Reputation: 705
I recently needed to get the integrity level of a process, and I found help from MSDN. The sample code looks like this:
    if (GetTokenInformation(hToken, TokenIntegrityLevel,
        pTIL, dwLengthNeeded, &dwLengthNeeded))
    {
        dwIntegrityLevel = *GetSidSubAuthority(pTIL->Label.Sid,
            (DWORD)(UCHAR)(*GetSidSubAuthorityCount(pTIL->Label.Sid)-1));
        if (dwIntegrityLevel == SECURITY_MANDATORY_LOW_RID)
        {
            // Low Integrity
            wprintf(L"Low Process");
        }
        else if (dwIntegrityLevel >= SECURITY_MANDATORY_MEDIUM_RID &&
                 dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID)
        {
            // Medium Integrity
            wprintf(L"Medium Process");
        }
        else if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID)
        {
            // High Integrity
            wprintf(L"High Integrity Process");
        }
        else if (dwIntegrityLevel >= SECURITY_MANDATORY_SYSTEM_RID)
        {
            // System Integrity
            wprintf(L"System Integrity Process");
        }
    }
As you all know,
SECURITY_MANDATORY_LOW_RID == 0x00001000L
SECURITY_MANDATORY_MEDIUM_RID == 0x00002000L
SECURITY_MANDATORY_HIGH_RID == 0x00003000L
SECURITY_MANDATORY_SYSTEM_RID == 0x00004000L.
Here is my question:
If this sample code is correct, then what integrity level does process A have if it has the dwIntegrityLevel of 0x00004100L? SECURITY_MANDATORY_HIGH_RID and SECURITY_MANDATORY_SYSTEM_RID? Does it mean that a process that has the SECURITY_MANDATORY_SYSTEM_RID level also has the SECURITY_MANDATORY_HIGH_RID level?
If the sample code is wrong, then what is the right way to determine the integrity level of a process?
Upvotes: 5
Views: 6775
Reputation: 309
I would recommend taking a look at the Chrome/Chromium GetCurrentProcessIntegrityLevel implementation that you'll find on https://github.com/chromium/chromium/blob/master/base/process/process_info_win.cc. This is likely a trustworthy reference.
Upvotes: 0
Reputation: 941873
Note an equivalent declaration in WinNT.h:
#define SECURITY_MANDATORY_MEDIUM_PLUS_RID (SECURITY_MANDATORY_MEDIUM_RID + 0x100)
So that sounds like you ran into a process that's SYSTEM_PLUS.
Upvotes: 4
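Added example (not code from the question, the answers, MSDN or Chromium): the comparison order of the quoted sample next to a classifier that tests the highest floor first, run over constructed RID values including the 0x4100 from the question. The function names and IL_* macros are hypothetical, the RID values are defined locally so it builds without the Windows SDK, and it assumes an in-between RID is reported as the band whose floor it has reached.

```c
#include <stdio.h>
#include <string.h>

/* LOW..SYSTEM are the values quoted in the question; UNTRUSTED and
   PROTECTED_PROCESS are the remaining mandatory-label RIDs in WinNT.h. */
#define IL_UNTRUSTED 0x0000UL
#define IL_LOW       0x1000UL
#define IL_MEDIUM    0x2000UL
#define IL_HIGH      0x3000UL
#define IL_SYSTEM    0x4000UL
#define IL_PROTECTED 0x5000UL

/* Same comparison order as the sample in the question: the HIGH test comes
   first, so every RID >= 0x3000 stops there and the SYSTEM branch is never
   reached. RIDs below MEDIUM other than exactly 0x1000 match no branch. */
const char *classify_sample_order(unsigned long rid)
{
    if (rid == IL_LOW) return "Low";
    else if (rid >= IL_MEDIUM && rid < IL_HIGH) return "Medium";
    else if (rid >= IL_HIGH) return "High";
    else if (rid >= IL_SYSTEM) return "System";
    return "Unclassified";
}

/* Hypothetical corrected classifier: test the highest floor first, so a
   "plus" value such as 0x2100 or 0x4100 lands in the band it belongs to. */
const char *classify_by_band(unsigned long rid)
{
    if (rid >= IL_PROTECTED) return "Protected";
    if (rid >= IL_SYSTEM)    return "System";
    if (rid >= IL_HIGH)      return "High";
    if (rid >= IL_MEDIUM)    return "Medium";
    if (rid >= IL_LOW)       return "Low";
    return "Untrusted";
}

int main(void)
{
    /* Constructed sample RIDs, including 0x4100 from the question. */
    const unsigned long rids[] = { 0x0000, 0x1000, 0x1800, 0x2100, 0x3000, 0x4000, 0x4100 };
    for (size_t i = 0; i < sizeof rids / sizeof rids[0]; i++) {
        const char *a = classify_sample_order(rids[i]);
        const char *b = classify_by_band(rids[i]);
        printf("0x%04lx  sample order: %-12s  by band: %-9s%s\n",
               rids[i], a, b, strcmp(a, b) != 0 ? "  <-- differs" : "");
    }
    return 0;
}
```

On Windows, the value passed in would be the last sub-authority of the TokenIntegrityLevel label SID, obtained as in the question's snippet.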