1

In my program, I would like to create a shared memory that could be accessed from any sessions (with global\ prefix). Also, it should work in standard user token.

So far, the AdjustTokenPrivileges() API is failing with Error 1300(Not all privileges or groups referenced are assigned to the caller).

So I just wonder about the possibility of having SeCreateGlobalPrivilege in standard user token.

Could you please help?

Improve this question
4
  • Did you check the group policies? There is one that defines who might create global objects.
    – Werner Henze
    Commented Mar 2, 2017 at 9:03
  • Yes. My user account has admin privilege and it is added against SeCreateGlobalPrivilege in policy. The highlight is that I am running app in default UAC without elevation. FYI.
    – TuneFanta
    Commented Mar 2, 2017 at 9:38
  • minimal reproducible example please and I'll consider testing it on my machine.
    – Werner Henze
    Commented Mar 2, 2017 at 13:20
  • 1
    As far as I know, there is no way to make UAC leave any of the administrator privileges in the restricted token. You only get the five privileges that are normally granted to all users. You haven't provided us with much context, but in most cases the proper solution for this class of problem is to move the parts of the application that require admin privilege into a system service.
    – Harry Johnston
    Commented Mar 2, 2017 at 23:09

1 Answer 1

Reset to default
5

At Microsoft Windows Security blog, it is mentioned that, the following privileges are only assigned to the elevated token.

  • SeIncreaseQuotaPrivilege
  • SeSecurityPrivilege
  • SeTakeOwnershipPrivilege
  • SeLoadDriverPrivilege
  • SeSystemProfilePrivilege
  • SeSystemtimePrivilege
  • SeProfileSingleProcessPrivilege
  • SeIncreaseBasePriorityPrivilege
  • SeCreatePagefilePrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeDebugPrivilege
  • SeSystemEnvironmentPrivilege
  • SeRemoteShutdownPrivilege
  • SeManageVolumePrivilege
  • SeImpersonatePrivilege
  • SeCreateGlobalPrivilege
  • SeIncreaseWorkingSetPrivilege
  • SeCreateSymbolicLinkPrivilege

So in standard token, there is no scope for using AdjustTokenPrivileges on any of the above privileges.

Improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.