Unlike account rights, privileges can be enabled and disabled. For a privilege check to succeed, the privilege must be in the specified token and it must be enabled. The idea behind this scheme is that privileges should be enabled only when their use is required so that a process cannot inadvertently perform a privileged security operation.

EXPERIMENT: Seeing a Privilege Get Enabled

By following these steps, you can see that the Date and Time Control Panel applet enables the SeTimeZonePrivilege privilege in response to you using its interface to change the time zone of the computer:

1. Run Process Explorer, and set the refresh rate to Paused.

2. Open the Date And Time item by right-clicking on the clock in the system tray region of the taskbar, and then select Adjust Date/Time. A new Rundll32 process will appear with a green highlight when you force a refresh with F5.

3. Hover the mouse over the Rundll32 process, and verify that the target contains the text “Time Date Control Panel Applet” as well as a path to Timedate.cpl. The presence of this argument tells Rundll32, which is a Control Panel DLL hosting process, to load the DLL that implements the user interface that enables you to change the time and date.

4. View the Security tab of the process Properties dialog box for your Rundll32 process. You should see that the SeTimeZonePrivilege privilege is disabled.

5. Now click the Change Time Zone button in the Control Panel item, close the process Properties dialog box, and then open it again. On the Security tab, you should now see that the SeTimeZonePrivilege privilege is enabled.
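The experiment watches Timedate.cpl toggle SeTimeZonePrivilege from the outside. The script below, added here as an example and not code from the book, performs the same toggle on its own process token through the Win32 token APIs via ctypes: it reads the privilege's attributes (the same state Process Explorer's Security tab displays), enables the privilege only for the step that needs it, and disables it again afterward, showing at each stage whether a privilege check would pass. The Win32 calls run only on Windows; the helpers decode_attributes and check_would_succeed are plain Python and encode the rule from the text (present in the token and enabled). All function names are this example's own.

```python
# Added example (not from the book): Win32 calls are Windows-only, helpers are pure Python.
import ctypes
import sys
from ctypes import POINTER, Structure, byref, c_int, c_int32, c_uint32, c_void_p, c_wchar_p

# Privilege attribute bits (winnt.h), token access rights, and error codes.
SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001
SE_PRIVILEGE_ENABLED = 0x00000002
SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000
TOKEN_QUERY = 0x0008
TOKEN_ADJUST_PRIVILEGES = 0x0020
TOKEN_PRIVILEGES_CLASS = 3            # TokenPrivileges in TOKEN_INFORMATION_CLASS
ERROR_NOT_ALL_ASSIGNED = 1300

class LUID(Structure):
    _fields_ = [("LowPart", c_uint32), ("HighPart", c_int32)]

class LUID_AND_ATTRIBUTES(Structure):
    _fields_ = [("Luid", LUID), ("Attributes", c_uint32)]

class TOKEN_PRIVILEGES(Structure):
    _fields_ = [("PrivilegeCount", c_uint32),
                ("Privileges", LUID_AND_ATTRIBUTES * 1)]

def decode_attributes(attrs):
    """Names of the attribute bits set on a privilege entry; 'Disabled' if none."""
    bits = ((SE_PRIVILEGE_ENABLED_BY_DEFAULT, "ENABLED_BY_DEFAULT"),
            (SE_PRIVILEGE_ENABLED, "ENABLED"), (SE_PRIVILEGE_USED_FOR_ACCESS, "USED_FOR_ACCESS"))
    return [name for bit, name in bits if attrs & bit] or ["Disabled"]

def check_would_succeed(attrs):
    """The rule from the text: the privilege must be in the token (attrs is not None)
    and must currently have the ENABLED bit set."""
    return attrs is not None and bool(attrs & SE_PRIVILEGE_ENABLED)

def _win_libs():
    if sys.platform != "win32":
        raise OSError("token privilege APIs exist only on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    k32.GetCurrentProcess.restype = c_void_p
    k32.CloseHandle.argtypes = [c_void_p]
    adv.OpenProcessToken.argtypes = [c_void_p, c_uint32, POINTER(c_void_p)]
    adv.LookupPrivilegeValueW.argtypes = [c_wchar_p, c_wchar_p, POINTER(LUID)]
    adv.GetTokenInformation.argtypes = [c_void_p, c_int, c_void_p, c_uint32, POINTER(c_uint32)]
    adv.AdjustTokenPrivileges.argtypes = [c_void_p, c_int, POINTER(TOKEN_PRIVILEGES), c_uint32, c_void_p, c_void_p]
    return k32, adv

def _luid_of(adv, name):
    luid = LUID()
    if not adv.LookupPrivilegeValueW(None, name, byref(luid)):
        raise ctypes.WinError(ctypes.get_last_error())
    return luid

def privilege_attributes(adv, token, name):
    """Attributes of `name` in the token (what Process Explorer shows), or None if absent."""
    luid = _luid_of(adv, name)
    needed = c_uint32()
    adv.GetTokenInformation(token, TOKEN_PRIVILEGES_CLASS, None, 0, byref(needed))  # size query
    buf = ctypes.create_string_buffer(needed.value)
    if not adv.GetTokenInformation(token, TOKEN_PRIVILEGES_CLASS, buf, needed.value, byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    count = c_uint32.from_buffer(buf).value
    entries = (LUID_AND_ATTRIBUTES * count).from_buffer(buf, ctypes.sizeof(c_uint32))
    for entry in entries:
        if (entry.Luid.LowPart, entry.Luid.HighPart) == (luid.LowPart, luid.HighPart):
            return entry.Attributes
    return None

def set_privilege(adv, token, name, enable):
    """Enable or disable `name`. Only a privilege already in the token can be toggled; for a
    missing one AdjustTokenPrivileges still returns TRUE and reports ERROR_NOT_ALL_ASSIGNED."""
    tp = TOKEN_PRIVILEGES()
    tp.PrivilegeCount = 1
    tp.Privileges[0].Luid = _luid_of(adv, name)
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED if enable else 0
    ok = adv.AdjustTokenPrivileges(token, 0, byref(tp), 0, None, None)
    err = ctypes.get_last_error()
    if not ok:
        raise ctypes.WinError(err)
    if err == ERROR_NOT_ALL_ASSIGNED:
        raise PermissionError(f"{name} is not in this token, so it cannot be enabled")

def report(adv, token, name, stage):
    attrs = privilege_attributes(adv, token, name)
    state = "not in token" if attrs is None else ", ".join(decode_attributes(attrs))
    print(f"{stage:<9} {name}: {state}; privilege check {'succeeds' if check_would_succeed(attrs) else 'fails'}")

def demo(name="SeTimeZonePrivilege"):
    k32, adv = _win_libs()
    token = c_void_p()
    if not adv.OpenProcessToken(k32.GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        report(adv, token, name, "initial")
        set_privilege(adv, token, name, True)    # what Timedate.cpl does before changing the zone
        report(adv, token, name, "enabled")
        set_privilege(adv, token, name, False)   # drop it again once the privileged step is done
        report(adv, token, name, "disabled")
    finally:
        k32.CloseHandle(token)

if __name__ == "__main__":
    demo(sys.argv[1] if len(sys.argv) > 1 else "SeTimeZonePrivilege")
```

Run it on Windows under an account that holds the privilege; the three report lines show the attributes going from Disabled to ENABLED and back. Pass a privilege the account does not hold and set_privilege raises PermissionError, because AdjustTokenPrivileges can only enable what is already in the token; code that checks only the BOOL return value and not ERROR_NOT_ALL_ASSIGNED will wrongly assume the privilege is now enabled.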

Table 6-9. Privileges

| Privilege | User Right | Privilege Usage |
|---|---|---|
| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Checked for by various components, such as NtSetInformationJob, that set a process’ token. |
| SeAuditPrivilege | Generate security audits | Required to generate events for the Security event log with the ReportEvent API. |
| SeBackupPrivilege | Back up files and directories | Causes NTFS to grant the following access to any file or directory, regardless of the security descriptor that’s present: READ_CONTROL, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_READ, FILE_TRAVERSE. Note that when opening a file for backup, the caller must specify the FILE_FLAG_BACKUP_SEMANTICS flag. Also allows corresponding access to registry keys when using RegSaveKey. |
| SeChangeNotifyPrivilege | Bypass traverse checking | Used by NTFS to avoid checking permissions on intermediate directories of a multilevel directory lookup. Also used by file systems when applications register for notification of changes to the file system structure. |
| SeCreateGlobalPrivilege | Create global objects | Required for a process to create section and symbolic link objects in the directories of the object manager namespace that are assigned to a different session than the caller. |
| SeCreatePagefilePrivilege | Create a pagefile | Checked for by NtCreatePagingFile, which is the function used to create a new paging file. |
| SeCreatePermanentPrivilege | Create permanent shared objects | Checked for by the object manager when creating a permanent object (one that doesn’t get deallocated when there are no more references to it). |
| SeCreateSymbolicLinkPrivilege | Create symbolic links | Checked for by NTFS when creating symbolic links on the file system with the CreateSymbolicLink API. |
| SeCreateTokenPrivilege | Create a token object | NtCreateToken, the function that creates a token object, checks for this privilege. |
| SeDebugPrivilege | Debug programs | If the caller has this privilege enabled, the process manager allows access to any process or thread using NtOpenProcess or NtOpenThread, regardless of the process’ or thread’s security descriptor (except for protected processes). |
| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Used by Active Directory services to delegate authenticated credentials. |
| SeImpersonatePrivilege | Impersonate a client after authentication | The process manager checks for this when a thread wants to use a token for impersonation and the token represents a different user than that of the thread’s process token. |
| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Checked for by the process manager and is required to raise the priority of a process. |
| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Enforced when changing a process’ working set thresholds, a process’ paged and nonpaged pool quotas, and a process’ CPU rate quota. |

SeIncreaseWorkingSetPrivilege
