PRB: OpenThreadToken()/OpenProcessToken() Fails with ERROR_ACCESS_DENIED (225091)
The information in this article applies to:
- Microsoft Win32 Application Programming Interface (API), when used with:
- the operating system: Microsoft Windows NT 4.0
This article was previously published under Q225091 SYMPTOMS
Calling the OpenThreadToken()/OpenProcessToken() Win32 API to obtain an access token associated with a thread or a process respectively with the TOKEN_ALL_ACCESS request can fail with the following error message:
ERROR_ACCESS_DENIED
CAUSE
TOKEN_ALL_ACCESS can include TOKEN_ADJUST_SESSIONID in Winnt.h as in the following example:
#define TOKEN_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
TOKEN_ASSIGN_PRIMARY |\
TOKEN_DUPLICATE |\
TOKEN_IMPERSONATE |\
TOKEN_QUERY |\
TOKEN_QUERY_SOURCE |\
TOKEN_ADJUST_PRIVILEGES |\
TOKEN_ADJUST_GROUPS |\
TOKEN_ADJUST_SESSIONID |\
TOKEN_ADJUST_DEFAULT)
TOKEN_ADJUST_SESSIONID is a new access mask that has been added for Microsoft Windows 2000 and Microsoft Windows XP. In Microsoft Windows NT 4.0, the access token's discretionary access-control list (DACL) does not have TOKEN_ADJUST_SESSIONID access mask set. If an application is built using the latest Winnt.h in the Platform SDK and run on Windows NT 4.0, then specifying TOKEN_ALL_ACCESS in an OpenThreadToken()/OpenProcessToken() call can fail with a GetLastError() of ERROR_ACCESS_DENIED.
RESOLUTION
An application can work around this behavior by specifying only the required access rights to an access token. For more information on specific access rights for access tokens please refer to the Platform SDK documentation.
| Modification Type: | Major | Last Reviewed: | 2/25/2004 |
|---|
| Keywords: | kbAPI kbFAQ kbKernBase kbprb kbSecurity KB225091 |
|---|
|