SetTimeZoneInformation and Vista  
jpatrick62





PostPosted: Security for Applications in Windows Vista, SetTimeZoneInformation and Vista Top

Having a problem where I'm getting an error return code of 1314 (A required privilege is not held by the client) after calling the SetTimeZoneInformation API in C++. This is after I adjusted the token privilege for the SeSystemtimePrivilege, which is just baffling me. This code works in XP, but alas, not in Vista Beta 2. The user thread is the administrator and, like I mentioned earlier, he now has the SeSystemtimePrivilege set in his token. Is there another privilege I need or is this a bug?


 
 
jgraham






I'm having this exact same problem with RC2. Anyone find a reason?

 
 
Girish123






I am facing this exact problem (last error 1314) on Vista RC1.

- Application is running with elevated admin mode.
- Admin user has been granted SeSystemTimePrivilege privilege.

Application Verifier (LuaPriv) is reporting an error with stop code 0x330F.

This looks like a bug to me.


<avrf:logEntry Time="2006-10-23 : 10:23:57" LayerName="LuaPriv" StopCode="0x330F" Severity="Error">
  <avrf:message>Requested a security-relevant privilege.</avrf:message>
  <avrf:formatmessage>Privs: Requested SeSystemtimePrivilege (the "Change the system time" privilege) with NtAdjustPrivilegesToken successfully</avrf:formatmessage>
  <avrf:parameter1>12fcc4 - Privilege LUID *</avrf:parameter1>
  <avrf:parameter2>2d5cfd0 - Privilege's display name (if available)</avrf:parameter2>
  <avrf:parameter3>70c414f8 - Requesting API</avrf:parameter3>
  <avrf:parameter4>0 - N/A</avrf:parameter4>
  <avrf:stackTrace>
    <avrf:trace>vfluapriv!NS_LuaPriv::AuditPrivilege+154</avrf:trace>
    <avrf:trace>vfluapriv!NS_LuaPriv::VfHookNtAdjustPrivilegesToken+88</avrf:trace>
    <avrf:trace>ADVAPI32!AdjustTokenPrivileges+1e</avrf:trace>
    <avrf:trace>Trim!+4010c4</avrf:trace>
    <avrf:trace>Trim!+4057e2</avrf:trace>
    <avrf:trace>KERNEL32!BaseThreadInitThunk+12</avrf:trace>
    <avrf:trace>ntdll!LdrInitializeThunk+a7</avrf:trace>
  </avrf:stackTrace>
</avrf:logEntry>




 
 
Girish123






In addition to the above, I have SE_TIME_ZONE_NAME turned on as well for this admin user.

 
 
Eric Perlin






Really?
SeTimeZonePrivilege is indeed the privilege that's required for this operation to succeed (this is the only use of this privilege at this point).
Even though it's not enabled by default, elevation is not required.

Is the thread making the call impersonating?
The privilege check will be made in the security context of the calling thread if it's impersonating, or will use the process token instead.
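
The sequence described in the reply above, as an added example that is not part of the original thread: open the thread token if the caller is impersonating and the process token otherwise, enable SeTimeZonePrivilege (SE_TIME_ZONE_NAME) on it, and check GetLastError() after AdjustTokenPrivileges before calling SetTimeZoneInformation. The function names set_tz_privilege and set_time_zone_checked are hypothetical, and the block is Windows-only.

```c
/* Added example, Windows-only (Win32 token APIs); not code from the thread. */
#ifdef _WIN32
#include <windows.h>

/* Enable or disable SeTimeZonePrivilege on `token`; returns a Win32 error code. */
static DWORD set_tz_privilege(HANDLE token, BOOL enable)
{
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = enable ? SE_PRIVILEGE_ENABLED : 0;
    if (!LookupPrivilegeValue(NULL, SE_TIME_ZONE_NAME, &tp.Privileges[0].Luid))
        return GetLastError();
    /* The call returns TRUE even when the token does not hold the privilege;
       GetLastError() is then ERROR_NOT_ALL_ASSIGNED (1300), so always read it. */
    AdjustTokenPrivileges(token, FALSE, &tp, 0, NULL, NULL);
    return GetLastError();
}

/* Returns ERROR_SUCCESS, or the Win32 error of the step that failed. */
DWORD set_time_zone_checked(const TIME_ZONE_INFORMATION *tzi)
{
    HANDLE token = NULL;
    DWORD err;

    /* An impersonating thread is checked against its own token ... */
    if (!OpenThreadToken(GetCurrentThread(),
                         TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, TRUE, &token)) {
        if ((err = GetLastError()) != ERROR_NO_TOKEN)
            return err;
        /* ... otherwise the process token is the one that is checked. */
        if (!OpenProcessToken(GetCurrentProcess(),
                              TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token))
            return GetLastError();
    }
    err = set_tz_privilege(token, TRUE);
    if (err == ERROR_SUCCESS) {
        if (!SetTimeZoneInformation(tzi))
            err = GetLastError();        /* 1314 = ERROR_PRIVILEGE_NOT_HELD */
        set_tz_privilege(token, FALSE);  /* drop the privilege again after use */
    }
    CloseHandle(token);
    return err;
}
#endif
```

A return value of 1300 means the token does not contain SeTimeZonePrivilege at all, which is a different condition from the 1314 reported in the thread.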