PRB: OpenThreadToken()/OpenProcessToken() Fails with ERROR_ACCESS_DENIED

ID: Q225091

The information in this article applies to:

Microsoft Win32 Application Programming Interface (API), included with:
- Microsoft Windows NT 4.0

SYMPTOMS

Calling the OpenThreadToken()/OpenProcessToken() Win32 API to obtain an access token associated with a thread or a process respectively with the TOKEN_ALL_ACCESS request can fail with the following error message:

ERROR_ACCESS_DENIED

CAUSE

TOKEN_ALL_ACCESS can include TOKEN_ADJUST_SESSIONID in Winnt.h as in the following example:


#define TOKEN_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED  |\ 
                          TOKEN_ASSIGN_PRIMARY      |\ 
                          TOKEN_DUPLICATE           |\ 
                          TOKEN_IMPERSONATE         |\ 
                          TOKEN_QUERY               |\ 
                          TOKEN_QUERY_SOURCE        |\ 
                          TOKEN_ADJUST_PRIVILEGES   |\ 
                          TOKEN_ADJUST_GROUPS       |\ 
                          TOKEN_ADJUST_SESSIONID    |\ 
                          TOKEN_ADJUST_DEFAULT)

TOKEN_ADJUST_SESSIONID is a new access mask that has been added for Windows 2000. In Windows NT 4.0, the access token's discretionary access-control list (DACL) does not have TOKEN_ADJUST_SESSIONID access mask set. If an application is built using the latest Winnt.h in the Platform SDK and run on Windows NT 4.0, then specifying TOKEN_ALL_ACCESS in an OpenThreadToken()/OpenProcessToken() call can fail with a GetLastError() of ERROR_ACCESS_DENIED.

RESOLUTION

An application can work around this behavior by specifying only the required access rights to an access token. For more information on specific access rights for access tokens please refer to the Platform SDK documentation.

Additional query words:

Keywords : kbAPI kbKernBase kbNTOS400 kbSDKPlatform kbSDKWin32 kbSecurity kbfaq kbDSupport kbGrpKernBase
Version : winnt:4.0
Platform : winnt
Issue type : kbprb