Читаем Windows® Internals, Sixth Edition, Part 1 полностью

Increase a process working set

Required to call SetProcessWorkingSetSize to increase the minimum working set. This indirectly allows the process to lock up to the minimum working set of memory using VirtualLock.

SeLoadDriverPrivilege

Load and unload device drivers

Checked for by the NtLoadDriver and NtUnloadDriver driver functions.

SeLockMemoryPrivilege

Lock pages in memory

Checked for by NtLockVirtualMemory, the kernel implementation of VirtualLock.

SeMachineAccountPrivilege

Add workstations to the domain

Checked for by the Security Accounts Manager on a domain controller when creating a machine account in a domain.

SeManageVolumePrivilege

Perform volume maintenance tasks

Enforced by file system drivers during a volume open operation, which is required to perform disk checking and defragmenting activities.

SeProfileSingleProcessPrivilege

Profile single process

Checked by Superfetch and the prefetcher when requesting information for an individual process through the NtQuerySystemInformation API.

SeRelabelPrivilege

Modify an object label

Checked for by the SRM when raising the integrity level of an object owned by another user, or when attempting to raise the integrity level of an object higher than that of the caller’s token.

SeRemoteShutdownPrivilege

Force shutdown from a remote system

Winlogon checks that remote callers of the InitiateSystemShutdown function have this privilege.

SeRestorePrivilege

Restore files and directories

This privilege causes NTFS to grant the following access to any file or directory, regardless of the security descriptor that’s present:

WRITE_DAC

WRITE_OWNER

ACCESS_SYSTEM_SECURITY

FILE_GENERIC_WRITE

FILE_ADD_FILE

FILE_ADD_SUBDIRECTORY

DELETE

Note that when opening a file for restore, the caller must specify the FILE_FLAG_BACKUP_SEMANTICS flag.

Allows corresponding access to registry keys when using RegSaveKey.

SeSecurityPrivilege

Manage auditing and security log

Required to access the SACL of a security descriptor, and to read and clear the security event log.

SeShutdownPrivilege

Shut down the system

This privilege is checked for by NtShutdownSystem and NtRaiseHardError, which presents a system error dialog box on the interactive console.

SeSyncAgentPrivilege

Synchronize directory service data

Required to use the LDAP directory synchronization services. It allows the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties.

SeSystemEnvironmentPrivilege

Modify firmware environment variables

Required by NtSetSystemEnvironmentValue and NtQuerySystemEnvironmentValue to modify and read firmware environment variables using the hardware abstraction layer (HAL).

SeSystemProfilePrivilege

Profile system performance

Checked for by NtCreateProfile, the function used to perform profiling of the system. This is used by the Kernprof tool, for example.

SeSystemtimePrivilege

Change the system time

Required to change the time or date.

SeTakeOwnershipPrivilege

Take ownership of files and other objects

Required to take ownership of an object without being granted discretionary access.

SeTcbPrivilege

Act as part of the operating system

Checked for by the security reference monitor when the session ID is set in a token, by the Plug and Play manager for Plug and Play event creation and management, by BroadcastSystemMessageEx when called with BSM_ALLDESKTOPS, by LsaRegisterLogonProcess, and when specifying an application as a VDM with NtSetInformationProcess.

SeTimeZonePrivilege

Change the time zone

Required to change the time zone.

SeTrustedCredManAccessPrivilege

Access credential manager as a trusted caller

Checked by the credential manager to verify that it should trust the caller with credential information that can be queried in plain text. It is granted only to Winlogon by default.

SeUndockPrivilege

Remove computer from a docking station

Checked for by the user-mode Plug and Play manager when either a computer undock is initiated or a device eject request is made.

SeUnsolicitedInputPrivilege

Receive unsolicited data from a terminal device

This privilege isn’t currently used by Windows.

EXPERIMENT: The Bypass Traverse Checking Privilege