[Bug] RegisterGPNotification and logged-in users

Started by fixer, July 06, 2017, 05:42:06 PM

fixer

This API function simply doesn't work for non-logged-in users. The problem is that it sends a query via ALPC to a service, and the service checks access rights against this hardcoded security descriptor: D:(A;;CCLCSW;;;SY)(A;;CCLCSW;;;BA)(A;;CCLCSW;;;NS)(A;;CCLCSW;;;%s), substituting %s with the Sid from a token from an internal list. Translating from SDDL into English: it allows access to System, Administrators, Network Service and the logged-in user's Sid. So if the user hasn't logged in, access denied, sorry, bye-bye. So if we try to start a process from another user (using the API, using runas) and that user isn't logged in, this function call will fail.

This issue was found several months ago; it wasn't fixed then. I haven't checked it since, but I suspect it will remain broken for many years to come.
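
Added example, not part of the original post and not the service's code: a small Python model that decodes the SDDL template quoted above and evaluates it against caller tokens, to show which callers the descriptor admits. The user SIDs, the token contents and the simplified allow-only access check are assumptions constructed for illustration.

```python
import re

# Well-known SDDL SID aliases used in the descriptor quoted in the post.
SID_ALIASES = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "NS": "S-1-5-20"}
# SDDL two-letter rights appearing in the descriptor, with their access-mask bits.
RIGHTS = {"CC": 0x1, "LC": 0x4, "SW": 0x8}
TEMPLATE = "D:(A;;CCLCSW;;;SY)(A;;CCLCSW;;;BA)(A;;CCLCSW;;;NS)(A;;CCLCSW;;;%s)"

# Constructed sample SIDs (not from the post).
LOGGED_IN = "S-1-5-21-1111-2222-3333-1001"   # user in the service's list
OTHER = "S-1-5-21-1111-2222-3333-1002"       # user who has not logged in
USERS, ADMINS = "S-1-5-32-545", "S-1-5-32-544"

def parse_dacl(sddl):
    """Return [(trustee_sid, access_mask)] for the allow ACEs of a DACL-only SDDL string."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL-only SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sddl):
        fields = body.split(";")
        if len(fields) != 6 or fields[0] != "A":
            raise ValueError("unsupported ACE: " + body)
        rights, trustee = fields[2], fields[5]
        mask = 0
        for i in range(0, len(rights), 2):
            mask |= RIGHTS[rights[i:i + 2]]
        aces.append((SID_ALIASES.get(trustee, trustee), mask))
    return aces

def access_allowed(sddl, token_sids, desired):
    """Simplified check: OR together the masks of ACEs whose trustee is in the token."""
    granted = 0
    for sid, mask in parse_dacl(sddl):
        if sid in token_sids:
            granted |= mask
    return granted & desired == desired

def check_scenarios():
    sd = TEMPLATE % LOGGED_IN        # the service substitutes the logged-in user's SID
    want = 0x1 | 0x4 | 0x8           # CC | LC | SW
    return {
        "logged_in_user": access_allowed(sd, {LOGGED_IN, USERS}, want),
        "other_user_not_logged_in": access_allowed(sd, {OTHER, USERS}, want),
        "other_user_in_administrators": access_allowed(sd, {OTHER, ADMINS}, want),
        "network_service": access_allowed(sd, {"S-1-5-20"}, want),
    }

if __name__ == "__main__":
    for name, ok in check_scenarios().items():
        print(name, "allowed" if ok else "denied")
```

In this model the only standard-user token that passes is the one whose SID was substituted into the fourth ACE, which matches the failure described in the post.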