
October 12, 2006

Vista Deferred CA consideration

I don't believe I've seen this mentioned elsewhere, so listen up, friends!

In the microsoft.public.platformsdk.msi newsgroup, Antti Nivala recently posted a thread about a problem running an EXE Type 3074 custom action on Vista. (Type 3074 is an EXE custom action, type 2, with the deferred bit 1024 and the no-impersonate bit 2048 set, so it runs as LocalSystem under the Windows Installer service.) Antti figured out that the CA was failing because its token did not contain SeBackupPrivilege, and that a call to AdjustTokenPrivileges could not enable it the way it could on Windows XP. AdjustTokenPrivileges can only enable or disable privileges that are already present in a token; it cannot add one.

The part that caught my eye though was Antti said this was happening even with UAC turned off. Now HOW could that be?

The answer was revealed to me in this Microsoft Document. On Vista a service can log on as LocalSystem and still be configured, through the RequiredPrivileges value under its service key, to run with only a subset of that account's privileges; the Service Control Manager strips every privilege not on the list from the service's process token, and anything the service launches (including a deferred, no-impersonate custom action) inherits that reduced token. A quick peek at the registry showed that MsiServer is configured with the following rights. Notice that SeBackupPrivilege is not among them:

SeTcbPrivilege
SeCreatePagefilePrivilege
SeLockMemoryPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePermanentPrivilege
SeAuditPrivilege
SeSecurityPrivilege
SeChangeNotifyPrivilege
SeProfileSingleProcessPrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeAssignPrimaryTokenPrivilege
SeRestorePrivilege
SeIncreaseQuotaPrivilege
SeShutdownPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege

I suspect this is a defect in MSI 4.0 on Vista.
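An added example, not part of the original post: a PowerShell check that reads the same service configuration discussed above (the ObjectName and RequiredPrivileges values under the msiserver key) and reports which privileges a custom action might expect but cannot get. The list of expected privileges is this example's assumption; adjust it to whatever your custom action actually calls for.

```powershell
# Added example (not from the original post): inspect the privileges the
# Windows Installer service is allowed to hold and flag any that a deferred,
# no-impersonate custom action would expect but cannot enable.

function Get-ServicePrivilegeReport {
    param(
        [string]$ServiceName = 'msiserver',
        # Assumption for this example: privileges a custom action needs.
        [string[]]$Expected = @('SeBackupPrivilege', 'SeRestorePrivilege')
    )

    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $props = Get-ItemProperty -Path $key -ErrorAction Stop

    # Account the service logs on as. A deferred, no-impersonate custom
    # action runs in a process started by this service, so it inherits
    # this account's token.
    $account = $props.ObjectName

    # REG_MULTI_SZ list the Service Control Manager trims the service token
    # down to (Vista and later). If the value is absent the token keeps the
    # account's full privilege set, as it did on Windows XP.
    $required = @()
    if ($null -ne $props.RequiredPrivileges) {
        $required = @($props.RequiredPrivileges)
    }

    # Anything expected but not listed can never be enabled from inside the
    # service's process: AdjustTokenPrivileges returns success but sets
    # ERROR_NOT_ALL_ASSIGNED (1300) for it.
    $missing = @($Expected | Where-Object { $required -notcontains $_ })

    [pscustomobject]@{
        Service            = $ServiceName
        Account            = $account
        Restricted         = ($required.Count -gt 0)
        RequiredPrivileges = $required
        Missing            = $missing
    }
}

$report = Get-ServicePrivilegeReport
$report | Format-List

foreach ($p in $report.Missing) {
    Write-Warning ("$p is not in the RequiredPrivileges of $($report.Service); " +
                   "a custom action started by this service cannot enable it " +
                   "(AdjustTokenPrivileges reports ERROR_NOT_ALL_ASSIGNED, 1300).")
}
```

Run it from an elevated prompt; `sc.exe qprivs msiserver` shows the same RequiredPrivileges list without the comparison. Calling the function with a different `-ServiceName` lets you confirm that a service without a RequiredPrivileges value reports `Restricted = False`, which is the unrestricted LocalSystem case the custom action was relying on.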

1 comment:

Christopher Painter said...

I did some research and these are the rights that were revoked in MSI 4.0.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/authorization_constants.asp

SE_BACKUP_NAME
Required to perform backup operations. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. This privilege is required by the RegSaveKey and RegSaveKeyEx functions. The following access rights are granted if this privilege is held:

SE_CREATE_TOKEN_NAME
Required to create a primary token.

SE_DEBUG_NAME
Required to debug and adjust the memory of a process owned by another account.

SE_ENABLE_DELEGATION_NAME
Required to mark user and computer accounts as trusted for delegation.

SE_MACHINE_ACCOUNT_NAME
Required to create a computer account.

SE_MANAGE_VOLUME_NAME
Required to enable volume management privileges.

SE_SECURITY_NAME
Required to perform a number of security-related functions, such as controlling and viewing audit messages. This privilege identifies its holder as a security operator.

SE_SYNC_AGENT_NAME
Required for a domain controller to use the LDAP directory synchronization services. This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.

SE_SYSTEM_ENVIRONMENT_NAME
Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.

SE_SYSTEM_PROFILE_NAME
Required to gather profiling information for the entire system.

SE_SYSTEMTIME_NAME
Required to modify the system time.

SE_UNDOCK_NAME
Required to undock a laptop.

SE_UNSOLICITED_INPUT_NAME
Required to read unsolicited input from a terminal device.