The priv utility has three syntaxes, each of which manipulates the rights/privileges list for a list of users, a command, or a list of process IDs.
When you invoke priv with neither the
user can be either a user name or a group name.
The -p option is similar to the -e option except that all adjustments are made to the specified list of process IDs (pid ...).
All three syntaxes have options that allow you to specify a
rights_list with the
-a SeAssignPrimaryTokenPrivilege,SeBatchLogonRight -a "SeAssignPrimaryTokenPrivilege SeBatchLogonRight"
When neither the
The priv utility does not manipulate the privileges or rights directly; it passes them to the operating system. As a result, priv is not limited to a built-in set of rights of privileges, and thus, independent of the revision level of 2012/8.1/2012R2/10/2016/2019. However, the case sensitivity of privilege and right names is dependent upon the operating system. Some privileges appear to be case insensitive while some rights appear to be case sensitive. This case sensitivity may vary based on the revision of the 2012/8.1/2012R2/10/2016/2019 operating system.
adds (or enables, for
-eand -p) the rights/privileges specified by rights_list. -Ddomain-name
specifies the domain where the security database resides for the users whose rights/privileges are to be manipulated. priv normally performs actions on the local system.
-Dand -Soptions are mutually exclusive. -drights_list
removes (or disables, for
-eand -p) the rights/privileges specified by rights_list. -e
manipulates the process tokens for a specified command rather than the rights/privileges lists of users.
manipulates the process tokens for a specified list of process IDs (pid ...) rather than the rights/privileges lists of users.
specifies the host machine where the security database resides for the users whose rights/privileges are to be manipulated. priv normally performs actions on the local system. Optionally, hostname may be preceded by \\ or //.
-Dand -Soptions are mutually exclusive. -v
displays more information about rights/privileges lists or process tokens. With neither
-enor -p, this option displays the verbose english description of the privilege rather than just its name.
-eor -p, when priv displays the rights list for a given token, it displays both the privilege name and the privilege display name.
The following command runs the standard task manager with the debug privilege enabled:
priv -e -a SeDebugPrivilege taskmgr&
Normally, in taskmgr, if you try to kill a process owned by somebody else, you get an Access Denied message. The debug privilege allows you to bypass that requirement, and by enabling before invoking taskmgr, the task manager can kill many more processes. Alternatively,
priv -e -a SeDebugPrivilege taskmgr& priv -e -d SeDebugPrivilege
enables the debug privilege, runs the task manager (which would have the debug privilege enabled), and finally, disables the debug privilege.
Possible exit status values are:
One confusing thing about 2012/8.1/2012R2/10/2016/2019 is that many system calls and programs silently enable privileges if they can be enabled. For example, the PTC MKS Toolkit kill command automatically enables the sedebugprivilege privilege if you have it.
Windows Server 2012. Windows 8.1. Windows Server 2012 R2. Windows 10. Windows Server 2016. Windows Server 2019.
PTC MKS Toolkit for System Administrators
PTC MKS Toolkit for Developers
PTC MKS Toolkit for Interoperability
PTC MKS Toolkit for Professional Developers
PTC MKS Toolkit for Professional Developers 64-Bit Edition
PTC MKS Toolkit for Enterprise Developers
PTC MKS Toolkit for Enterprise Developers 64-Bit Edition
PTC MKS Toolkit 10.3 Documentation Build 39.