Windows Service in C++: AdjustTokenPrivileges, Accessing UFEI in service
up vote
-1
down vote
favorite
I implemented a console application which can access the UFEI by using the API AdjustTokenPrivilages
and GetFirmwareEnvironmentVariable
. This app works from a command line opened as administrator.
EDIT: adding portion of the code which is working for console app. Same APIs are used in service too.
//function to update privilages
int privilageUpdate ()
{
TOKEN_PRIVILEGES tp;
HANDLE hToken;
LUID luid;
DWORD err;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES,
&hToken)) {
err = GetLastError();
return (-1 * err);
}
if (!LookupPrivilegeValue(NULL, SE_SYSTEM_ENVIRONMENT_NAME, &luid)) {
err = GetLastError();
return (-1*err);
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE/*TRUE*/, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
if (GetLastError() != ERROR_SUCCESS) {
err = GetLastError();
return (-1*err);
}
return ERROR_SUCCESS;
}
INT readUFEI () {
//Reading
INT32 data;
INT success = GetFirmwareEnvironmentVariable(L"VAR"
, L"{xxyyzzaa-xxyy-xxyy-aabb-bbccddeeffgg}"
, &data
, sizeof(data));
if (0 == success) {
err = GetLastError();
return (-1 * err)
}
return data;
}
I am working on a C++ service (since, I've to make use of the C++ API & .dlls and other Windows APIs which are available as C++ APIs) which needs to access the UFEI. The service runs but the API AdjustTokenPrivilages
is failing with 1300 ERROR_NOT_ALL_ASSIGNED
, GetFirmwareEnvironmentVariable
is failing with error code 1314 ERROR_PRIVILEGE_NOT_HELD
(A required privilege is not held by the client).
I am currently logged in with username xyz
and I have admin access rights.
As I understand the services are run differently from the users.
I've tried the following but did not work
- running with command line with
sc start servicename
in administrator mode - running the
services
app as admin and then right clicking to start service.
So my question is
- Is AdjustTokenPrivilages has any effect on services ? If not, how to achieve this ?
- Is this something which can be solved by changing the
Log On
tab ?
Please note that the service is not used by any apps.
I am new to the Windows development and any help would be appriciated.
windows visual-c++ service
|
show 2 more comments
up vote
-1
down vote
favorite
I implemented a console application which can access the UFEI by using the API AdjustTokenPrivilages
and GetFirmwareEnvironmentVariable
. This app works from a command line opened as administrator.
EDIT: adding portion of the code which is working for console app. Same APIs are used in service too.
//function to update privilages
int privilageUpdate ()
{
TOKEN_PRIVILEGES tp;
HANDLE hToken;
LUID luid;
DWORD err;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES,
&hToken)) {
err = GetLastError();
return (-1 * err);
}
if (!LookupPrivilegeValue(NULL, SE_SYSTEM_ENVIRONMENT_NAME, &luid)) {
err = GetLastError();
return (-1*err);
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE/*TRUE*/, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
if (GetLastError() != ERROR_SUCCESS) {
err = GetLastError();
return (-1*err);
}
return ERROR_SUCCESS;
}
INT readUFEI () {
//Reading
INT32 data;
INT success = GetFirmwareEnvironmentVariable(L"VAR"
, L"{xxyyzzaa-xxyy-xxyy-aabb-bbccddeeffgg}"
, &data
, sizeof(data));
if (0 == success) {
err = GetLastError();
return (-1 * err)
}
return data;
}
I am working on a C++ service (since, I've to make use of the C++ API & .dlls and other Windows APIs which are available as C++ APIs) which needs to access the UFEI. The service runs but the API AdjustTokenPrivilages
is failing with 1300 ERROR_NOT_ALL_ASSIGNED
, GetFirmwareEnvironmentVariable
is failing with error code 1314 ERROR_PRIVILEGE_NOT_HELD
(A required privilege is not held by the client).
I am currently logged in with username xyz
and I have admin access rights.
As I understand the services are run differently from the users.
I've tried the following but did not work
- running with command line with
sc start servicename
in administrator mode - running the
services
app as admin and then right clicking to start service.
So my question is
- Is AdjustTokenPrivilages has any effect on services ? If not, how to achieve this ?
- Is this something which can be solved by changing the
Log On
tab ?
Please note that the service is not used by any apps.
I am new to the Windows development and any help would be appriciated.
windows visual-c++ service
IsAdjustTokenPrivilages
has effect on any token. service here unrelated.
– RbMm
Nov 10 at 15:37
@RbMm If you're saying that it is not related to service, why that it works in console app but not when moved to service ?
– neeru
Nov 11 at 3:05
of course AdjustTokenPrivilages is absolute unrelated to service. and you not show any code, what is "working" or not
– RbMm
Nov 11 at 5:55
@RbMm Thanks for the feedback. I updated the code.
– neeru
Nov 11 at 11:34
you forget closehToken
. except this code is correct. (only why you negative returned error code ? return it as is). ifAdjustTokenPrivilages
returnERROR_NOT_ALL_ASSIGNED
this mean that your process token have notSE_SYSTEM_ENVIRONMENT_PRIVILEGE
. for be sure - enumerate and dump current privileges from your process token (or use some utils for this). under which account your service run ? if under LocalSystem you must haveSeSystemEnvironmentPrivilege
– RbMm
Nov 11 at 12:06
|
show 2 more comments
up vote
-1
down vote
favorite
up vote
-1
down vote
favorite
I implemented a console application which can access the UFEI by using the API AdjustTokenPrivilages
and GetFirmwareEnvironmentVariable
. This app works from a command line opened as administrator.
EDIT: adding portion of the code which is working for console app. Same APIs are used in service too.
//function to update privilages
int privilageUpdate ()
{
TOKEN_PRIVILEGES tp;
HANDLE hToken;
LUID luid;
DWORD err;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES,
&hToken)) {
err = GetLastError();
return (-1 * err);
}
if (!LookupPrivilegeValue(NULL, SE_SYSTEM_ENVIRONMENT_NAME, &luid)) {
err = GetLastError();
return (-1*err);
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE/*TRUE*/, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
if (GetLastError() != ERROR_SUCCESS) {
err = GetLastError();
return (-1*err);
}
return ERROR_SUCCESS;
}
INT readUFEI () {
//Reading
INT32 data;
INT success = GetFirmwareEnvironmentVariable(L"VAR"
, L"{xxyyzzaa-xxyy-xxyy-aabb-bbccddeeffgg}"
, &data
, sizeof(data));
if (0 == success) {
err = GetLastError();
return (-1 * err)
}
return data;
}
I am working on a C++ service (since, I've to make use of the C++ API & .dlls and other Windows APIs which are available as C++ APIs) which needs to access the UFEI. The service runs but the API AdjustTokenPrivilages
is failing with 1300 ERROR_NOT_ALL_ASSIGNED
, GetFirmwareEnvironmentVariable
is failing with error code 1314 ERROR_PRIVILEGE_NOT_HELD
(A required privilege is not held by the client).
I am currently logged in with username xyz
and I have admin access rights.
As I understand the services are run differently from the users.
I've tried the following but did not work
- running with command line with
sc start servicename
in administrator mode - running the
services
app as admin and then right clicking to start service.
So my question is
- Is AdjustTokenPrivilages has any effect on services ? If not, how to achieve this ?
- Is this something which can be solved by changing the
Log On
tab ?
Please note that the service is not used by any apps.
I am new to the Windows development and any help would be appriciated.
windows visual-c++ service
I implemented a console application which can access the UFEI by using the API AdjustTokenPrivilages
and GetFirmwareEnvironmentVariable
. This app works from a command line opened as administrator.
EDIT: adding portion of the code which is working for console app. Same APIs are used in service too.
//function to update privilages
int privilageUpdate ()
{
TOKEN_PRIVILEGES tp;
HANDLE hToken;
LUID luid;
DWORD err;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES,
&hToken)) {
err = GetLastError();
return (-1 * err);
}
if (!LookupPrivilegeValue(NULL, SE_SYSTEM_ENVIRONMENT_NAME, &luid)) {
err = GetLastError();
return (-1*err);
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE/*TRUE*/, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
if (GetLastError() != ERROR_SUCCESS) {
err = GetLastError();
return (-1*err);
}
return ERROR_SUCCESS;
}
INT readUFEI () {
//Reading
INT32 data;
INT success = GetFirmwareEnvironmentVariable(L"VAR"
, L"{xxyyzzaa-xxyy-xxyy-aabb-bbccddeeffgg}"
, &data
, sizeof(data));
if (0 == success) {
err = GetLastError();
return (-1 * err)
}
return data;
}
I am working on a C++ service (since, I've to make use of the C++ API & .dlls and other Windows APIs which are available as C++ APIs) which needs to access the UFEI. The service runs but the API AdjustTokenPrivilages
is failing with 1300 ERROR_NOT_ALL_ASSIGNED
, GetFirmwareEnvironmentVariable
is failing with error code 1314 ERROR_PRIVILEGE_NOT_HELD
(A required privilege is not held by the client).
I am currently logged in with username xyz
and I have admin access rights.
As I understand the services are run differently from the users.
I've tried the following but did not work
- running with command line with
sc start servicename
in administrator mode - running the
services
app as admin and then right clicking to start service.
So my question is
- Is AdjustTokenPrivilages has any effect on services ? If not, how to achieve this ?
- Is this something which can be solved by changing the
Log On
tab ?
Please note that the service is not used by any apps.
I am new to the Windows development and any help would be appriciated.
windows visual-c++ service
windows visual-c++ service
edited Nov 11 at 11:26
asked Nov 10 at 12:50
neeru
127210
127210
IsAdjustTokenPrivilages
has effect on any token. service here unrelated.
– RbMm
Nov 10 at 15:37
@RbMm If you're saying that it is not related to service, why that it works in console app but not when moved to service ?
– neeru
Nov 11 at 3:05
of course AdjustTokenPrivilages is absolute unrelated to service. and you not show any code, what is "working" or not
– RbMm
Nov 11 at 5:55
@RbMm Thanks for the feedback. I updated the code.
– neeru
Nov 11 at 11:34
you forget closehToken
. except this code is correct. (only why you negative returned error code ? return it as is). ifAdjustTokenPrivilages
returnERROR_NOT_ALL_ASSIGNED
this mean that your process token have notSE_SYSTEM_ENVIRONMENT_PRIVILEGE
. for be sure - enumerate and dump current privileges from your process token (or use some utils for this). under which account your service run ? if under LocalSystem you must haveSeSystemEnvironmentPrivilege
– RbMm
Nov 11 at 12:06
|
show 2 more comments
IsAdjustTokenPrivilages
has effect on any token. service here unrelated.
– RbMm
Nov 10 at 15:37
@RbMm If you're saying that it is not related to service, why that it works in console app but not when moved to service ?
– neeru
Nov 11 at 3:05
of course AdjustTokenPrivilages is absolute unrelated to service. and you not show any code, what is "working" or not
– RbMm
Nov 11 at 5:55
@RbMm Thanks for the feedback. I updated the code.
– neeru
Nov 11 at 11:34
you forget closehToken
. except this code is correct. (only why you negative returned error code ? return it as is). ifAdjustTokenPrivilages
returnERROR_NOT_ALL_ASSIGNED
this mean that your process token have notSE_SYSTEM_ENVIRONMENT_PRIVILEGE
. for be sure - enumerate and dump current privileges from your process token (or use some utils for this). under which account your service run ? if under LocalSystem you must haveSeSystemEnvironmentPrivilege
– RbMm
Nov 11 at 12:06
Is
AdjustTokenPrivilages
has effect on any token. service here unrelated.– RbMm
Nov 10 at 15:37
Is
AdjustTokenPrivilages
has effect on any token. service here unrelated.– RbMm
Nov 10 at 15:37
@RbMm If you're saying that it is not related to service, why that it works in console app but not when moved to service ?
– neeru
Nov 11 at 3:05
@RbMm If you're saying that it is not related to service, why that it works in console app but not when moved to service ?
– neeru
Nov 11 at 3:05
of course AdjustTokenPrivilages is absolute unrelated to service. and you not show any code, what is "working" or not
– RbMm
Nov 11 at 5:55
of course AdjustTokenPrivilages is absolute unrelated to service. and you not show any code, what is "working" or not
– RbMm
Nov 11 at 5:55
@RbMm Thanks for the feedback. I updated the code.
– neeru
Nov 11 at 11:34
@RbMm Thanks for the feedback. I updated the code.
– neeru
Nov 11 at 11:34
you forget close
hToken
. except this code is correct. (only why you negative returned error code ? return it as is). if AdjustTokenPrivilages
return ERROR_NOT_ALL_ASSIGNED
this mean that your process token have not SE_SYSTEM_ENVIRONMENT_PRIVILEGE
. for be sure - enumerate and dump current privileges from your process token (or use some utils for this). under which account your service run ? if under LocalSystem you must have SeSystemEnvironmentPrivilege
– RbMm
Nov 11 at 12:06
you forget close
hToken
. except this code is correct. (only why you negative returned error code ? return it as is). if AdjustTokenPrivilages
return ERROR_NOT_ALL_ASSIGNED
this mean that your process token have not SE_SYSTEM_ENVIRONMENT_PRIVILEGE
. for be sure - enumerate and dump current privileges from your process token (or use some utils for this). under which account your service run ? if under LocalSystem you must have SeSystemEnvironmentPrivilege
– RbMm
Nov 11 at 12:06
|
show 2 more comments
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53239121%2fwindows-service-in-c-adjusttokenprivileges-accessing-ufei-in-service%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Is
AdjustTokenPrivilages
has effect on any token. service here unrelated.– RbMm
Nov 10 at 15:37
@RbMm If you're saying that it is not related to service, why that it works in console app but not when moved to service ?
– neeru
Nov 11 at 3:05
of course AdjustTokenPrivilages is absolute unrelated to service. and you not show any code, what is "working" or not
– RbMm
Nov 11 at 5:55
@RbMm Thanks for the feedback. I updated the code.
– neeru
Nov 11 at 11:34
you forget close
hToken
. except this code is correct. (only why you negative returned error code ? return it as is). ifAdjustTokenPrivilages
returnERROR_NOT_ALL_ASSIGNED
this mean that your process token have notSE_SYSTEM_ENVIRONMENT_PRIVILEGE
. for be sure - enumerate and dump current privileges from your process token (or use some utils for this). under which account your service run ? if under LocalSystem you must haveSeSystemEnvironmentPrivilege
– RbMm
Nov 11 at 12:06