Trying to understand process privilege attributes

依然范特西╮ submitted on 2019-12-04 14:02:57

To take your questions in order:

  1. ENABLED_BY_DEFAULT means the privilege is one of those that is enabled when the process starts. If you have ENABLED but not ENABLED_BY_DEFAULT then the process has enabled the privilege explicitly. If you have ENABLED_BY_DEFAULT but not ENABLED then the process has disabled the privilege explicitly.

  2. According to the documentation, SE_PRIVILEGE_USED_FOR_ACCESS is set whenever the privilege is actually used. You might use this for troubleshooting, e.g., to detect that you are setting privileges that you are not actually using, or to determine experimentally which privileges a particular system call needs. (I've never checked whether this actually behaves as documented, though I have no reason to think otherwise.)

  3. If both SE_PRIVILEGE_ENABLED and SE_PRIVILEGE_REMOVED are set, you've found a bug in Windows. :-)

    If neither SE_PRIVILEGE_ENABLED nor SE_PRIVILEGE_REMOVED are set, then the privilege is present in the token, and has not been removed, but is not currently enabled. You can enable it (or remove it) with AdjustTokenPrivileges().

  4. If the attribute is zero, then the privilege is present in the token but is not currently enabled, has not been removed, was not enabled by default, and has never been used by the process.

What some of us may need to be told explicitly is that privileges have THREE possible states, not just two. As I began researching this stuff, I thought that a process would either have, or not have a privilege. But it turns out that even if the process has a privilege, it can be in a disabled state. In other words, disabled != doesn't have it.

The rest follows logically. If a privilege is not present in the process' access token, the process does not have that privilege. And vice versa, if the process does not have a privilege, the privilege will not be present in the token.

If the process has the privilege, the process can enable or disable it at will, right? Why is this useful? All right, I can guess that this allows you to call library functions without fully knowing what they do, and have them fail if they do more than you thought... Odd though.
