IGroupPolicyObject::New will fail if the thread is at impersonation, identification or delegation level

Posted on November 18, 2008. Filed under: Debugging, Woes

I had the chance to debug into the CGroupPolicyObject::New method in GPEdit.dll because the call was failing.

My finding is that if a thread’s Security Impersonation Level is anything other than Anonymous, the call will fail.

SecurityAnonymous,
SecurityIdentification,
SecurityImpersonation,
SecurityDelegation

The reason is that the code in this method is as follows (this is my reconstruction, guessed from the disassembly):

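HANDLE hToken = NULL;

// Save the current thread token; only TOKEN_DUPLICATE access is requested.
OpenThreadToken(GetCurrentThread(), TOKEN_DUPLICATE, TRUE, &hToken);

CGroupPolicyObject::EnableSecurityPriv();

// Put the saved token back on the current thread (0 = current thread).
SetThreadToken(0, hToken);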

You see, they are opening the token without the TOKEN_IMPERSONATE flag, and SetThreadToken fails if this flag was not requested for the access token handle. The reason it works at the anonymous level is that OpenThreadToken fails and hToken is NULL, so the resulting call is SetThreadToken(0, NULL), which succeeds. See SetThreadToken() in MSDN.

Tool used: WinDbg
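The behaviour described above, as an added example that is not code from this post or from GPEdit.dll: a portable C model of the handle access check, run over all four impersonation levels, first with the access mask from the reconstruction and then with TOKEN_IMPERSONATE added. The model_* functions, save_and_restore and failing_levels are hypothetical names; they imitate only what the post reports and call no Windows API.

```c
#include <stddef.h>

/* Access-right values as defined in winnt.h. */
#define TOKEN_DUPLICATE   0x0002u
#define TOKEN_IMPERSONATE 0x0004u

typedef enum { SecurityAnonymous, SecurityIdentification,
               SecurityImpersonation, SecurityDelegation } Level;

/* A handle remembers the access mask that was granted when it was opened. */
typedef struct { unsigned granted; } TokenHandle;

/* Model of OpenThreadToken as the post describes it: the call fails at
   anonymous level and the caller's handle stays NULL (assumption: modelled
   behaviour, not the real API). */
static TokenHandle *model_open_thread_token(Level lvl, unsigned desired,
                                            TokenHandle *slot)
{
    if (lvl == SecurityAnonymous)
        return NULL;
    slot->granted = desired;
    return slot;
}

/* Model of SetThreadToken: a NULL token always succeeds; any other handle
   must have been opened with TOKEN_IMPERSONATE access. */
static int model_set_thread_token(const TokenHandle *h)
{
    if (h == NULL)
        return 1;
    return (h->granted & TOKEN_IMPERSONATE) != 0;
}

/* Save the thread token with `desired` access, then restore it.
   Returns 1 when the restore succeeds, 0 when it fails. */
int save_and_restore(Level lvl, unsigned desired)
{
    TokenHandle slot = {0};
    TokenHandle *h = model_open_thread_token(lvl, desired, &slot);
    /* ... EnableSecurityPriv() would run here in the reconstructed code ... */
    return model_set_thread_token(h);
}

/* Number of impersonation levels at which the restore fails. */
int failing_levels(unsigned desired)
{
    int n = 0;
    for (int lvl = SecurityAnonymous; lvl <= SecurityDelegation; lvl++)
        n += !save_and_restore((Level)lvl, desired);
    return n;
}
```

In this model, failing_levels(TOKEN_DUPLICATE) reports the three failing levels from the finding above, and failing_levels(TOKEN_DUPLICATE | TOKEN_IMPERSONATE) reports none.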
