public static void EnablePrivilege(this Process process, SystemPrivilege privilege)
{
using (var hObj = SafeTokenHandle.FromProcess(process.Handle, AccessTypes.TOKEN_ADJUST_PRIVILEGES | AccessTypes.TOKEN_QUERY))
{
hObj.AdjustPrivilege(privilege, PrivilegeAttributes.SE_PRIVILEGE_ENABLED);
}
}
/// <summary>Gets the privileges for this process.</summary>
/// <param name="process">The process.</param>
/// <returns>
/// An enumeration of <see cref="PrivilegeAndAttributes"/> instances that include the process privileges and their associated attributes (enabled,
/// disabled, removed, etc.).
/// </returns>
public static IEnumerable <PrivilegeAndAttributes> GetPrivileges(this Process process)
{
using (var hObj = SafeTokenHandle.FromProcess(process.Handle, AccessTypes.TOKEN_QUERY | AccessTypes.TOKEN_DUPLICATE))
{
return(hObj.GetPrivileges().Select(la => new PrivilegeAndAttributes(la.Luid.GetPrivilege(process.MachineName), la.Attributes)));
}
}
public static void RemovePrivilege(this Process process, SystemPrivilege privilege)
{
using (var hObj = SafeTokenHandle.FromProcess(process.Handle, TokenAccess.TOKEN_ADJUST_PRIVILEGES | TokenAccess.TOKEN_QUERY))
{
hObj.AdjustPrivilege(privilege, PrivilegeAttributes.SE_PRIVILEGE_REMOVED);
}
}
public void DuplicateTokenTest()
{
var pval = SafeTokenHandle.FromProcess(System.Diagnostics.Process.GetCurrentProcess().Handle);
Assert.That(pval.IsInvalid, Is.False);
Assert.That(DuplicateToken(pval, SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, out SafeTokenHandle dtok));
Assert.That(dtok.IsInvalid, Is.False);
}
/// <summary>Determines whether the specified process is elevated.</summary>
/// <param name="process">The process. If this value is <c>null</c>, then the current process is used.</param>
/// <returns><c>true</c> if the specified process is elevated; otherwise, <c>false</c>.</returns>
public static bool IsElevated(Process process = null)
{
try
{
// Open the access token of the current process with TOKEN_QUERY.
using (var hObject = SafeTokenHandle.FromProcess((process ?? Process.GetCurrentProcess()).Handle, TokenAccess.TOKEN_QUERY | TokenAccess.TOKEN_DUPLICATE))
return(hObject.IsElevated);
}
catch { }
return(false);
}
public static SafeAUTHZ_CLIENT_CONTEXT_HANDLE GetTokenAuthContext(SafeAUTHZ_RESOURCE_MANAGER_HANDLE hRM)
{
using (var hTok = SafeTokenHandle.FromProcess(GetCurrentProcess(), TokenAccess.TOKEN_QUERY))
{
var b = AuthzInitializeContextFromToken(0, hTok, hRM, IntPtr.Zero, new LUID(), IntPtr.Zero, out SafeAUTHZ_CLIENT_CONTEXT_HANDLE hCtx);
if (!b)
{
TestContext.WriteLine($"AuthzAccessCheck:{Win32Error.GetLastError()}");
}
Assert.That(b);
Assert.That(!hCtx.IsInvalid);
return(hCtx);
}
}
/// <summary>
/// The function checks whether the primary access token of the process belongs to user account that is a member of the local Administrators group,
/// even if it currently is not elevated.
/// </summary>
/// <param name="proc">The process to check.</param>
/// <returns>
/// Returns true if the primary access token of the process belongs to user account that is a member of the local Administrators group. Returns false
/// if the token does not.
/// </returns>
public static bool IsRunningAsAdmin(Process proc = null)
{
SafeTokenHandle hObjectToCheck = null;
if (proc == null)
{
proc = Process.GetCurrentProcess();
}
// Open the access token of the current process for query and duplicate.
using (var hObject = SafeTokenHandle.FromProcess(proc.Handle, TokenAccess.TOKEN_QUERY | TokenAccess.TOKEN_DUPLICATE))
{
// Determine whether system is running Windows Vista or later operating systems (major version >= 6) because they support linked tokens, but
// previous versions (major version < 6) do not.
if (Environment.OSVersion.Version.Major >= 6)
{
// Marshal the TOKEN_ELEVATION_TYPE enum from native to .NET.
var elevType = hObject.GetInfo <TOKEN_ELEVATION_TYPE>(TOKEN_INFORMATION_CLASS.TokenElevationType);
// If limited, get the linked elevated token for further check.
if (elevType == TOKEN_ELEVATION_TYPE.TokenElevationTypeLimited)
{
// Marshal the linked token value from native to .NET.
hObjectToCheck = new SafeTokenHandle(hObject.GetInfo <IntPtr>(TOKEN_INFORMATION_CLASS.TokenLinkedToken));
}
}
// CheckTokenMembership requires an impersonation token. If we just got a linked token, it already is an impersonation token. If we did not get a
// linked token, duplicate the original into an impersonation token for CheckTokenMembership.
if (hObjectToCheck == null)
{
if (!DuplicateToken(hObject, SECURITY_IMPERSONATION_LEVEL.SecurityIdentification, out hObjectToCheck))
{
throw new Win32Exception();
}
}
}
if (hObjectToCheck == null || hObjectToCheck.IsInvalid)
{
return(false);
}
// Check if the token to be checked contains admin SID.
var id = new WindowsIdentity(hObjectToCheck.DangerousGetHandle());
return(id.IsAdmin());
}
/// <summary>
/// The function gets the elevation information of the current process. It dictates whether the process is elevated or not. Token elevation is only
/// available on Windows Vista and newer operating systems, thus IsProcessElevated throws a C++ exception if it is called on systems prior to Windows
/// Vista. It is not appropriate to use this function to determine whether a process is run as administrator.
/// </summary>
/// <returns>Returns true if the process is elevated. Returns false if it is not.</returns>
/// <exception cref="System.ComponentModel.Win32Exception">
/// When any native Windows API call fails, the function throws a Win32Exception with the last error code.
/// </exception>
/// <exception cref="System.ArgumentNullException"><paramref name="p"/> must be a valid <see cref="Process"/>.</exception>
/// <remarks>
/// TOKEN_INFORMATION_CLASS provides TokenElevationType to check the elevation type (TokenElevationTypeDefault / TokenElevationTypeLimited /
/// TokenElevationTypeFull) of the process. It is different from TokenElevation in that, when UAC is turned off, elevation type always returns
/// TokenElevationTypeDefault even though the process is elevated (Integrity Level == High). In other words, it is not safe to say if the process is
/// elevated based on elevation type. Instead, we should use TokenElevation.
/// </remarks>
public static bool IsElevated(this Process p)
{
if (p == null)
{
throw new ArgumentNullException(nameof(p));
}
try
{
// Open the access token of the current process with TOKEN_QUERY.
using (var hObject = SafeTokenHandle.FromProcess(p.Handle, TokenAccess.TOKEN_QUERY | TokenAccess.TOKEN_DUPLICATE))
return(hObject.IsElevated);
}
catch { }
return(false);
}
public PrivilegedCodeBlock(Process process, params SystemPrivilege[] systemPrivileges)
{
if (systemPrivileges == null || systemPrivileges.Length == 0)
{
return;
}
RuntimeHelpers.PrepareConstrainedRegions();
hObj = SafeTokenHandle.FromProcess(process.Handle, TokenAccess.TOKEN_ADJUST_PRIVILEGES | TokenAccess.TOKEN_QUERY);
if (systemPrivileges.Length == 1)
{
prev = hObj.AdjustPrivilege(systemPrivileges[0], PrivilegeAttributes.SE_PRIVILEGE_ENABLED);
}
else
{
prev = hObj.AdjustPrivileges(systemPrivileges.Select(p => new PrivilegeAndAttributes(p, PrivilegeAttributes.SE_PRIVILEGE_ENABLED)).ToArray());
}
}
public void PrivilegeCheckTest()
{
using (var t = SafeTokenHandle.FromProcess(GetCurrentProcess(), TokenAccess.TOKEN_QUERY))
{
Assert.That(LookupPrivilegeValue(null, "SeDebugPrivilege", out LUID luid));
Assert.That(PrivilegeCheck(t, new PRIVILEGE_SET(PrivilegeSetControl.PRIVILEGE_SET_ALL_NECESSARY, luid, PrivilegeAttributes.SE_PRIVILEGE_ENABLED), out bool res));
TestContext.WriteLine($"Has {luid}={res}");
Assert.That(LookupPrivilegeValue(null, "SeChangeNotifyPrivilege", out luid));
Assert.That(PrivilegeCheck(t, new PRIVILEGE_SET(PrivilegeSetControl.PRIVILEGE_SET_ALL_NECESSARY, new[] { new LUID_AND_ATTRIBUTES(luid, PrivilegeAttributes.SE_PRIVILEGE_ENABLED_BY_DEFAULT), new LUID_AND_ATTRIBUTES(luid, PrivilegeAttributes.SE_PRIVILEGE_ENABLED) }), out res));
TestContext.WriteLine($"Has {luid}={res}");
Assert.That(LookupPrivilegeValue(null, "SeShutdownPrivilege", out luid));
Assert.That(PrivilegeCheck(t, new PRIVILEGE_SET(PrivilegeSetControl.PRIVILEGE_SET_ALL_NECESSARY, luid, PrivilegeAttributes.SE_PRIVILEGE_ENABLED), out res));
TestContext.WriteLine($"Has {luid}={res}");
}
}
public void GetTokenInformationTest()
{
//var p = SafeTokenHandle.CurrentProcessToken.GetInfo<PTOKEN_PRIVILEGES>(TOKEN_INFORMATION_CLASS.TokenPrivileges).Privileges;
using (var t = SafeTokenHandle.FromProcess(GetCurrentProcess(), TokenAccess.TOKEN_QUERY))
{
Assert.That(t, Is.Not.Null);
var p = t.GetInfo <PTOKEN_PRIVILEGES>(TOKEN_INFORMATION_CLASS.TokenPrivileges);
Assert.That(p, Is.Not.Null);
Assert.That(p.PrivilegeCount, Is.GreaterThan(0));
TestContext.WriteLine("Privs: " + string.Join("; ", p.Privileges.Select(i => i.ToString())));
using (var hMem = PTOKEN_PRIVILEGES.GetAllocatedAndEmptyInstance(50))
{
var b = GetTokenInformation(t, TOKEN_INFORMATION_CLASS.TokenPrivileges, hMem, hMem.Size, out int sz);
Assert.That(b);
var p1 = PTOKEN_PRIVILEGES.FromPtr((IntPtr)hMem);
Assert.That(p1.PrivilegeCount, Is.EqualTo(p.PrivilegeCount));
Assert.That(p.Privileges, Is.EquivalentTo(p1.Privileges));
}
}
using (var t = SafeTokenHandle.FromThread(GetCurrentThread(), TokenAccess.TOKEN_QUERY))
{
var id = t.GetInfo <uint>(TOKEN_INFORMATION_CLASS.TokenSessionId);
Assert.That(id, Is.Not.Zero);
TestContext.WriteLine($"SessId: {id}");
var ve = t.GetInfo <bool>(TOKEN_INFORMATION_CLASS.TokenVirtualizationEnabled);
TestContext.WriteLine($"VirtEnable: {ve}");
var et = t.GetInfo <TOKEN_ELEVATION_TYPE>(TOKEN_INFORMATION_CLASS.TokenElevationType);
Assert.That(et, Is.Not.Zero);
TestContext.WriteLine($"ElevType: {et}");
var e = t.GetInfo <TOKEN_ELEVATION>(TOKEN_INFORMATION_CLASS.TokenElevation);
Assert.That(e, Is.Not.Zero);
TestContext.WriteLine($"Elev: {e.TokenIsElevated}");
}
}
/// <summary>
/// The function gets the integrity level of the current process. Integrity level is only available on Windows Vista and newer operating systems, thus
/// GetProcessIntegrityLevel throws an exception if it is called on systems prior to Windows Vista.
/// </summary>
/// <returns>Returns the integrity level of the current process.</returns>
/// <exception cref="System.ComponentModel.Win32Exception">
/// When any native Windows API call fails, the function throws a Win32Exception with the last error code.
/// </exception>
/// <exception cref="System.ArgumentNullException"><paramref name="p"/> must be a valid <see cref="Process"/>.</exception>
public static ProcessIntegrityLevel GetIntegrityLevel(this Process p)
{
if (p == null)
{
throw new ArgumentNullException(nameof(p));
}
// Open the access token of the current process with TOKEN_QUERY.
var hObject = SafeTokenHandle.FromProcess(p.Handle, AccessTypes.TOKEN_QUERY | AccessTypes.TOKEN_DUPLICATE);
// Marshal the TOKEN_MANDATORY_LABEL struct from native to .NET object.
var tokenIL = hObject.GetConvertedInfo <TOKEN_MANDATORY_LABEL>(TOKEN_INFORMATION_CLASS.TokenIntegrityLevel);
// Integrity Level SIDs are in the form of S-1-16-0xXXXX. (e.g. S-1-16-0x1000 stands for low integrity level SID). There is one and only one subauthority.
var pIL = GetSidSubAuthority(tokenIL.Label.Sid, 0);
var il = Marshal.ReadInt32(pIL);
if (il == 0)
{
return(ProcessIntegrityLevel.Untrusted);
}
if (il == 0x1000)
{
return(ProcessIntegrityLevel.Low);
}
if (il >= 0x2000 && il < 0x3000)
{
return(ProcessIntegrityLevel.Medium);
}
if (il >= 0x4000)
{
return(ProcessIntegrityLevel.System);
}
if (il >= 0x3000)
{
return(ProcessIntegrityLevel.High);
}
return(ProcessIntegrityLevel.Undefined);
}
/// <summary>
/// The function gets the elevation information of the current process. It dictates whether the process is elevated or not. Token elevation is only
/// available on Windows Vista and newer operating systems, thus IsProcessElevated throws a C++ exception if it is called on systems prior to Windows
/// Vista. It is not appropriate to use this function to determine whether a process is run as administrator.
/// </summary>
/// <returns>Returns true if the process is elevated. Returns false if it is not.</returns>
/// <exception cref="System.ComponentModel.Win32Exception">
/// When any native Windows API call fails, the function throws a Win32Exception with the last error code.
/// </exception>
/// <exception cref="System.ArgumentNullException"><paramref name="p"/> must be a valid <see cref="Process"/>.</exception>
/// <remarks>
/// TOKEN_INFORMATION_CLASS provides TokenElevationType to check the elevation type (TokenElevationTypeDefault / TokenElevationTypeLimited /
/// TokenElevationTypeFull) of the process. It is different from TokenElevation in that, when UAC is turned off, elevation type always returns
/// TokenElevationTypeDefault even though the process is elevated (Integrity Level == High). In other words, it is not safe to say if the process is
/// elevated based on elevation type. Instead, we should use TokenElevation.
/// </remarks>
public static bool IsElevated(this Process p)
{
if (p == null)
{
throw new ArgumentNullException(nameof(p));
}
try
{
// Open the access token of the current process with TOKEN_QUERY.
using (var hObject = SafeTokenHandle.FromProcess(p.Handle, AccessTypes.TOKEN_QUERY | AccessTypes.TOKEN_DUPLICATE))
{
// Marshal the TOKEN_ELEVATION struct from native to .NET object.
var elevation = hObject.GetConvertedInfo <TOKEN_ELEVATION>(TOKEN_INFORMATION_CLASS.TokenElevation);
// TOKEN_ELEVATION.TokenIsElevated is a non-zero value if the token has elevated privileges; otherwise, a zero value.
return(elevation.TokenIsElevated);
}
}
catch { }
return(false);
}
/// <summary>Determines whether the specified privileges are had by the process.</summary>
/// <param name="process">The process.</param>
/// <param name="requireAll">if set to <c>true</c> require all privileges to be enabled in order to return <c>true</c>.</param>
/// <param name="privs">The privileges to check.</param>
/// <returns><c>true</c> if the process has the specified privilege; otherwise, <c>false</c>.</returns>
public static bool HasPrivileges(this Process process, bool requireAll, params SystemPrivilege[] privs)
{
using (var hObj = SafeTokenHandle.FromProcess(process.Handle, AccessTypes.TOKEN_QUERY | AccessTypes.TOKEN_DUPLICATE))
return(hObj.HasPrivileges(requireAll, privs));
}