Trying to create a global file mapping object from a user-mode process fails

Question

I have a Windows app that runs without requiring elevation. I need to create a file mapping object for a memory array to be shared between all running instances of the app (note that some of those instances may run in different logon sessions.)

I call the CreateFileMapping API to create it, with a global name, i.e. Global\sharedname, using a security descriptor that gives all access to everyone but that API fails with error code 5, or ERROR_ACCESS_DENIED.

I then started reading the docs and found that my process is required the SeCreateGlobalPrivilege privilege. But then when I try to assign that privilege the AdjustTokenPrivileges returns error code ERROR_NOT_ALL_ASSIGNED, and I'm stuck....

So what's the trick here, how does that freakin' MS want us to do it???

PS. I can previously create a global named mutex (for synchronized access to the shared memory) with the same all access for everyone security descriptor and Global\sharedmutex name without a problem.

Answer 1

Only administrators, and services running in session 0, can gain the SeCreateGlobalPrivilege privilege needed to create file mappings in the Global namespace. Assuming you do not want to re-write your code into a service, you will have to spawn a separate elevated process to create the file mapping.