Click here to get back home

Allow non-Administrator to view and terminate processes for all users
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Allow non-Administrator to view and terminate processes for all users Bruce Sanderson 07-21-2006
Posted by Bruce Sanderson on July 21, 2006, 5:56 pm
Please log in for more thread options
 In Windows 2003 Enterprise Server, is there a user right or group policy
setting (or other means) to allow someone to view and end processes from any
(all) users (e.g. in Task Manager - "Show processes from all users") without
making that someone's user account a member of the Administrators group?

--
Bruce Sanderson MVP
http://members.shaw.ca/bsanders/
It's perfectly useless to know the right answer to the wrong question.




Posted by S. Pidgorny on July 22, 2006, 10:28 pm
Please log in for more thread options
 Interesting question... That might be a matter of changing one of the user
rights in the local security policy. Which one? I'd say "Increase scheduling
priority" or "debug programs".

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

> In Windows 2003 Enterprise Server, is there a user right or group policy
> setting (or other means) to allow someone to view and end processes from
> any (all) users (e.g. in Task Manager - "Show processes from all users")
> without making that someone's user account a member of the Administrators
> group?
>
> --
> Bruce Sanderson MVP
> http://members.shaw.ca/bsanders/
> It's perfectly useless to know the right answer to the wrong question.
>
>
>



Posted by Miha Pihler [MVP] on July 23, 2006, 4:16 am
Please log in for more thread options
Hi,

Any user in hold of Debug permission (SeDebug Privilege) can easily become
an owner (Administrator) on that PC... User with debug permission can run
tools such as lsadump, pwdump etc...

--
Mike
Microsoft MVP - Windows Security

> Interesting question... That might be a matter of changing one of the user
> rights in the local security policy. Which one? I'd say "Increase
> scheduling priority" or "debug programs".
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
>> In Windows 2003 Enterprise Server, is there a user right or group policy
>> setting (or other means) to allow someone to view and end processes from
>> any (all) users (e.g. in Task Manager - "Show processes from all users")
>> without making that someone's user account a member of the Administrators
>> group?
>>
>> --
>> Bruce Sanderson MVP
>> http://members.shaw.ca/bsanders/
>> It's perfectly useless to know the right answer to the wrong question.
>>
>>
>>
>
>



Posted by Bruce Sanderson on July 25, 2006, 1:38 am
Please log in for more thread options
Thanks for the reply, Svyatoslav!

I tried granting a user both the "increase scheduling priority" and "debug
programs" "right" under Security Settings, Local Policies, User Rights
Assignment (in Computer Configuration) via GPO to a specific domain user,
but that user still could not add a check mark to the "Show processes from
all users" check box in Task Manager.

I verified using gpresult /v that the settings in the GPO had been applied
to the computer.

Any other ideas come to mind?

It may well be that there is no specific right or permission that grants
this - this ability may be built-in to the Administrators group inherent
rights (unfortunately!) but it would be nice to know definitively.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



> Interesting question... That might be a matter of changing one of the user
> rights in the local security policy. Which one? I'd say "Increase
> scheduling priority" or "debug programs".
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
>> In Windows 2003 Enterprise Server, is there a user right or group policy
>> setting (or other means) to allow someone to view and end processes from
>> any (all) users (e.g. in Task Manager - "Show processes from all users")
>> without making that someone's user account a member of the Administrators
>> group?
>>
>> --
>> Bruce Sanderson MVP
>> http://members.shaw.ca/bsanders/
>> It's perfectly useless to know the right answer to the wrong question.
>>
>>
>>
>
>



Posted by Roger Abell [MVP] on July 25, 2006, 9:45 am
Please log in for more thread options
Bruce,
We need to factor apart what you appear after.
One is to use task manager to view all processes. This appears to be
something hardcoded into task manager as allowed only to admins.
However, if you are willing to use other tools, for example fromt the
PStools suite from www.sysinternals.com (now part of Microsoft)
then you will find that they do not have this restirction.
You also seemed to what to grant the ability for a non-admin account
to access/kill arbitrary processes. I do not believe that there is a
specific user right for that tightly defined purpose. I would also try
debug priv, possibly with load/unload drivers, and if those are not
sufficient then act as part of OS. Any one of these is an unsafe grant
that would allow the account with them to elevate they privs to full
admin, to destabalize the OS, to install code of choice, etc..

Roger
> Thanks for the reply, Svyatoslav!
>
> I tried granting a user both the "increase scheduling priority" and "debug
> programs" "right" under Security Settings, Local Policies, User Rights
> Assignment (in Computer Configuration) via GPO to a specific domain user,
> but that user still could not add a check mark to the "Show processes from
> all users" check box in Task Manager.
>
> I verified using gpresult /v that the settings in the GPO had been
> applied to the computer.
>
> Any other ideas come to mind?
>
> It may well be that there is no specific right or permission that grants
> this - this ability may be built-in to the Administrators group inherent
> rights (unfortunately!) but it would be nice to know definitively.
>
> --
> Bruce Sanderson MVP Printing
> http://members.shaw.ca/bsanders
>
> It is perfectly useless to know the right answer to the wrong question.
>
>
>
>> Interesting question... That might be a matter of changing one of the
>> user rights in the local security policy. Which one? I'd say "Increase
>> scheduling priority" or "debug programs".
>>
>> --
>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>> -= F1 is the key =-
>>
>>> In Windows 2003 Enterprise Server, is there a user right or group policy
>>> setting (or other means) to allow someone to view and end processes from
>>> any (all) users (e.g. in Task Manager - "Show processes from all users")
>>> without making that someone's user account a member of the
>>> Administrators group?
>>>
>>> --
>>> Bruce Sanderson MVP
>>> http://members.shaw.ca/bsanders/
>>> It's perfectly useless to know the right answer to the wrong question.
>>>
>>>
>>>
>>
>>
>
>



Similar ThreadsPosted
Allow power users to "Show Processes From All Users" in Task Manager May 25, 2007, 6:38 pm
Granting Rights to Processes in Task Manager May 3, 2006, 8:15 am
Weird Processes on my Windows 2003 Servers July 16, 2006, 9:43 am
Security event view April 20, 2006, 1:04 pm
View effective permissions June 22, 2006, 4:19 am
Where to View Machine Certificate? November 1, 2006, 2:25 am
Not able to view secondary hard drive January 11, 2006, 9:53 am
Permission to View Event Viewer June 6, 2008, 9:11 am
unable to view configuration from Local Security Policy June 21, 2005, 10:07 pm
certificateauthority.view issues-automating cert revokecation June 21, 2007, 10:41 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap