Click here to Skip to main content
15,741,531 members
Please Sign up or sign in to vote.
0.00/5 (No votes)

I have developed SNMP extension DLL to perform some operations like Shutdown,Restart,etc Remotely.It is working fine with XP.Now I am migrating the DLL for Windows 7.I have read the document "impact of session-0 isolation" from MSDN and followed the instructions for DLL migration.For example, I have followed the instructions in the link and coded the same for the shutdown operation. But "AdjustTokenPrivileges" always returning Error:1300 Not all privileges or groups referenced are assigned to the caller.

Is there any way to solve this error??????
Updated 12-Feb-20 6:39am

1 solution

From the MSDN[^]:
The AdjustTokenPrivileges function cannot add new privileges to the access token. It can only enable or disable the token's existing privileges. To determine the token's privileges, call the GetTokenInformation function.
As first step you may check the privileges as suggested by the MSDN.

The code must be executed with sufficient privileges. Users are usually allowed to shutdown and restart. But you are trying to do this remotely using SNMP. The MS SNMP agent is a service which is probably not allowed to shutdown the system (I don't know for sure, but it makes sense that a service is not allowed to shutdown without any user interaction).
Share this answer
EshwarTamil 21-Nov-12 5:45am    
Is it possible to add a shutdown privilege to SNMP service manually?
Jochen Arndt 21-Nov-12 6:04am    
I have only basic knowledge about such things. But you may add the privilege to the account that runs the service (usually 'system') or create a new account with that privilege and run the service using this account. I would prefer the second method because otherwise all running services would have that privilege.

You may also rethink the requirement of shutdown. I would not allow a service or some kind of remote access to shutdown my system.

I don't know what other functions are implemented by your DLL. If it is only for shutdown and restart, you may implement it in a different way (e.g. a normal application auto started for all users that listens on a socket and provides a dialog with a timer like the one shown when Windows updates requires a reboot).

EshwarTamil 21-Nov-12 6:14am    
SNMP Service is running under "Local System" account.Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects. Already it's having Shutdown Privilege.Then why it's throwing ERROR 1300??
Jochen Arndt 21-Nov-12 6:47am    
Please verify the privilege first using GetTokenInformation(). On my Windows 7 Pro system only the groups Administrators, Users, and Backup Operators are allowed to shutdown the system and the Local System user account is (of course) not member of these groups.
bitbo 5-Jan-18 2:30am    
I am running an SNMP Agent on WIN10 (patch level 12/2017) and wrote a function to list all token privileges using GetTokenInformation() within my extension DLL.
I always get:
INFO: Having privilege SeSecurityPrivilege 00000008 State:0x00000000)
INFO: Having privilege SeDebugPrivilege 00000014 State:0x00000003)
INFO: Having privilege SeChangeNotifyPrivilege 00000017 State:0x00000003)

In Windows 10 we have "Windows Service Hardening" (WSH) active.
I am able to add the SeLoadDriverPrivilege privilege using:

sc privs snmp SeChangeNotifyPrivilege/SeSecurityPrivilege/SeDebugPrivilege/SeLoadDriverPrivilege

I can verify this by:
sc qprivs snmp 1024

as also in Registry

But the strange thing is that GetTokenInformation() within my loaded extension DLL does not show this new privilege!?!?!

I looks to me like MS has hardcoded the privileges within SNMP Service
(at least when loading extension DLL´s)

Any ideas ?

Here the code to read out the current active privileges:
DWORD dwLen = 0;
GetTokenInformation(hToken, TokenPrivileges, NULL, 0, &dwLen);
if(dwLen > 0)
BYTE* pBuffer = new BYTE[dwLen];
if (pBuffer == NULL)
return FALSE;

if (GetTokenInformation(hToken, TokenPrivileges, pBuffer, dwLen, &retLength))
WriteAppLogFormat(L"INFO: GetTokenInformation returned Len=%d)", retLength);

for (DWORD i = 0; i < pPrivs->PrivilegeCount; i++)
WCHAR Name[100];
DWORD Size = 100;
LookupPrivilegeName(NULL, &pPrivs->Privileges[i].Luid, Name, &Size);
WriteAppLogFormat(L"INFO: Having privilege %s %08X State:0x%08X)", Name, pPrivs->Privileges[i].Luid.LowPart, pPrivs->Privileges[i].Attributes);
pPrivs->Privileges[i].Attributes |= SE_PRIVILEGE_ENABLED;
WriteAppLogFormat(L"ERROR: GetTokenInformation 2 failed. (0x%08X)", GetLastError());
WriteAppLogFormat(L"ERROR: GetTokenInformation 1 failed. (0x%08X)", GetLastError());

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900