Getting an Access Token

This topic is 16 years and 10 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.
Locked

Post by jvierra »

I know this is an unusual request for scripting but I have been asked to retrieve an access token. I don't yet know what kind of a token is needed.

Everything I know tells me that there are only access tokens on code objects. Users and groups have privileges that are converted into access tokens by the system and applied to processes and threads. Every code object in a Windows system is either a process or a thread. In fact a process is really the initial thread but has a tracking structure that contains the default token.

With that in mind I decided to find out if there wasn't some sneaky way to get the process token from script.

Does anyone know if any object in the system can return a process token?

I know that AzRoles in .NET can check access but this is not an installed subsystem before Vista and so has to be deployed. The Active Directory extensions can get the security on AD objects and classes but has nothing for getting a token (why would it?).

The WMI Win32_Process class cannot retrieve the security descriptor before Vista and has no method for returning the access token for the process that I can find.

As I remember from programming we always either used the default token or created a new token with customized settings. This would then be checked to see if the rights asked for were truly available. You could use this method to eventually determine the potential rights available but not the actual contents of the default token.

I also know that I can get the access token for a thread or object of any running process using undocumented APIs or possibly toolhelp.dll but none of this is available to scripting from what I can tell.






Post by donj »

No COM object, no; you have to make native API calls, and a script can't handle the necessary data structures.

Post by jvierra »

Thanks Don, Jeff.

I have a dozen utilities that can get the access token in various ways. I believe the only way to get it is direct API calls or through .NET classes.

I have never seen any COM object before Authorization Manager that could get a token. Even AzMan is limited in what tokens it can get and how they are returned from what I can see.

Still, I ask because someone always sees something I have missed.

Whoami is a nice utility. It gets the "privileges" for an account and how they are assembled (Group membership). It cannot tell you the token for a process or thread. The process or thread token is built as a subset and can be tailored by the process. The access rights mask is variable dependent on where you look at it.

Results of Policy (Policy Wizard) does this too. It just doesn't give such a composite report. Whoami also reports on Netware Bindery info.

The token that we are probably interested in is the default token for the session. This will not, by default, have rights like given out due to the SeDebugPrivilege or SeSecurityPrivilege. These have to be requested by a process or thread. The SDK recommends asking for the right and then relinquishing it as soon as possible. I don't see anything in the API that says get me an access token with all available rights set in it.

Thanks for the answer. It supports what I currently believe.

Who knows, someone else may know of some COM server available to script engines that can do this and we have just missed it.
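
The native-API and .NET route described in the thread, as an added example that is not part of the original posts: a PowerShell function that reads the privileges held in the current process token and shows which are enabled and which are merely present. The `TokenDemo.Native` type and the `Get-TokenPrivilege` function are names assumed for this example.

```powershell
# Added example: P/Invoke declarations for the two advapi32 calls used below.
Add-Type -Namespace TokenDemo -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass,
    IntPtr buffer, int length, out int returnLength);

[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LookupPrivilegeName(string systemName, IntPtr luid,
    System.Text.StringBuilder name, ref int nameLength);
'@

function Get-TokenPrivilege {
    $marshal  = [System.Runtime.InteropServices.Marshal]
    # WindowsIdentity exposes the handle of the current process (or thread) token.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $size = 0
    # First call only reports the buffer size for TOKEN_PRIVILEGES (info class 3).
    [void][TokenDemo.Native]::GetTokenInformation($identity.Token, 3, [IntPtr]::Zero, 0, [ref]$size)
    $buffer = $marshal::AllocHGlobal($size)
    try {
        if (-not [TokenDemo.Native]::GetTokenInformation($identity.Token, 3, $buffer, $size, [ref]$size)) {
            throw 'GetTokenInformation failed'
        }
        $count = $marshal::ReadInt32($buffer)   # TOKEN_PRIVILEGES.PrivilegeCount
        for ($i = 0; $i -lt $count; $i++) {
            # Each LUID_AND_ATTRIBUTES entry is 12 bytes: 8-byte LUID, 4-byte attributes.
            $entry      = [IntPtr]::Add($buffer, 4 + 12 * $i)
            $attributes = $marshal::ReadInt32($entry, 8)
            $length     = 256
            $name       = New-Object System.Text.StringBuilder $length
            # [NullString]::Value passes a real NULL system name (local machine).
            [void][TokenDemo.Native]::LookupPrivilegeName([NullString]::Value, $entry, $name, [ref]$length)
            [pscustomobject]@{
                Privilege        = $name.ToString()
                Enabled          = [bool]($attributes -band 2)   # SE_PRIVILEGE_ENABLED
                EnabledByDefault = [bool]($attributes -band 1)   # SE_PRIVILEGE_ENABLED_BY_DEFAULT
            }
        }
    } finally {
        $marshal::FreeHGlobal($buffer)
        $identity.Dispose()
    }
}

Get-TokenPrivilege | Format-Table -AutoSize
```

A privilege listed with `Enabled` set to false is held in the token but has not been turned on by the process, which is the state the last post describes for privileges that have to be requested.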
