The priv utility has three syntaxes, each of which manipulates the rights/privileges list for a list of users, a command, or a list of process IDs.
When you invoke priv with neither the
user can be either a user name or a group name.
The -p option is similar to the -e option except that all adjustments are made to the specified list of process IDs (pid ...).
All three syntaxes have options that allow you to specify a
rights_list with the
-a SeAssignPrimaryTokenPrivilege,SeBatchLogonRight
-a "SeAssignPrimaryTokenPrivilege SeBatchLogonRight"
When neither the
The priv utility does not manipulate the privileges or rights directly; it passes them to the operating system. As a result, priv is not limited to a built-in set of rights or privileges, and is thus independent of the revision level of Windows NT/2000/XP/2003/Vista/7/2008/8/2012. However, the case sensitivity of privilege and right names is dependent upon the operating system. Some privileges appear to be case insensitive while some rights appear to be case sensitive. This case sensitivity may vary based on the revision of the Windows NT/2000/XP/2003/Vista/7/2008/8/2012 operating system.
-a rights_list
adds (or enables, for -e and -p) the rights/privileges specified by rights_list.
-D domain-name
specifies the domain where the security database resides for the users whose rights/privileges are to be manipulated. priv normally performs actions on the local system. The -D and -S options are mutually exclusive.
-d rights_list
removes (or disables, for -e and -p) the rights/privileges specified by rights_list.
-e
manipulates the process tokens for a specified command rather than the rights/privileges lists of users.
-p
manipulates the process tokens for a specified list of process IDs (pid ...) rather than the rights/privileges lists of users.
-S hostname
specifies the host machine where the security database resides for the users whose rights/privileges are to be manipulated. priv normally performs actions on the local system. Optionally, hostname may be preceded by \\ or //. The -D and -S options are mutually exclusive.
-v
displays more information about rights/privileges lists or process tokens. With neither -e nor -p, this option displays the verbose English description of the privilege rather than just its name. With -e or -p, when priv displays the rights list for a given token, it displays both the privilege name and the privilege display name.
The following command runs the standard task manager with the debug privilege enabled:
priv -e -a SeDebugPrivilege taskmgr&
Normally, in taskmgr, if you try to kill a process owned by somebody else, you get an Access Denied message. The debug privilege allows you to bypass that requirement, and by enabling it before invoking taskmgr, the task manager can kill many more processes. Alternatively,
priv -e -a SeDebugPrivilege taskmgr& priv -e -d SeDebugPrivilege
enables the debug privilege, runs the task manager (which would have the debug privilege enabled), and finally, disables the debug privilege.
Possible exit status values are:
One confusing thing about Windows NT/2000/XP/2003/Vista/7/2008/8/2012 is that many system calls and programs silently enable privileges if they can be enabled. For example, the MKS Toolkit kill command automatically enables the sedebugprivilege privilege if you have it.
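Because programs can silently enable any privilege a token holds, an audit should report privileges that are held but disabled as well as those already enabled. The following is an added example, not part of the MKS documentation: it filters CSV in the layout produced by Windows' `whoami /priv /fo csv` against a watch list, comparing names case-insensitively because of the case behaviour described above. The watch list, the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: list watched privileges a token holds, enabled or not.
# Input: CSV with columns name, description, state, as printed by
# Windows' `whoami /priv /fo csv` (English output assumed).

# Watch list chosen for this example; adjust to local policy.
SENSITIVE="SeDebugPrivilege SeAssignPrimaryTokenPrivilege"

audit_privs() {
    awk -v watch="$SENSITIVE" '
        BEGIN {
            n = split(watch, w, " ")
            for (i = 1; i <= n; i++) want[tolower(w[i])] = 1
        }
        NR == 1 { next }                  # skip the header row
        {
            sub(/\r$/, "")                # tolerate CRLF line endings
            sub(/^"/, ""); sub(/"$/, "")  # drop the outer quotes
            m = split($0, f, "\",\"")     # fields are separated by ","
            if (m < 3) next               # not a privilege row
            if (tolower(f[1]) in want) {
                # A disabled privilege is still held and can be enabled later.
                state = (tolower(f[m]) == "enabled") ? "ENABLED" : "HELD-DISABLED"
                printf "%s %s\n", f[1], state
            }
        }
    '
}

# Constructed sample input (not captured from a real system).
sample_csv() {
    cat <<'EOF'
"Privilege Name","Description","State"
"SeShutdownPrivilege","Shut down the system","Disabled"
"SeDebugPrivilege","Debug programs","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
EOF
}

# On a live system: whoami /priv /fo csv | audit_privs
sample_csv | audit_privs
```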
Windows NT 4.0. Windows 2000. Windows XP. Windows Server 2003.
MKS Toolkit for System Administrators
MKS Toolkit for Developers
MKS Toolkit for Interoperability
MKS Toolkit for Professional Developers
MKS Toolkit for Enterprise Developers
MKS Toolkit for Enterprise Developers 64-Bit Edition
MKS Toolkit 9.5 Documentation Build 3.