Читаем Windows® Internals, Sixth Edition, Part 1 полностью

Unlike account rights, privileges can be enabled and disabled. For a privilege check to succeed, the privilege must be in the specified token and it must be enabled. The idea behind this scheme is that privileges should be enabled only when their use is required so that a process cannot inadvertently perform a privileged security operation.

EXPERIMENT: Seeing a Privilege Get Enabled

By following these steps, you can see that the Date and Time Control Panel applet enables the SeTimeZonePrivilege privilege in response to you using its interface to change the time zone of the computer:

Run Process Explorer, and set the refresh rate to Paused.

Open the Date And Time item by right-clicking on the clock in the system tray region of the taskbar, and then select Adjust Date/Time. A new Rundll32 process will appear with a green highlight when you force a refresh with F5.

Hover the mouse over the Rundll32 process, and verify that the target contains the text “Time Date Control Panel Applet” as well as a path to Timedate.cpl. The presence of this argument tells Rundll32, which is a Control Panel DLL hosting process, to load the DLL that implements the user interface that enables you to change the time and date.

View the Security tab of the process Properties dialog box for your Rundll32 process. You should see that the SeTimeZonePrivilege privilege is disabled.

Now click the Change Time Zone button in the Control Panel item, close the process Properties dialog box, and then open it again. On the Security tab, you should now see that the SeTimeZonePrivilege privilege is enabled.

Table 6-9. Privileges

Privilege

User Right

Privilege Usage

SeAssignPrimaryTokenPrivilege

Replace a process-level token

Checked for by various components, such as NtSetInformationJob, that set a process’ token.

SeAuditPrivilege

Generate security audits

Required to generate events for the Security event log with the ReportEvent API.

SeBackupPrivilege

Back up files and directories

Causes NTFS to grant the following access to any file or directory, regardless of the security descriptor that’s present: READ_CONTROL, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_READ, FILE_TRAVERSE

Note that when opening a file for backup, the caller must specify the FILE_FLAG_BACKUP_SEMANTICS flag.

Also allows corresponding access to registry keys when using RegSaveKey.

SeChangeNotifyPrivilege

Bypass traverse checking

Used by NTFS to avoid checking permissions on intermediate directories of a multilevel directory lookup. Also used by file systems when applications register for notification of changes to the file system structure.

SeCreateGlobalPrivilege

Create global objects

Required for a process to create section and symbolic link objects in the directories of the object manager namespace that are assigned to a different session than the caller.

SeCreatePagefilePrivilege

Create a pagefile

Checked for by NtCreatePagingFile, which is the function used to create a new paging file.

SeCreatePermanentPrivilege

Create permanent shared objects

Checked for by the object manager when creating a permanent object (one that doesn’t get deallocated when there are no more references to it).

SeCreateSymbolicLinkPrivilege

Create symbolic links

Checked for by NTFS when creating symbolic links on the file system with the CreateSymbolicLink API.

SeCreateTokenPrivilege

Create a token object

NtCreateToken, the function that creates a token object, checks for this privilege.

SeDebugPrivilege

Debug programs

If the caller has this privilege enabled, the process manager allows access to any process or thread using NtOpenProcess or NtOpenThread, regardless of the process’ or thread’s security descriptor (except for protected processes).

SeEnableDelegationPrivilege

Enable computer and user accounts to be trusted for delegation

Used by Active Directory services to delegate authenticated credentials.

SeImpersonatePrivilege

Impersonate a client after authentication

The process manager checks for this when a thread wants to use a token for impersonation and the token represents a different user than that of the thread’s process token.

SeIncreaseBasePriorityPrivilege

Increase scheduling priority

Checked for by the process manager and is required to raise the priority of a process.

SeIncreaseQuotaPrivilege

Adjust memory quotas for a process

Enforced when changing a process’ working set thresholds, a process’ paged and nonpaged pool quotas, and a process’ CPU rate quota.

SeIncreaseWorkingSetPrivilege