Pagedefrag requires the debug programs privilege




















The article at www. While most systems use the common values listed above, how can you determine the actual resolution of the clock on your computers? The answer lies in the GetSystemTimeAdjustment Win32 API, which tells you whether the system is applying a periodic adjustment to the time-of-day clock.

It just so happens that this API also returns the interval of the clock.

If you are an administrator in charge of multiple servers, you probably spend a significant amount of time popping open various information dialogs to remind yourself of the values of various system properties such as installed service pack version, IP addresses, computer name, memory size and processor speed. Now you can have all this information in plain view on each server's desktop using the BgInfo utility that Bryce developed. When you run it, BgInfo creates a desktop background that automatically reports a variety of useful system characteristics. You can put BgInfo in your Start folder so that the information is available to you whenever you log in, and you can modify the data that BgInfo shows, even adding your own. With BgInfo installed on your servers you'll save the time you spent repeatedly looking up easily forgotten information.

The official book on the internals of Windows is now available! This edition, coauthored by David Solomon www. It also includes a CD with several powerful tools, not available anywhere else, for investigating Windows internals.

I don't have any new KB articles that reference Sysinternals to report, but Microsoft has added some pretty high-profile links to Sysinternals in the TechNet part of its site.

The first is in the "Ask Us About Security" column at www. The second reference is in the "Inside Microsoft" column at www. In the course of answering, where readers are pointed at HandleEx www. Even the Mole refers to Sysinternals from time to time. What? You thought perhaps Mole keeps all this information in his head? Once again, this is where he is going to send you.

Unlike other debug output monitors, including dbmon, my DebugView debug-output monitor www. As a result, I've received dozens of e-mails from developers complaining that their management won't give them local administrator privileges, only the Debug privilege.

The argument goes that the Debug privilege is there for a reason, and it's all application developers need to develop. These developers ask me to change DebugView so that it only installs the driver if the user has administrator privileges, and otherwise just collects Win32 debug output.

These requests always give me a chuckle, because what the management that makes the Debug-privilege argument fails to realize is that this privilege opens the door to local administrator privileges.

Using the Debug privilege a developer can have a debugger attach to the Local Security Authority process LSASS and manipulate it so as to give them local administrator privileges on their next login.

Or they can inject code into any process running in the System account that would add their account to the local administrators group. When I explain this to the complaining developers they sometimes respond that their management doesn't buy the argument. Until now, I haven't had anything for them to take back to their management to make their case, but a recent rash of such e-mails has prompted me to take action.

LogonEx, a utility you can download at www. In order to best show it off, create an account that is a normal user account except with the addition of the "Debug Programs" privilege. Log off, log in under that account and run LogonEx. After LogonEx makes its patch you'll be able to log in to the system using any account without specifying a password. Complete the demonstration by logging in as an administrator and adding the account you created to the local administrators group.

LogonEx is just one example of how the Debug privilege enables a developer to take control of a system, but there are plenty of others.

Can anyone help? Let me know if you need more information.

Thursday, December 31, PM.

Hello Pug,

To set the "Debug Programs" policy in other member servers in your domain, you need to assign a domain group policy to these servers.

While the new GPO is selected, click Edit. This starts the Group Policy Object Editor. Click the Advanced button. Click the find now button.

Select your user logon name and then click the ok button.
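Because the Debug privilege is, as argued above, a route to local administrator rights, it is worth checking which accounts a policy actually grants it to. The following is an added example, not part of the original newsletter or forum reply: it parses the text of a `secedit /export /areas USER_RIGHTS` security template and lists holders of `SeDebugPrivilege` other than the built-in Administrators group. The sample export is constructed and the function names are hypothetical.

```python
# Added example: audit who holds SeDebugPrivilege in a security-template export.
import configparser

# Constructed sample in the INF layout that `secedit /export /areas USER_RIGHTS`
# writes; the domain SID and the account name are made up for illustration.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105,CONTOSO\\dev-build
[Version]
signature="$CHICAGO$"
Revision=1
"""

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the built-in Administrators group


def privilege_holders(inf_text, privilege="SeDebugPrivilege"):
    """Return the SIDs and account names granted `privilege` in the export."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep privilege names exactly as written
    parser.read_string(inf_text)
    if not parser.has_option("Privilege Rights", privilege):
        return []  # the right is not assigned to anyone
    raw = parser.get("Privilege Rights", privilege)
    # Entries are comma-separated; SIDs carry a leading '*', account names do not.
    return [entry.strip().lstrip("*") for entry in raw.split(",") if entry.strip()]


def unexpected_holders(inf_text, allowed=(ADMINISTRATORS_SID,)):
    """Holders of SeDebugPrivilege that are not on the allow-list."""
    return [h for h in privilege_holders(inf_text) if h not in allowed]


if __name__ == "__main__":
    for holder in unexpected_holders(SAMPLE_EXPORT):
        print("review: SeDebugPrivilege granted to", holder)
```

A real export file is written as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to these functions.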

How to detect if "Debug Programs" Windows privilege is set?

Asked 10 years, 11 months ago by Mike Johnson.

Use GetTokenInformation to find out what privileges are enabled on this process already. If the process has the privilege enabled already, that means that the process is most likely being run under a debugger, and that the current logged-in user does have the privilege enabled. If the process doesn't have the privilege set, use the AdjustTokenPrivileges to attempt to set the privilege.

This is in our method AttemptToAddDebugPrivilegeToProcess below; we return true if the privilege can be set (meaning the current logged-in user has the "debug programs" privilege enabled) or false if it can't.

Privileges held by the user may or may not be disabled (some are disabled by default). From your question, I think what you really want to check is if the user is an administrator.


