OpenProcess() fails for some users with access denied

Question

I'm using Java JNA in order to access a process' memory on Windows . My code looks like this:

static WinNT.HANDLE openProcessHandle(int processId)
{
    val processAccessRights = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_TERMINATE
            | PROCESS_NAME_NATIVE | PROCESS_SUSPEND_RESUME | PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION;
    val processHandle = Kernel32.INSTANCE.OpenProcess(processAccessRights, false, processId);
    if (processHandle == null)
    {
        val lastError = Native.getLastError();
        val formatMessageFromLastErrorCode = Kernel32Util.formatMessageFromLastErrorCode(lastError);
        val message = "OpenProcess() failed to open process id "
                + processId + ": " + formatMessageFromLastErrorCode;
        throw new IllegalStateException(message);
    }

    return processHandle;
}

I'm already not using PROCESS_ALL_ACCESSdue to the problems it causes .

According to this answer, I also need to enable the debug privilege for my process. However, despite calling this code successfully (eg all return values indicate success) before OpenProcess() , some users still get the error message OpenProcess() failed to open process id xxxx: Access denied . My application is not running as administrator. Why does it work for me and most users without administrator rights but not all users? What exactly causes this inconsistency? I would prefer to understand and tackle this problem specifically rather than making all users run my software as administrator since my software generally doesn't need those extra rights.

Answer 1

I authored the answer you cited in 2017, and learned last year that I had missed something key. I probably should edit that older answer to update it, but I'd forgotten about it. See this answer for a corrected version of the code that I'll be editing into the previous one you cited.

The API for AdjustTokenPrivileges() is somewhat broken in that it will give a false indication of success:

If the function succeeds, the return value is nonzero. To determine whether the function adjusted all of the specified privileges, call GetLastError, which returns one of... ERROR_SUCCESS ... ERROR_NOT_ALL_ASSIGNED .

Given you are attempting to adjust the privileges with a non-admin user, you are not able to actually do so, and the other users will not be able to OpenProcess() for other users' processes. I don't think there is a workaround other than running your program with the necessary administrative power ( SE_DEBUG_PRIVILEGE ), which must be assigned by an administrator at some point.

It is likely you are still getting a misleading indication of success, but need to check GetLastError() to see if it actually worked.