Using AdjustTokenPrivileges to allow a user application to access TPMv2.0

  • Question

  • I am trying to use this sample code:

    Enabling and Disabling Privileges in C++ - Win32 apps | Microsoft Docs

    https://docs.microsoft.com/he-il/windows/win32/secauthz/enabling-and-disabling-privileges-in-c--

    I need to allow my application to access the TPMv2.0 and after initialization of the application disable this access.

    The application is executed with a user context (not administrator).

    Question:

    1. What privileges do I need to enable?

    2. Do I use AdjustTokenPrivileges to accomplish this?

    Monday, May 4, 2020 12:48 PM


All replies

  • I am trying to use this sample code:

    Enabling and Disabling Privileges in C++ - Win32 apps | Microsoft Docs

    https://docs.microsoft.com/he-il/windows/win32/secauthz/enabling-and-disabling-privileges-in-c--

    I need to allow my application to access the TPMv2.0 and after initialization of the application disable this access.

    The application is executed with a user context (not administrator).

    Question:

    1. What privileges do I need to enable?

    2. Do I use AdjustTokenPrivileges to accomplish this?

    This doesn't seem like a VC++ issue to me.

    Take a look at the documentation at TPM Base Services.  In particular, Using TBS discusses the accounts that have access for various versions of Windows.

    I suggest you ask in Where is the Forum For ... ? for recommendations about an appropriate forum for questions about this technology.

    Monday, May 4, 2020 8:38 PM
  • Might try asking for help over here.

    https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/home?forum=windowsgeneraldevelopmentissues

    https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/home?forum=windowssecurity

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Tuesday, May 5, 2020 1:57 AM
  • The link which the OP mentioned is definitely to C++ code :-)

    https://docs.microsoft.com/he-il/windows/win32/secauthz/enabling-and-disabling-privileges-in-c--

    It is the Hebrew link, but if you replace the part "he-il" in the link with "en-us", you will get to the English version of the page:

    https://docs.microsoft.com/en-us/windows/win32/secauthz/enabling-and-disabling-privileges-in-c--


    Ronen Ariely

    Tuesday, May 5, 2020 10:16 AM
  • The objective stated in the OP's question was "I need to allow my application to access the TPMv2.0 and after initialization of the application disable this access."

    The TPM Base Services documentation to which I linked made no mention of specific privilege requirements.  It discussed accounts.  If there are specific privileges that need to be enabled then kindly post a link to the related Microsoft documentation.

    I suspect that the OP was guessing about the applicability of AdjustTokenPrivileges (and the related sample code) as a means to achieve the stated objective.

    Tuesday, May 5, 2020 10:38 AM
  • Good day Roeig,

    According to your name and the link you provided, I assume that you speak Hebrew.

    There is a Hebrew interface for the MSDN forums:
    https://social.msdn.microsoft.com/Forums/he-il

    but there is no C++ forum as far as I remember (if there is one then it is dead - no activity at all).

    There is a C# forum in Hebrew
    https://social.msdn.microsoft.com/Forums/he-IL/home?forum=nethe
    but as the person who is the Moderator there, I can tell you that it will not help you. Don't waste time publishing there in this case, since I will not have a solution for you and not many people come there.

    Did you originally post the question in the English C++ forum?

    It seems to me like the best place, but if the moderator there already moved the thread here, so maybe going back is not the best option...

    I am not familiar with the topic, so all I have is what I found in Google, and if my search took me to the right places then it seems like your question is related to the Trusted Platform Module (TPM) permissions (a standard for a secure cryptoprocessor, hardware-based security-related).

    I am not sure which forum is best for you, and if there is one in the MSDN forums.

    You can try the Windows Security forums as Dave suggested...
    I have a feeling it will not be solved there, but please mention in your message that you already searched for a specific forum for "Trusted Platform Module" and did not find one, so they will not continue to move you from one place to the other.

    Good luck


    Ronen Ariely

    Tuesday, May 5, 2020 10:43 AM
  • "I suspect that the OP was guessing about the applicability of AdjustTokenPrivileges (and the related sample code) as a means to achieve the stated objective."

    You are right! This is exactly what I am asking.

    To state the issue again:

    I need to allow my application to access the TPMv2.0 and after initialization of the application disable this access.

    The application is executed with a user context (not administrator).

    In trying to solve this issue, according to the link you provided:

     Using TBS discusses the accounts that have access for various versions of Windows.

    I created the registry key Access with a string registry value name SecurityDescriptor.

    Now I am trying to figure how to build the value similar to the example:

    O:BAG:BAD:(A;;0x00000001;;;BA)(A;;0x00000001;;;NS)(A;;0x00000001;;;LS)

    What are the permissions I need to set, and how do I set them?



    Roeig

    Wednesday, May 6, 2020 7:32 AM
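The SecurityDescriptor value quoted in the post above is an SDDL string, and it can be decoded mechanically. The following is an added example, not code from the thread or from the Microsoft documentation: a minimal C++ parser for that value plus a simplified DACL walk that shows which accounts the value grants the 0x00000001 right to. The alias-to-name table and the evaluation order are assumptions modelled on the documented SDDL format, and only the subset of SDDL that this value uses is handled.

```cpp
// Added example (not code from the thread or from Microsoft): a minimal SDDL
// parser and DACL evaluator for the SecurityDescriptor value quoted above.
// Real ACL evaluation additionally handles inheritance, object ACEs and
// owner rights; those are out of scope here.
#include <cstdint>
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

struct Ace {
    std::string type;     // "A" = access allowed, "D" = access denied
    std::string flags;    // ACE flags (inheritance etc.); empty in the thread's value
    std::string rights;   // raw rights field, e.g. "0x00000001" or "GA"
    uint32_t mask = 0;    // numeric access mask when the rights field is hex
    std::string trustee;  // SID string or well-known alias, e.g. "BA"
};

struct SecurityDescriptor {
    std::string owner, group;
    std::vector<Ace> dacl, sacl;
};

// Well-known SDDL aliases (assumption: names follow the Microsoft SID string table).
static const std::map<std::string, std::string> kSidAliases = {
    {"BA", "Built-in Administrators"}, {"SY", "Local System"},
    {"LS", "Local Service"}, {"NS", "Network Service"},
    {"BU", "Built-in Users"}, {"AU", "Authenticated Users"}, {"WD", "Everyone"},
};

// Splits the inside of "(...)" on ';' into the six ACE fields.
static std::vector<std::string> splitFields(const std::string& body) {
    std::vector<std::string> fields;
    std::string cur;
    for (char c : body) {
        if (c == ';') { fields.push_back(cur); cur.clear(); } else cur += c;
    }
    fields.push_back(cur);
    if (fields.size() != 6) throw std::runtime_error("ACE needs 6 ';'-separated fields: " + body);
    return fields;
}

// Parses "O:..G:..D:(ace)(ace)..[S:(ace)..]". Owner/group values end where the
// next "X:" tag begins; each ACE is "(type;flags;rights;objguid;inhguid;sid)".
SecurityDescriptor parseSddl(const std::string& sddl) {
    SecurityDescriptor sd;
    size_t pos = 0;
    auto atTag = [&](size_t p) { return p + 1 < sddl.size() && sddl[p + 1] == ':'; };
    while (pos < sddl.size()) {
        if (!atTag(pos)) throw std::runtime_error("expected 'X:' at offset " + std::to_string(pos));
        char tag = sddl[pos];
        pos += 2;
        if (tag == 'O' || tag == 'G') {
            size_t start = pos;
            while (pos < sddl.size() && !atTag(pos)) ++pos;
            (tag == 'O' ? sd.owner : sd.group) = sddl.substr(start, pos - start);
        } else if (tag == 'D' || tag == 'S') {
            std::vector<Ace>& list = (tag == 'D') ? sd.dacl : sd.sacl;
            while (pos < sddl.size() && sddl[pos] != '(' && !atTag(pos)) ++pos;  // skip ACL flags such as "P"
            while (pos < sddl.size() && sddl[pos] == '(') {
                size_t close = sddl.find(')', pos);
                if (close == std::string::npos) throw std::runtime_error("unterminated ACE");
                std::vector<std::string> f = splitFields(sddl.substr(pos + 1, close - pos - 1));
                Ace ace;
                ace.type = f[0]; ace.flags = f[1]; ace.rights = f[2]; ace.trustee = f[5];
                if (f[2].rfind("0x", 0) == 0) ace.mask = static_cast<uint32_t>(std::stoul(f[2], nullptr, 16));
                list.push_back(ace);
                pos = close + 1;
            }
        } else {
            throw std::runtime_error(std::string("unsupported component tag ") + tag);
        }
    }
    return sd;
}

std::string describeTrustee(const std::string& sid) {
    auto it = kSidAliases.find(sid);
    return it == kSidAliases.end() ? sid : it->second;
}

// Simplified DACL walk in ACE order: a matching deny ACE that overlaps the wanted
// mask refuses access; allow ACEs accumulate until the mask is fully covered.
// tokenSids models the SIDs a token holds (user SID plus group SIDs).
bool grantsTo(const SecurityDescriptor& sd, const std::vector<std::string>& tokenSids, uint32_t wanted) {
    uint32_t granted = 0;
    for (const Ace& ace : sd.dacl) {
        bool matches = false;
        for (const std::string& s : tokenSids) if (s == ace.trustee) matches = true;
        if (!matches) continue;
        if (ace.type == "D" && (ace.mask & wanted)) return false;
        if (ace.type == "A") granted |= ace.mask;
        if ((granted & wanted) == wanted) return true;
    }
    return (granted & wanted) == wanted;
}

int main() {
    // The example SecurityDescriptor value quoted in the thread.
    const std::string value = "O:BAG:BAD:(A;;0x00000001;;;BA)(A;;0x00000001;;;NS)(A;;0x00000001;;;LS)";
    SecurityDescriptor sd = parseSddl(value);
    std::cout << "owner=" << describeTrustee(sd.owner) << " group=" << describeTrustee(sd.group) << "\n";
    for (const Ace& a : sd.dacl)
        std::cout << (a.type == "A" ? "ALLOW " : "DENY  ") << a.rights << " -> " << describeTrustee(a.trustee) << "\n";
    // A token that is only a Built-in User (a non-administrator context) is not covered.
    std::cout << std::boolalpha << "BU gets 0x1: " << grantsTo(sd, {"BU"}, 1) << "\n";  // false
    std::cout << "BA gets 0x1: " << grantsTo(sd, {"BA"}, 1) << "\n";                    // true
    return 0;
}
```

Walking the value this way shows that it grants the 0x00000001 right only to Built-in Administrators, Network Service and Local Service, so a process running as an ordinary user would need its own ACE to be covered. As the later reply in this thread notes, the SecurityDescriptor registry key is obsolete on Windows 8 and later, where TBS uses command blocking instead, so the decoding is mainly useful for understanding the older documentation.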
  • First thing to note is that the documentation indicates that for currently supported versions of Windows (8 and later) -- "The SecurityDescriptor and MaxContexts registry keys became obsolete. For Windows 8, Windows Server 2012 and later, the TBS restricts access to certain commands using Command Blocking."

    I'm just reading documentation.  I suggest you follow Dave Patrick's recommendation to pursue the issue in the Windows Security Forum.

    Wednesday, May 6, 2020 8:53 AM
  • I moved the question to the security forum as suggested.

    Thanks


    Roeig

    Thursday, May 7, 2020 7:15 AM