https://bugs.winehq.org/show_bug.cgi?id=52059
Bug ID: 52059
Summary: Non-installable program needs Admin rights.
Product: Wine
Version: 6.21
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: 2ndforwine@inmano.com
Distribution: ---
Created attachment 71071 --> https://bugs.winehq.org/attachment.cgi?id=71071 log
Hello, I downloaded a memory testing program (https://testmem.tz.ru/tm5.rar) which doesn't have an installer. When I try to launch it, it states:
To enable AWE you must run with Administrator privileges
and the console prints:
01f8:fixme:process:GetProcessWorkingSetSizeEx (FFFFFFFF,01D1FC10,01D1FC0C,00000000): stub
2ndforwine@inmano.com changed:
What            |Removed        |Added
----------------------------------------------------------------------------
Keywords        |               |download
--- Comment #1 from Ken Sharp imwellcushtymelike@gmail.com --- Can you make the source available? I don't fancy running that file at all.
--- Comment #2 from 2ndforwine@inmano.com --- Since it's not OSS, I can't.
Anastasius Focht focht@gmx.net changed:
What            |Removed                      |Added
----------------------------------------------------------------------------
CC              |                             |focht@gmx.net
Component       |-unknown                     |advapi32
Status          |UNCONFIRMED                  |NEW
URL             |                             |https://web.archive.org/web/20211009060326/https://testmem.tz.ru/tm5.rar
Keywords        |                             |obfuscation
Ever confirmed  |0                            |1
Summary         |Non-installable program      |TestMem5 v0.12 reports 'To enable AWE, you must run with
                |needs Admin rights.          |Administrator privileges!' on startup (unable to add
                |                             |'SeLockMemoryPrivilege' due to 'LsaAddAccountRights' stub)
--- Comment #3 from Anastasius Focht focht@gmx.net --- Hello folks,
the app seems legit, although the original 'testmem.tz.ru' site/domain is flagged as dangerous by browsers/AV plugins.
https://www.virustotal.com/gui/file/b7ed4b39de012e88ec9ad7f21b0ac68a4e863fe0...
Relevant part of trace log:
--- snip ---
$ WINEDEBUG=+seh,+relay,+advapi,+server wine ./TM5.exe >>log.txt 2>&1
...
0104:Call KERNEL32.CreateProcessA(00448fe4 "Z:\home\focht\Downloads\TM5\TM5.exe",004490e4 " \r\x07",00000000,00000000,00000000,00000020,00000000,00000000,00448fa0,01fb8418) ret=00403613
...
013c: init_first_thread() = 0 { pid=0138, tid=013c, server_start=1d7e483224f8388 (-1.5113650), session_id=00000001, info_size=15826, machines={8664,014c} }
...
0104:Ret KERNEL32.CreateProcessA() retval=00000001 ret=00403613
...
013c:Call KERNEL32.CreateThread(00000000,00000000,00404481,00000007,00000000,0044920c) ret=00404f68
...
0158: *fd* 14 <- 308
013c:Ret KERNEL32.CreateThread() retval=000000a0 ret=00404f68
...
0158:Call KERNEL32.LoadLibraryA(01f33c10 "bin\MT0.dll") ret=00403cb2
...
0158:Ret KERNEL32.LoadLibraryA() retval=021f0000 ret=00403cb2
0158:Call KERNEL32.GetProcAddress(021f0000,01f33c28 "MemManager") ret=00403d6c
0158:Ret KERNEL32.GetProcAddress() retval=021f245d ret=00403d6c
...
0158:Call advapi32.OpenProcessToken(ffffffff,00000020,021cfba0) ret=021f121d
0158:Call ntdll.NtOpenProcessToken(ffffffff,00000020,021cfba0) ret=7b044236
0158: open_token( handle=ffffffff, access=00000020, attributes=00000000, flags=00000000 )
0158: open_token() = 0 { token=00a4 }
0158:Ret ntdll.NtOpenProcessToken() retval=00000000 ret=7b044236
0158:Ret advapi32.OpenProcessToken() retval=00000001 ret=021f121d
0158:Call advapi32.LookupPrivilegeValueA(00000000,021f40f3,021cfb94) ret=021f1234
...
0158:trace:advapi:LookupPrivilegeValueW
--- snip ---
The log/trace was corrupted here - even in append mode. It tried to look up 'SeLockMemoryPrivilege'.
--- snip ---
0158:Ret advapi32.LookupPrivilegeValueA() retval=00000001 ret=021f1234
0158:Call advapi32.AdjustTokenPrivileges(000000a4,00000000,021cfb90,00000010,00000000,00000000) ret=021f124f
0158:Call ntdll.NtAdjustPrivilegesToken(000000a4,00000000,021cfb90,00000010,00000000,00000000) ret=7b043d85
0158: adjust_token_privileges( handle=00a4, disable_all=0, get_modified_state=0, privileges={{luid=0000000000000004,attr=2}} )
0158: adjust_token_privileges() = NOT_ALL_ASSIGNED { len=00000000, privileges={} }
0158:Ret ntdll.NtAdjustPrivilegesToken() retval=00000106 ret=7b043d85
0158:Call ntdll.RtlNtStatusToDosError(00000106) ret=7b043d8e
0158:Ret ntdll.RtlNtStatusToDosError() retval=00000514 ret=7b043d8e
0158:Ret advapi32.AdjustTokenPrivileges() retval=00000001 ret=021f124f
0158:Call KERNEL32.CloseHandle(000000a4) ret=021f1257
0158:Call ntdll.NtClose(000000a4) ret=7b038140
0158: close_handle( handle=00a4 )
0158: close_handle() = 0
0158:Ret ntdll.NtClose() retval=00000000 ret=7b038140
0158:Ret KERNEL32.CloseHandle() retval=00000001 ret=021f1257
0158:Call KERNEL32.GetLastError() ret=021f125c
0158:Ret KERNEL32.GetLastError() retval=00000514 ret=021f125c
...
--- snip ---
This obviously fails because 'SeLockMemoryPrivilege' is by default not present in the token. The call to AdjustTokenPrivileges() can only enable privileges that you already have (but are masked).
https://source.winehq.org/git/wine.git/blob/f03933fbb73152c7a54383fba411a611...
The app then tries to add the privilege to the current user account:
--- snip ---
...
0158:Call advapi32.OpenProcessToken(ffffffff,00000028,021cfb6c) ret=021f1061
0158:Call ntdll.NtOpenProcessToken(ffffffff,00000028,021cfb6c) ret=7b044236
0158: open_token( handle=ffffffff, access=00000028, attributes=00000000, flags=00000000 )
0158: open_token() = 0 { token=00a4 }
0158:Ret ntdll.NtOpenProcessToken() retval=00000000 ret=7b044236
0158:Ret advapi32.OpenProcessToken() retval=00000001 ret=021f1061
0158:Call advapi32.GetTokenInformation(000000a4,00000001,00000000,00000000,021cfb60) ret=021f107b
0158:Call ntdll.NtQueryInformationToken(000000a4,00000001,00000000,00000000,021cfb60) ret=7b0443d4
0158: get_token_sid( handle=00a4, which_sid=00000001 )
0158: get_token_sid() = BUFFER_TOO_SMALL { sid_len=28<invalid sid> }
0158:Ret ntdll.NtQueryInformationToken() retval=c0000023 ret=7b0443d4
0158:Call ntdll.RtlNtStatusToDosError(c0000023) ret=7b0443e1
0158:Ret ntdll.RtlNtStatusToDosError() retval=0000007a ret=7b0443e1
0158:Ret advapi32.GetTokenInformation() retval=00000000 ret=021f107b
0158:Call KERNEL32.GetProcessHeap() ret=021f1088
0158:Ret KERNEL32.GetProcessHeap() retval=00450000 ret=021f1088
0158:Call ntdll.RtlAllocateHeap(00450000,00000040,00000024) ret=021f1098
0158:Ret ntdll.RtlAllocateHeap() retval=00492fb0 ret=021f1098
0158:Call advapi32.GetTokenInformation(000000a4,00000001,00492fb0,00000024,021cfb60) ret=021f10af
0158:Call ntdll.NtQueryInformationToken(000000a4,00000001,00492fb0,00000024,021cfb60) ret=7b0443d4
0158: get_token_sid( handle=00a4, which_sid=00000001 )
0158: get_token_sid() = 0 { sid_len=28, sid={S-1-5-21-0-0-0-1000} }
0158:Ret ntdll.NtQueryInformationToken() retval=00000000 ret=7b0443d4
0158:Ret advapi32.GetTokenInformation() retval=00000001 ret=021f10af
0158:Call advapi32.LsaAddAccountRights(0000cafe,00492fb8,021cfb74,00000001) ret=021f10c6
0158:fixme:advapi:LsaAddAccountRights (0000CAFE,00492FB8,021CFB74,0x00000001) stub
0158:Ret advapi32.LsaAddAccountRights() retval=00000000 ret=021f10c6
0158:Call advapi32.LookupPrivilegeValueA(00000000,021f4009,021cfb98) ret=021f10da
0158:trace:advapi:LookupPrivilegeValueW L"",L"SeLockMemoryPrivilege",021CFB98
...
0158:trace:advapi:LookupPrivilegeValueW L"" -> 00000000-00000004
0158:Ret advapi32.LookupPrivilegeValueA() retval=00000001 ret=021f1234
0158:Call advapi32.AdjustTokenPrivileges(000000a4,00000000,021cfb90,00000010,00000000,00000000) ret=021f124f
0158:Call ntdll.NtAdjustPrivilegesToken(000000a4,00000000,021cfb90,00000010,00000000,00000000) ret=7b043d85
0158: adjust_token_privileges( handle=00a4, disable_all=0, get_modified_state=0, privileges={{luid=0000000000000004,attr=2}} )
0158: adjust_token_privileges() = NOT_ALL_ASSIGNED { len=00000000, privileges={} }
0158:Ret ntdll.NtAdjustPrivilegesToken() retval=00000106 ret=7b043d85
0158:Call ntdll.RtlNtStatusToDosError(00000106) ret=7b043d8e
0158:Ret ntdll.RtlNtStatusToDosError() retval=00000514 ret=7b043d8e
0158:Ret advapi32.AdjustTokenPrivileges() retval=00000001 ret=021f124f
0158:Call KERNEL32.CloseHandle(000000a4) ret=021f1257
0158:Call ntdll.NtClose(000000a4) ret=7b038140
0158: close_handle( handle=00a4 )
0158: close_handle() = 0
0158:Ret ntdll.NtClose() retval=00000000 ret=7b038140
0158:Ret KERNEL32.CloseHandle() retval=00000001 ret=021f1257
0158:Call KERNEL32.GetLastError() ret=021f125c
0158:Ret KERNEL32.GetLastError() retval=00000514 ret=021f125c
0158:Call user32.MessageBoxA(00000000,021f4060 "To enable AWE, you must run with\r\nAdministrator privileges!",021f404b "TestMem5, AWE module",00200040) ret=021f24dd
--- snip ---
Since 'LsaAddAccountRights' is a stub, the privilege can't be added to the user account.
https://source.winehq.org/git/wine.git/blob/f03933fbb73152c7a54383fba411a611...
--- snip ---
/******************************************************************************
 * LsaAddAccountRights [ADVAPI32.@]
 *
 */
NTSTATUS WINAPI LsaAddAccountRights(
    LSA_HANDLE policy,
    PSID sid,
    PLSA_UNICODE_STRING rights,
    ULONG count)
{
    FIXME("(%p,%p,%p,0x%08x) stub\n", policy, sid, rights, count);
    return STATUS_SUCCESS;
}
--- snip ---
The sequence is pretty similar to what is described here:
https://web.archive.org/web/20211128192224/https://stackoverflow.com/questio...
Poking a bit more reveals that the app will later make use of the AllocateUserPhysicalPages() API, which requires this privilege.
https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-al...
--- quote ---
Remarks

The AllocateUserPhysicalPages function is used to allocate physical memory that can later be mapped within the virtual address space of the process. The SeLockMemoryPrivilege privilege must be enabled in the caller's token or the function will fail with ERROR_PRIVILEGE_NOT_HELD. For more information, see Privilege Constants.
...
--- quote ---
You could probably do a quick hack by adding this privilege to the default (admin) token if you can build Wine from source, but it won't get you far. AWE APIs are stubs in Wine:
* AllocateUserPhysicalPages
* FreeUserPhysicalPages
* MapUserPhysicalPages
Stable download link via Internet Archive:
https://web.archive.org/web/20211009060326/https://testmem.tz.ru/tm5.rar
https://www.virustotal.com/gui/file/b7ed4b39de012e88ec9ad7f21b0ac68a4e863fe0...
$ sha1sum tm5.rar
f141a919d7d1cfb1baaea671fb6dcd3bf213cdf7  tm5.rar

$ du -sh tm5.rar
24K     tm5.rar

$ sha1sum TM5.exe
13122d07d828637943ca7e8043f77beca4e76928  TM5.exe

$ sha1sum bin/MT0.dll
21c3a60a648615317421be93432697253a3c7ff3  bin/MT0.dll
Regards
--- Comment #4 from Anastasius Focht focht@gmx.net --- Hello folks,
I've found a small tool which uses the same sequence for granting 'SeLockMemoryPrivilege'. Good for testing because it actually calls 'LsaEnumerateAccountRights' later, which deserves its own bug.
https://web.archive.org/web/20211128192930/http://www.numberworld.org/y-crun...
--- quote --- There are 3 requirements for large (and locked) pages to work on Windows:
1. You need to have the "SeLockMemoryPrivilege" token. This privilege is disabled for all users by default. You will need to enable it manually.
2. y-cruncher needs to be running as an administrator.
3. There needs to be enough contiguous physical memory in the system.
Enabling SeLockMemoryPrivilege:
"SeLockMemoryPrivilege" is disabled for all users by default. So you will likely need to enable it manually.
Instructions for enabling it using the Group Policy Editor can be found here: https://msdn.microsoft.com/en-us/library/ms190730.aspx
If your version of Windows is a Home Edition and does not have the Group Policy Editor, you can also enable it by running the following program:
Enable "SeLockMemoryPrivilege" on Windows:
* Precompiled Binary
* Source Code
Run y-cruncher as an Administrator:
Right-click the program and select "Run as administrator". You may get a UAC warning depending on your settings. --- quote ---
https://web.archive.org/web/20171109063809/http://numberworld.org/y-cruncher...
--- snip ---
$ wine ./enable_permissions.exe
...
Retrieving Account Name...
Account Name: focht
Opening LSA Handle...
Success
Obtaining Security ID...
Domain: N550
Adding permission for: SeLockMemoryPrivilege
0024:fixme:advapi:LsaAddAccountRights (0000CAFE,0045EC38,0032FE6C,0x00000001) stub
Success
Enumerating User-specific Permissions... 0024:fixme:advapi:LsaEnumerateAccountRights (0000CAFE,0045EC38,0032FE54,0032FE50) stub
Please restart for changes to take effect.
Press any key to continue... --- snip ---
$ sha1sum enable_permissions.exe
947cc8f8c809b88fa22d72f283f123a712f38b02  enable_permissions.exe

$ du -sh enable_permissions.exe
216K    enable_permissions.exe
https://web.archive.org/web/20190924092347/http://www.numberworld.org/y-crun...
$ wine --version wine-6.22-204-gf03933fbb73
Regards
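Comment #3 traces the privilege-acquisition sequence (AdjustTokenPrivileges fails with NOT_ALL_ASSIGNED, so the app falls back to LsaAddAccountRights and retries), and the y-cruncher notes quoted in Comment #4 describe the manual way to assign 'SeLockMemoryPrivilege' on Windows. The script below is an added example for this page; it is not code from the bug report, from Wine, or from TestMem5/y-cruncher. It does on a real Windows box what the stubbed LsaAddAccountRights path would do: check whether the current token already carries the privilege (the only case in which AdjustTokenPrivileges can enable it), and if not, assign it to an account through the local security policy with secedit. It assumes an elevated PowerShell session with secedit.exe (part of Windows) and a writable $env:TEMP; the function names, the temp file names and the return strings are the example's own.

```powershell
# Added example (not from the bug report, Wine, or TestMem5/y-cruncher).
# Assumes: elevated PowerShell on Windows, secedit.exe available, writable $env:TEMP.

function Test-PrivilegeInToken {
    param([string]$Name = 'SeLockMemoryPrivilege')
    # 'whoami /priv' lists every privilege in the current token, enabled or disabled.
    # Presence is what matters: AdjustTokenPrivileges only flips the enabled bit of
    # a privilege the token already holds. Asking for one the token lacks returns
    # ERROR_NOT_ALL_ASSIGNED (0x514 = 1300), the GetLastError value seen in the trace.
    $listing = & whoami /priv 2>$null
    return [bool]($listing | Select-String -SimpleMatch $Name -Quiet)
}

function Grant-PrivilegeToAccount {
    param(
        [string]$Name = 'SeLockMemoryPrivilege',
        # Default: SID of the account running this script (what the app looks up
        # with GetTokenInformation/TokenUser before calling LsaAddAccountRights).
        [string]$Sid  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    )
    $work = Join-Path $env:TEMP 'privilege-grant'     # hypothetical scratch dir
    New-Item -ItemType Directory -Force -Path $work | Out-Null
    $cfg = Join-Path $work 'rights.inf'
    $db  = Join-Path $work 'rights.sdb'

    # Export only the user-rights area of the local policy (Unicode .inf).
    & secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; run this elevated' }

    $lines = [System.Collections.Generic.List[string]](Get-Content -Path $cfg)
    $entry = "$Name = *$Sid"        # the .inf format writes SIDs with a leading '*'

    # Find an existing "SeLockMemoryPrivilege = ..." line, if any.
    $idx = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match "^\s*$Name\s*=") { $idx = $i; break }
    }
    if ($idx -ge 0) {
        if ($lines[$idx].Contains("*$Sid")) { return 'already-assigned' }
        $lines[$idx] = $lines[$idx].TrimEnd() + ",*$Sid"
    } else {
        # No assignment yet: create the line directly under [Privilege Rights].
        $section = -1
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i].Trim() -eq '[Privilege Rights]') { $section = $i; break }
        }
        if ($section -lt 0) { throw 'export has no [Privilege Rights] section' }
        $lines.Insert($section + 1, $entry)
    }
    Set-Content -Path $cfg -Value $lines -Encoding Unicode

    # Apply just the USER_RIGHTS area back into a fresh database. This is the same
    # scope LsaAddAccountRights changes, one right at a time.
    & secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null

    # Like the y-cruncher notes and the app's own "restart" message say: the new
    # right only appears in tokens created at the next logon.
    return 'assigned-logon-required'
}

# Usage (constructed for this example):
if (Test-PrivilegeInToken) {
    'SeLockMemoryPrivilege is present; AdjustTokenPrivileges can enable it.'
} else {
    Grant-PrivilegeToAccount
}
```

The two functions mirror the two halves of the traced sequence: the first answers the question AdjustTokenPrivileges is really asking (is the privilege in the token at all), the second does the policy-side change that Wine's LsaAddAccountRights stub silently skips. Even after the grant succeeds, a process started in the same session still gets NOT_ALL_ASSIGNED, which is why both the app and y-cruncher tell the user to restart; under Wine the export step has no policy store behind it, so the script throws rather than pretending success.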