SetUserObjectSecurity gives error ERROR_NOT_ENOUGH_QUOTA

Post by kosara » Sun, 24 Oct 2004 22:39:19


Hi everyone, I am using the CreateProcessAsUser function as specified in the
example "Starting an interactive client process in C++" to create a new process.
I used the sample code given by Microsoft at
http://www.yqcomputer.com/
as guidance. However, after creating new processes, say about 50 times, I get the
error ERROR_NOT_ENOUGH_QUOTA from the function SetUserObjectSecurity in both the
AddTheAceWindowStation and AddTheAceDesktop functions. The above link to the KB
mentions this error and refers to the following link
http://www.yqcomputer.com/
be cleaned up for desktop and windowstation objects when the processes die.
It also says that if one cannot track when the process dies:
<quote>
If you cannot track when the process dies, there are several procedures that
you can use to remove any unnecessary ACEs. You can enumerate processes, read
the Logon Security Identifier (SID) or User SID from the process token, and
compare one of them to the ACEs stored in the DACL for the window station
and desktop objects.
</quote>
In my case I cannot determine when the process dies. I am new to MFC and I need
some help. Can anyone give me a code sample on how to achieve the above?
I am reallllyyy stuck here.

Thanks a million in advance
Vijay
 
 
 

Post by Jochen Kal » Mon, 25 Oct 2004 04:44:13

Hi user1976,


The best option is to track the process and remove the ACE. This could be
easily done in a thread which only waits for the process handle
(WaitForSingleObject).

The second best option is the last in the KB-article:
<quote>
If you are launching many processes, you might want to add an ACE based on
the processes logon type. For example, this could be either the Interactive
or Batch SID. You would not have to add any additional ACEs for processes
with the same logon type.
</quote>

If you cannot do this, you must do the enum-process-stuff (which also might
have some side-effects if a process adds a special ACE...).

This is not a small task to do...


You need to open the desired window-station and enum the ACEs here (this is
already described in the KB article you mentioned or here:); you can enum
with GetACE...
http://www.yqcomputer.com/
us/secauthz/security/starting_an_interactive_client_process_in_c__.asp

Then you need to mark all entries which are still valid and used by
processes.
After enumerating the processes you could then remove all "unmarked"
entries and set the new ACL.

Here is an example of enumerating processes and displaying the SIDs:
http://www.yqcomputer.com/

Sorry that I do not have a working example...

--
Greetings
Jochen

My blog about Win32 and .NET
http://www.yqcomputer.com/
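
The ACE-removal step described in the reply above, as an added example that is not part of the original thread or of the Microsoft sample: a portable C model that walks the binary ACL layout and rebuilds it without the ACEs for one SID, which is what a GetAce / EqualSid / AddAce loop does before the result is written back with SetUserObjectSecurity. The function name `acl_remove_sid`, the explicit little-endian handling and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Little-endian 16-bit accessors (ACL and ACE sizes are stored as USHORT). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
/* SID = revision, sub-authority count, 6-byte authority, 4 bytes per sub-authority. */
static size_t sid_len(const uint8_t *sid) { return 8u + 4u * sid[1]; }
/* Drops every ACCESS_ALLOWED/ACCESS_DENIED ACE whose SID equals `sid` from a
 * binary ACL (8-byte header, then packed ACEs). Works in place, so pass a copy.
 * Returns the number of ACEs removed, or -1 if the ACL is malformed. */
int acl_remove_sid(uint8_t *acl, size_t buf_len, const uint8_t *sid)
{
    if (buf_len < 8) return -1;
    size_t acl_size = rd16(acl + 2);            /* ACL.AclSize  */
    unsigned count = rd16(acl + 4), kept = 0;   /* ACL.AceCount */
    if (acl_size < 8 || acl_size > buf_len) return -1;

    size_t in = 8, out = 8;
    for (unsigned i = 0; i < count; i++) {      /* the GetAce loop */
        if (in + 4 > acl_size) return -1;
        size_t ace_size = rd16(acl + in + 2);   /* ACE_HEADER.AceSize */
        if (ace_size < 4 || ace_size > acl_size - in) return -1;
        int match = 0;
        if (acl[in] <= 1 && ace_size >= 16) {   /* header(4) + mask(4) + SID */
            const uint8_t *ace_sid = acl + in + 8;
            size_t n = sid_len(ace_sid);        /* the EqualSid comparison */
            match = n <= ace_size - 8 && n == sid_len(sid) && memcmp(ace_sid, sid, n) == 0;
        }
        if (!match) {                           /* the AddAce step: keep this ACE */
            memmove(acl + out, acl + in, ace_size);
            out += ace_size;
            kept++;
        }
        in += ace_size;
    }
    memset(acl + out, 0, acl_size - out);       /* freed space stays inside AclSize */
    wr16(acl + 4, (uint16_t)kept);
    return (int)(count - kept);
}

/* Constructed sample: SYSTEM (S-1-5-18) plus two ACEs for logon SID S-1-5-5-0-0x1234. */
static const uint8_t LOGON_SID[20] = {1,3,0,0,0,0,0,5, 5,0,0,0, 0,0,0,0, 0x34,0x12,0,0};
static uint8_t SAMPLE_ACL[84] = {
    2,0,84,0, 3,0,0,0,
    0,0,20,0,    0x7f,0x03,0x0f,0, 1,1,0,0,0,0,0,5, 18,0,0,0,
    0,0x0b,28,0, 0,0,0,0xf0,       1,3,0,0,0,0,0,5, 5,0,0,0, 0,0,0,0, 0x34,0x12,0,0,
    0,0x04,28,0, 0x7f,0x03,0x0f,0, 1,3,0,0,0,0,0,5, 5,0,0,0, 0,0,0,0, 0x34,0x12,0,0,
};
```

The sample carries two ACEs for the same logon SID because a window station can hold more than one entry per SID, so the loop must not stop at the first match.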

 
 
 

Post by Jochen Kal » Mon, 25 Oct 2004 06:07:46

Hi user1976,


I just added to the very good example of Dumpacl at
http://www.yqcomputer.com/
the ability to dump Winsta-ACLs:
Maybe Felix will update his site to reflect the changes...
In the meanwhile you can download it here:

http://www.yqcomputer.com/


To dump an ACL of a windows-station (winsta0), do the following:

dumpacl WINSTA:winsta0


--
Greetings
Jochen

My blog about Win32 and .NET
http://www.yqcomputer.com/
 
 
 

Post by Jochen Kal » Mon, 25 Oct 2004 16:42:04

Hi user1976,


I just added to the very good example of Dumpacl at
http://www.yqcomputer.com/
the ability to dump Winsta-ACLs and dump process-ACLs:

Maybe Felix will update his site to reflect the changes...
In the meanwhile you can download it here:

http://www.yqcomputer.com/


To dump an ACL of a windows-station (winsta0), do the following:
dumpacl WINSTA:winsta0
To dump all ACLs of all winstas, do:
dumpacl WINSTA:


To dump an ACL of a given processId do the following:
dumpacl PID:3523
To dump all ACLs of all processes, do:
dumpacl PID:

Maybe it helps you with correcting the ACLs...

--
Greetings
Jochen

My blog about Win32 and .NET
http://www.yqcomputer.com/
 
 
 

Post by kosara » Mon, 25 Oct 2004 21:25:46

<quote>
If you are launching many processes, you might want to add an ACE based on
the processes logon type. For example, this could be either the Interactive
or Batch SID. You would not have to add any additional ACEs for processes
with the same logon type.
</quote>

Does this mean that even when I am launching the process in the
context of a different user, I don't need to add a new ACE if the
logon type is same?
 
 
 

Post by Jochen Kal » Tue, 26 Oct 2004 14:26:00

Hi user1976,


As far as I understand, you only need to add the Interactive- or Batch-SID,
and then it would work the next time you start with the corresponding
logon type. But I have not tested it...


--
Greetings
Jochen

My blog about Win32 and .NET
http://www.yqcomputer.com/
 
 
 

Post by Maciej Mac » Wed, 27 Oct 2004 18:47:01


XXXX@XXXXX.COM (user1976) writes:


Hi,

I'm just facing this problem too. What I was able to find is that it is
the ACL of the desktop object that "accumulates" ACEs.

In AddTheAceDesktop function (from MS example), when you examine
Access Control List you can see that there are some elements on it,
let's say N (usually about 10 in my case). When I try to delete
assigned ACE and open default desktop after process completes, I get
access list with only 2 elements. Then, when I enumerate ACEs, _no_ ACE
matches the SID in question (EqualSid returns FALSE). When I call
AddTheAceDesktop again, I can see that number of ACE is N+1. So after
few dozens of tries you get this error. ACE enumeration is done
exactly the same before and after process completes so I don't
understand why it gets different ACE count???

I've also observed that this happens only when my application works as
service. When I run it as normal (super)user process it works fine -
ACE does not "accumulate".

Maybe someone has any hints???

Maciej
 
 
 

Post by kosara » Thu, 28 Oct 2004 05:36:43


Jochen, thanks for all your help. I don't even know how to do this.
Say I know when the process died, how do I delete the ACEs for
a given process id?
 
 
 

Post by kosara » Thu, 28 Oct 2004 06:00:11


I tried to add only the first time by saving the state in a global variable,
but this did not work. It gives the same error as if nothing was added to
the ACE list in the first place. I read on another thread that you can
overcome this by saving the original list that comes from the actual logon
and appending a new ACE each time you create a process. This way you actually
overwrite the ACEs that were just added previously and thus the total
count would not increase. Do you know how to accomplish this?
 
 
 

Post by Jochen Kal » Thu, 28 Oct 2004 15:06:16

Hi user1976,


If you look at the examples, you see that they enumerate the original ACEs
and then add all these entries to a new ACL. You only need to remember the
original ACEs and then set the ACL to the old ACEs.

--
Greetings
Jochen

My blog about Win32 and .NET
http://www.yqcomputer.com/