Hi, all
I recently needed to get the integrity level of a process, and I found help on MSDN. The sample code looks like this:
C++
if (GetTokenInformation(hToken, TokenIntegrityLevel,
                        pTIL, dwLengthNeeded, &dwLengthNeeded))
{
    dwIntegrityLevel = *GetSidSubAuthority(pTIL->Label.Sid,
        (DWORD)(UCHAR)(*GetSidSubAuthorityCount(pTIL->Label.Sid) - 1));

    if (dwIntegrityLevel == SECURITY_MANDATORY_LOW_RID)
    {
        // Low Integrity
        wprintf(L"Low Process");
    }
    else if (dwIntegrityLevel >= SECURITY_MANDATORY_MEDIUM_RID &&
             dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID)
    {
        // Medium Integrity
        wprintf(L"Medium Process");
    }
    else if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID)
    {
        // High Integrity
        wprintf(L"High Integrity Process");
    }
    else if (dwIntegrityLevel >= SECURITY_MANDATORY_SYSTEM_RID)
    {
        // System Integrity
        wprintf(L"System Integrity Process");
    }
}

As you all know, SECURITY_MANDATORY_LOW_RID == 0x00001000L, SECURITY_MANDATORY_MEDIUM_RID == 0x00002000L, SECURITY_MANDATORY_HIGH_RID == 0x00003000L, and SECURITY_MANDATORY_SYSTEM_RID == 0x00004000L.

Here is my question:
If this sample code is correct, then what integrity level does process A have if it has a dwIntegrityLevel of 0x00004100L? SECURITY_MANDATORY_HIGH_RID and SECURITY_MANDATORY_SYSTEM_RID? Does it mean that a process that has the SECURITY_MANDATORY_SYSTEM_RID level also has SECURITY_MANDATORY_HIGH_RID?

If the sample code is wrong, then what is the right way to determine the integrity level of a process?

Thanks for any of your suggestions.
Posted
Updated 7-Oct-12 21:32pm
v3

1 solution

0x4100 is SECURITY_MANDATORY_SYSTEM_RID + 0x100 (not 0x1000).

See Well-known SIDs in the MSDN.

There is no definition for 0x4100 but one for 0x2100. It seems that an offset of 0x100 can be treated as 'PLUS'.
 
Comments
ericchan1336 8-Oct-12 21:31pm    
What I really wanna know is whether the sample code is the right way to determine the integrity level of a process?
Jochen Arndt 9-Oct-12 3:07am    
It is the recommended way because the code is from the MSDN (I assume from the article 'Getting the Integrity Level for an Access Token').

Regarding the 0x100 offset: The code uses if - else conditions with comparisons. So the 0x100 offset is ignored, printing 'System Integrity Process' for a level of 0x4100.
ericchan1336 9-Oct-12 3:57am    
If the code is correct, then wprintf(L"System Integrity Process"); will never be executed, since a dwIntegrityLevel which is larger than SECURITY_MANDATORY_SYSTEM_RID is also larger than SECURITY_MANDATORY_HIGH_RID.
Jochen Arndt 9-Oct-12 4:14am    
You are right. I missed that. It must be:
else if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID &&
dwIntegrityLevel < SECURITY_MANDATORY_SYSTEM_RID)

Another option would be using a switch statement with a masked value:
switch (dwIntegrityLevel & 0x7000)
{
case SECURITY_MANDATORY_LOW_RID : wprintf(L"Low Process"); break;
...
}

You may also add the missing codes SECURITY_MANDATORY_UNTRUSTED_RID (0x0000) and SECURITY_MANDATORY_PROTECTED_PROCESS_RID (0x5000).
ericchan1336 9-Oct-12 4:23am    
That's what I think it should be. Thanks Jochen.
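The unreachable "System" branch and the masked-switch fix discussed in the comments above, as an added example that is neither the MSDN sample nor code from this thread. It assumes a hand-written stand-in for the winnt.h SID layout so it builds without windows.h, and constructs the mandatory-label SID (S-1-16-<rid>) inline instead of reading it from a token with GetTokenInformation:

```c
#include <stdint.h>
#include <string.h>
/* Integrity RIDs as in winnt.h (values quoted in the thread). */
#define SECURITY_MANDATORY_UNTRUSTED_RID         0x0000u
#define SECURITY_MANDATORY_LOW_RID               0x1000u
#define SECURITY_MANDATORY_MEDIUM_RID            0x2000u
#define SECURITY_MANDATORY_HIGH_RID              0x3000u
#define SECURITY_MANDATORY_SYSTEM_RID            0x4000u
#define SECURITY_MANDATORY_PROTECTED_PROCESS_RID 0x5000u
/* Stand-in for the winnt.h SID layout (assumed same field order) so this builds without windows.h. */
typedef struct {
    uint8_t  Revision;
    uint8_t  SubAuthorityCount;
    uint8_t  IdentifierAuthority[6];
    uint32_t SubAuthority[4];
} LabelSid;
/* Constructed mandatory-label SID S-1-16-<rid>; 16 is the mandatory label authority. */
static LabelSid make_label_sid(uint32_t rid) {
    LabelSid s = { 1, 1, { 0, 0, 0, 0, 0, 16 }, { 0 } };
    s.SubAuthority[0] = rid;
    return s;
}

/* As in the MSDN sample: the integrity RID is the LAST sub-authority of the label SID. */
static uint32_t integrity_rid(const LabelSid *sid) {
    return sid->SubAuthority[sid->SubAuthorityCount - 1];
}

/* MSDN branch order: ">= HIGH" swallows every System level, so "System" never runs. */
static const char *classify_original(uint32_t rid) {
    if (rid == SECURITY_MANDATORY_LOW_RID) return "Low";
    if (rid >= SECURITY_MANDATORY_MEDIUM_RID && rid < SECURITY_MANDATORY_HIGH_RID) return "Medium";
    if (rid >= SECURITY_MANDATORY_HIGH_RID) return "High";
    if (rid >= SECURITY_MANDATORY_SYSTEM_RID) return "System"; /* unreachable */
    return "Unknown";
}

/* Fix from the comments: mask off the +0x100 "plus" offset (0x2100, 0x4100) and switch on the band. */
static const char *classify_fixed(uint32_t rid) {
    switch (rid & 0x7000u) {
    case SECURITY_MANDATORY_UNTRUSTED_RID:         return "Untrusted";
    case SECURITY_MANDATORY_LOW_RID:               return "Low";
    case SECURITY_MANDATORY_MEDIUM_RID:            return "Medium";
    case SECURITY_MANDATORY_HIGH_RID:              return "High";
    case SECURITY_MANDATORY_SYSTEM_RID:            return "System";
    case SECURITY_MANDATORY_PROTECTED_PROCESS_RID: return "ProtectedProcess";
    default:                                       return "Unknown";
    }
}
```

For the 0x4100 value from the question, classify_original reports "High" while classify_fixed reports "System".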

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)