[cvsnt-dev] Re: NtCreateToken & SeImpersonatePrivilege

KJK::Hyperion noog at libero.it
Sat May 22 21:32:14 BST 2004

Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.

Tony Hoyle wrote: 

>> This on a Windows 2000 Service Pack 4
> It could just be hardcoded into privcheck (no reference to this in
> google so I can't try it myself.. a homegrown app???).

yeah, I forgot to mention it's an old app I wrote in Delphi. No, it 
doesn't hardcode anything, it's all information queried for. A pretty 
straightforward program, it does exactly what you'd think it does

> Even if such a privilege exists in Win2kSP4 (but not in XP??? that
> *would* be odd)

not that odd. Windows XP doesn't come in a server flavour, so they 
probably didn't deem it important to fix it immediately (but I read it 
will be fixed in SP2). Anyway, I read the KB religiously and have 
subscribed to kbAlertz.com, and I remember when the article and hotfix 
about SeImpersonatePrivilege and SeCreateGlobalPrivilege came out. Note 
the "applies to" section:


> And for the create token issue (no official microsoft stuff but then
> they never officially acknowledged the existence of the function
> anyway): 

oh, so it wasn't a special check in NtCreateToken! I love Microsoft. 
Even when they break things, they do it in a technically sound way. 
Anyway, what does CVSNT need a token for? couldn't the token returned 
by LogonUser do? (it's used for pserver, right? isn't pserver all about 
plaintext athentication?)

More information about the cvsnt-dev mailing list