JWSCL Documentation
TJwSecurityToken.CreateTokenByProcess Constructor
Pascal
constructor CreateTokenByProcess(const aProcessHandle: TJwProcessHandle; const aDesiredAccess: TJwAccessMask; const Duplicate: Boolean = false); virtual;
Parameters

const aProcessHandle: TJwProcessHandle
Receives a handle of the process whose token is to be opened. The handle can be zero (0) to open the token of the calling process.

const aDesiredAccess: TJwAccessMask
Receives the desired access for the token. The access rights can be taken from the list below and must be combined with the or operator. Can be MAXIMUM_ALLOWED to request the maximum access that the token's DACL grants to the caller.

const Duplicate: Boolean = false
Defines whether the token of the process given in aProcessHandle is duplicated into the calling process. If this parameter is true, the token handle is opened and then duplicated. The duplicated handle may carry more rights for the current process; this is especially useful when aProcessHandle refers to another process, because a handle to that process's token may be restricted.
If you want to call DuplicateToken or create an impersonation token (by ConvertToImpersonatedToken), you must specify TOKEN_DUPLICATE in aDesiredAccess.
Access Rights for Access-Token Objects: from http://msdn2.microsoft.com/en-us/library/aa374905.aspx:
  • TOKEN_ADJUST_DEFAULT Required to change the default owner, primary group, or DACL of an access token.
  • TOKEN_ADJUST_GROUPS Required to adjust the attributes of the groups in an access token.
  • TOKEN_ADJUST_PRIVILEGES Required to enable or disable the privileges in an access token.
  • TOKEN_ADJUST_SESSIONID Required to adjust the session ID of an access token. The SE_TCB_NAME privilege is required.
  • TOKEN_ASSIGN_PRIMARY Required to attach a primary token to a process. The SE_ASSIGNPRIMARYTOKEN_NAME privilege is also required to accomplish this task.
  • TOKEN_DUPLICATE Required to duplicate an access token.
  • TOKEN_EXECUTE Combines STANDARD_RIGHTS_EXECUTE and TOKEN_IMPERSONATE.
  • TOKEN_IMPERSONATE Required to attach an impersonation access token to a process.
  • TOKEN_QUERY Required to query an access token.
  • TOKEN_QUERY_SOURCE Required to query the source of an access token.
  • TOKEN_READ Combines STANDARD_RIGHTS_READ and TOKEN_QUERY.
  • TOKEN_WRITE Combines STANDARD_RIGHTS_WRITE, TOKEN_ADJUST_PRIVILEGES, TOKEN_ADJUST_GROUPS, and TOKEN_ADJUST_DEFAULT.
  • TOKEN_ALL_ACCESS Combines all possible access rights for a token.

Standard Access Rights: from http://msdn2.microsoft.com/en-us/library/aa379607.aspx
  • DELETE The right to delete the object.
  • READ_CONTROL The right to read the information in the object's security descriptor, not including the information in the SACL.
  • SYNCHRONIZE The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
  • WRITE_DAC The right to modify the DACL in the object's security descriptor.
  • WRITE_OWNER The right to change the owner in the object's security descriptor.

The Windows API also defines the following combinations of the standard access rights constants.
  • STANDARD_RIGHTS_ALL Combines DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, and SYNCHRONIZE access.
  • STANDARD_RIGHTS_EXECUTE Currently defined to equal READ_CONTROL.
  • STANDARD_RIGHTS_READ Currently defined to equal READ_CONTROL.
  • STANDARD_RIGHTS_REQUIRED Combines DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER access.
  • STANDARD_RIGHTS_WRITE Currently defined to equal READ_CONTROL.

CreateTokenByProcess creates a new instance and opens the token of a process. 

To open the token of a process in another session rather than the current one, the calling process must run under the SYSTEM token; with an administrator token only the access right TOKEN_READ can be obtained. Note that the process handle passed in aProcessHandle must itself have been opened with PROCESS_QUERY_INFORMATION (OpenProcessToken requires it), and that the rights actually granted on the token are decided by the token's own DACL, not by the rights held on the process handle. 

If aDesiredAccess is MAXIMUM_ALLOWED and the right READ_CONTROL was not granted, the property AccessMask is zero, because the granted rights cannot be read back from the token's security descriptor. Otherwise AccessMask contains all rights granted on the token handle. Check it before relying on a specific right. 

If you do not duplicate the token (Duplicate = false), the handle refers directly to the target process's own token object. Enabling or disabling privileges through that handle therefore changes the privileges of the target process itself. Impersonation is not affected by this, because impersonating requires the token to be duplicated first (an impersonation token is always a copy). 
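The following console program is an added example written for this page; it is not part of JWSCL or of its documentation. It shows the three points above in working code: a non-duplicated handle (Duplicate = false) adjusts the live token of the process it was opened from, the AccessMask check that covers the MAXIMUM_ALLOWED case, and the requirement to hold TOKEN_DUPLICATE before ConvertToImpersonatedToken. It also opens the token of a second process by PID to show the PROCESS_QUERY_INFORMATION requirement. The unit names JwaWindows, JwsclTypes, JwsclExceptions and JwsclToken, the properties AccessMask, PrivilegeEnabled, TokenType and TokenUser (with TJwSecurityId.AccountName), and the signature ConvertToImpersonatedToken(impLevel, aDesiredAccess) are assumed from the JWSCL API and should be checked against the library version in use.

```pascal
program TokenByProcessDemo;
{$APPTYPE CONSOLE}

uses
  SysUtils,
  JwaWindows,         // Win32 constants: TOKEN_*, MAXIMUM_ALLOWED, SE_*_NAME, OpenProcess
  JwsclTypes,
  JwsclExceptions,    // EJwsclSecurityException (assumed base class)
  JwsclSid,           // TJwSecurityId (assumed unit)
  JwsclToken;         // TJwSecurityToken

// Point 1: aProcessHandle = 0 and Duplicate = False give a handle to this
// process's live token object. Toggling a privilege through it changes the
// effective privileges of this process immediately.
procedure AdjustOwnPrivilegeInPlace;
var
  Token: TJwSecurityToken;
begin
  Token := TJwSecurityToken.CreateTokenByProcess(0,
             TOKEN_QUERY or TOKEN_ADJUST_PRIVILEGES, False);
  try
    WriteLn('Granted access mask: $', IntToHex(Token.AccessMask, 8));
    // SeChangeNotifyPrivilege is present in every token, so this works for
    // an unprivileged caller as well. It is restored right away.
    WriteLn('SeChangeNotifyPrivilege enabled before: ',
            Token.PrivilegeEnabled[SE_CHANGE_NOTIFY_NAME]);   // assumed property
    Token.PrivilegeEnabled[SE_CHANGE_NOTIFY_NAME] := False;
    WriteLn('SeChangeNotifyPrivilege enabled after:  ',
            Token.PrivilegeEnabled[SE_CHANGE_NOTIFY_NAME]);
    Token.PrivilegeEnabled[SE_CHANGE_NOTIFY_NAME] := True;
  finally
    Token.Free;
  end;
end;

// Points 2 and 3: MAXIMUM_ALLOWED plus Duplicate = True. AccessMask tells us
// what was really granted (zero means READ_CONTROL was missing and nothing
// can be concluded), and TOKEN_DUPLICATE must be present before the token
// can be converted into an impersonation token.
procedure ImpersonationCopy;
var
  Token: TJwSecurityToken;
begin
  Token := TJwSecurityToken.CreateTokenByProcess(0, MAXIMUM_ALLOWED, True);
  try
    if Token.AccessMask = 0 then
    begin
      WriteLn('Granted rights unknown (READ_CONTROL not granted); aborting.');
      Exit;
    end;
    if (Token.AccessMask and TOKEN_DUPLICATE) = 0 then
    begin
      WriteLn('TOKEN_DUPLICATE not granted; cannot build an impersonation token.');
      Exit;
    end;
    // Assumed signature: (impersonation level, desired access of the copy).
    Token.ConvertToImpersonatedToken(SecurityImpersonation,
      TOKEN_QUERY or TOKEN_IMPERSONATE or TOKEN_DUPLICATE);
    WriteLn('Token is now an impersonation token: ',
            Token.TokenType = TokenImpersonation);               // assumed property
  finally
    Token.Free;
  end;
end;

// Opening another process's token: the process handle needs
// PROCESS_QUERY_INFORMATION; the token rights granted are then decided by
// the token's own DACL. Duplicate = True so the handle belongs to us and the
// process handle can be closed immediately afterwards.
function OpenOtherProcessToken(Pid: DWORD): TJwSecurityToken;
var
  hProcess: THandle;
begin
  hProcess := OpenProcess(PROCESS_QUERY_INFORMATION, False, Pid);
  if hProcess = 0 then
    RaiseLastOSError;
  try
    Result := TJwSecurityToken.CreateTokenByProcess(hProcess,
                TOKEN_QUERY or TOKEN_DUPLICATE, True);
  finally
    CloseHandle(hProcess);
  end;
end;

var
  Other: TJwSecurityToken;
  User: TJwSecurityId;
begin
  try
    AdjustOwnPrivilegeInPlace;
    ImpersonationCopy;
    if ParamCount >= 1 then
    begin
      Other := OpenOtherProcessToken(StrToInt(ParamStr(1)));
      try
        User := Other.TokenUser;            // assumed: caller owns the returned object
        try
          WriteLn('Token user of PID ', ParamStr(1), ': ', User.AccountName['']);
        finally
          User.Free;
        end;
      finally
        Other.Free;
      end;
    end;
  except
    on E: EJwsclSecurityException do
      WriteLn('JWSCL error: ', E.Message);
    on E: EOSError do
      WriteLn('Win32 error: ', E.Message);
  end;
end.
```

Run it without arguments to exercise the first two routines on the calling process; pass a PID as the first argument to open that process's token as well. For a process in another session the third routine will fail at OpenProcess or at CreateTokenByProcess unless the caller runs as SYSTEM, which is the behaviour the remarks above describe.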

 

Exceptions

Raised if the token could not be opened.
Copyright (c) 2010. All rights reserved.
This help was created by Doc-O-Matic sponsored by toolsfactory software inc.