SETP?

May 20, 2008
9,969
72
Syracuse, NY, USA
I'm seeing this.

Code:
v:\> echo %@pid[explorer.exe]
1940

v:\> setp 1940 tmp & setp 1940 temp
TCC: Not in environment "tmp"
TCC: Not in environment "temp"
Using my own, I see this.

Code:
v:\> u:\pset64.exe 1940 tmp & u:\pset64.exe 1940 temp
z:\
z:\
And, funny thing, I actually used TCC's SETP to set them.

Is there a way to debug this?
 

rconn

Administrator
Staff member
May 14, 2008
11,502
115
Not reproducible here:

Code:
[C:\Program Files\JPSoft\TCMD25]echo %@pid[explorer.exe]
16064
[C:\Program Files\JPSoft\TCMD25]setp 16064 tmp
TMP=C:\Users\RCONN_~1\AppData\Local\Temp
[C:\Program Files\JPSoft\TCMD25]setp 16064 temp
TEMP=C:\Users\RCONN_~1\AppData\Local\Temp
That's not a default error message. It can only mean that either TCC wasn't able to obtain debug privileges, or that the variables don't exist in the target app.
 
May 20, 2008
9,969
72
Syracuse, NY, USA
I didn't do much testing (wish I had). It was the same in a newly started TCC. I rebooted shortly after that for unrelated reasons and after the reboot I couldn't reproduce it.
 
May 20, 2008
9,969
72
Syracuse, NY, USA
A note on SE_DEBUG_NAME.

Without even attempting to acquire SE_DEBUG_NAME,

1. I (an admin, unelevated) can open non-system processes for the VM read/write and CreateRemoteThread
2. I (an admin, elevated) can also open system processes as above

When I attempt to acquire SE_DEBUG_NAME,

1. as an admin, unelevated, AdjustTokenPrivileges succeeds and GetLastError() is 1300 (Not all privileges or groups referenced are assigned to the caller)
2. as an admin, elevated, AdjustTokenPrivileges succeeds and GetLastError() is 0

In any case, SE_DEBUG_NAME doesn't seem to matter.
 
May 20, 2008
9,969
72
Syracuse, NY, USA
Well, I'm pretty lost now. As I said before, in my PSET64.EXE, not bothering with SE_DEBUG_NAME at all, running elevated, and targeting a system process, both of these work.

Code:
OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid);
OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwPid);
In contrast, in a TCC plugin, TCC running elevated, PSTAT targeting a system process, if I don't acquire SE_DEBUG_NAME, this fails.

Code:
OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, PID);
Notes:

1. PSET64.EXE is like the internal SETP.
2. In the plugin, PSTAT gets this information:

Code:
v:\> pstat 3416
PID:            3416
Path:           C:\Windows\System32\w32tmsvc.exe
PPID:           832
Parent:         C:\Windows\System32\services.exe
Started:        2019-12-22 12:00:03
Running:        4:04:57:44
User CPU:       0.0156250 sec
Kernel CPU:     0.0312500 sec
Total CPU:      0.0468750 sec
% CPU:          0.0000%
Cycles:         1420250968
% Cycles:       0.0001%
Working Set:    5224 KB
Virtual Mem:    1176 KB
Threads:        3
Handles:        96
Modules:        24
Priority:       NORMAL
Owner:          SYSTEM
Command Line:   c:\windows\system32\w32tmsvc.exe
 
May 20, 2008
9,969
72
Syracuse, NY, USA
Here it is again, right after the update-Tuesday restart.

Code:
v:\> setp 5444 tmp=z:\ & setp 5444 temp=z:\

v:\> setp 5444 tmp & setp 5444 temp
TCC: Not in environment "tmp"
TCC: Not in environment "temp"

v:\> echo %@pset[5444,tmp] & echo %@pset[5444,temp]
z:\
z:\
PID 5444 is Explorer and ProcessExplorer also says TMP and TEMP are set to z:\.

It's the same in other newly-started TCCs. Any ideas on how to debug this?
 
May 20, 2008
9,969
72
Syracuse, NY, USA
I tried several user apps (below). SETP worked on all but Explorer and (oddly) the current instance of TCC.

Code:
v:\> setp %@pid[firefox.exe] tmp
TMP=z:\

v:\> setp %@pid[explorer.exe] tmp
TCC: Not in environment "tmp"

v:\> setp %_pid tmp
TCC: Not in environment "tmp"

v:\> echo %tmp
z:\

v:\> setp %@pid[conhost.exe] tmp
TMP=z:\

v:\> setp %@pid[powerpro.exe] tmp
TMP=z:\

v:\> setp 2576 tmp
TMP=z:\

v:\> setp 2364 tmp
TMP=z:\

v:\> setp 1808 tmp
TMP=C:\Users\vefatica\AppData\LocalLow\Mozilla\Temp-{861861a9-fa0b-4c4d-97e3-8a5ab186af61}

v:\> setp 3528 tmp
TMP=C:\Users\vefatica\AppData\LocalLow\Mozilla\Temp-{861861a9-fa0b-4c4d-97e3-8a5ab186af61}
 
Hey @vefatica, here's what I get:
Code:
_x64: 1
_admin: 1
_elevated: 1

TCC  25.00.26 x64   Windows 10 [Version 10.0.18362.535]
BuildNumber Caption CSDVersion OSArchitecture Version
18362        Microsoft Windows 10 Pro              64-bit          10.0.18362

e:\utils>setp %@pid[explorer.exe] tmp
TMP=C:\Users\JOECAV~1\AppData\Local\Temp

e:\utils>echo %@pid[explorer.exe]
9280

e:\utils>setp 9280 tmp
TCC: Not in environment "tmp"

e:\utils>setp 9280 tmp
TMP=C:\Users\JOECAV~1\AppData\Local\Temp
Joe