471,319 Members | 3,066 Online
Bytes | Software Development & Data Engineering Community
Post +

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 471,319 software developers and data experts.

GetTokenInformation

Hi,

I need to check the SE_TCB_NAME previlige for the current user using
GetTokenInformation api call.i used the api call and get the
privilege,but i am unable to go thru each previlege to check whether
SE_TCB_NAME is enabled or not.my code is below[C#}

using System;
using System.Drawing;
using System.Collections;
using System.ComponentModel;
using System.Windows.Forms;
using System.Data;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

namespace gettoken
{
/// <summary>
/// Summary description for Form1.
/// </summary>
public class Form1 : System.Windows.Forms.Form
{
private System.Windows.Forms.Button button1;
/// <summary>
/// Required designer variable.
/// </summary>
private System.ComponentModel.Container components = null;
enum TOKEN_INFORMATION_CLASS
{
TokenUser = 1,
TokenGroups,
TokenPrivileges,
TokenOwner,
TokenPrimaryGroup,
TokenDefaultDacl,
TokenSource,
TokenType,
TokenImpersonationLevel,
TokenStatistics,
TokenRestrictedSids,
TokenSessionId,
TokenGroupsAndPrivileges,
TokenSessionReference,
TokenSandBoxInert,
TokenAuditPolicy,
TokenOrigin
}
[StructLayout(LayoutKind.Sequential)]
public struct LUID
{
public int LowPart;
public int HighPart;
}

[StructLayout(LayoutKind.Sequential)]
public struct TOKEN_PRIVILEGES
{
public LUID Luid;
public int Attributes;
public int PrivilegeCount;
}
struct LUID_AND_ATTRIBUTES
{
public LUID Luid;
public int Attributes;
}
[DllImport("kernel32.dll")]
static extern IntPtr LocalFree(IntPtr hMem);

[DllImport("advapi32.dll", SetLastError=true)]
static extern bool GetTokenInformation(
IntPtr TokenHandle,
TOKEN_INFORMATION_CLASS TokenInformationClass,
IntPtr TokenInformation,
int TokenInformationLength,
out int ReturnLength);
public Form1()
{
//
// Required for Windows Form Designer support
//
InitializeComponent();

//
// TODO: Add any constructor code after InitializeComponent call
//
}

/// <summary>
/// Clean up any resources being used.
/// </summary>
protected override void Dispose( bool disposing )
{
if( disposing )
{
if (components != null)
{
components.Dispose();
}
}
base.Dispose( disposing );
}

#region Windows Form Designer generated code
/// <summary>
/// Required method for Designer support - do not modify
/// the contents of this method with the code editor.
/// </summary>
private void InitializeComponent()
{
this.button1 = new System.Windows.Forms.Button();
this.SuspendLayout();
//
// button1
//
this.button1.Location = new System.Drawing.Point(48, 136);
this.button1.Name = "button1";
this.button1.Size = new System.Drawing.Size(200, 48);
this.button1.TabIndex = 0;
this.button1.Text = "button1";
this.button1.Click += new System.EventHandler(this.button1_Click);
//
// Form1
//
this.AutoScaleBaseSize = new System.Drawing.Size(5, 13);
this.ClientSize = new System.Drawing.Size(292, 273);
this.Controls.Add(this.button1);
this.Name = "Form1";
this.Text = "Form1";
this.ResumeLayout(false);

}
#endregion

/// <summary>
/// The main entry point for the application.
/// </summary>
[STAThread]
static void Main()
{
Application.Run(new Form1());
}

private void button1_Click(object sender, System.EventArgs e)
{
int TokenInfLength = 0 ;
bool Result ;

// first call gets lenght of TokenInformation
Result = GetTokenInformation( WindowsIdentity.GetCurrent().Token ,
TOKEN_INFORMATION_CLASS.TokenPrivileges , IntPtr.Zero , TokenInfLength
, out TokenInfLength );

IntPtr TokenInformation = Marshal.AllocHGlobal( TokenInfLength ) ;

Result = GetTokenInformation( WindowsIdentity.GetCurrent().Token ,
TOKEN_INFORMATION_CLASS.TokenPrivileges , TokenInformation ,
TokenInfLength , out TokenInfLength ) ;

if( Result )
{

TOKEN_PRIVILEGES
TokenPrivilege=(TOKEN_PRIVILEGES)Marshal.PtrToStru cture(
TokenInformation , typeof( TOKEN_PRIVILEGES ));
LUID_AND_ATTRIBUTES
luid=(LUID_AND_ATTRIBUTES)Marshal.PtrToStructure(T okenInformation ,
typeof( LUID_AND_ATTRIBUTES ));
IntPtr pstr = IntPtr.Zero;

MessageBox.Show(TokenPrivilege.PrivilegeCount.ToSt ring());

LocalFree(pstr);
}
}
}
}

Please help me to solve the problem of checking SE_TCB_NAME Privilege

Regards,
Mani

Jan 4 '06 #1
5 8368


<pl**********@gmail.com> wrote in message
news:11**********************@g49g2000cwa.googlegr oups.com...
Hi,

I need to check the SE_TCB_NAME previlige for the current user using
GetTokenInformation api call.i used the api call and get the
privilege,but i am unable to go thru each previlege to check whether
SE_TCB_NAME is enabled or not.my code is below[C#}

Please help me to solve the problem of checking SE_TCB_NAME Privilege

Regards,
Mani

I realy don't know why you need this, after all only "localsystem" should
have this TCB privilege. You don't grant this privilege to all of your users
don't you?

Anyway, you need to call LookupPrivilegeValue, followed by PrivilegeCheck.
Here is a sample...
[StructLayout(LayoutKind.Sequential)]

public struct _PRIVILEGE_SET
{
public uint PrivilegeCount;
public uint Control;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
public LUID_AND_ATTRIBUTES[] Privilege_1;
}

[StructLayout(LayoutKind.Sequential)]
public struct LUID_AND_ATTRIBUTES
{
public LUID Luid;
public uint Attributes;
}

[StructLayout(LayoutKind.Sequential)]
public struct LUID
{
public uint LowPart;
public uint HighPart;
}

class Tester
{

[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool PrivilegeCheck( IntPtr ClientToken, IntPtr
RequiredPrivileges, ref int pfResult);

[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Auto)]
public extern static bool LookupPrivilegeValue(string lpSystemName, string
lpName, IntPtr pLuid);

static void Main()
{
int result = 0;
IntPtr hToken;
string privilege = "SeTcbPrivilege";
_PRIVILEGE_SET ps = new _PRIVILEGE_SET();

ps.PrivilegeCount = 1;
ps.Privilege_1 = new LUID_AND_ATTRIBUTES[1];
int privSize = Marshal.SizeOf(ps.Privilege_1[0]);
IntPtr ptr = IntPtr.Zero;
ptr = Marshal.AllocHGlobal(privSize * (int)ps.PrivilegeCount);

Marshal.StructureToPtr(ps.Privilege_1[0], ptr, false);
if (!LookupPrivilegeValue(null, privilege, ptr))
Console.WriteLine("<LookupPrivilegeValue> Win32 Error {0}",
Marshal.GetLastWin32Error());
ps.Privilege_1[0] =
(LUID_AND_ATTRIBUTES)Marshal.PtrToStructure(ptr,ty peof(LUID_AND_ATTRIBUTES));

Marshal.FreeHGlobal(ptr); // Free alocated mem

IntPtr ptrPs = IntPtr.Zero;
ptrPs = Marshal.AllocHGlobal(64); // 64 byte buffer
Marshal.WriteInt32(ptrPs,(int)ps.PrivilegeCount);
Marshal.WriteInt32((IntPtr)((int)ptrPs + 4),(int)ps.Control); // Hard
coded offset!!!
Marshal.StructureToPtr(ps.Privilege_1[0],(IntPtr)((int) ptrPs + 8),
false);
WindowsIdentity.Impersonate(WindowsIdentity.GetCur rent().Token);
hToken = WindowsIdentity.GetCurrent().Token;
Console.WriteLine("Token used: " + hToken);
if(!PrivilegeCheck(hToken, ptrPs, ref result))
Console.WriteLine("<PrivilegeCheck> Win32 Error {0}",
Marshal.GetLastWin32Error());
Marshal.FreeHGlobal( ptrPs ); // Free allocated mem
Console.WriteLine("Privilege's set '{0}'", Convert.ToBoolean(result));
}
}

Willy.
Jan 4 '06 #2
Hi,
Thanks for your example code to check SE_TCB_NAME previlige.when i run
the example code in windows XP[service pack 2],windows2000
professional[service pack 4].it is always giving false for SE_TCB_NAME
previlige.but in windows xp SE_TCB_NAME previlige is set to true
default.i am running this example as administrator user account.
i need to check username,password supplied by user matches with windows
username,password,for this i used logonuser api .Logonuser api won't
works in windows 2000 due to SE_TCB_NAME previlige,so for windows 2000
i used NetUserChangePassword.Now i need to check whether SE_TCB_NAME
previlige is enabled,if enabled means use logonuser api ,otherwise use
NetUserChangePassword.
Whether my approach is right or wrong.Please help me out to solve
problems.
Regards,
Mani

Willy Denoyette [MVP] wrote:
<pl**********@gmail.com> wrote in message
news:11**********************@g49g2000cwa.googlegr oups.com...
Hi,

I need to check the SE_TCB_NAME previlige for the current user using
GetTokenInformation api call.i used the api call and get the
privilege,but i am unable to go thru each previlege to check whether
SE_TCB_NAME is enabled or not.my code is below[C#}

Please help me to solve the problem of checking SE_TCB_NAME Privilege

Regards,
Mani

I realy don't know why you need this, after all only "localsystem" should
have this TCB privilege. You don't grant this privilege to all of your users
don't you?

Anyway, you need to call LookupPrivilegeValue, followed by PrivilegeCheck.
Here is a sample...
[StructLayout(LayoutKind.Sequential)]

public struct _PRIVILEGE_SET
{
public uint PrivilegeCount;
public uint Control;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
public LUID_AND_ATTRIBUTES[] Privilege_1;
}

[StructLayout(LayoutKind.Sequential)]
public struct LUID_AND_ATTRIBUTES
{
public LUID Luid;
public uint Attributes;
}

[StructLayout(LayoutKind.Sequential)]
public struct LUID
{
public uint LowPart;
public uint HighPart;
}

class Tester
{

[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool PrivilegeCheck( IntPtr ClientToken, IntPtr
RequiredPrivileges, ref int pfResult);

[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Auto)]
public extern static bool LookupPrivilegeValue(string lpSystemName, string
lpName, IntPtr pLuid);

static void Main()
{
int result = 0;
IntPtr hToken;
string privilege = "SeTcbPrivilege";
_PRIVILEGE_SET ps = new _PRIVILEGE_SET();

ps.PrivilegeCount = 1;
ps.Privilege_1 = new LUID_AND_ATTRIBUTES[1];
int privSize = Marshal.SizeOf(ps.Privilege_1[0]);
IntPtr ptr = IntPtr.Zero;
ptr = Marshal.AllocHGlobal(privSize * (int)ps.PrivilegeCount);

Marshal.StructureToPtr(ps.Privilege_1[0], ptr, false);
if (!LookupPrivilegeValue(null, privilege, ptr))
Console.WriteLine("<LookupPrivilegeValue> Win32 Error {0}",
Marshal.GetLastWin32Error());
ps.Privilege_1[0] =
(LUID_AND_ATTRIBUTES)Marshal.PtrToStructure(ptr,ty peof(LUID_AND_ATTRIBUTES));

Marshal.FreeHGlobal(ptr); // Free alocated mem

IntPtr ptrPs = IntPtr.Zero;
ptrPs = Marshal.AllocHGlobal(64); // 64 byte buffer
Marshal.WriteInt32(ptrPs,(int)ps.PrivilegeCount);
Marshal.WriteInt32((IntPtr)((int)ptrPs + 4),(int)ps.Control); // Hard
coded offset!!!
Marshal.StructureToPtr(ps.Privilege_1[0],(IntPtr)((int) ptrPs + 8),
false);
WindowsIdentity.Impersonate(WindowsIdentity.GetCur rent().Token);
hToken = WindowsIdentity.GetCurrent().Token;
Console.WriteLine("Token used: " + hToken);
if(!PrivilegeCheck(hToken, ptrPs, ref result))
Console.WriteLine("<PrivilegeCheck> Win32 Error {0}",
Marshal.GetLastWin32Error());
Marshal.FreeHGlobal( ptrPs ); // Free allocated mem
Console.WriteLine("Privilege's set '{0}'", Convert.ToBoolean(result));
}
}

Willy.


Jan 5 '06 #3
On XP and higher, you don't need TCB privileges to call LogonUser, only W2K
has this requirement, so only thing you need to do is check the OS version
and act accordingly.

[pseudo code]
If(OSVersion == W2K)
call NetUserChangePassword
else
call LogonUser
End If

Note that by default, only localsystem (SYSTEM) has TCB privileges (all OS).
That means that 'administrator' is included in the list of tcb privileged
users when it returns 'true' on XP.

Willy.

<pl**********@gmail.com> wrote in message
news:11**********************@f14g2000cwb.googlegr oups.com...
Hi,
Thanks for your example code to check SE_TCB_NAME previlige.when i run
the example code in windows XP[service pack 2],windows2000
professional[service pack 4].it is always giving false for SE_TCB_NAME
previlige.but in windows xp SE_TCB_NAME previlige is set to true
default.i am running this example as administrator user account.
i need to check username,password supplied by user matches with windows
username,password,for this i used logonuser api .Logonuser api won't
works in windows 2000 due to SE_TCB_NAME previlige,so for windows 2000
i used NetUserChangePassword.Now i need to check whether SE_TCB_NAME
previlige is enabled,if enabled means use logonuser api ,otherwise use
NetUserChangePassword.
Whether my approach is right or wrong.Please help me out to solve
problems.
Regards,
Mani

Willy Denoyette [MVP] wrote:
<pl**********@gmail.com> wrote in message
news:11**********************@g49g2000cwa.googlegr oups.com...
> Hi,
>
> I need to check the SE_TCB_NAME previlige for the current user using
> GetTokenInformation api call.i used the api call and get the
> privilege,but i am unable to go thru each previlege to check whether
> SE_TCB_NAME is enabled or not.my code is below[C#}
>
> Please help me to solve the problem of checking SE_TCB_NAME Privilege
>
> Regards,
> Mani
>

I realy don't know why you need this, after all only "localsystem" should
have this TCB privilege. You don't grant this privilege to all of your
users
don't you?

Anyway, you need to call LookupPrivilegeValue, followed by
PrivilegeCheck.
Here is a sample...
[StructLayout(LayoutKind.Sequential)]

public struct _PRIVILEGE_SET
{
public uint PrivilegeCount;
public uint Control;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
public LUID_AND_ATTRIBUTES[] Privilege_1;
}

[StructLayout(LayoutKind.Sequential)]
public struct LUID_AND_ATTRIBUTES
{
public LUID Luid;
public uint Attributes;
}

[StructLayout(LayoutKind.Sequential)]
public struct LUID
{
public uint LowPart;
public uint HighPart;
}

class Tester
{

[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool PrivilegeCheck( IntPtr ClientToken, IntPtr
RequiredPrivileges, ref int pfResult);

[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Auto)]
public extern static bool LookupPrivilegeValue(string lpSystemName,
string
lpName, IntPtr pLuid);

static void Main()
{
int result = 0;
IntPtr hToken;
string privilege = "SeTcbPrivilege";
_PRIVILEGE_SET ps = new _PRIVILEGE_SET();

ps.PrivilegeCount = 1;
ps.Privilege_1 = new LUID_AND_ATTRIBUTES[1];
int privSize = Marshal.SizeOf(ps.Privilege_1[0]);
IntPtr ptr = IntPtr.Zero;
ptr = Marshal.AllocHGlobal(privSize * (int)ps.PrivilegeCount);

Marshal.StructureToPtr(ps.Privilege_1[0], ptr, false);
if (!LookupPrivilegeValue(null, privilege, ptr))
Console.WriteLine("<LookupPrivilegeValue> Win32 Error {0}",
Marshal.GetLastWin32Error());
ps.Privilege_1[0] =
(LUID_AND_ATTRIBUTES)Marshal.PtrToStructure(ptr,ty peof(LUID_AND_ATTRIBUTES));

Marshal.FreeHGlobal(ptr); // Free alocated mem

IntPtr ptrPs = IntPtr.Zero;
ptrPs = Marshal.AllocHGlobal(64); // 64 byte buffer
Marshal.WriteInt32(ptrPs,(int)ps.PrivilegeCount);
Marshal.WriteInt32((IntPtr)((int)ptrPs + 4),(int)ps.Control); // Hard
coded offset!!!
Marshal.StructureToPtr(ps.Privilege_1[0],(IntPtr)((int) ptrPs + 8),
false);
WindowsIdentity.Impersonate(WindowsIdentity.GetCur rent().Token);
hToken = WindowsIdentity.GetCurrent().Token;
Console.WriteLine("Token used: " + hToken);
if(!PrivilegeCheck(hToken, ptrPs, ref result))
Console.WriteLine("<PrivilegeCheck> Win32 Error {0}",
Marshal.GetLastWin32Error());
Marshal.FreeHGlobal( ptrPs ); // Free allocated mem
Console.WriteLine("Privilege's set '{0}'", Convert.ToBoolean(result));
}
}

Willy.

Jan 5 '06 #4
Hi,
Thanks for your reply. i have already done the coding by finding the os
version as you mentioned like
f(OSVersion == W2K)
call NetUserChangePassword
else
call LogonUser
End If

I think if the SE_TCB_NAME privilege is enabled in windows 2000,then
why we have to use NetUserChangePassword ,for this reason only i
checked SE_TCB_NAME privilege.Is it correct or not.is SE_TCB_NAME
privilege is enabled default to windows2000 or not?.why it is always
returning true when i check SE_TCB_NAME privilege for windows
2000[service pack 4] under administrative account

Regards,
Mani

Jan 5 '06 #5

<pl**********@gmail.com> wrote in message
news:11**********************@g49g2000cwa.googlegr oups.com...
Hi,
Thanks for your reply. i have already done the coding by finding the os
version as you mentioned like
f(OSVersion == W2K)
call NetUserChangePassword
else
call LogonUser
End If

I think if the SE_TCB_NAME privilege is enabled in windows 2000,then
why we have to use NetUserChangePassword ,for this reason only i
checked SE_TCB_NAME privilege.Is it correct or not.is SE_TCB_NAME
privilege is enabled default to windows2000 or not?.why it is always
returning true when i check SE_TCB_NAME privilege for windows
2000[service pack 4] under administrative account

Regards,
Mani


It's possible that 'Administrators' are also members of the TCB, but that's
not the issue. Point is that on W2K a caller needs to be a TCB member to be
able to call LogonUser, on other OS's most users can call LogonUser by
default.
So if you run on W2K you call NetUserChangePassword, or supplementary you
check for TCK privileges, like so:

If(OSVersion == W2K)
If TCB enabled
call LogonUser
Else
call NetUserChangePassword
End If
else
call LogonUser
End If
Willy.
Jan 5 '06 #6

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

2 posts views Thread by Peter Schmiedeskamp | last post: by
5 posts views Thread by Prisy | last post: by
reply views Thread by jlofgren111 | last post: by
3 posts views Thread by =?Utf-8?B?Um9iS2lubmV5MQ==?= | last post: by
33 posts views Thread by JamesB | last post: by
reply views Thread by rosydwin | last post: by

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.