
I have a Windows app that runs without requiring elevation. I need to create a file mapping object for a memory array to be shared between all running instances of the app (note that some of those instances may run in different logon sessions).

I call the CreateFileMapping API to create it, with a global name, i.e. Global\sharedname, using a security descriptor that gives all access to everyone but that API fails with error code 5, or ERROR_ACCESS_DENIED.

I then started reading the docs and found that my process requires the SeCreateGlobalPrivilege privilege. But then when I try to assign that privilege, AdjustTokenPrivileges returns error code ERROR_NOT_ALL_ASSIGNED, and I'm stuck...

So what's the trick here, how does that freakin' MS want us to do it???

PS. I could previously create a global named mutex (for synchronized access to the shared memory) with the same all-access-for-everyone security descriptor and the name Global\sharedmutex without a problem.

Ulrich Eckhardt
c00000fd
  • From what I can tell, "GLOBAL\sharedname" is for creating objects that can be accessed from all sessions. Do you really need this to be accessed from multiple sessions or just by multiple processes? – Mooing Duck Nov 22 '13 at 01:57

1 Answer


Only administrators, and services running in session 0, can gain the SeCreateGlobalPrivilege privilege needed to create file mappings in the Global namespace. Assuming you do not want to re-write your code into a service, you will have to spawn a separate elevated process to create the file mapping.

Remy Lebeau
  • Thanks for your confirmation. I was inclined to think so. On a side note, how ridiculous is it to impose this limitation? Why can't we share data among non-elevated processes... Anyway, it's not a question, it's just my frustration with the platform. And to answer your point, no, I can't spawn an elevated process. The workaround is to use a shared file system file to share data. The only downside is that it will be pretty insecure, since I will have to change its ACL to `everyone has read-write access`. – c00000fd Feb 23 '13 at 17:26
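The following PowerShell script is an added example and is not code from the question, the answer or any commenter. It reproduces the situation described on this page from the caller's own token: it reports whether SeCreateGlobalPrivilege is present in the token at all (if it is absent, AdjustTokenPrivileges cannot enable it and returns ERROR_NOT_ALL_ASSIGNED), then attempts the same three object creations the question and its PS describe: a mutex in the Global namespace, a section in the Global namespace, and the same section in the per-session Local namespace. The .NET MemoryMappedFile and Mutex classes call CreateFileMapping and CreateMutex underneath, so the same privilege check applies. The object names come from the question; the function names are this example's own, and it assumes Windows with PowerShell 5.1 or later.

```powershell
# Added example (not from the question or the answer). Assumes Windows,
# PowerShell 5.1+, and uses the object names from the question.

function Test-CreateGlobalPrivilege {
    # whoami /priv lists every privilege present in the token, enabled or
    # disabled. If SeCreateGlobalPrivilege is not listed at all, it cannot be
    # enabled with AdjustTokenPrivileges, which then reports ERROR_NOT_ALL_ASSIGNED.
    $match = whoami /priv | Select-String -Pattern 'SeCreateGlobalPrivilege' -SimpleMatch
    return [bool]$match
}

function Invoke-FileMappingProbe {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [long] $CapacityBytes = 4096
    )
    # MemoryMappedFile.CreateNew passes $Name to CreateFileMapping, so a
    # "Global\" prefix hits the same check as the native call in the question.
    try {
        $map = [System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateNew($Name, $CapacityBytes)
        $map.Dispose()
        return "created $Name"
    } catch {
        # ERROR_ACCESS_DENIED (5) surfaces from .NET as UnauthorizedAccessException.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        return ("failed {0}: {1}: {2}" -f $Name, $ex.GetType().Name, $ex.Message)
    }
}

function Invoke-MutexProbe {
    param([Parameter(Mandatory)] [string] $Name)
    # The question's PS notes that a Global\ mutex could be created without the
    # privilege; this probe lets you confirm that from the same token.
    try {
        $createdNew = $false
        $mutex = New-Object System.Threading.Mutex($false, $Name, [ref] $createdNew)
        $mutex.Dispose()
        return "created $Name (new object: $createdNew)"
    } catch {
        return ("failed {0}: {1}" -f $Name, $_.Exception.Message)
    }
}

"SeCreateGlobalPrivilege present in token: $(Test-CreateGlobalPrivilege)"
Invoke-MutexProbe       -Name 'Global\sharedmutex'
Invoke-FileMappingProbe -Name 'Global\sharedname'
# Local\ objects are visible to every process in the caller's own logon
# session, so they need no privilege; cross-session sharing is what Global\ adds.
Invoke-FileMappingProbe -Name 'Local\sharedname'
```

Run it from an ordinary (non-elevated) console and again from an elevated one to see the difference in both the privilege listing and the Global\ section result. Two practical notes from a defensive angle: if all instances that must share the array live in one logon session, the Local\ namespace gives that sharing without the privilege; and whichever fallback is chosen, a file or section whose DACL grants everyone read-write can be modified by any local account or process, so every reader of the shared data should treat it as untrusted input and validate lengths, offsets and counts before using them.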