I have a program which adjusts SeDebugPrivilege and then starts to iterate through system processes and calls OpenProcess for them (and does other stuff, but it\'s not important
It can only be done in the kernel. The best way to get the info you need would be to:
PsLookupProcessByProcessId()
KeStackAttachProcess()
ZwQueryInformationProcess() or whatever other functions you need to now call within the context of the attached process.
KeStackDetachProcess()
Or if you are just experimenting and not putting anything into production code, you can traverse the various semi-opaque structures (EPROCESS, PEB, VAD, etc) to get the information you need.
I was recently running into Access is Denied errors (error code 5 in my case), while running the Win32 OpenProcess API and then later while running CreateProcessAsUser. In my case, I was running on Windows 10, but I suspect it's similar, but since I got it working I thought I would share a couple things that helped me.
As I was using C# my Win32 method signature is as follows:
[DllImport("kernel32.dll")]
private static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
One key factor that effected the success of accessing the existing process, which in my case was a winlogon.exe process, was to properly defined the right "desired access" value. In my case, I used a constant "MAXIMUM_ALLOWED" defined as:
private const uint MAXIMUM_ALLOWED = 0x2000000;
This call to the service looks like this:
IntPtr hProcess = OpenProcess(MAXIMUM_ALLOWED, false, targetWinlogonProcessId);
This established the right kind of access. I was also running my process (web service) as the LocalSystem account, which had pretty good privileges. It started off as:
Please note, I was able to run this command using the SYSTEM account, by downloading PsExec.exe and running PsExec.exe -i -s cmd.exe to launch a command prompt so I could query the privileges using that account. You can find a good list of permissions here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment
In my case, I wanted to add SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege, which I added via secpol.msc:
Your particular permissions required may depend on the account you're using, but I hope this helps!
Windows 8.1 introduces the concept of a system protected process. This is documented in the context of third-party anti-malware software, but it seems reasonable to suppose that it is also used to protect particularly critical system processes.
System protected processes are an extension of the Protected Process mechanism (Microsoft Word document) introduced in Windows Vista as a DRM measure.
You cannot obtain any of these access rights for a protected process, even with debug privilege:
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
PROCESS_CREATE_THREAD
PROCESS_DUP_HANDLE
PROCESS_QUERY_INFORMATION
PROCESS_SET_QUOTA
PROCESS_SET_INFORMATION
PROCESS_VM_OPERATION
PROCESS_VM_READ
PROCESS_VM_WRITE
You should still be able to open the process by requesting PROCESS_QUERY_LIMITED_INFORMATION
access. According to the documentation, SYNCHRONIZE
and PROCESS_TERMINATE
access are also permitted.