priv

manipulate rights/privileges lists 

Command


SYNOPSIS

priv [-v] [-a rights_list] [-d rights_list] [-S hostname | -D domain-name] [user ...]

priv -e [-v] [-a rights_list] [-d rights_list] [command [argument ...]]

priv -p [-v] [-a rights_list] [-d rights_list] pid ...


DESCRIPTION

The priv utility has three syntaxes, each of which manipulates the rights/privileges list for a list of users, a command, or a list of process IDs.

When you invoke priv with neither the -e nor the -p option, it manipulates the actual rights/privileges for the specified users. These changes are made permanently in the base list of rights for the system and affect future logons; they do not affect the current session. When no user arguments appear on the command line, priv manipulates the rights/privileges of the current user.

Note:

user can be either a user name or a group name.

With the -e option, priv instead executes the specified command (with arguments) using the process tokens for that command as modified by the -a and -d options. In this case, the -a and -d options simply enable or disable existing tokens; you cannot specify a privilege that the process does not already have. When no command appears on the priv command line, priv adjusts the process tokens for the parent process of priv (that is, the command processor). The command processor now has that adjustment permanently and applies it to all future children.

The -p option is similar to the -e option except that all adjustments are made to the specified list of process IDs (pid ...).

All three syntaxes have options that allow you to specify a rights_list with the -a and -d options (see Options). rights_list is a list of privileges or rights that are separated by commas or spaces. For example, both of these are valid:

-a SeAssignPrimaryTokenPrivilege,SeBatchLogonRight
-a "SeAssignPrimaryTokenPrivilege SeBatchLogonRight"

When neither the -a nor the -d options are specified, priv displays the rights/privileges list rather than manipulating it.

The priv utility does not manipulate the privileges or rights directly; it passes them to the operating system. As a result, priv is not limited to a built-in set of rights or privileges and is thus independent of the revision level of XP/2003/Vista/7/2008/8/2012. However, the case sensitivity of privilege and right names is dependent upon the operating system. Some privileges appear to be case insensitive while some rights appear to be case sensitive. This case sensitivity may vary based on the revision of the XP/2003/Vista/7/2008/8/2012 operating system.

Options

-a rights_list 

adds (or enables, for -e and -p) the rights/privileges specified by rights_list.

-D domain-name 

specifies the domain where the security database resides for the users whose rights/privileges are to be manipulated. priv normally performs actions on the local system.

The -D and -S options are mutually exclusive.

-d rights_list 

removes (or disables, for -e and -p) the rights/privileges specified by rights_list.

-e 

manipulates the process tokens for a specified command rather than the rights/privileges lists of users.

-p 

manipulates the process tokens for a specified list of process IDs (pid ...) rather than the rights/privileges lists of users.

-S hostname 

specifies the host machine where the security database resides for the users whose rights/privileges are to be manipulated. priv normally performs actions on the local system. Optionally, hostname may be preceded by \\ or //.

The -D and -S options are mutually exclusive.

-v 

displays more information about rights/privileges lists or process tokens. With neither -e nor -p, this option displays the verbose English description of the privilege rather than just its name.

With -e or -p, when priv displays the rights list for a given token, it displays both the privilege name and the privilege display name.

Examples

The following command runs the standard task manager with the debug privilege enabled:

priv -e -a SeDebugPrivilege taskmgr&

Normally, in taskmgr, if you try to kill a process owned by somebody else, you get an Access Denied message. The debug privilege allows you to bypass that requirement, and by enabling it before invoking taskmgr, the task manager can kill many more processes. Alternatively,

priv -e -a SeDebugPrivilege
taskmgr&
priv -e -d SeDebugPrivilege

enables the debug privilege, runs the task manager (which would have the debug privilege enabled), and finally, disables the debug privilege.
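The following is an added example, not part of the PTC MKS Toolkit documentation: a pre-flight check that takes the same arguments as priv and reports the -S/-D conflict, names whose case or form may not survive the operating system's case-sensitivity rules, and permanent (no -e or -p) grants of sensitive privileges. The function name priv_lint, the WATCH list (SeTcbPrivilege is a Windows privilege name not mentioned on this page) and the Se...Privilege / Se...Right naming pattern are assumptions of this example.

```sh
LC_ALL=C; export LC_ALL   # keep [A-Z] below strictly upper case

# Assumed site watch list (hypothetical): privileges that should not be
# granted permanently without review.
WATCH="SeDebugPrivilege SeAssignPrimaryTokenPrivilege SeTcbPrivilege"

# priv_lint ARGS...   ARGS are exactly what would be passed to priv.
# Prints one finding per line; returns 1 if any finding was printed, else 0.
priv_lint() {
    mode=user add= del= host= dom= n=0
    OPTIND=1
    # Option letters taken from the SYNOPSIS; parsing stops at the first
    # user, command or pid operand, as it does for priv itself.
    while getopts "vepa:d:S:D:" opt; do
        case $opt in
            e) mode=exec ;;
            p) mode=pid ;;
            a) add="$add $OPTARG" ;;
            d) del="$del $OPTARG" ;;
            S) host=$OPTARG ;;
            D) dom=$OPTARG ;;
            v) ;;
            *) echo "bad-option"; n=$((n+1)) ;;
        esac
    done
    if [ -n "$host" ] && [ -n "$dom" ]; then
        echo "conflict:-S and -D are mutually exclusive"; n=$((n+1))
    fi
    # rights_list items may be separated by commas or spaces.
    for name in $(printf '%s' "$add $del" | tr ',' ' '); do
        case $name in
            Se[A-Z]*Privilege|Se[A-Z]*Right) ;;
            *) echo "name-form:$name"; n=$((n+1)) ;;
        esac
    done
    # Without -e or -p, -a edits the permanent base list for future logons.
    if [ "$mode" = user ]; then
        for name in $(printf '%s' "$add" | tr ',' ' '); do
            case " $WATCH " in
                *" $name "*) echo "permanent-grant:$name"; n=$((n+1)) ;;
            esac
        done
    fi
    [ "$n" -eq 0 ]
}
```

The scoped form from the first example above (priv -e -a SeDebugPrivilege taskmgr) produces no findings, while the same -a option without -e is reported as a permanent grant.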


DIAGNOSTICS

Possible exit status values are:

0 

Successful completion.

>0 

An error occurred.


NOTES

One confusing thing about XP/2003/Vista/7/2008/8/2012 is that many system calls and programs silently enable privileges if they can be enabled. For example, the PTC MKS Toolkit kill command automatically enables the SeDebugPrivilege privilege if you have it.


PORTABILITY

Windows XP. Windows Server 2003. Windows Vista. Windows 7. Windows Server 2008. Windows 8. Windows Server 2012.


AVAILABILITY

PTC MKS Toolkit for System Administrators
PTC MKS Toolkit for Developers
PTC MKS Toolkit for Interoperability
PTC MKS Toolkit for Professional Developers
PTC MKS Toolkit for Enterprise Developers
PTC MKS Toolkit for Enterprise Developers 64-Bit Edition


PTC MKS Toolkit 9.6 Documentation Build 9.