Documentation if isapp ....

  • This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.
Oct 18, 2008
Hello -- the doc for this expression notes that DEBUG privilege. might be requited ... is this a "take cmd" setting?
I'm pretty sure that SE_DEBUG_NAME can be enabled "on the fly" if you have a right to it. My SYSUTILS plugin does it in InitializePlugin() (code below). I am an (unelevated) administrator and it apparently succeeds. Even so, I cannot use ISAPP with a system process.

BOOL EnableDebugPriv( BOOL bAdd )
   HANDLE hToken = NULL;
   LUID SeDebugNameValue;
   BOOL rv = FALSE;

   if ( OpenProcessToken( GetCurrentProcess(),
       if ( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &SeDebugNameValue ) )
           tp.PrivilegeCount = 1;
           tp.Privileges[0].Luid = SeDebugNameValue;
           tp.Privileges[0].Attributes = bAdd ? SE_PRIVILEGE_ENABLED : 0;
           rv = AdjustTokenPrivileges( hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL );
       CloseHandle( hToken );

   return rv;
And, in InitializePlugin(),
    if ( !EnableDebugPriv(TRUE) )
       Printf(L"SysUtils: DEBUG privilege is not available\r\n");
I guess I was wrong about that. Even though AdjustTokenPrivileges() succeeded (returned TRUE), TCError() shows:
TCC: (Sys) Not all privileges or groups referenced are assigned to the caller.
You have to be admin, and you have to be elevated. And you still can't query any of the system processes.
I think Rex means processes 0 and 4. Elevated, you can query any other process.

UAC makes for a sad state of affairs for privileges like SE_DEBUG_NAME and SE_SYSTEMTIME_NAME. While admins have those (and others) privileges, the "token" assigned to an admin logged in under UAC does not have them. Since they're not in the token, they cannot be assigned, even if you ask for them politely.

With SECPOL.MSC (Management Console Security Policy Snap-in) you can enable those privileges for anyone, including ordinary users. Having done so, ordinary users can debug and set the system time with no fuss at all. But admins still can't (without elevation) because of that crippled token given to them by UAC.