CODEWITHSUNDEEP
c++windowssecurity
jeffm
jeffm

Reputation: 3151

How to disable ability for Windows user to manually change system time via AdjustTokenPrivileges?

I'm using the function below to disable SeSystemtimePrivilege on a token obtained from:

OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);

The function runs with no errors, but the ability to change the time manually in Windows 7 is still enabled. I think this is because I'm setting privileges for the current process (my program) and not the current user. Is there a way to get an access token for the currently logged in user, or should I be getting the token for the date/time control panel, or is there another way entirely I should be approaching this?

Again, the goal is for the Win7 logged-in user to not be able to change the system time. I don't have access to group policy on the target machines, so I have to disable this function programmatically. The program is ATL/MFC, so I have access to the CAccessToken class if that would be helpful.

BOOL SetPrivilege(
    HANDLE hToken,          // access token handle
    LPCTSTR lpszPrivilege,  // name of privilege to enable/disable
    BOOL bEnablePrivilege   // to enable or disable privilege
    ) 
{
    TOKEN_PRIVILEGES tp;
    LUID luid;

    if ( !LookupPrivilegeValue( 
            NULL,            // lookup privilege on local system
            lpszPrivilege,   // privilege to lookup 
            &luid ) )        // receives LUID of privilege
    {
        printf("LookupPrivilegeValue error: %u\n", GetLastError() ); 
        return FALSE; 
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    if (bEnablePrivilege)
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    else
        tp.Privileges[0].Attributes = 0;

    // Enable the privilege or disable all privileges.

    if ( !AdjustTokenPrivileges(
           hToken, 
           FALSE, 
           &tp, 
           sizeof(TOKEN_PRIVILEGES), 
           (PTOKEN_PRIVILEGES) NULL, 
           (PDWORD) NULL) )
    { 
          printf("AdjustTokenPrivileges error: %u\n", GetLastError() ); 
          return FALSE; 
    } 

    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)

    {
          printf("The token does not have the specified privilege. \n");
          return FALSE;
    } 

    return TRUE;
}

Upvotes: 0

Views: 943

Answers (2)

Luke
Luke

Reputation: 11421

AdjustTokenPrivileges() would only have any effect on the current process. You could use LsaRemoveAccountRights(), but that is extreme for what you are trying to achieve. Also, if the user is an administrator they could just re-grant their account that right (and it won't have any effect until they logout and login again).

Whatever you're trying to do, being dependent on the client machine for your business logic looks to be the wrong way to go.

Upvotes: 3

MSalters
MSalters

Reputation: 179991

As the comments and previous answer have already pointed out, you'll need an awfully big hammer. There's one such hammer: GINA.DLL. The logon processing performed by WinLogon can be tailored by providing a custom GINA.DLL.

Upvotes: 0

Related Questions