{"id":104669,"date":"2021-01-06T07:00:00","date_gmt":"2021-01-06T15:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=104669"},"modified":"2021-01-06T21:53:57","modified_gmt":"2021-01-07T05:53:57","slug":"20210106-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20210106-00\/?p=104669","title":{"rendered":"How can I tell whether my process is running as SYSTEM?"},"content":{"rendered":"

A customer wanted to know how to check whether the current process is running as the SYSTEM account. They proposed this algorithm:<\/p>\n

\/\/ Code in italics is wrong\r\nbool IsCurrentProcessRunningAsSystem()\r\n{\r\n DWORD session_id;\r\n return ProcessIdToSessionId(GetCurrentProcessId(), &session_id) &&\r\n        session_id == 0;\r\n}<\/i>\r\n<\/pre>\n
This algorithm is flawed both for the possibility of false positives as well as false negatives.<\/p>\n
You can see this for yourself by opening Task Manager:<\/p>\n\n\n\n\n\n\n
Name<\/td>\nUser name<\/td>\nSession ID<\/td>\n<\/tr>\n
LogonUI.exe<\/td>\nSYSTEM<\/td>\n3<\/td>\n<\/tr>\n
winlogon.exe<\/td>\nSYSTEM<\/td>\n3<\/td>\n<\/tr>\n
fontdrvhost.exe<\/td>\nUMFD-0<\/td>\n0<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
We have some processes running as SYSTEM which aren’t in session zero. And we have a process in session zero that is not running as SYSTEM.<\/p>\n
If you want to know whether you are running as SYSTEM, check your token to see whether it represents the SYSTEM user.<\/p>\n
I’m going to use  wil<\/a> as my RAII library.<\/p>\n
#include <wil\/token_helpers.h<\/a>>\r\n\r\nbool DoesTokenRepresentSid(HANDLE token, WELL_KNOWN_SID_TYPE type)\r\n{\r\n \/\/ maps to GetTokenInformation(token, TokenUser, ...);\r\n auto user = wil::get_token_information<TOKEN_USER>(token);\r\n return !!IsWellKnownSid(user->User.Sid, type);\r\n}\r\n\r\nbool IsCurrentProcessRunningAsSystem()\r\n{\r\n return DoesTokenRepresentSid(GetCurrentProcessToken(),\r\n                              WinLocalSystemSid);\r\n}\r\n\r\nbool IsCurrentThreadRunningAsSystem()\r\n{\r\n return DoesTokenRepresentSid(GetCurrentThreadEffectiveToken(),\r\n                              WinLocalSystemSid);\r\n}\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
Check your token.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-104669","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"
Check your token.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/104669","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=104669"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/104669\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=104669"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=104669"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=104669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}