Failed acquisition of SeDebugPrivilege should not trigger a warning

lowleveldesign · Mar 4, 2023 · 3897235 · 3897235
1 parent 5d1e135
commit 3897235
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 16 deletions.
diff --git a/procgov/AccountPrivilegeModule.cs b/procgov/AccountPrivilegeModule.cs
@@ -22,7 +22,8 @@ public static bool IsCurrentUserAdministrator()
         return principal.IsInRole(WindowsBuiltInRole.Administrator);
     }
 
-    internal static List<AccountPrivilege> EnablePrivileges(uint pid, SafeHandle processHandle, string[] privilegeNames)
+    internal static List<AccountPrivilege> EnablePrivileges(uint pid, SafeHandle processHandle,
+        string[] privilegeNames, TraceEventType errorSeverity)
     {
         CheckWin32Result(PInvoke.OpenProcessToken(processHandle, TOKEN_ACCESS_MASK.TOKEN_QUERY | TOKEN_ACCESS_MASK.TOKEN_ADJUST_PRIVILEGES,
             out var tokenHandle));
@@ -45,7 +46,7 @@ internal static List<AccountPrivilege> EnablePrivileges(uint pid, SafeHandle pro
                     var result = Marshal.GetLastWin32Error();
                     if (result != (int)WIN32_ERROR.NO_ERROR)
                     {
-                        logger.TraceEvent(TraceEventType.Warning, 0, $"Setting privilege {privilegeName} for process {pid} failed - 0x{result:x} " +
+                        logger.TraceEvent(errorSeverity, 0, $"Setting privilege {privilegeName} for process {pid} failed - 0x{result:x} " +
                             "(probably privilege is not available)");
                     }
                     return new AccountPrivilege(privilegeName, result, previousPrivileges);
@@ -55,7 +56,7 @@ internal static List<AccountPrivilege> EnablePrivileges(uint pid, SafeHandle pro
                     var result = Marshal.GetLastWin32Error();
                     if (result != (int)WIN32_ERROR.NO_ERROR)
                     {
-                        logger.TraceEvent(TraceEventType.Warning, 0, $"Setting privilege {privilegeName} for process {pid} failed - 0x{result:x} ");
+                        logger.TraceEvent(errorSeverity, 0, $"Setting privilege {privilegeName} for process {pid} failed - 0x{result:x} ");
                     }
                     return new AccountPrivilege(privilegeName, result, new TOKEN_PRIVILEGES { PrivilegeCount = 0 });
                 }
@@ -67,7 +68,8 @@ internal static List<AccountPrivilege> EnablePrivileges(uint pid, SafeHandle pro
         }
     }
 
-    internal static void RestorePrivileges(uint pid, SafeHandle processHandle, List<AccountPrivilege> privileges)
+    internal static void RestorePrivileges(uint pid, SafeHandle processHandle, List<AccountPrivilege> privileges,
+        TraceEventType errorSeverity)
     {
         if (PInvoke.OpenProcessToken(processHandle, TOKEN_ACCESS_MASK.TOKEN_ADJUST_PRIVILEGES, out var tokenHandle))
         {
@@ -78,7 +80,7 @@ internal static void RestorePrivileges(uint pid, SafeHandle processHandle, List<
                     if (!PInvoke.AdjustTokenPrivileges(tokenHandle, false, priv.ReplacedPrivilege, 0, null, null))
                     {
                         int winerr = Marshal.GetLastWin32Error();
-                        logger.TraceEvent(TraceEventType.Error, 0,
+                        logger.TraceEvent(errorSeverity, 0,
                             $"Error while reverting the {priv.PrivilegeName} privilege for process {pid}: 0x{winerr:x}");
                     }
                 }
@@ -91,7 +93,7 @@ internal static void RestorePrivileges(uint pid, SafeHandle processHandle, List<
         else
         {
             int winerr = Marshal.GetLastWin32Error();
-            logger.TraceEvent(TraceEventType.Error, 0, $"Error while reverting the privileges for process {pid}: 0x{winerr:x}");
+            logger.TraceEvent(errorSeverity, 0, $"Error while reverting the privileges for process {pid}: 0x{winerr:x}");
         }
     }
 

diff --git a/procgov/ProcessModule.cs b/procgov/ProcessModule.cs
@@ -18,7 +18,8 @@ public static Win32Job AssignProcessToJobObject(int pid, SessionSettings session
     {
         var currentProcessId = (uint)Environment.ProcessId;
         using var currentProcessHandle = PInvoke.GetCurrentProcess_SafeHandle();
-        var dbgpriv = AccountPrivilegeModule.EnablePrivileges(currentProcessId, currentProcessHandle, new[] { "SeDebugPrivilege" });
+        var dbgpriv = AccountPrivilegeModule.EnablePrivileges(currentProcessId, currentProcessHandle, new[] { "SeDebugPrivilege" },
+                        TraceEventType.Information);
 
         try
         {
@@ -56,13 +57,13 @@ Win32Job OpenOrCreateJob()
             Debug.Assert(job != null);
             Win32JobModule.SetLimits(job, session, GetSystemOrProcessorGroupAffinity(targetProcessHandle, session));
 
-            AccountPrivilegeModule.EnablePrivileges((uint)pid, targetProcessHandle, session.Privileges);
+            AccountPrivilegeModule.EnablePrivileges((uint)pid, targetProcessHandle, session.Privileges, TraceEventType.Error);
 
             return job;
         }
         finally
         {
-            AccountPrivilegeModule.RestorePrivileges(currentProcessId, currentProcessHandle, dbgpriv);
+            AccountPrivilegeModule.RestorePrivileges(currentProcessId, currentProcessHandle, dbgpriv, TraceEventType.Information);
         }
     }
 
@@ -119,7 +120,7 @@ void AssignProcessToExistingJobObject(int processId, Win32Job job, bool checkIfA
                     logger.TraceEvent(TraceEventType.Verbose, 0, $"Process {processId} already assigned to job '{jobName}'.");
                     SetProcessEnvironmentVariables(processId, session.AdditionalEnvironmentVars);
 
-                    AccountPrivilegeModule.EnablePrivileges((uint)processId, processHandle, session.Privileges);
+                    AccountPrivilegeModule.EnablePrivileges((uint)processId, processHandle, session.Privileges, TraceEventType.Error);
                 }
                 else
                 {
@@ -135,13 +136,14 @@ void AssignProcessToExistingJobObject(int processId, Win32Job job, bool checkIfA
                 logger.TraceEvent(TraceEventType.Verbose, 0, $"Assigning process {processId} to job '{job.JobName}'");
                 Win32JobModule.AssignProcess(job, processHandle, session.PropagateOnChildProcesses);
 
-                AccountPrivilegeModule.EnablePrivileges((uint)processId, processHandle, session.Privileges);
+                AccountPrivilegeModule.EnablePrivileges((uint)processId, processHandle, session.Privileges, TraceEventType.Error);
             }
         }
 
         var currentProcessId = (uint)Environment.ProcessId;
         using var currentProcessHandle = PInvoke.GetCurrentProcess_SafeHandle();
-        var dbgpriv = AccountPrivilegeModule.EnablePrivileges(currentProcessId, currentProcessHandle, new[] { "SeDebugPrivilege" });
+        var dbgpriv = AccountPrivilegeModule.EnablePrivileges(currentProcessId, currentProcessHandle, new[] { "SeDebugPrivilege" },
+                        TraceEventType.Information);
 
         try
         {
@@ -166,7 +168,7 @@ void AssignProcessToExistingJobObject(int processId, Win32Job job, bool checkIfA
                     // we need to update variables and priviles in the 'job process' manually as we
                     // won't be assigning it to the job to which it is already assigned
                     SetProcessEnvironmentVariables(jobProcessId, session.AdditionalEnvironmentVars);
-                    AccountPrivilegeModule.EnablePrivileges((uint)jobProcessId, jobProcessHandle, session.Privileges);
+                    AccountPrivilegeModule.EnablePrivileges((uint)jobProcessId, jobProcessHandle, session.Privileges, TraceEventType.Error);
 
                     job = new Win32Job(jobHandle, jobName, session.ClockTimeLimitInMilliseconds);
 
@@ -198,7 +200,7 @@ void AssignProcessToExistingJobObject(int processId, Win32Job job, bool checkIfA
         }
         finally
         {
-            AccountPrivilegeModule.RestorePrivileges(currentProcessId, currentProcessHandle, dbgpriv);
+            AccountPrivilegeModule.RestorePrivileges(currentProcessId, currentProcessHandle, dbgpriv, TraceEventType.Information);
         }
     }
 
@@ -235,7 +237,7 @@ public static unsafe Win32Job StartProcessAndAssignToJobObject(
                         session.ClockTimeLimitInMilliseconds);
             Win32JobModule.SetLimits(job, session, GetSystemOrProcessorGroupAffinity(processHandle, session));
 
-            AccountPrivilegeModule.EnablePrivileges(pi.dwProcessId, processHandle, session.Privileges);
+            AccountPrivilegeModule.EnablePrivileges(pi.dwProcessId, processHandle, session.Privileges, TraceEventType.Error);
 
             CheckWin32Result(PInvoke.ResumeThread(pi.hThread));
 
@@ -287,7 +289,7 @@ public static unsafe Win32Job StartProcessUnderDebuggerAndAssignToJobObject(
                         session.ClockTimeLimitInMilliseconds);
             Win32JobModule.SetLimits(job, session, GetSystemOrProcessorGroupAffinity(processHandle, session));
 
-            AccountPrivilegeModule.EnablePrivileges(pi.dwProcessId, processHandle, session.Privileges);
+            AccountPrivilegeModule.EnablePrivileges(pi.dwProcessId, processHandle, session.Privileges, TraceEventType.Error);
 
             // resume process main thread by detaching from the debuggee
             CheckWin32Result(PInvoke.DebugActiveProcessStop(pi.dwProcessId));