Hi,

I have developed an SNMP extension DLL to perform some operations like Shutdown, Restart, etc. remotely. It is working fine with XP. Now I am migrating the DLL to Windows 7. I have read the document "impact of session-0 isolation" from MSDN and followed the instructions for DLL migration. For example, I have followed the instructions in the link http://msdn.microsoft.com/en-us/library/windows/desktop/aa376871(v=vs.85).aspx and coded the same for the shutdown operation. But "AdjustTokenPrivileges" always returns Error 1300: Not all privileges or groups referenced are assigned to the caller.

Is there any way to solve this error?
Posted
Updated 12-Feb-20 6:39am

1 solution

From the MSDN:
Quote:
The AdjustTokenPrivileges function cannot add new privileges to the access token. It can only enable or disable the token's existing privileges. To determine the token's privileges, call the GetTokenInformation function.
As a first step you may check the privileges as suggested by the MSDN.

The code must be executed with sufficient privileges. Users are usually allowed to shut down and restart. But you are trying to do this remotely using SNMP. The MS SNMP agent is a service which is probably not allowed to shut down the system (I don't know for sure, but it makes sense that a service is not allowed to shut down without any user interaction).
 
 
Comments
EshwarTamil 21-Nov-12 5:45am    
Is it possible to add a shutdown privilege to SNMP service manually?
Jochen Arndt 21-Nov-12 6:04am    
I have only basic knowledge about such things. But you may add the privilege to the account that runs the service (usually 'system') or create a new account with that privilege and run the service using this account. I would prefer the second method because otherwise all running services would have that privilege.

You may also rethink the requirement of shutdown. I would not allow a service or some kind of remote access to shut down my system.

I don't know what other functions are implemented by your DLL. If it is only for shutdown and restart, you may implement it in a different way (e.g. a normal application auto-started for all users that listens on a socket and provides a dialog with a timer like the one shown when Windows Update requires a reboot).

EshwarTamil 21-Nov-12 6:14am    
SNMP Service is running under the "Local System" account. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects. Already it's having Shutdown Privilege. Then why is it throwing ERROR 1300?
Jochen Arndt 21-Nov-12 6:47am    
Please verify the privilege first using GetTokenInformation(). On my Windows 7 Pro system only the groups Administrators, Users, and Backup Operators are allowed to shut down the system and the Local System user account is (of course) not a member of these groups.
bitbo 5-Jan-18 2:30am    
I am running an SNMP Agent on WIN10 (patch level 12/2017) and wrote a function to list all token privileges using GetTokenInformation() within my extension DLL.
I always get:
INFO: Having privilege SeSecurityPrivilege 00000008 State:0x00000000)
INFO: Having privilege SeDebugPrivilege 00000014 State:0x00000003)
INFO: Having privilege SeChangeNotifyPrivilege 00000017 State:0x00000003)

In Windows 10 we have "Windows Service Hardening" (WSH) active.
See: http://www.itprotoday.com/management-mobility/understanding-windows-service-hardening
I am able to add the SeLoadDriverPrivilege privilege using:

sc privs snmp SeChangeNotifyPrivilege/SeSecurityPrivilege/SeDebugPrivilege/SeLoadDriverPrivilege

I can verify this by:
sc qprivs snmp 1024

and also in the Registry:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\RequiredPrivileges

But the strange thing is that GetTokenInformation() within my loaded extension DLL does not show this new privilege!?!?!

It looks to me like MS has hardcoded the privileges within the SNMP Service
(at least when loading extension DLLs).

Any ideas?

Here is the code to read out the currently active privileges:
    DWORD dwLen = 0;
    DWORD retLength = 0;   // was used below without a declaration
    TOKEN_PRIVILEGES tp = { 0 };
    // First call with a NULL buffer only reports the required size in dwLen.
    GetTokenInformation(hToken, TokenPrivileges, NULL, 0, &dwLen);
    if (dwLen > 0)
    {
        // Release with delete[] once pPrivs is no longer needed.
        BYTE* pBuffer = new BYTE[dwLen];
        if (pBuffer == NULL)
        {
            return FALSE;
        }

        if (GetTokenInformation(hToken, TokenPrivileges, pBuffer, dwLen, &retLength))
        {
            WriteAppLogFormat(L"INFO: GetTokenInformation returned Len=%u)", retLength);

            TOKEN_PRIVILEGES* pPrivs = (TOKEN_PRIVILEGES*)pBuffer;
            for (DWORD i = 0; i < pPrivs->PrivilegeCount; i++)
            {
                WCHAR Name[100] = L"";   // stays empty if the lookup fails
                DWORD Size = 100;        // buffer size in characters
                LookupPrivilegeName(NULL, &pPrivs->Privileges[i].Luid, Name, &Size);
                // Log the state as found in the token, before it is modified.
                WriteAppLogFormat(L"INFO: Having privilege %s %08X State:0x%08X)", Name, pPrivs->Privileges[i].Luid.LowPart, pPrivs->Privileges[i].Attributes);
                // Mark every privilege already present in the token as to-be-enabled.
                pPrivs->Privileges[i].Attributes |= SE_PRIVILEGE_ENABLED;
            }
        }
        else
        {
            WriteAppLogFormat(L"ERROR: GetTokenInformation 2 failed. (0x%08X)", GetLastError());
        }
    }
    else
    {
        WriteAppLogFormat(L"ERROR: GetTokenInformation 1 failed. (0x%08X)", GetLastError());
    }
...
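
Added example (not code from this thread): a small portable C program that decodes the `State` field of the privilege dump quoted above and reports which last-error value to expect when `AdjustTokenPrivileges` is asked to enable a given privilege on that token. The helper names are hypothetical; the flag and error values are the ones defined in the Windows headers.

```c
#include <stdio.h>
#include <string.h>

/* Attribute bits of a LUID_AND_ATTRIBUTES entry, values from winnt.h.
 * State 0x3 in the dump = enabled by default + currently enabled. */
#define SE_PRIVILEGE_ENABLED_BY_DEFAULT 0x00000001u
#define SE_PRIVILEGE_ENABLED            0x00000002u
#define ERROR_NOT_ALL_ASSIGNED          1300

/* The three dump lines quoted in the comment above. */
static const char *const token_log[] = {
    "INFO: Having privilege SeSecurityPrivilege 00000008 State:0x00000000)",
    "INFO: Having privilege SeDebugPrivilege 00000014 State:0x00000003)",
    "INFO: Having privilege SeChangeNotifyPrivilege 00000017 State:0x00000003)",
};
#define TOKEN_LOG_LINES (sizeof token_log / sizeof token_log[0])

enum priv_state { PRIV_ABSENT, PRIV_DISABLED, PRIV_ENABLED };

/* Hypothetical helper: find `name` in the dump and classify its State. */
static enum priv_state privilege_state(const char *const *log, size_t n,
                                       const char *name)
{
    for (size_t i = 0; i < n; i++) {
        char priv[64];
        unsigned luid, attrs;
        if (sscanf(log[i], "INFO: Having privilege %63s %x State:0x%x",
                   priv, &luid, &attrs) != 3)
            continue;                      /* not a privilege line */
        if (strcmp(priv, name) == 0)
            return (attrs & SE_PRIVILEGE_ENABLED) ? PRIV_ENABLED
                                                  : PRIV_DISABLED;
    }
    return PRIV_ABSENT;
}

/* Hypothetical helper: last-error value to expect after asking
 * AdjustTokenPrivileges to enable `name`. The call returns TRUE even when
 * the privilege is missing, so GetLastError() is what must be checked. */
static int expected_adjust_error(const char *const *log, size_t n,
                                 const char *name)
{
    return privilege_state(log, n, name) == PRIV_ABSENT
               ? ERROR_NOT_ALL_ASSIGNED : 0;
}

int main(void)
{
    const char *names[] = { "SeSecurityPrivilege", "SeShutdownPrivilege" };
    for (size_t i = 0; i < 2; i++)
        printf("%-22s -> last error %d\n", names[i],
               expected_adjust_error(token_log, TOKEN_LOG_LINES, names[i]));
    return 0;
}
```

For this dump, `SeSecurityPrivilege` is present but disabled and can therefore be enabled, while `SeShutdownPrivilege` is not in the token at all, which is the condition reported as error 1300.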

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


