How to list all Privileges held by a Process?

security windows process privileges process-explorer

Using Process Explorer tool, we can see the privileges held by a running process. A running process might delete the privileges, and hence effective privileges held by the process would be less than what's allowed to the user/group.

If we open a process in ProcExp, and select 'Security' tab, we can see all privileges currently held by the process, and status of each privilege: enter image description here

If we select any other process (Service) running under SYSTEM account, it would not have all the privileges (like SeTcbPrivilege) - the process itself might have deleted the process (using AdjustTokenPrivilege with SE_PRIVILEGE_REMOVED flag).

Which command can list the privileges held by a running process?


This only works for the current user. I don't know how to specify a pid.

C:\WINDOWS\system32>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled

C:\WINDOWS\system32>

Related

0KB Outlook PST file
FORMAT ext4 filesystem from Windows
How can I add and save customized colours to 'Standard Colors', in Word?
Why does Windows 10 still automatically download, install updates and restart system despite I telling it not to? [duplicate]
What's the NXDOMAIN meaning of nslookup?
Bash Auto-completion with Tab button doesn't complete at some condition
Why does Outlook 2010 not redraw the email list as I drag the scroll bar?
How do I recursively add ACL settings identical to the owners' for another user
USB 2.0 and 3.0 speed comparison for HDD
Git - The revocation function was unable to check revocation for the certificate
Failed to start the virtual machine 'MobyLinuxVM' because one of the Hyper-V components is not running
GraphQL gql Syntax Error: Expected Name, found }