
When I call the function CreateProcessAsUser(), it returns a failure.
And then the call to GetLastError() to check why the error occurred returns the value 0x16f.

I couldn't find out what the error is supposed to mean.

zx485
Hyunwoo Kim
  • The first stop for error codes is `net helpmsg`. In this case `net helpmsg 367` returns "The process creation has been blocked." Not very clear, unfortunately, and Googling doesn't turn up much. Possibly caused by anti-virus software deciding your child process is malicious? Or your process is assigned to a job object with restrictions preventing you from launching a child process? Or perhaps something to do with the Windows Store sandbox? (We might be able to help more if you can explain the circumstances in which the error occurred.) – Harry Johnston Jan 25 '17 at 08:51
  • Some highlighting, some spelling fixes, and some improvement of grammar (I hope). – zx485 Jan 26 '17 at 12:03

1 Answer


ERROR_CHILD_PROCESS_BLOCKED is the converted NTSTATUS STATUS_CHILD_PROCESS_BLOCKED (0xC000049D). I searched in ntoskrnl.exe and found that this code is referenced from only 2 places when NtCreateUserProcess is called: from SeSubProcessToken and for logging the error:

NtCreateUserProcess
  PspAllocateProcess
    PspInitializeProcessSecurity
      SeSubProcessToken
        // first reference: the token check that produces the status
        if (!SeTokenIsNoChildProcessRestricted(Token))
        {
            status = STATUS_CHILD_PROCESS_BLOCKED;
        }

  // second reference: the denied creation is logged via ETW
  if (PspAllocateProcess() == STATUS_CHILD_PROCESS_BLOCKED)
  {
    EtwTraceDeniedTokenCreation();
  }

So when SeTokenIsNoChildProcessRestricted(Token) returns FALSE you can get ERROR_CHILD_PROCESS_BLOCKED from CreateProcess.

This is a new API; it exists only from the 1607 build of Win10:

#if (NTDDI_VERSION >= NTDDI_WIN10_RS1)
NTKERNELAPI
BOOLEAN
SeTokenIsNoChildProcessRestricted(
    _In_ PACCESS_TOKEN Token
    ); // return (Token->TokenFlags & 0x80000) != 0;
#endif

It is declared in ntifs.h but not documented.

So the process whose call to CreateProcessAsUser fails is somehow restricted. Windows Store sandbox, as Harry Johnston guessed?

RbMm
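Added example, not code from the question or from RbMm's answer: it decodes the two codes the thread discusses (Win32 0x16F / 367 and NTSTATUS 0xC000049D), shows how a caller should read the failure out of CreateProcess, and goes beyond the page by reproducing the "restricted" state from user mode. The user-mode mechanism assumed here is the documented child-process policy attribute (PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY with PROCESS_CREATION_CHILD_PROCESS_RESTRICTED, Windows 10 1607 and later), which the page does not name; the `--child` argument, the function names and the `#ifdef _WIN32` split are my choices. Everything outside the `#ifdef` is portable C, so the decoder runs anywhere.

```c
/* Added example (not from the question or answer). Assumptions: the
 * child-process policy attribute is the documented user-mode way to mark a
 * token "no child processes"; the page only shows the kernel-side check. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WIN32_ERROR_CHILD_PROCESS_BLOCKED 0x16Fu      /* 367, from the question */
#define NT_STATUS_CHILD_PROCESS_BLOCKED   0xC000049Du /* from the answer */

/* NTSTATUS layout: bits 31-30 severity, 29 customer, 27-16 facility, 15-0 code. */
typedef struct { unsigned severity, customer, facility, code; } ntstatus_fields;

ntstatus_fields decode_ntstatus(uint32_t s)
{
    ntstatus_fields f;
    f.severity = (s >> 30) & 0x3;     /* 3 = STATUS_SEVERITY_ERROR */
    f.customer = (s >> 29) & 0x1;
    f.facility = (s >> 16) & 0xFFF;   /* 0 = FACILITY_NULL (kernel/ntoskrnl) */
    f.code     =  s        & 0xFFFF;
    return f;
}

/* Win32 codes are not derived arithmetically from NTSTATUS; the kernel's
 * mapping table (RtlNtStatusToDosError) ties 0xC000049D to 367. */
int is_child_process_blocked(uint32_t win32_error)
{
    return win32_error == WIN32_ERROR_CHILD_PROCESS_BLOCKED;
}

/* Triage hint for the code the thread is about. */
const char *explain_child_process_blocked(uint32_t win32_error)
{
    if (!is_child_process_blocked(win32_error))
        return "not ERROR_CHILD_PROCESS_BLOCKED";
    return "caller's token carries the no-child-process flag "
           "(STATUS_CHILD_PROCESS_BLOCKED from SeSubProcessToken)";
}

#ifdef _WIN32
#define _WIN32_WINNT 0x0A00   /* the policy attribute needs Win10 headers */
#include <windows.h>
#include <wchar.h>

/* Child side: attempt one harmless spawn and report how the failure looks. */
static int run_as_restricted_child(void)
{
    STARTUPINFOW si; PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof si); si.cb = sizeof si;
    wchar_t cmd[] = L"cmd.exe /c exit 0";            /* constructed command */
    if (CreateProcessW(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
        CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
        printf("child: spawn succeeded (no restriction in effect)\n");
        return 0;
    }
    DWORD err = GetLastError();
    char msg[256] = "";
    FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
                   NULL, err, 0, msg, sizeof msg, NULL);
    printf("child: CreateProcess failed, GetLastError=0x%lx (%lu): %s -> %s\n",
           err, err, msg, explain_child_process_blocked(err));
    return 1;   /* 1 = blocked, as the question observed */
}

/* Parent side: relaunch this binary with child-process creation restricted. */
static int launch_restricted(const wchar_t *self)
{
    SIZE_T size = 0;
    InitializeProcThreadAttributeList(NULL, 1, 0, &size);   /* size query */
    LPPROC_THREAD_ATTRIBUTE_LIST list =
        (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, size);
    if (!list || !InitializeProcThreadAttributeList(list, 1, 0, &size)) return 2;
    DWORD policy = PROCESS_CREATION_CHILD_PROCESS_RESTRICTED;
    if (!UpdateProcThreadAttribute(list, 0, PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY,
                                   &policy, sizeof policy, NULL, NULL)) return 2;
    STARTUPINFOEXW si; PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof si); si.StartupInfo.cb = sizeof si; si.lpAttributeList = list;
    wchar_t cmd[1024];
    swprintf(cmd, 1024, L"\"%ls\" --child", self);     /* --child is my own flag */
    if (!CreateProcessW(NULL, cmd, NULL, NULL, FALSE, EXTENDED_STARTUPINFO_PRESENT,
                        NULL, NULL, &si.StartupInfo, &pi)) {
        printf("parent: CreateProcess failed, error %lu\n", GetLastError());
        return 2;
    }
    WaitForSingleObject(pi.hProcess, INFINITE);
    DWORD code = 0; GetExitCodeProcess(pi.hProcess, &code);
    CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
    DeleteProcThreadAttributeList(list); HeapFree(GetProcessHeap(), 0, list);
    return (int)code;
}
#endif

int main(int argc, char **argv)
{
    ntstatus_fields f = decode_ntstatus(NT_STATUS_CHILD_PROCESS_BLOCKED);
    printf("STATUS_CHILD_PROCESS_BLOCKED: severity=%u facility=0x%x code=0x%x; Win32=%u\n",
           f.severity, f.facility, f.code, WIN32_ERROR_CHILD_PROCESS_BLOCKED);
#ifdef _WIN32
    if (argc > 1 && strcmp(argv[1], "--child") == 0) return run_as_restricted_child();
    wchar_t self[MAX_PATH];
    GetModuleFileNameW(NULL, self, MAX_PATH);
    return launch_restricted(self);
#else
    (void)argc; (void)argv;
    return 0;
#endif
}
```

On a Windows 10 1607 or later build the parent relaunches itself under the restricted policy and the child's CreateProcessW fails with GetLastError() == 0x16F and the "The process creation has been blocked." text from FormatMessage, which is the symptom the question describes; any other code the child reports means the restriction came from somewhere else (a job object or a sandbox, as the comments speculate) and is worth chasing separately. On non-Windows hosts only the decoder runs.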