Reputation: 4331
What is wrong with this SeBackupPrivilege (backup mode) implementation?
(Background information: feel free to skip to last paragraph)
Current, I have a hard drive that is a full image of an O/S drive from another computer. It's an external USB drive and is connected to a write blocker and then my computer. I'm using it to test some code I have for copying files (among other things) and I've ran into a file that couldn't be copied with just administrator privileges.
After reading up on privileges in Windows, I determined that I needed back up privileges in order to access all files on a local drive. I've verified that this is what I needed by using robocopy with the "/b" flag which enables backup mode for the copy. Everything copied just fine with no problems. I just need to be able to have my own code be able to run under backup privileges.
In my code (C#) I've tried implementing the necessary winapi calls (AdjustTokenPrivileges) to give the current process backup privileges with unverified results. I used some code from this article (http://www.codeproject.com/Articles/21202/Reparse-Points-in-Vista) to use a known "working" implementation. In the code project, I've tried adding a File.Copy() with "Access denied" error. I've also tried using the winapi call CopyFileW() with the same error. At this point I'm out of ideas :(.
For reference (from the article), here's the code I'm using for the privilege escalation:
bool success;
IntPtr token;
TOKEN_PRIVILEGES tokenPrivileges = new TOKEN_PRIVILEGES();
tokenPrivileges.Privileges = new LUID_AND_ATTRIBUTES[1];
success = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES,
out token);
if (success)
{
// null for local system
success = LookupPrivilegeValue(null, SE_BACKUP_NAME,
out tokenPrivileges.Privileges[0].Luid);
if (success)
{
tokenPrivileges.PrivilegeCount = 1;
tokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
success = AdjustTokenPrivileges(
token,
false,
ref tokenPrivileges,
Marshal.SizeOf(tokenPrivileges),
IntPtr.Zero,
IntPtr.Zero);
}
CloseHandle(token);
}
Edit: To add more information, the ReparsePoint code linked works just fine if I run the project as is. When I remove the call the AdjustTokenPrivilege, it throws "Access Denied" errors.
Upvotes: 2
Views: 3103
Answers (1)
Reputation: 86718
You still have to call CreateFile with the FILE_FLAG_BACKUP_SEMANTICS flag specified. This means you can't use standard Windows APIs, because they don't specify that flag.
Upvotes: 5
Related Questions
- Privileges/owner issue when writing in C:\ProgramData\
- PrivilegeNotHeldException when privilege is given
- CreateFile returns ERROR_ACCESS_DENIED despite FILE_FLAG_BACKUP_SEMANTICS
- seBackupPrivilige required when backing up Application Event Log with WMI
- RegSaveKey returns ERROR_PRIVILEGE_NOT_HELD
- Cannot copy file, even though FileIOPermission is granted in C#
- Access Denied when doing SQL Backup
- SetAccessControl "unauthorized operation" even when run as administrator
- Windows BackupRead / BackupWrite and ACLs
- Can't copy file with appropriate permissions using FileIOPermission