kalmbachnet.de/
 
Jochen Kalmbach

Hi user1976,
<quote>
If you cannot track when the process dies, there are several
procedures that you can use to remove any unnecessary ACEs. You can
enumerate processes, read the Logon Security Identifier (SID) or User
SID from the process token, and compare one of them to the ACEs stored
in the DACL for the window station and desktop objects.
</quote>

I just added to the very good example of Dumpacl at
http://win32.mvps.org/security/dumpacl.html
the ability to dump Winsta-ACLs and dump process-ACLs:

Maybe Felix will update his site to reflect the changes...
In the meanwhile you can download it here:

http://blog.kalmbachnet.de/files/dumpacl.zip


To dump the ACL of a window station (winsta0) do the following:
dumpacl WINSTA:winsta0
To dump the ACLs of all winstas, do:
dumpacl WINSTA:


To dump the ACL of a given process ID do the following:
dumpacl PID:3523
To dump the ACLs of all processes, do:
dumpacl PID:

Maybe it helps you with correcting the ACLs...

--
Greetings
Jochen

My blog about Win32 and .NET
http://blog.kalmbachnet.de/
 
user1976

<quote>
If you are launching many processes, you might want to add an ACE based on
the processes logon type. For example, this could be either the Interactive
or Batch SID. You would not have to add any additional ACEs for processes
with the same logon type.
</quote>

Does this mean that even when I am launching the process in the
context of a different user, I don't need to add a new ACE if the
logon type is same?
 
Jochen Kalmbach

Hi user1976,
<quote>
If you are launching many processes, you might want to add an ACE based on
the processes logon type. For example, this could be either the Interactive
or Batch SID. You would not have to add any additional ACEs for processes
with the same logon type.
</quote>

Does this mean that even when I am launching the process in the
context of a different user, I don't need to add a new ACE if the
logon type is same?

As far as I understand, you only need to add the Interactive or Batch SID,
and then it would work the next time you start with the corresponding
logon type. But I have not tested it...


--
Greetings
Jochen

My blog about Win32 and .NET
http://blog.kalmbachnet.de/
 
user1976

Jochen Kalmbach said:
<quote>
The best option is to track the process and remove the ACE. This could be
easily done in a thread which only waits for the process handle
(WaitForSingleObject).
</quote>
Jochen, thanks for all your help. I don't even know how to do this.
Say if I know when the process died, how do I delete the ACEs for
a given process ID?
 
user1976

Jochen Kalmbach said:
<quote>
As far as I understand, you only need to add the Interactive or Batch SID,
and then it would work the next time you start with the corresponding
logon type. But I have not tested it...
</quote>
I tried to add only the first time by saving the state in a global
variable, but this did not work. It gives the same error as if nothing was
added to the ACE list in the first place. I read on another thread that you
can overcome this by saving the original list that comes from the actual
logon and appending a new ACE each time you create a process. This way you
actually overwrite the ACEs that were just added previously and thus the
total count would not increase. Do you know how to accomplish this?
 
Jochen Kalmbach

Hi user1976,
<quote>
Jochen, thanks for all your help. I don't even know how to do this.
Say if I know when the process died, how do I delete the ACEs for
a given process ID?
</quote>

If you look at the examples, you see that they enumerate the original ACEs
and then add all these entries to a new ACL. You only need to remember the
original ACEs and then set the ACL back to the old ACEs.

--
Greetings
Jochen

My blog about Win32 and .NET
http://blog.kalmbachnet.de/
 
