I've got some code that works fine on all Windows OSes except 64-bit Windows Server 2008. This code determines whether UAC is turned on.

```csharp
int TokenInfLength = 0;
bool Result;
// First call is made with a zero-length buffer only to learn the required size of TokenInformation
Result = GetTokenInformation(WindowsIdentity.GetCurrent().Token, TOKEN_INFORMATION_CLASS.TokenElevationType, IntPtr.Zero, TokenInfLength, out TokenInfLength);
IntPtr TokenInformation = Marshal.AllocHGlobal(TokenInfLength);

// Second call fills the buffer with the TOKEN_ELEVATION_TYPE value
Result = GetTokenInformation(WindowsIdentity.GetCurrent().Token, TOKEN_INFORMATION_CLASS.TokenElevationType, TokenInformation, TokenInfLength, out TokenInfLength);

if (Result)
{
    TOKEN_ELEVATION_TYPE elevationType = (TOKEN_ELEVATION_TYPE)Marshal.ReadInt32(TokenInformation);

    switch (elevationType)
    {
        case TOKEN_ELEVATION_TYPE.TokenElevationTypeDefault:
            Console.WriteLine("UAC (User Account Control) is turned off in your operating system. Please turn on UAC and restart your computer.");
            break;
        case TOKEN_ELEVATION_TYPE.TokenElevationTypeFull:
            Console.WriteLine("User has a split token, and the process is running elevated");
            break;
        case TOKEN_ELEVATION_TYPE.TokenElevationTypeLimited:
            Console.WriteLine("User has a split token, but the process is not running elevated");
            break;
    }
}
// Release the buffer whether or not the second call succeeded
Marshal.FreeHGlobal(TokenInformation);

// ...

enum TOKEN_ELEVATION_TYPE : int
{
    TokenElevationTypeDefault = 1,
    TokenElevationTypeFull,
    TokenElevationTypeLimited
}
enum TOKEN_INFORMATION_CLASS
{
    TokenUser = 1,
    TokenGroups,
    TokenPrivileges,
    TokenOwner,
    TokenPrimaryGroup,
    TokenDefaultDacl,
    TokenSource,
    TokenType,
    TokenImpersonationLevel,
    TokenStatistics,
    TokenRestrictedSids,
    TokenSessionId,
    TokenGroupsAndPrivileges,
    TokenSessionReference,
    TokenSandBoxInert,
    TokenAuditPolicy,
    TokenOrigin,
    TokenElevationType,
    TokenLinkedToken,
    TokenElevation,
    TokenHasRestrictions,
    TokenAccessInformation,
    TokenVirtualizationAllowed,
    TokenVirtualizationEnabled,
    TokenIntegrityLevel,
    TokenUIAccess,
    TokenMandatoryPolicy,
    TokenLogonSid,
    MaxTokenInfoClass
}
```

`TOKEN_INFORMATION_CLASS.TokenElevationType` is an enum constant whose ordinal value is 18.

So, with UAC enabled on 64-bit WS 2008, I get the message "UAC (User Account Control) is turned off in your operating system. Please turn on UAC and restart your computer". Does anyone know what's the matter?

Marc
franza
  • Your question is not clear. `TokenElevationTypeDefault` is equal to **1** not **17**. Based on the message you are getting, the value of `elevationType` is **1** not **17**, despite what you feel. – Security Hound Nov 13 '12 at 14:30
  • I'm speaking about `TOKEN_INFORMATION_CLASS.TokenElevationType` in the calling of `GetTokenInformation` function. – franza Nov 13 '12 at 14:32
  • I know what you're talking about, but your code is clearly firing a code path where the value of `elevationType` must equal 1. – Security Hound Nov 13 '12 at 14:45
  • Yes, I got `elevationType` is 1, so I'm having a message "UAC (User Account Control) is turned off in your operating system. Please turn on UAC and restart your computer". – franza Nov 13 '12 at 15:02
  • It should be pointed out TokenElevationType is equal to `18` not `17`. Your question is still not clear. In addition you send `TokenInfLength` as a parameter twice which is odd. – Security Hound Nov 13 '12 at 15:09
  • It's not my code, I'm analyzing it now. It seems that first call gets length of TokenInformation. And btw, it's really 18, sorry. – franza Nov 13 '12 at 15:24
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/19487/discussion-between-franza-and-ramhound) – franza Nov 13 '12 at 15:25
  • Chat is not an option. You need to debug the code in question. I am unable to help somebody who is unable to explain the problem properly. If TokenInfLength is supposed to be the length then sending a `0` is certainly not the correct behavior. I would ask the author of the code what the problem is. – Security Hound Nov 13 '12 at 15:31
  • `TokenInfLength` is not 0 (it's 4) and `elevationType` has value of `TOKEN_ELEVATION_TYPE.TokenElevationTypeDefault`. With same UAC settings I have different results of this part of code on Windows Server 2008 x64 and another Windows version. That is the problem. – franza Nov 13 '12 at 15:51
  • What other version of Windows exactly? I don't know what code you're looking at but `TokenInfLength` is clearly equal to 0 when it's passed as the argument in question and only changes when the method returns a value to the out parameter. – Security Hound Nov 13 '12 at 17:26
  • Other version is Windows 7, for example. `TokenInfLength` is 0 only when it is initialized. Then, after calling `GetTokenInformation` the first time, its value becomes 4. So I'm trying to allocate 4 bytes for the `TokenInformation`. – franza Nov 14 '12 at 06:33
  • The value you send for the argument is not `4`, it is `0`, and only becomes 4 when the value is returned. The code doesn't make a great deal of sense; why are you using the same method to get the length of the token? Windows 7 and Windows 2008 are entirely separate operating systems; you can't expect their behavior to be similar dealing with something like this. I really wish I could use the chat room, but I can't. I hoped somebody else would. – Security Hound Nov 14 '12 at 13:17

1 Answer

Be very afraid of this approach. It will correctly tell you if you have a split token, but that doesn't necessarily mean anything useful.

For example:

  • What happens if you disable UAC? You won’t have a split token. You’d get TokenElevationTypeDefault.
  • What happens if you are logged in as the .\Administrator account? Same thing, you'll get TokenElevationTypeDefault

Neither one means you're a standard user, which is a common mistake by misapplying the above logic for the "typical" case.

  • What about if you happen to have one, and only one, super privilege, and you elevated to get that into your token? Then you’d have TokenElevationTypeFull – which is frequently interpreted as meaning you’re an admin.

Lifted shamelessly from Chris Jackson's: How to Determine if a User is a Member of the Administrators Group with UAC Enabled on Windows Vista

Harry Johnston
Ian Boyd
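The distinction drawn in the answer, as an added C# example that is not part of the original post: it reads `TokenElevationType` and `TokenElevation` with error checking and reports Administrators-group membership separately, so `TokenElevationTypeDefault` is never reported as "UAC is off" and `TokenElevationTypeFull` is never reported as "admin". The class and helper names (`TokenCheck`, `ReadInt32`) are assumptions; the two constants follow the numbering of the enum in the question.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class TokenCheck   // hypothetical name, for illustration only
{
    // TOKEN_INFORMATION_CLASS values, numbered as in the question's enum.
    const int TokenElevationType = 18, TokenElevation = 20;

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        IntPtr buffer, int length, out int returnLength);

    // Reads a 4-byte token attribute; throws on failure instead of
    // letting the caller interpret an unfilled buffer.
    static int ReadInt32(IntPtr token, int infoClass)
    {
        IntPtr buf = Marshal.AllocHGlobal(sizeof(int));
        try
        {
            int needed;
            if (!GetTokenInformation(token, infoClass, buf, sizeof(int), out needed))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            return Marshal.ReadInt32(buf);
        }
        finally { Marshal.FreeHGlobal(buf); }   // freed on success and on failure
    }

    static void Main()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            int type = ReadInt32(id.Token, TokenElevationType);        // 1=Default, 2=Full, 3=Limited
            bool elevated = ReadInt32(id.Token, TokenElevation) != 0;  // TOKEN_ELEVATION.TokenIsElevated
            // True only when the Administrators SID is enabled (not deny-only) in this token.
            bool adminEnabled = new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);

            string split = type == 1 ? "no linked token (UAC off, built-in Administrator, or standard user)"
                         : type == 2 ? "split token, this process holds the full half"
                         : "split token, this process holds the filtered half";
            Console.WriteLine("Elevation type : {0} ({1})", type, split);
            Console.WriteLine("Token elevated : {0}", elevated);
            Console.WriteLine("Administrators group enabled in this token: {0}", adminEnabled);
        }
    }
}
```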