HOWTO: List Account Privileges

MORE INFORMATION

When a user starts a process, that process takes on the security attributes of the user. These attributes are stored within the access token for the process. The security attributes inherited from the user include account privileges, which control access to system services. To list the privileges belonging to a process (and thus to the current user), perform the following steps:

1. Call the GetCurrentProcess function to obtain a handle to the current process.
2. Call the GetProcessToken function to obtain the process's access token.
3. Call the GetTokenInformation function to obtain the list of privileges.
4. Cycle through the list of privileges, by using the LookupPrivilegeName and LookupPrivilegeDisplayName functions to obtain textual privilege names for each privilege in the list.

Sample Code

The following sample code lists the privilege name, along with a user friendly description of the privilege (called a display name), for each privilege contained within the access token of the current process. The privilege names and display names are defined in the Winnt.h header file.

#include <windows.h>
#include <stdio.h>

#define NAME_SIZE 255

void main(void) {

   HANDLE            hToken        = NULL;
   DWORD             cbTokenInfo   = 0;
   PTOKEN_PRIVILEGES ptiPrivileges = NULL;

   char  szPrivilegeName[NAME_SIZE];
   DWORD cbPrivilegeName;
   char  szDisplayName[NAME_SIZE];
   DWORD cbDisplayName;
   DWORD dwLangId;
   UINT  nIndex;

   __try {


      // Retrieve a handle for the process's access token.
      if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, 
            &hToken)) {

         printf("OpenProcessToken() failed.  Error %d\n", 
               GetLastError());
         __leave;
      }

      // Determine required size of buffer for token privileges.
      if (GetTokenInformation(hToken, TokenPrivileges, 
            NULL, 0, &cbTokenInfo)) {

         // Call should have failed due to zero-length buffer.
         __leave;
      
      } else {

         // Call should have failed due to zero-length buffer.
         if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
            printf("GetTokenInformation() failed.  Error %d\n",
                  GetLastError());
            __leave;
         }
      }

      // Allocate a buffer for the token privileges.
      ptiPrivileges = (PTOKEN_PRIVILEGES) HeapAlloc(GetProcessHeap(),
            HEAP_ZERO_MEMORY, cbTokenInfo);
      if (!ptiPrivileges) {
         printf("HeapAlloc() failed.  Error %d\n", GetLastError());
         __leave;
      }

      // Retrieve the token privileges.
      if (!GetTokenInformation(hToken, TokenPrivileges, 
            ptiPrivileges, cbTokenInfo, &cbTokenInfo)) {
         
         printf("GetTokenInformation() failed.  Error %d\n", 
               GetLastError());
         __leave;
      }
      
      // Display the privileges.
      printf("%-32s %s\n", "PRIVILEGE NAME", "DISPLAY NAME");
      printf("%-32s %s\n", "--------------", "------------");

      // Scan through all of the LUIDs.
      for (nIndex = 0; nIndex < ptiPrivileges->PrivilegeCount; 
         nIndex++) {

         // Retrieve the privilege name associated with this LUID.
         cbPrivilegeName = NAME_SIZE;
         if (!LookupPrivilegeName(NULL, 
               &ptiPrivileges->Privileges[nIndex].Luid,
               szPrivilegeName, &cbPrivilegeName)) {
         
            printf("LookupPrivilegeName() failed.  Error %d\n",
                  GetLastError());
            __leave;
         }

         // Retrieve the display name associated with this LUID.
         cbDisplayName = NAME_SIZE;
         if (!LookupPrivilegeDisplayName(NULL, szPrivilegeName,
               szDisplayName, &cbDisplayName, &dwLangId)) {
            
            printf("LookupPrivilegeDisplayName() failed.  Error %d\n",
                  GetLastError());
            __leave;
         }

         printf("%-32s %s\n", szPrivilegeName, szDisplayName);
      }
   
   } __finally {

      // Free resources.
      if (hToken)
         CloseHandle(hToken);

      if (!ptiPrivileges) 
         HeapFree(GetProcessHeap(), 0, ptiPrivileges);
   }
   
   return;
}