Discussion:
OpenEvent() fails on Vista for some processes while trying to open global event
Grzegorz Wróbel
2009-12-16 00:36:24 UTC
Hi,

I am creating an event in a global namespace from within a service. The
event is supposed to be accessed (set) by some other processes that
might be running under different credentials in different sessions, so
during its creation I add the following DACL: "D:(A;NP;GRGW;;;WD)" to its
security descriptor (read and write access for Everyone). This is
supposed to ensure other processes have rights to open it for read and
write access.

On pre-Vista OSes it used to work; on Vista it works too, but not
for every process. For some processes OpenEvent(EVENT_MODIFY_STATE,...)
fails with GetLastError() returning 5 (ERROR_ACCESS_DENIED).

I have no idea what might be causing this and where to look now. Is
there any additional security mechanism in Vista that can override
security descriptor of an object?
--
Grzegorz Wróbel
677265676F727940346E6575726F6E732E636F6D
Pavel A.
2009-12-16 02:06:14 UTC
Something related to the integrity classes?
--pa
Post by Grzegorz Wróbel
Hi,
I am creating an event in a global namespace from within a service. The
event is supposed to be accessed (set) by some other processes that might
be running under different credentials in different sessions, so during
its creation I add following DACL: "D:(A;NP;GRGW;;;WD)" to its security
descriptor (read and write access for Everyone). This is supposed to
ensure other processes have rights to open it for read and write access.
On pre vista OSes it used to be working, on Vista it works too but not for
every process. For some processes OpenEvent(EVENT_MODIFY_STATE,...) fails
with GetLastError() returning 5 (ERROR_ACCESS_DENIED).
I have no idea what might be causing this and where to look now. Is there
any additional security mechanism in Vista that can override security
descriptor of an object?
--
Grzegorz Wróbel
677265676F727940346E6575726F6E732E636F6D
Grzegorz Wróbel
2009-12-16 15:58:16 UTC
Post by Pavel A.
Something related to the integrity classes?
I don't think so. I have excluded such possibility since setting
explicitly access rights to Everyone includes also untrusted level, so
integrity control shouldn't get in the way.

Now after getting two replies suggesting it I have checked it to be sure
and it turns out that the process that fails to open the event has system
integrity level. So it's certainly not it.


The process must have been crippled in some other way. The only
limitation for this process I have found so far is that it has only one
privilege left but that is not the problem as OpenEvent() does not
require any special privileges. Other than that I have found nothing.
The process access token does not have a list of restricting SIDs and the
group accounts associated with the token do not contain any SID with the
deny-only attribute:

Token Groups:
Sid: S-1-16-16384 (name: System Mandatory Level) Attributes: 0x00000060
Sid: S-1-1-0 (name: Everyone) Attributes: 0x00000007
Sid: S-1-5-32-545 (name: Users) Attributes: 0x00000007
Sid: S-1-5-6 (name: SERVICE) Attributes: 0x00000007
Sid: S-1-5-11 (name: Authenticated Users) Attributes: 0x00000007
Sid: S-1-5-15 (name: This Organization) Attributes: 0x00000007
Sid: S-1-2-0 (name: LOCAL) Attributes: 0x00000007
Sid: S-1-5-5-0-411953 (name: ) Attributes: 0xc0000007


Why the OpenEvent() is failing with ERROR_ACCESS_DENIED I still don't
know. This process can communicate with the service using interprocess
communication but cannot use an event for synchronization.
--
Grzegorz Wróbel
677265676F727940346E6575726F6E732E636F6D
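The properties claimed for this token in the post above (no deny-only SIDs, Everyone enabled, System integrity level) can be read mechanically from the dump. The following is an added example, not code from the thread: portable C that parses the posted lines using the SE_GROUP_* bit values defined in winnt.h; `summarize_token` and `label_blocks_write` are hypothetical helper names.

```c
#include <stdio.h>
#include <string.h>

/* SE_GROUP_* attribute bits, values as defined in winnt.h */
#define GRP_ENABLED           0x00000004u
#define GRP_USE_FOR_DENY_ONLY 0x00000010u
#define GRP_INTEGRITY_ENABLED 0x00000040u

/* Token group lines copied from the post above */
static const char SAMPLE_DUMP[] =
    "Sid: S-1-16-16384 (name: System Mandatory Level) Attributes: 0x00000060\n"
    "Sid: S-1-1-0 (name: Everyone) Attributes: 0x00000007\n"
    "Sid: S-1-5-32-545 (name: Users) Attributes: 0x00000007\n"
    "Sid: S-1-5-6 (name: SERVICE) Attributes: 0x00000007\n"
    "Sid: S-1-5-11 (name: Authenticated Users) Attributes: 0x00000007\n"
    "Sid: S-1-5-15 (name: This Organization) Attributes: 0x00000007\n"
    "Sid: S-1-2-0 (name: LOCAL) Attributes: 0x00000007\n"
    "Sid: S-1-5-5-0-411953 (name: ) Attributes: 0xc0000007\n";

/* groups parsed, deny-only SIDs, Everyone enabled?, integrity RID
   (4096 = low, 8192 = medium, 12288 = high, 16384 = system) */
typedef struct {
    int groups, deny_only, everyone_enabled;
    unsigned long il_rid;
} TokenSummary;

/* Parse "Sid: <sid> (name: ...) Attributes: 0x<hex>" lines. */
TokenSummary summarize_token(const char *dump) {
    TokenSummary s = {0, 0, 0, 0};
    const char *p = dump, *a;
    char sid[64];
    unsigned long attrs;
    while ((p = strstr(p, "Sid: ")) && (a = strstr(p, "Attributes: ")) &&
           sscanf(p, "Sid: %63s", sid) == 1 &&
           sscanf(a, "Attributes: %lx", &attrs) == 1) {
        s.groups++;
        if (attrs & GRP_USE_FOR_DENY_ONLY) s.deny_only++;
        if (!strcmp(sid, "S-1-1-0") && (attrs & GRP_ENABLED)) s.everyone_enabled = 1;
        if (!strncmp(sid, "S-1-16-", 7) && (attrs & GRP_INTEGRITY_ENABLED))
            sscanf(sid + 7, "%lu", &s.il_rid);
        p = a; /* continue the search after this line's attributes */
    }
    return s;
}

/* A no-write-up (NW) label refuses write access only to callers whose
   integrity RID is below the object's label RID. */
int label_blocks_write(unsigned long caller_rid, unsigned long label_rid) {
    return caller_rid < label_rid;
}

int main(void) {
    TokenSummary s = summarize_token(SAMPLE_DUMP);
    printf("groups=%d deny_only=%d everyone=%d il=%lu blocked_by_low_label=%d\n", s.groups,
           s.deny_only, s.everyone_enabled, s.il_rid, label_blocks_write(s.il_rid, 4096));
    return 0;
}
```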
Grzegorz Wróbel
2009-12-17 02:31:10 UTC
Post by Grzegorz Wróbel
Why the OpenEvent() is failing with ERROR_ACCESS_DENIED I still don't
know. This process can communicate with the service using interprocess
communication but cannot use an event for synchronization.
I have rewritten the service to work even if event synchronization is
malfunctioning. Instead of waiting infinitely on the event I've added a
finite time-out interval, and the service also checks whether any data
has been sent to it after each time-out. Not very elegant, but it will
work even if the other process won't be able to set the event.

I would still like to know why OpenEvent() fails in that particular case.
--
Grzegorz Wróbel
677265676F727940346E6575726F6E732E636F6D
Jochen Kalmbach [MVP]
2009-12-16 06:37:39 UTC
Hi Grzegorz!
Post by Grzegorz Wróbel
On pre vista OSes it used to be working, on Vista it works too but not
for every process. For some processes OpenEvent(EVENT_MODIFY_STATE,...)
fails with GetLastError() returning 5 (ERROR_ACCESS_DENIED).
Maybe it is the same problem as with named pipes...
See:
http://msdn.microsoft.com/en-us/library/bb625963.aspx

And here is a German posting about this problem:
http://blog.m-ri.de/index.php/2009/12/08/windows-integrity-control-schreibzugriff-auf-eine-named-pipe-eines-services-ueber-anonymen-zugriff-auf-vista-windows-2008-server-und-windows-7/

=> you must use the following SDDL-String:
#define UNTRUSTED_INTEGRITY_SDDL_SACL _T("S:(ML;;NW;;;S-1-16-0)")
--
Greetings
Jochen

My blog about Win32 and .NET
http://blog.kalmbachnet.de/
Grzegorz Wróbel
2009-12-16 16:01:06 UTC
Post by Jochen Kalmbach [MVP]
Hi Grzegorz!
Hi Jochen,
Post by Jochen Kalmbach [MVP]
http://msdn.microsoft.com/en-us/library/bb625963.aspx
No, it's not it. (See the other reply).
--
Grzegorz Wróbel
677265676F727940346E6575726F6E732E636F6D
Remy Lebeau
2009-12-16 21:22:17 UTC
Post by Grzegorz Wróbel
I am creating an event in a global namespace from within a service.
The event is supposed to be accessed (set) by some other processes
that might be running under different credentials in different sessions
Rather than creating a DACL with read/write permissions, try assigning a NULL DACL instead. That will allow unrestricted access to everyone. For example:

SECURITY_DESCRIPTOR sd;
InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE);

SECURITY_ATTRIBUTES sa = {0};
sa.nLength = sizeof(sa);
sa.lpSecurityDescriptor = &sd;
sa.bInheritHandle = FALSE;

HANDLE hEvent = CreateEvent(&sa, ...);
--
Remy Lebeau (TeamB)
Grzegorz Wróbel
2009-12-17 02:16:02 UTC
Among many things I have tried that as well, but to no avail. That's not
surprising really - if granting read/write permission was enough for
other processes (I granted for Everyone) then clearly something
must be wrong with the process that tries to open the event, not with
the event itself. I think there must be some very unusual restrictions
added to that particular process by the service that spawns it.
--
Grzegorz Wróbel
677265676F727940346E6575726F6E732E636F6D
Hugo <hugh<underbar>
2009-12-21 11:33:01 UTC
I suspect this is all caused by something simple, and that is the way
sessions and namespaces were altered after XP.

I had a similar issue with file mappings, read this to see if it does indeed
help:

http://rdn-consulting.com/blog/2007/08/20/kernel-object-namespace-and-vista/

Regards

Hugh
Post by Grzegorz Wróbel
Among many things I have tried that as well, but to no avail. That's not
surprising really - if granting read/write permission was enough for
other processes (I granted for Everyone) then it is clearly something
must be wrong with the process that tries to open the event, not with
the event itself. I think there must be some very unusual restrictions
added to that particular process by the service that spawns it.
--
Grzegorz Wróbel
677265676F727940346E6575726F6E732E636F6D
.
Hugo <hugh<underbar>
2009-12-21 11:42:01 UTC
The problem is likely due to the new session 0 isolation introduced in Vista
and used in W 7 too. Here is a good write-up, hope it helps:

http://windowsteamblog.com/blogs/developers/archive/2009/10/01/session-0-isolation.aspx

Hugh
Post by Grzegorz Wróbel
Among many things I have tried that as well, but to no avail. That's not
surprising really - if granting read/write permission was enough for
other processes (I granted for Everyone) then it is clearly something
must be wrong with the process that tries to open the event, not with
the event itself. I think there must be some very unusual restrictions
added to that particular process by the service that spawns it.
--
Grzegorz Wróbel
677265676F727940346E6575726F6E732E636F6D
.
mosesvas
2009-12-22 10:00:35 UTC
Hi,
Try changing the integrity of the event to low; use this code. Low
integrity processes can't access kernel objects created by processes at
other integrity levels.

#include <windows.h>
#include <sddl.h>    // ConvertStringSecurityDescriptorToSecurityDescriptorW
#include <aclapi.h>  // SetSecurityInfo

static BOOL SetObjectToLowIntegrity(HANDLE hObject, SE_OBJECT_TYPE type = SE_KERNEL_OBJECT)
{
    BOOL bRet = FALSE;
    DWORD dwErr = ERROR_SUCCESS;
    PSECURITY_DESCRIPTOR pSD = NULL;
    PACL pSacl = NULL;
    BOOL fSaclPresent = FALSE;
    BOOL fSaclDefaulted = FALSE;
    // The LABEL_SECURITY_INFORMATION SDDL SACL to be set for low integrity
    LPCWSTR LOW_INTEGRITY_SDDL_SACL_W = L"S:(ML;;NW;;;LW)";

    // Build a security descriptor that holds only the mandatory label
    if (ConvertStringSecurityDescriptorToSecurityDescriptorW(
            LOW_INTEGRITY_SDDL_SACL_W, SDDL_REVISION_1, &pSD, NULL))
    {
        if (GetSecurityDescriptorSacl(pSD, &fSaclPresent, &pSacl, &fSaclDefaulted))
        {
            // Apply only the label; owner, group and DACL are left untouched
            dwErr = SetSecurityInfo(hObject, type, LABEL_SECURITY_INFORMATION,
                                    NULL, NULL, NULL, pSacl);
            bRet = (ERROR_SUCCESS == dwErr);
        }
        LocalFree(pSD);
    }

    return bRet;
}
regards,
vasanth
Post by Grzegorz Wróbel
Hi,
I am creating an event in a global namespace from within a service. The
event is supposed to be accessed (set) by some other processes that
might be running under different credentials in different sessions, so
during its creation I add following DACL: "D:(A;NP;GRGW;;;WD)" to its
security descriptor (read and write access for Everyone). This is
supposed to ensure other processes have rights to open it for read and
write access.
On pre vista OSes it used to be working, on Vista it works too but not
for every process. For some processes OpenEvent(EVENT_MODIFY_STATE,...)
fails with GetLastError() returning 5 (ERROR_ACCESS_DENIED).
I have no idea what might be causing this and where to look now. Is
there any additional security mechanism in Vista that can override
security descriptor of an object?
--
Grzegorz Wróbel
677265676F727940346E6575726F6E732E636F6D
Grzegorz Wróbel
2009-12-26 05:39:07 UTC
Post by mosesvas
Hi,
Try changing the integrity of the event to low use this code. Low
integrity process can't access kernel object created from other
It has already been mentioned in this thread that the process in question
has System Mandatory Level (highest possible).
--
Grzegorz Wróbel
677265676F727940346E6575726F6E732E636F6D
dc 2000
2010-10-18 00:48:51 UTC
I know it's an old thread, but I can't find any more info on the web...

A question to Grzegorz_Wróbel -- did you resolve this issue? I'm in the exact same boat. Please share what you found and I'll respond with what I was able to find out.
Petr Pospisil
2010-10-27 22:16:02 UTC
try

OpenEventW(SYNCHRONIZE,FALSE,L"Global\\SafeticaDlpRemoveHookEvent");

instead of

OpenEventW(SYNCHRONIZE,FALSE,L"SafeticaDlpRemoveHookEvent");

when dealing with a driver or service event on Windows Vista++

Petr Pospisil
2010-10-27 22:20:16 UTC
and to be 100% sure

when creating the event use a security attribute

smth like that:

BYTE sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
SECURITY_ATTRIBUTES sa;

sa.nLength = sizeof(sa);
sa.bInheritHandle = TRUE;
sa.lpSecurityDescriptor = &sd;

InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(&sd, TRUE, (PACL) 0, FALSE); // NULL DACL: no access restrictions
HANDLE event = CreateEvent(
    &sa,   // security attributes carrying the NULL DACL
    TRUE,  // manual-reset event
    FALSE, // initial state is nonsignaled
    TEXT("SafeticaDlpRemoveHookEvent")
);
