Microsoft KB Archive/841086

= Introduction of new functions may cause calls to AdjustTokenPrivileges and LookupPrivilegeDisplayName not to work =

Article ID: 841086

Article Last Modified on 10/26/2006

-

APPLIES TO


 * Microsoft Windows XP Professional
 * Microsoft Windows 2000 Service Pack 3
 * Microsoft Windows 2000 Advanced Server

-





SYMPTOMS
After you apply the MS04-011 security update on your Windows XP computer, programs that impersonate users and act on their behalf may log errors, or you may receive error messages. A program vendor who analyzes the errors may discover that the SeImpersonatePrivilege privilege or the SeCreateGlobalPrivilege privilege is present on the computer, and that a few API calls that use this privilege work (such as LookupPrivilegeValue) and others do not work (such as LookupPrivilegeDisplayName).

LookupPrivilegeDisplayName does not work and returns error 1313, ERROR_NO_SUCH_PRIVILEGE, "A specified privilege does not exist." Therefore, you cannot administer the function through the Local Group Policy Tool.

Because the count SE_MAX_WELL_KNOWN_PRIVILEGE is changed by adding certain functions, other problems may occur. For example, if you add the AdjustTokenPrivileges API function, the function does not work, and you receive an error 87 (ERROR_INVALID_PARAMETER) error message when more than SE_MAX_WELL_KNOWN_PRIVILEGE functions are passed in the NewState->PrivilegeCount parameter. This behavior may occur in programs that are compiled with an SDK version that has the definitions for the two new functions.



CAUSE
The privileges were added in recent Windows XP hotfixes to resolve upgrade problems from Windows 2000 Professional Service Pack 4 computers that support this function. The security hotfix MS04-011 is missing dependent files that Windows must have to support these privileges.

Note: The new functions are not enforced until you have Windows XP Service Pack 2 installed. They help prevent compatibility problems.



RESOLUTION
Windows 2000 Service Pack 4 includes full support for these functions.



WORKAROUND
If you do not want to retrieve the friendly names of the privileges, ignore the error message. The privilege will work correctly, but you cannot obtain the friendly name for it.

To resolve the problem with AdjustTokenPrivileges, do not pass the SID_AND_ATTRIBUTES entry that belongs to SeImpersonatePrivilege and SeCreateGlobalPrivilege with the NewState parameter to the API.

If you cannot do this, install the KB839210 hotfix. It contains the dependent files required to make the privileges work.
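The two code-level workarounds above, as an added example that is not Microsoft's code: tolerate error 1313 from LookupPrivilegeDisplayName, and strip the SeImpersonatePrivilege and SeCreateGlobalPrivilege entries from NewState before calling AdjustTokenPrivileges. The helper names are hypothetical, the entries in a TOKEN_PRIVILEGES array are handled as LUID_AND_ATTRIBUTES structures, and off Windows the block substitutes minimal stand-in types so the filter can be built and tested anywhere.

```c
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#else  /* stand-ins for the winnt.h types so the filter builds off Windows */
typedef unsigned int DWORD;
typedef struct { DWORD LowPart; int HighPart; } LUID;
typedef struct { LUID Luid; DWORD Attributes; } LUID_AND_ATTRIBUTES;
typedef struct { DWORD PrivilegeCount; LUID_AND_ATTRIBUTES Privileges[1]; } TOKEN_PRIVILEGES;
#define ERROR_NO_SUCH_PRIVILEGE 1313
#endif

/* Drop every entry of tp whose LUID appears in skip[], compacting the array
   in place. Returns the new PrivilegeCount. (Hypothetical helper name.) */
DWORD strip_privileges(TOKEN_PRIVILEGES *tp, const LUID *skip, size_t nskip)
{
    DWORD kept = 0;
    for (DWORD i = 0; i < tp->PrivilegeCount; i++) {
        const LUID *l = &tp->Privileges[i].Luid;
        int drop = 0;
        for (size_t j = 0; j < nskip && !drop; j++)
            drop = l->LowPart == skip[j].LowPart && l->HighPart == skip[j].HighPart;
        if (!drop)
            tp->Privileges[kept++] = tp->Privileges[i];
    }
    tp->PrivilegeCount = kept;
    return kept;
}

/* Error 1313 from LookupPrivilegeDisplayName means only that the friendly
   name is unavailable; any other error is still a real failure. */
int display_name_error_is_benign(DWORD err)
{
    return err == ERROR_NO_SUCH_PRIVILEGE;
}

#ifdef _WIN32
/* Resolve the two LUIDs with LookupPrivilegeValue (which the article says
   still works), strip them, then call AdjustTokenPrivileges. */
BOOL adjust_without_new_privileges(HANDLE token, TOKEN_PRIVILEGES *tp)
{
    LUID skip[2];
    size_t n = 0;
    if (LookupPrivilegeValueW(NULL, L"SeImpersonatePrivilege", &skip[n])) n++;
    if (LookupPrivilegeValueW(NULL, L"SeCreateGlobalPrivilege", &skip[n])) n++;
    strip_privileges(tp, skip, n);
    return AdjustTokenPrivileges(token, FALSE, tp, 0, NULL, NULL);
}
#endif
```

AdjustTokenPrivileges can return success without assigning every requested privilege, so a caller of the Windows wrapper should still check GetLastError afterwards.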

For additional information about the KB839210 hotfix, click the following article number to view the article in the Microsoft Knowledge Base:

839210 "STOP 0x0000007B: INACCESSIBLE_BOOT_DEVICE" error message when you start a Windows Server 2003 computer from a Windows Preinstall Environment CD-ROM



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Keywords: kbtshoot kbbug kbnofix kbprb KB841086

-


© Microsoft Corporation. All rights reserved.