2016-11-19 134 views
1

OpenProcess: is it possible to get ERROR_ACCESS_DENIED for PROCESS_QUERY_LIMITED_INFORMATION but not for SYNCHRONIZE?

I use OpenProcess to get a process handle from a PID. The function has two tasks; what it should do is:

  • Must do: wait for the process to terminate, with WaitForSingleObject (process, INFINITE)
  • Do if possible: get the exit code, with GetExitCodeProcess (process, &ret)

The complete question: is it possible to get ERROR_ACCESS_DENIED for PROCESS_QUERY_LIMITED_INFORMATION but not for SYNCHRONIZE? If so: in which cases?

For reference, the full code:

#include <windows.h>
#include <process.h>   /* _getpid */

/* wait for a pid to end and return its exit code
   error codes are returned as negative value
*/
int
waitpid (const int pid)
{
    int status = 0;
    HANDLE process = NULL;
    DWORD ret;

    /* windows would wait for our own process to end... abort */
    if (pid == _getpid()) {
        status = 0 - ERROR_INVALID_DATA;
        return status;
    }
    /* get process handle */
    process = OpenProcess (SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    /* if we don't get access to query the process' exit status try to get at least
       access to the process end (needed for WaitForSingleObject)
    */
    if (!process && GetLastError() == ERROR_ACCESS_DENIED) {
        /* keep the fallback handle: the wait below needs it */
        process = OpenProcess (SYNCHRONIZE, FALSE, pid);
        status = -2;
    }
    if (process) {
        /* wait until process exit */
        ret = WaitForSingleObject (process, INFINITE);
        if (ret == WAIT_FAILED) {
            status = 0 - GetLastError();
        /* get exit code, if possible (not with a SYNCHRONIZE-only handle) */
        } else if (status != -2) {
            if (!GetExitCodeProcess (process, &ret)) {
                status = 0 - GetLastError();
            } else {
                status = (int) ret;
            }
        }
        CloseHandle (process);
    } else {
        /* both opens failed: report the last error */
        status = 0 - GetLastError();
    }
    return status;
}

(If you have any remarks on the code: use the comments and share your thoughts.)

Answer

2

Yes, this is possible, because PROCESS_QUERY_LIMITED_INFORMATION and SYNCHRONIZE are absolutely independent access rights. But before opening the process you need (if possible) to enable SE_DEBUG_PRIVILEGE - with this privilege you can open any process regardless of the process DACL (except protected system processes). However, even protected processes can be opened with PROCESS_QUERY_LIMITED_INFORMATION.

I did a quick check of the process access masks on Win 10 (1607):


Look, for example, at

0000000000000E74 SppExtComObj.Exe 

T FL AcessMsK Sid 
0 00 001FFFFF S-1-5-20 NETWORK SERVICE 
0 00 00100001 S-1-5-5-0-63646 LogonSessionId_0_63646 
0 00 00100000 S-1-5-18 SYSTEM 

There SYSTEM has SYNCHRONIZE (0x00100000) but not PROCESS_QUERY_LIMITED_INFORMATION (0x1000). Or another example:

00000000000008B4 WmiPrvSE.exe 

T FL AcessMsK Sid 

0 00 001FFFFF S-1-5-18 SYSTEM 
0 00 00100001 S-1-5-5-0-63646 LogonSessionId_0_63646 
0 00 00100000 S-1-5-18 SYSTEM 

EDIT

Demo test on Win 8.1: I enable SE_DEBUG_PRIVILEGE and try to open processes with PROCESS_QUERY_LIMITED_INFORMATION|SYNCHRONIZE. I successfully open ALL processes in the system, including protected ones. When I try to open with PROCESS_QUERY_INFORMATION I get errors for the following processes:

c0000022 0000000000000004 System 
c0000022 0000000000000138 smss.exe 
c0000022 00000000000001A8 csrss.exe 
c0000022 00000000000001EC csrss.exe 
c0000022 0000000000000244 services.exe 
c0000022 00000000000005B8 sppsvc.exe 

All of these are Windows protected processes. Now I test opening with SE_DEBUG_PRIVILEGE disabled. The results speak for themselves:

----------- try open with PROCESS_QUERY_LIMITED_INFORMATION

c0000022 00000000000001A8 csrss.exe 
c0000022 00000000000001EC csrss.exe 
c0000022 000000000000033C dwm.exe 
c0000022 00000000000005D0 WUDFHost.exe 
c0000022 00000000000007E4 WUDFHost.exe 

----------- try open with SYNCHRONIZE

c0000022 00000000000001A8 csrss.exe
c0000022 00000000000001EC csrss.exe
c0000022 00000000000002A4 svchost.exe
c0000022 00000000000002C8 svchost.exe
c0000022 0000000000000320 svchost.exe
c0000022 000000000000033C dwm.exe
c0000022 0000000000000358 svchost.exe
c0000022 0000000000000390 svchost.exe
c0000022 00000000000003CC svchost.exe
c0000022 00000000000001E0 svchost.exe
c0000022 00000000000005D0 WUDFHost.exe
c0000022 00000000000007F0 svchost.exe
c0000022 00000000000005B8 sppsvc.exe
c0000022 00000000000007E4 WUDFHost.exe

So the picture differs with and without SE_DEBUG_PRIVILEGE.

But I could not catch a case where a process can be opened with SYNCHRONIZE but not with PROCESS_QUERY_LIMITED_INFORMATION.
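As an added illustration (not code from the question or the answer), the following C models the DACL check behind the answer's dump: the three ACEs shown for SppExtComObj.Exe, a caller whose token holds only the SYSTEM SID (constructed), and the two-step open from the question's waitpid. The check is a deliberately simplified model (assumptions: allow-only ACEs, no deny ACEs, no generic-right mapping, SeDebugPrivilege treated as a full DACL bypass, protected processes not modelled) and does not call the Win32 API, so it compiles on any platform.

```c
#include <stdint.h>
#include <string.h>

/* Win32 process access-right bits (values as defined in the SDK headers). */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
#define SYNCHRONIZE                       0x00100000u
#define PROCESS_ALL_ACCESS                0x001FFFFFu

/* One access-allowed ACE as printed in the answer's dump: mask plus SID. */
struct ace { uint32_t mask; const char *sid; };

/* Simplified DACL check (assumption: allow-only ACEs, no deny ACEs, no generic
 * rights, protected processes not modelled). Granted rights are the union of
 * every ACE whose SID is in the caller's token; the open succeeds only if every
 * requested bit is granted. SeDebugPrivilege is modelled as a full DACL bypass. */
static int open_allowed(const struct ace *dacl, size_t n,
                        const char *const *token_sids, size_t nsids,
                        uint32_t requested, int have_debug_privilege)
{
    uint32_t granted = 0;
    if (have_debug_privilege) return 1;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < nsids; j++)
            if (strcmp(dacl[i].sid, token_sids[j]) == 0)
                granted |= dacl[i].mask;
    return (requested & ~granted) == 0;
}

/* The DACL the answer shows for SppExtComObj.Exe, copied from its dump. */
static const struct ace spp_dacl[] = {
    { PROCESS_ALL_ACCESS,              "S-1-5-20" },        /* NETWORK SERVICE */
    { SYNCHRONIZE | PROCESS_TERMINATE, "S-1-5-5-0-63646" }, /* logon session   */
    { SYNCHRONIZE,                     "S-1-5-18" },        /* SYSTEM          */
};
/* Constructed caller tokens: one holding only the SYSTEM SID, one NETWORK SERVICE. */
static const char *const system_token[] = { "S-1-5-18" };
static const char *const netsvc_token[] = { "S-1-5-20" };

/* Mirrors the question's two-step OpenProcess: 1 = both rights obtained,
 * 2 = only SYNCHRONIZE obtainable (waitpid()'s fallback), 0 = access denied. */
int try_open_like_waitpid(const struct ace *dacl, size_t n,
                          const char *const *sids, size_t nsids, int dbg)
{
    uint32_t both = SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION;
    if (open_allowed(dacl, n, sids, nsids, both, dbg))
        return 1;
    return open_allowed(dacl, n, sids, nsids, SYNCHRONIZE, dbg) ? 2 : 0;
}
```

For the SYSTEM caller the first open is refused and the SYNCHRONIZE-only fallback succeeds, which is exactly the status -2 path in the question's code; with SeDebugPrivilege the first open succeeds.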

+0

Isn't process access masked by the requested rights? Obviously either one can be requested without the other, but the question is: when I *request* the rights, is it possible to get SYNCHRONIZE but not PROCESS_QUERY_LIMITED_INFORMATION? –

+0

'SE_DEBUG_PRIVILEGE' sounds like overkill - I only want to wait and get the exit status, not change the memory contents of the process. I further assume (but may be wrong) that SE_DEBUG_PRIVILEGE may trigger UAC - the processes using this function are in almost all cases command line tools and usually run in the background. –

+0

@SimonSobisch - I open the process token and dump the DACL from it. It grants what it grants. 'SE_DEBUG_PRIVILEGE' is not overkill but mandatory when you try to open processes/threads. Try enabling it and see the difference! – RbMm
