Obtaining any access right to any process (including system security processes and service processes) [OpenProcessToken, LookupPrivilegeValue, AdjustTokenPrivileges]

Source: Internet
Author: User

GetCurrentProcessId: get the ID of the current process. OpenProcessToken: get a handle to the process's access token. LookupPrivilegeValue: look up the LUID of a named privilege. AdjustTokenPrivileges: adjust the privileges held in the token.

To call OpenProcess on any process (including system security processes and service processes) with a given access right, you only need to enable the SeDebugPrivilege privilege in the current process. A user who is an Administrator, or who has been granted the corresponding privilege, holds it. However, even when we run OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId) against a system security process from an Administrator account, we still get an "access denied" error. Why? Some privileges in a process's access token are present but not enabled by default. So the first thing we need to do is enable them. The related API functions are OpenProcessToken, LookupPrivilegeValue and AdjustTokenPrivileges. To modify a process's access token, first obtain a handle to the token, which OpenProcessToken returns. The prototype of the function is as follows:

BOOL OpenProcessToken(
    HANDLE ProcessHandle,
    DWORD DesiredAccess,
    PHANDLE TokenHandle
);
The first parameter is the handle of the process whose access token we want to modify. The third parameter receives the access token handle. The second parameter specifies the kind of operation you want to perform; to modify the token, we need to specify TOKEN_ADJUST_PRIVILEGES (for the other values, refer to the Platform SDK). Through this function we can get the access token handle of the current process (pass GetCurrentProcess() as the first parameter). Then we can call AdjustTokenPrivileges to modify the access token. The prototype of AdjustTokenPrivileges is as follows:
BOOL AdjustTokenPrivileges(
    HANDLE TokenHandle,               // handle to token
    BOOL DisableAllPrivileges,        // disabling option
    PTOKEN_PRIVILEGES NewState,       // privilege information
    DWORD BufferLength,               // size of buffer
    PTOKEN_PRIVILEGES PreviousState,  // original state buffer
    PDWORD ReturnLength               // required buffer size
);
The first parameter is the access token handle. The second parameter determines whether to modify individual privileges or to disable all privileges. The third parameter specifies the privileges to be modified; it is a pointer to a TOKEN_PRIVILEGES structure, which contains an array. Each item in the array specifies a privilege and the operation to perform on it. The fourth parameter is the size in bytes of the PreviousState buffer; if PreviousState is NULL, this parameter should be 0. The fifth parameter is also a pointer to a TOKEN_PRIVILEGES structure, which receives the state of the privileges before modification; it can be NULL. The last parameter receives the size actually required for the PreviousState structure. Before using this function, let's look at the TOKEN_PRIVILEGES structure. Its declaration is as follows:

typedef struct _TOKEN_PRIVILEGES {
    DWORD PrivilegeCount;
    LUID_AND_ATTRIBUTES Privileges[];
} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES;
PrivilegeCount is the number of elements in the array that follows, which is an array of LUID_AND_ATTRIBUTES. Let's take a look at the LUID_AND_ATTRIBUTES structure. Its declaration is as follows:

typedef struct _LUID_AND_ATTRIBUTES {
    LUID Luid;
    DWORD Attributes;
} LUID_AND_ATTRIBUTES, *PLUID_AND_ATTRIBUTES;

The second member, Attributes, specifies the operation to perform. There are three options: SE_PRIVILEGE_ENABLED, SE_PRIVILEGE_ENABLED_BY_DEFAULT and SE_PRIVILEGE_USED_FOR_ACCESS. To enable a privilege, set Attributes to SE_PRIVILEGE_ENABLED. The first member, Luid, identifies the privilege and is a LUID value. LUID stands for locally unique identifier. You are probably familiar with GUIDs: a GUID must be globally unique, whereas a LUID only has to be locally unique, meaning unique for each run of the system. A LUID is a 64-bit value. Like a GUID, it is opaque, so how do we find out the LUID that corresponds to a given privilege? This requires another API function, LookupPrivilegeValue. Its prototype is as follows:

BOOL LookupPrivilegeValue(
    LPCTSTR lpSystemName,  // system name
    LPCTSTR lpName,        // privilege name
    PLUID lpLuid           // locally unique identifier
);
The first parameter is the name of the system; if it is NULL, the local system is used. The third parameter is a pointer that receives the LUID, and the second parameter is the name of the privilege, for example "SeDebugPrivilege". Macros for the privilege names are also defined in winnt.h, such as:

#define SE_BACKUP_NAME   TEXT("SeBackupPrivilege")
#define SE_RESTORE_NAME  TEXT("SeRestorePrivilege")
#define SE_SHUTDOWN_NAME TEXT("SeShutdownPrivilege")
#define SE_DEBUG_NAME    TEXT("SeDebugPrivilege")

By calling these three functions, we can then use OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId) to obtain a handle to any process with all access rights.
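The three-step sequence described above, as an added example that is not part of the original article: it calls OpenProcessToken, LookupPrivilegeValue and AdjustTokenPrivileges on the current process token from PowerShell through P/Invoke. The class name TokenNative and the function name Enable-TokenPrivilege are my own; the constants (TOKEN_ADJUST_PRIVILEGES = 0x20, SE_PRIVILEGE_ENABLED = 0x2, ERROR_NOT_ALL_ASSIGNED = 1300) are the winnt.h / winerror.h values. The check the text does not mention, and which trips up most callers, is that AdjustTokenPrivileges returns TRUE even when the token does not hold the requested privilege at all; only GetLastError() == ERROR_NOT_ALL_ASSIGNED tells you that nothing was enabled.

```powershell
# Added example (not from the original article): enable one named privilege in the
# current process token using OpenProcessToken / LookupPrivilegeValue /
# AdjustTokenPrivileges. TokenNative and Enable-TokenPrivilege are names chosen here.
$src = @'
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }
    // TOKEN_PRIVILEGES with PrivilegeCount == 1: the one-element
    // LUID_AND_ATTRIBUTES array is flattened into the struct.
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES {
        public uint PrivilegeCount;
        public LUID Luid;
        public uint Attributes;
    }
    public const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;   // winnt.h
    public const uint SE_PRIVILEGE_ENABLED    = 0x0002;   // winnt.h
    public const int  ERROR_NOT_ALL_ASSIGNED  = 1300;     // winerror.h
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint bufLen, IntPtr prevState, IntPtr retLen);
}
'@
Add-Type -TypeDefinition $src

function Enable-TokenPrivilege {
    param([Parameter(Mandatory)][string]$Name)   # e.g. 'SeDebugPrivilege'
    $token = [IntPtr]::Zero
    # Step 1: open our own token with TOKEN_ADJUST_PRIVILEGES (PreviousState is
    # NULL below, so TOKEN_QUERY is not needed).
    if (-not [TokenNative]::OpenProcessToken([TokenNative]::GetCurrentProcess(),
            [TokenNative]::TOKEN_ADJUST_PRIVILEGES, [ref]$token)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        # Step 2: translate the privilege name into its LUID (NULL system = local).
        $luid = New-Object TokenNative+LUID
        if (-not [TokenNative]::LookupPrivilegeValue($null, $Name, [ref]$luid)) {
            throw "LookupPrivilegeValue failed for '$Name' (unknown privilege name?)"
        }
        # Step 3: one-entry TOKEN_PRIVILEGES asking for SE_PRIVILEGE_ENABLED.
        $tp = New-Object TokenNative+TOKEN_PRIVILEGES
        $tp.PrivilegeCount = 1
        $tp.Luid = $luid
        $tp.Attributes = [TokenNative]::SE_PRIVILEGE_ENABLED
        $ok  = [TokenNative]::AdjustTokenPrivileges($token, $false, [ref]$tp, 0,
                   [IntPtr]::Zero, [IntPtr]::Zero)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if (-not $ok) { throw "AdjustTokenPrivileges failed: $err" }
        # The call reports success even if the token never held the privilege;
        # ERROR_NOT_ALL_ASSIGNED is the only signal that nothing was enabled.
        if ($err -eq [TokenNative]::ERROR_NOT_ALL_ASSIGNED) {
            Write-Warning "$Name is not present in this token (run from an elevated Administrator session)."
            return $false
        }
        return $true
    } finally {
        [void][TokenNative]::CloseHandle($token)
    }
}

# Usage: enable SeDebugPrivilege, then confirm its state with whoami.
if (Enable-TokenPrivilege -Name 'SeDebugPrivilege') {
    whoami /priv | Select-String 'SeDebugPrivilege'
}
```

Run from a non-elevated session the function returns $false with the warning, because a filtered (UAC-limited) token does not contain SeDebugPrivilege at all; from an elevated session the whoami line shows it as Enabled. Privileges are enabled per process, so the change does not outlive the PowerShell process.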

Note:

The OpenProcessToken function opens the access token associated with a process; its prototype is given above.

As mentioned in MSDN, on Windows XP Professional, if the computer is joined to a workgroup and the "Force network logons using local accounts to authenticate as Guest" restriction is enabled, this function fails.

In addition, the function may also fail if TOKEN_ALL_ACCESS is requested in the call. This is because TOKEN_ALL_ACCESS may include TOKEN_ADJUST_SESSIONID (defined in winnt.h). TOKEN_ADJUST_SESSIONID is a newer access mask, added in Windows 2000 and Windows XP; on Windows NT 4.0 this value is not part of the access token's access control list. Therefore, if an application built against the winnt.h of the newer Platform SDK specifies TOKEN_ALL_ACCESS when calling OpenProcessToken() or OpenThreadToken(), the call fails on Windows NT 4.0 (GetLastError() returns ERROR_ACCESS_DENIED).

You can request the ACCESS_SYSTEM_SECURITY access right to a process object if you want to read or write the object's SACL. For more information, see "Access Control Lists (ACLs)" and "SACL Access Right".
