Foxpert Software Development & Consulting

2006-10Oct-27

Checking for privileges

Windows maintains two different kinds of security-related information: permissions and privileges.

Permissions apply to particular objects. They control whether a user can read, write, delete, etc. a particular file, manage a certain printer, or access a specific registry key. Permissions never apply to some abstract group of objects, but always to a very specific object. To manage permissions, Windows uses ACLs.

Privileges, on the other hand, are enforced system wide. They define whether a user or group has the right to perform a certain kind of operation, independent of the object. For example, a user might have the right to install any driver, debug any program, or shut down the entire system. You can't limit a user to only install a particular driver, debug a specific program, etc.

A user's security context (called a token in Microsoft security speak) carries a certain set of privileges. However, this doesn't mean that a privilege is enabled. A privilege that is assigned to a user can be enabled, disabled or removed. Disabled privileges can be enabled again. Privileges that have been removed or never have been assigned cannot be added to the list of privileges for that token. If your application depends on a particular privilege, such as installing a printer (SeLoadDriverPrivilege), you have to check if the privilege is available and enabled.

There are only a limited number of privileges defined in Windows. You cannot add your own:

SeCreateTokenPrivilege
SeAssignPrimaryTokenPrivilege
SeLockMemoryPrivilege
SeIncreaseQuotaPrivilege
SeUnsolicitedInputPrivilege
SeMachineAccountPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeRemoteShutdownPrivilege
SeUndockPrivilege
SeSyncAgentPrivilege
SeEnableDelegationPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege

To check whether a user has a particular privilege, I wrote a little utility called HasPrivilege.prg.
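The same three-way check (enabled, assigned but disabled, or not in the token at all) as an added PowerShell example; it is not HasPrivilege.prg and not code from the original post, and the function names Get-TokenPrivilege and Test-Privilege are my own. It P/Invokes the Win32 token API (OpenProcessToken, GetTokenInformation with TokenPrivileges, LookupPrivilegeName) on the current process token.

```powershell
# Added example, not the post's HasPrivilege.prg: read the privileges of the current process token via Win32.
$src = @"
using System; using System.Runtime.InteropServices; using System.Text;
public static class TokenPriv {
  [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
  [StructLayout(LayoutKind.Sequential)] public struct LUID_AND_ATTRIBUTES { public LUID Luid; public uint Attributes; }
  public const uint SE_PRIVILEGE_ENABLED = 0x2, TOKEN_QUERY = 0x8; public const int TokenPrivileges = 3;
  [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
  [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
  [DllImport("advapi32.dll", SetLastError=true)] public static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr tok);
  [DllImport("advapi32.dll", SetLastError=true)] public static extern bool GetTokenInformation(IntPtr tok, int cls, IntPtr info, uint len, out uint ret);
  [DllImport("advapi32.dll", CharSet=CharSet.Unicode)] public static extern bool LookupPrivilegeName(string sys, ref LUID luid, StringBuilder name, ref uint len);
}
"@
Add-Type -TypeDefinition $src

function Get-TokenPrivilege {
    # One object per privilege present in the process token, whether it is currently enabled or not.
    $M = [Runtime.InteropServices.Marshal]
    $tok = [IntPtr]::Zero
    if (-not [TokenPriv]::OpenProcessToken([TokenPriv]::GetCurrentProcess(), [TokenPriv]::TOKEN_QUERY, [ref]$tok)) {
        throw "OpenProcessToken failed, error $($M::GetLastWin32Error())"
    }
    try {
        $len = [uint32]0   # first call fails with ERROR_INSUFFICIENT_BUFFER and reports the size needed
        [void][TokenPriv]::GetTokenInformation($tok, [TokenPriv]::TokenPrivileges, [IntPtr]::Zero, 0, [ref]$len)
        $buf = $M::AllocHGlobal([int]$len)
        try {
            if (-not [TokenPriv]::GetTokenInformation($tok, [TokenPriv]::TokenPrivileges, $buf, $len, [ref]$len)) { throw "GetTokenInformation failed" }
            $entryType = [type][TokenPriv+LUID_AND_ATTRIBUTES]
            $count = $M::ReadInt32($buf)   # TOKEN_PRIVILEGES.PrivilegeCount, followed by the LUID_AND_ATTRIBUTES array
            for ($i = 0; $i -lt $count; $i++) {
                $entry = $M::PtrToStructure([IntPtr]::Add($buf, 4 + $i * $M::SizeOf($entryType)), $entryType)
                $luid = $entry.Luid; $name = New-Object System.Text.StringBuilder 64; $nlen = [uint32]64
                [void][TokenPriv]::LookupPrivilegeName($null, [ref]$luid, $name, [ref]$nlen)
                [pscustomobject]@{ Name = $name.ToString(); Enabled = ($entry.Attributes -band [TokenPriv]::SE_PRIVILEGE_ENABLED) -ne 0 }
            }
        } finally { $M::FreeHGlobal($buf) }
    } finally { [void][TokenPriv]::CloseHandle($tok) }
}

function Test-Privilege([string]$Name) {
    # Three outcomes, as described in the post: enabled, assigned but disabled, or not in the token at all.
    $p = Get-TokenPrivilege | Where-Object { $_.Name -eq $Name }
    if (-not $p)    { return 'NotAssigned' }   # never granted, or removed from this token: cannot be enabled
    if ($p.Enabled) { return 'Enabled' }
    return 'Disabled'                           # assigned; must be enabled with AdjustTokenPrivileges before use
}
Test-Privilege 'SeLoadDriverPrivilege'   # the privilege named in the post
```

A privilege that is disabled still counts as granted: only the 'NotAssigned' case means the application cannot obtain it, which is the distinction the post draws between disabled and removed privileges.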
