Privileges determine the type of system operations that a process can perform. Process Privileges is a set of extension methods, written in C#, for System.Diagnostics.Process. It implements the functionality necessary to query, enable, disable or remove privileges on a process.
This is unofficial fork of original project from CodePlex.
Privileges determine the type of system operations that a process can perform.
Process Privileges is a set of extension methods, written in C#, for System.Diagnostics.Process. It implements the functionality necessary to query, enable, disable or remove privileges on a process.
The following extension methods are offered:
- DisablePrivilege - Disables the specified privilege on a process.
- EnablePrivilege - Enables the specified privilege on a process.
- GetAccessTokenHandle - Gets an access token handle for a process.
- GetPrivilegeAttributes - Gets the attributes for a privilege on a process.
- GetPrivilegeState - Gets the state of a privilege.
- GetPrivileges - Gets the privileges and associated attributes from a process.
- RemovePrivilege - Removes the specified privilege from a process.
In addition, a privilege enabler class is offered that enables privileges on a process in a safe way, ensuring that they are returned to their original state when an operation that requires a privilege completes.
Background
For more information on privileges, see:
Privileges https://docs.microsoft.com/en-gb/windows/desktop/SecAuthZ/privileges
Privilege Constants https://docs.microsoft.com/en-gb/windows/desktop/SecAuthZ/privilege-constants
Guidance
Enabling a privilege allows a process to perform system-level actions that it could not previously.
Before enabling a privilege, many potentially dangerous, thoroughly verify that functions or operations in your code actually require them.
It is not normally appropriate to hold privileges that you enable for the lifetime of a process. Use sparingly; enable when needed, disable when not.
Example 1: Safely Enabling a Privilege
{{ using System; using System.Diagnostics; using ProcessPrivileges;
internal static class PrivilegeEnablerExample { public static void Main() { Process process = Process.GetCurrentProcess();
using (new PrivilegeEnabler(process, Privilege.TakeOwnership))
{
// Privilege is enabled within the using block.
Console.WriteLine(
"{0} => {1}",
Privilege.TakeOwnership,
process.GetPrivilegeState(Privilege.TakeOwnership));
}
// Privilege is disabled outside the using block.
Console.WriteLine(
"{0} => {1}",
Privilege.TakeOwnership,
process.GetPrivilegeState(Privilege.TakeOwnership));
}
} }} {{ TakeOwnership => Enabled TakeOwnership => Disabled }}
Example 2: Using the Extension Methods
{{ using System; using System.Diagnostics; using System.Linq; using ProcessPrivileges;
internal static class ProcessPrivilegesExample { public static void Main() { // Get the current process. Process process = Process.GetCurrentProcess();
// Get the privileges and associated attributes.
PrivilegeAndAttributesCollection privileges = process.GetPrivileges();
int maxPrivilegeLength = privileges.Max(privilege => privilege.Privilege.ToString().Length);
foreach (PrivilegeAndAttributes privilegeAndAttributes in privileges)
{
// The privilege.
Privilege privilege = privilegeAndAttributes.Privilege;
// The privilege state.
PrivilegeState privilegeState = privilegeAndAttributes.PrivilegeState;
// Write out the privilege and its state.
Console.WriteLine(
"{0}{1} => {2}",
privilege,
GetPadding(privilege.ToString().Length, maxPrivilegeLength),
privilegeState);
}
Console.WriteLine();
// Privileges can only be enabled on a process if they are disabled.
if (process.GetPrivilegeState(Privilege.TakeOwnership) == PrivilegeState.Disabled)
{
// Enable the TakeOwnership privilege on it.
AdjustPrivilegeResult result = process.EnablePrivilege(Privilege.TakeOwnership);
// Get the state of the TakeOwnership privilege.
PrivilegeState takeOwnershipState = process.GetPrivilegeState(Privilege.TakeOwnership);
// Write out the TakeOwnership privilege, its state and the result.
Console.WriteLine(
"{0}{1} => {2} ({3})",
Privilege.TakeOwnership,
GetPadding(Privilege.TakeOwnership.ToString().Length, maxPrivilegeLength),
takeOwnershipState,
result);
}
}
private static string GetPadding(int length, int maxLength)
{
int paddingLength = maxLength - length;
char[]() padding = new char[paddingLength](paddingLength);
for (int i = 0; i < paddingLength; i++)
{
padding[i](i) = ' ';
}
return new string(padding);
}
} }} {{ ChangeNotify => Enabled Security => Disabled Backup => Disabled Restore => Disabled SystemTime => Disabled Shutdown => Enabled RemoteShutdown => Disabled TakeOwnership => Disabled Debug => Enabled SystemEnvironment => Disabled SystemProfile => Disabled ProfileSingleProcess => Disabled IncreaseBasePriority => Disabled LoadDriver => Enabled CreatePagefile => Disabled IncreaseQuota => Enabled Undock => Enabled ManageVolume => Disabled Impersonate => Enabled CreateGlobal => Enabled
TakeOwnership => Enabled (PrivilegeModified) }}
Example 3: Reusing an Access Token Handle
{{ using System; using System.Diagnostics; using ProcessPrivileges;
internal static class ReusingAccessTokenHandleExample { public static void Main() { // Access token handle reused within the using block. using (AccessTokenHandle accessTokenHandle = Process.GetCurrentProcess().GetAccessTokenHandle( TokenAccessRights.AdjustPrivileges | TokenAccessRights.Query)) { // Enable privileges using the same access token handle. AdjustPrivilegeResult backupResult = accessTokenHandle.EnablePrivilege(Privilege.Backup); AdjustPrivilegeResult restoreResult = accessTokenHandle.EnablePrivilege(Privilege.Restore);
Console.WriteLine(
"{0} => {1} ({2})",
Privilege.Backup,
accessTokenHandle.GetPrivilegeState(Privilege.Backup),
backupResult);
Console.WriteLine(
"{0} => {1} ({2})",
Privilege.Restore,
accessTokenHandle.GetPrivilegeState(Privilege.Restore),
restoreResult);
}
}
} }} {{ Backup => Enabled (PrivilegeModified) Restore => Enabled (PrivilegeModified) }}
Privileges
|| Privilege || Constant || Enum || Description || Support Baseline || | SeAssignPrimaryTokenPrivilege | {"SE_ASSIGNPRIMARYTOKEN_NAME"} | Privilege.AssignPrimaryToken | Replace a process-level token. | Windows 2000 | | SeAuditPrivilege | {"SE_AUDIT_NAME"} | Privilege.Audit | Generate security audits. | Windows 2000 | | SeBackupPrivilege | {"SE_BACKUP_NAME"} | Privilege.Backup | Back up files and directories. | Windows 2000 | | SeChangeNotifyPrivilege | {"SE_CHANGE_NOTIFY_NAME"} | Privilege.ChangeNotify | Bypass traverse checking. | Windows 2000 | | SeCreateGlobalPrivilege | {"SE_CREATE_GLOBAL_NAME"} | Privilege.CreateGlobal | Create global objects. | Windows 2000 SP4, Windows XP SP2 | | SeCreatePagefilePrivilege | {"SE_CREATE_PAGEFILE_NAME"} | Privilege.CreatePageFile | Create a pagefile. | Windows 2000 | | SeCreatePermanentPrivilege | {"SE_CREATE_PERMANENT_NAME"} | Privilege.CreatePermanent | Create permanent shared objects. | Windows 2000 | | SeCreateSymbolicLinkPrivilege | {"SE_CREATE_SYMBOLIC_LINK_NAME"} | Privilege.CreateSymbolicLink | Create symbolic links. | Windows 2000 | | SeCreateTokenPrivilege | {"SE_CREATE_TOKEN_NAME"} | Privilege.CreateToken | Create a token object. | Windows 2000 | | SeDebugPrivilege | {"SE_DEBUG_NAME"} | Privilege.Debug | Debug programs. | Windows 2000 | | SeEnableDelegationPrivilege | {"SE_ENABLE_DELEGATION_NAME"} | Privilege.EnableDelegation | Enable computer and user accounts to be trusted for delegation. | Windows 2000 | | SeImpersonatePrivilege | {"SE_IMPERSONATE_NAME"} | Privilege.Impersonate | Impersonate a client after authentication. | Windows 2000 SP4, Windows XP SP2 | | SeIncreaseBasePriorityPrivilege | {"SE_INC_BASE_PRIORITY_NAME"} | Privilege.IncreaseBasePriority | Increase scheduling priority. | Windows 2000 | | SeIncreaseQuotaPrivilege | {"SE_INCREASE_QUOTA_NAME"} | Privilege.IncreaseQuota | Adjust memory quotas for a process. | Windows 2000 | | SeIncreaseWorkingSetPrivilege | {"SE_INC_WORKING_SET_NAME"} | Privilege.IncreaseWorkingSet | Increase a process working set. | Windows 2000 | | SeLoadDriverPrivilege | {"SE_LOAD_DRIVER_NAME"} | Privilege.LoadDriver | Load and unload device drivers. | Windows 2000 | | SeLockMemoryPrivilege | {"SE_LOCK_MEMORY_NAME"} | Privilege.LockMemory | Lock pages in memory. | Windows 2000 | | SeMachineAccountPrivilege | {"SE_MACHINE_ACCOUNT_NAME"} | Privilege.MachineAccount | Add workstations to domain. | Windows 2000 | | SeManageVolumePrivilege | {"SE_MANAGE_VOLUME_NAME"} | Privilege.ManageVolume | Manage the files on a volume. | Windows 2000 | | SeProfileSingleProcessPrivilege | {"SE_PROF_SINGLE_PROCESS_NAME"} | Privilege.ProfileSingleProcess | Profile single process. | Windows 2000 | | SeRelabelPrivilege | {"SE_RELABEL_NAME"} | Privilege.Relabel | Modify an object label. | Windows 2000 | | SeRemoteShutdownPrivilege | {"SE_REMOTE_SHUTDOWN_NAME"} | Privilege.RemoteShutdown | Force shutdown from a remote system. | Windows 2000 | | SeRestorePrivilege | {"SE_RESTORE_NAME"} | Privilege.Restore | Restore files and directories. | Windows 2000 | | SeSecurityPrivilege | {"SE_SECURITY_NAME"} | Privilege.Security | Manage auditing and security log. | Windows 2000 | | SeShutdownPrivilege | {"SE_SHUTDOWN_NAME"} | Privilege.Shutdown | Shut down the system. | Windows 2000 | | SeSyncAgentPrivilege | {"SE_SYNC_AGENT_NAME"} | Privilege.SyncAgent | Synchronize directory service data. | Windows 2000 | | SeSystemEnvironmentPrivilege | {"SE_SYSTEM_ENVIRONMENT_NAME"} | Privilege.SystemEnvironment | Modify firmware environment values. | Windows 2000 | | SeSystemProfilePrivilege | {"SE_SYSTEM_PROFILE_NAME"} | Privilege.SystemProfile | Profile system performance. | Windows 2000 | | SeSystemtimePrivilege | {"SE_SYSTEMTIME_NAME"} | Privilege.SystemTime | Change the system time. | Windows 2000 | | SeTakeOwnershipPrivilege | {"SE_TAKE_OWNERSHIP_NAME"} | Privilege.TakeOwnership | Take ownership of files or other objects. | Windows 2000 | | SeTcbPrivilege | {"SE_TCB_NAME"} | Privilege.TrustedComputerBase | Act as part of the operating system. | Windows 2000 | | SeTimeZonePrivilege | {"SE_TIME_ZONE_NAME"} | Privilege.TimeZone | Change the time zone. | Windows 2000 | | SeTrustedCredManAccessPrivilege | {"SE_TRUSTED_CREDMAN_ACCESS_NAME"} | Privilege.TrustedCredentialManagerAccess | Access Credential Manager as a trusted caller. | Windows 2000 | | SeUndockPrivilege | {"SE_UNDOCK_NAME"} | Privilege.Undock | Remove computer from docking station. | Windows 2000 | | SeUnsolicitedInputPrivilege | {"SE_UNSOLICITED_INPUT_NAME"} | Privilege.UnsolicitedInput | Read unsolicited input from a terminal device. | Windows 2000 |
Related: Process Token Privileges, AdjustTokenPrivileges, GetTokenInformation, LookupPrivilegeName, LookupPrivilegeValue, LUID, LUID_AND_ATTRIBUTES, TOKEN_PRIVILEGES