OpenProcess: Is it possible to get ERROR_ACCESS_DENIED for PROCESS_QUERY_LIMITED_INFORMATION but not for SYNCHRONIZE?
I am using OpenProcess to get a process handle from a PID.
The two tasks the function should perform are:
- must have: wait for the process to terminate, done with
WaitForSingleObject (process, INFINITE)
- if possible: get the exit code, done with
GetExitCodeProcess (process, &ret)
Question: Is it possible to get ERROR_ACCESS_DENIED for PROCESS_QUERY_LIMITED_INFORMATION but not for SYNCHRONIZE? If yes: in which case?
My complete code for reference:
#include <windows.h>
#include <process.h>   /* _getpid */

/* wait for a pid to end and return its exit code
   error codes are returned as negative value
*/
int
waitpid (const int pid)
{
    int status = 0;
    HANDLE process = NULL;
    DWORD ret;

    /* windows will wait for the own process to end... abort */
    if (pid == _getpid ()) {
        status = 0 - ERROR_INVALID_DATA;
        return status;
    }

    /* get process handle */
    process = OpenProcess (SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);

    /* if we don't get access to query the process' exit status try to get at least
       access to the process end (needed for WaitForSingleObject)
    */
    if (!process && GetLastError () == ERROR_ACCESS_DENIED) {
        /* retry with the minimum right and keep the handle for the wait below */
        process = OpenProcess (SYNCHRONIZE, FALSE, pid);
        status = -2;
    }

    if (process) {
        /* wait until process exit */
        ret = WaitForSingleObject (process, INFINITE);
        if (ret == WAIT_FAILED) {
            status = 0 - GetLastError ();
        /* get exit code, if possible (not when we only hold SYNCHRONIZE) */
        } else if (status != -2) {
            if (!GetExitCodeProcess (process, &ret)) {
                status = 0 - GetLastError ();
            } else {
                status = (int) ret;
            }
        }
        CloseHandle (process);
    } else {
        /* both OpenProcess attempts failed: report the last error */
        status = 0 - GetLastError ();
    }
    return status;
}
(If you have any comments on the code: use the comments and share your thoughts)
Yes, this is possible, because PROCESS_QUERY_LIMITED_INFORMATION and SYNCHRONIZE are completely independent access rights. But before opening the process you need (if possible) to enable SE_DEBUG_PRIVILEGE; with this privilege you can open any process regardless of its DACL (except system-protected ones). However, even protected processes can be opened with PROCESS_QUERY_LIMITED_INFORMATION.
I did a quick check of process access masks on Win 10 (1607):
Look for example at
0000000000000E74 SppExtComObj.Exe
T FL AcessMsK Sid
0 00 001FFFFF S-1-5-20 NETWORK SERVICE
0 00 00100001 S-1-5-5-0-63646 LogonSessionId_0_63646
0 00 00100000 S-1-5-18 SYSTEM
which says SYSTEM has SYNCHRONIZE (0x00100000) but not PROCESS_QUERY_LIMITED_INFORMATION (0x1000). Or another example:
00000000000008B4 WmiPrvSE.exe
T FL AcessMsK Sid
0 00 001FFFFF S-1-5-18 SYSTEM
0 00 00100001 S-1-5-5-0-63646 LogonSessionId_0_63646
0 00 00100000 S-1-5-18 SYSTEM
EDIT
Demo test on Win 8.1.
I enabled SE_DEBUG_PRIVILEGE and tried to open processes with PROCESS_QUERY_LIMITED_INFORMATION|SYNCHRONIZE.
I successfully opened ALL processes in the system, including the protected ones.
When I tried to open with PROCESS_QUERY_INFORMATION, I got errors for the following processes:
c0000022 0000000000000004 System
c0000022 0000000000000138 smss.exe
c0000022 00000000000001A8 csrss.exe
c0000022 00000000000001EC csrss.exe
c0000022 0000000000000244 services.exe
c0000022 00000000000005B8 sppsvc.exe
All of these are Windows protected processes.
Now I test with SE_DEBUG_PRIVILEGE disabled. The results speak for themselves.
------------ try to open with PROCESS_QUERY_LIMITED_INFORMATION
c0000022 00000000000001A8 csrss.exe
c0000022 00000000000001EC csrss.exe
c0000022 000000000000033C dwm.exe
c0000022 00000000000005D0 WUDFHost.exe
c0000022 00000000000007E4 WUDFHost.exe
------------ try to open with SYNCHRONIZE
c0000022 00000000000001A8 csrss.exe
c0000022 00000000000001EC csrss.exe
c0000022 00000000000002A4 svchost.exe
c0000022 00000000000002C8 svchost.exe
c0000022 0000000000000320 svchost.exe
c0000022 000000000000033C dwm.exe
c0000022 0000000000000358 svchost.exe
c0000022 0000000000000390 svchost.exe
c0000022 00000000000003CC svchost.exe
c0000022 00000000000001E0 svchost.exe
c0000022 00000000000005D0 WUDFHost.exe
c0000022 00000000000007F0 svchost.exe
c0000022 00000000000005B8 sppsvc.exe
c0000022 00000000000007E4 WUDFHost.exe
So the results differ with and without SE_DEBUG_PRIVILEGE, but I did not find a case where a process can be opened with SYNCHRONIZE but not with PROCESS_QUERY_LIMITED_INFORMATION.
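The following is an added example (my own Python, not code from the question or the answer): it parses the access-mask dump format the answer uses and runs an ordered DACL walk over it, so that for a given set of token SIDs you can list the processes that would grant SYNCHRONIZE but refuse PROCESS_QUERY_LIMITED_INFORMATION, which is exactly the case the question asks about. The sample dump embeds two entries copied from the answer's Windows 10 listing plus one constructed entry carrying a deny ACE; privileges such as SE_DEBUG_PRIVILEGE, owner rights and generic mapping are assumed out of scope and are not modelled.

```python
# Added example, not code from the question or answer: parse the ACE dump
# format shown above and run an ordered DACL walk to find sync-only processes.

PROCESS_QUERY_LIMITED_INFORMATION = 0x1000      # values from WinNT.h
SYNCHRONIZE = 0x00100000
ACCESS_ALLOWED, ACCESS_DENIED = 0, 1            # dump column "T" (ACE type)

def parse_dump(text):
    """Return [(pid, image, [(ace_type, flags, mask, sid), ...]), ...]; row 1 is the header."""
    procs = []
    for block in text.split("----------------------"):
        rows = [ln.split() for ln in block.strip().splitlines()]
        if len(rows) < 2:
            continue
        pid, image = int(rows[0][0], 16), rows[0][1]
        aces = [(int(r[0]), int(r[1], 16), int(r[2], 16), r[3]) for r in rows[2:]]
        procs.append((pid, image, aces))
    return procs

def access_check(aces, token_sids, requested):
    """Ordered DACL evaluation as Windows does it: a deny ACE covering an
    outstanding bit fails the request, allow ACEs strip bits from it, and the
    request succeeds only when every bit was granted. Privileges are not modelled."""
    remaining = requested
    for ace_type, _flags, mask, sid in aces:
        if sid not in token_sids or remaining == 0:
            continue
        if ace_type == ACCESS_DENIED and mask & remaining:
            return False
        if ace_type == ACCESS_ALLOWED:
            remaining &= ~mask
    return remaining == 0

def sync_only_processes(text, token_sids):
    """Images the token can wait on but not call GetExitCodeProcess against."""
    return [image for _pid, image, aces in parse_dump(text)
            if access_check(aces, token_sids, SYNCHRONIZE)
            and not access_check(aces, token_sids, PROCESS_QUERY_LIMITED_INFORMATION)]

# Two entries copied from the answer's Windows 10 dump, plus one constructed
# entry (pid 0xFFFF) with a deny ACE in front to exercise the deny path.
SAMPLE_DUMP = """\
----------------------
0000000000000E74 SppExtComObj.Exe
T FL AcessMsK Sid
0 00 001FFFFF S-1-5-20 NETWORK SERVICE
0 00 00100001 S-1-5-5-0-63646 LogonSessionId_0_63646
0 00 00100000 S-1-5-18 SYSTEM
----------------------
00000000000002B4 svchost.exe
T FL AcessMsK Sid
0 00 001FFFFF S-1-5-5-0-42363 LogonSessionId_0_42363
0 00 00001400 S-1-5-32-544 Administrators
----------------------
000000000000FFFF constructed.exe
T FL AcessMsK Sid
1 00 00001000 S-1-5-18 SYSTEM
0 00 00121411 S-1-5-18 SYSTEM
"""
```

Calling `sync_only_processes(SAMPLE_DUMP, {"S-1-5-18"})` returns SppExtComObj.Exe (no ACE grants SYSTEM 0x1000) and the constructed entry (the deny ACE blocks 0x1000), while the svchost entry shows the opposite situation for Administrators: 0x1400 grants the query rights but not SYNCHRONIZE.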