Question

Let me explain my situation first. The issue I describe below comes from an end-user's machine, and all I have to work with is just a copy of the Windows Event Log. I cannot access the machine itself to run any debugging tests.

Now the issue. I have a service application that I create like this:

SC_HANDLE hScService = CreateService(hScManager, 
    L"MyServiceID", 
    L"My Service Name",
    SERVICE_ALL_ACCESS, 
    SERVICE_WIN32_OWN_PROCESS, 
    SERVICE_AUTO_START, 
    SERVICE_ERROR_NORMAL,
    SrvcPath,
    NULL, NULL, NULL, NULL, _T(""));

The service process later has its SE_DEBUG_NAME privilege set using the AdjustTokenPrivileges API.

Later on I have a method that enumerates running processes and then gets the processes' LUIDs, using code such as this:

//'pProcIDs' = list of process IDs obtained from EnumProcesses(), 'nNumProc' = number of entries in it

for(UINT i = 0; i < nNumProc; i++)
{
    DWORD dwProcID = pProcIDs[i];

    //Skip obvious system processes
    if(dwProcID != 0 &&
        dwProcID != 4)
    {
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwProcID);
        if(hProcess)
        {
            HANDLE hTokenHandle;
            if(::OpenProcessToken(hProcess, TOKEN_QUERY, &hTokenHandle))
            {
                TOKEN_STATISTICS ts;
                DWORD dwcbSz = 0;
                if(::GetTokenInformation(hTokenHandle, TokenStatistics, &ts, sizeof(ts), &dwcbSz))
                {
                    //And so on...
                }
                else
                {
                    //Handle error here
                }

                ::CloseHandle(hTokenHandle);
            }
            else
            {
                //***Here's where I get my error in question***
            }

            ::CloseHandle(hProcess);
        }
        else
        {
            //Handle error here
        }
    }
}

When I run the code above on my own development computers, it runs just fine. Note that those computers run "stock" copies of the OS without any AVP or other third-party software installed.

The event log copy I received from a customer running a Windows 7 Professional machine (that is a member of an Active Directory domain) has 3 processes that return ERROR_ACCESS_DENIED when I call OpenProcessToken on them from the code above. Their PIDs are just regular values, such as 1824, 2760, 5024 (that obviously change after a reboot.)

Does anyone have any idea why it happens? Do I need to set additional privileges for my service?

PS. From the event log I can tell that the workstation in question has some Symantec Antivirus product installed, judging by this line:

New virus definition file loaded. Version: 140217066.


Solution

Symantec antivirus software (as well as that of many other security software vendors) may attempt to prevent tampering with their processes by unauthorized actors. Acquiring the process token for one of their processes just might qualify.

That said, you can quickly verify that the PIDs in question are in fact part of the Symantec package by examining the path to the executable images that back the processes. If they are part of the Symantec AV software package, you'll need to look into configuring it to trust your application, or disable it while you run this code (not recommended), or simply ignore errors of this type.
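The check the answer suggests, written out as a PowerShell script that the customer can run and send back (this is an added example, not code from the question or the answer). It deliberately does not open the processes at all: the service control manager (Win32_Service) and the WMI process list (Win32_Process) already know which image backs each PID, so a tamper-protected process still shows up with its path, vendor name (from the file's version resource) and the service(s) hosted in it. The PIDs in the parameter default are the constructed values quoted in the question and are only valid until that machine reboots.

```powershell
# Added diagnostic script (not part of the original question or answer).
# Reports the executable image, vendor and hosted services for each PID that
# failed with ERROR_ACCESS_DENIED, without calling OpenProcess on them.
# Assumption: $Pids are copied from the customer's event log; they change on reboot.
param(
    [int[]]$Pids = @(1824, 2760, 5024)
)

# A service's PathName is a command line ("C:\path\x.exe" /svc or x.exe -k group);
# strip it down to the image path.
function Get-ImagePathFromCommandLine([string]$cmd) {
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+[-/]')[0]
}

# Map PID -> hosted service objects once, from the SCM's own records.
$servicesByPid = @{}
foreach ($svc in Get-WmiObject -Class Win32_Service | Where-Object { $_.ProcessId -ne 0 }) {
    $key = [int]$svc.ProcessId
    if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
    $servicesByPid[$key] += $svc
}

foreach ($id in $Pids) {
    $proc = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $id"
    if (-not $proc) {
        Write-Output ("PID {0}: not running (PIDs change after a reboot; take them from a fresh event log)" -f $id)
        continue
    }

    $services = $servicesByPid[$id]
    $path = $proc.ExecutablePath
    if (-not $path -and $services) {
        # WMI could not read the image path; fall back to the service's configured binary.
        $path = Get-ImagePathFromCommandLine (($services | Select-Object -First 1).PathName)
    }
    if (-not $path) { $path = '(unreadable)' }

    # Vendor name comes from the file on disk, not from the running process.
    $company = '(unknown)'
    if (Test-Path -LiteralPath $path) {
        $info = (Get-Item -LiteralPath $path).VersionInfo
        if ($info.CompanyName) { $company = $info.CompanyName } else { $company = '(no version info)' }
    }

    if ($services) {
        $svcNames = ($services | ForEach-Object { $_.Name }) -join ', '
    } else {
        $svcNames = '(not a service)'
    }

    Write-Output ("PID {0}: {1} | image={2} | company={3} | services={4}" -f `
        $id, $proc.Name, $path, $company, $svcNames)
}
```

Run it from an elevated PowerShell prompt on the affected workstation with the PIDs from the current event log, e.g. `.\Check-DeniedPids.ps1 -Pids 1824,2760,5024`. A `company=` value naming the antivirus vendor for all three PIDs confirms the tamper-protection explanation, and the listed service names are what you would reference when configuring the product to trust your service or when deciding to log and skip this error class.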

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow