AdjustTokenPrivileges error ERROR_NOT_ALL_ASSIGNED

StackOverflow https://stackoverflow.com/questions/18022053

Question

please advise for the error indicated in the code below, why this happens? I'm new to C++.

I had a look on StackO, and MSDN also (link for example) but they've not helpful to me as I can't figure out what I'm doing wrong.

HANDLE hToken;

if (!OpenProcessToken(GetCurrentProcess(), 
    TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) 
{
    return FALSE;
}

{
SetPrivilege(hToken,L"SeBackupPrivilege",1 );

BOOL SetPrivilege(
HANDLE hToken,          // access token handle
LPCTSTR lpszPrivilege,  // name of privilege to enable/disable
BOOL bEnablePrivilege   // to enable or disable privilege
) 
{
TOKEN_PRIVILEGES tp;
DWORD cb=sizeof(TOKEN_PRIVILEGES);
LUID luid;

if ( !LookupPrivilegeValue( 
        NULL,            // lookup privilege on local system
        lpszPrivilege,   // privilege to lookup 
        &luid ) )        // receives LUID of privilege
{
    printf("LookupPrivilegeValue error: %u\n", GetLastError() ); 
    return FALSE; 
}

tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
    tp.Privileges[0].Attributes = 0;

// Enable the privilege or disable all privileges.

   if ( !AdjustTokenPrivileges(
       hToken, 
       FALSE, 
       &tp, 
       cb, 
       NULL, 
       NULL) )
{ 
      printf("AdjustTokenPrivileges error: %u\n", GetLastError() ); 
      return FALSE; 
} 

if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) // This is True. Why??

{
      printf("The token does not have the specified privilege. \n");
      return FALSE;

    /*
    The token does not have one or more of the privileges specified in the NewState parameter. 
    The function may succeed with this error value even if no privileges were adjusted. 
    The PreviousState parameter indicates the privileges that were adjusted.
    */
} 

return TRUE;
}
Was it helpful?

Solution

You can't grant yourself privileges that you don't already have. Some other process (with higher privileges) has to grant them to you.

OTHER TIPS

A comment elsewhere on this page is not quite correct; you do not strictly need to be Elevated to acquire priviliges, as long as the prevailing User Account has the correct/corresponding User Rights Assignment abilities.

Specifically, an app can still use the default asInvoker manifest and indeed launch and then go on to make programmatic changes to "sensitive" settings, all without ever triggering the dreaded UAC prompt. But again, only for the designated user(s).

Run SecPol.msc and go to:

Security Settings \ Local Policies \ User Rights Assignment \ ...

enter image description here

Depending on exactly which Win32 APIs you subsequently attempt, the relevant privileges you need for "SeBackupPrivilege" are probably amongst the following:

Restore files and directories
Back up files and directories
Bypass traverse checking

Double-click on the text description of the User Rights Assignment policy you feel you should have, and click on Add User or Group... to add yourself (we'll have to assume that already you know how to find or select user(s) and group(s) in the byzantine security user interface)

                  ●       ●       ●

Related to "SeBackupPrivilege" is the "SeManageVolumePrivilege" privilege, which I happened to find more useful for my particular goals. This latter seems to require the "Perform volume maintenance tasks" ability to be added in the SecPol.msc utility shown here.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top