feat: enable SeDebugPrivilege for SYSTEM processes

Author: mokurin000

Cargo.toml

@@ -16,8 +16,12 @@ tokio = { version = "1.44.2", default-features = false, features = [
 ] }
 win32-ecoqos = "0.5.0"
 windows = { version = "0.61", features = [
-    "Win32_UI_WindowsAndMessaging",
+    # UI event hook
     "Win32_UI_Accessibility",
+    # foreground event id, enter event loop
+    "Win32_UI_WindowsAndMessaging",
+    # enable SeDebugPrivilege for SYSTEM processes
+    "Win32_Security",
 ] }
 
 [build-dependencies]

README.md

@@ -14,6 +14,7 @@ EnergyStar alernative in Rust.
   - [x] Ctrl-C handle
   - [ ] windows terminate handle
 - [x] Support UWP applications
+- [x] Support `SYSTEM` privileged processes
 - [ ] Configurable whitelist and blacklist
 
 ## Non-goals (for now)

src/lib.rs

@@ -6,6 +6,7 @@ use kanal::Sender;
 pub mod bypass;
 pub mod events;
 pub mod logging;
+pub mod privilege;
 pub mod utils;
 
 pub static PID_SENDER: OnceLock<Sender<u32>> = OnceLock::new();

src/main.rs

@@ -2,7 +2,8 @@ use std::error::Error;
 use std::ffi::OsString;
 
 use ahash::AHashSet;
-use spdlog::{Level, LevelFilter, debug, info};
+use rustystar::privilege::try_enable_se_debug_privilege;
+use spdlog::{Level, LevelFilter, debug, info, warn};
 use win32_ecoqos::process::toggle_efficiency_mode;
 
 use rustystar::bypass::should_bypass;
@@ -17,20 +18,44 @@ async fn main() -> Result<(), Box<dyn Error + Send + Sync>> {
 
     let _ = WHITELIST.set(AHashSet::from_iter(
         [
+            // ourself
+            "RustyStar.exe",
             // System processes
             "explorer.exe",
+            // Windows Manager of Windows
             "dwm.exe",
+            // CSRSS core process
             "csrss.exe",
+            // Windows services process
             "svchost.exe",
+            // Task Manager
             "Taskmgr.exe",
+            // Session Manager Subsystem
             "smss.exe",
+            // Chinese input method
             "ChsIME.exe",
+            // Speech-To-Text, Screen keyboard, handwrite input, e.g.
             "ctfmon.exe",
+            // Windows User Mode Driver Framework
             "WUDFRd.exe",
+            "WUDFHost.exe",
             // Edge is energy aware
             "msedge.exe",
             // UWP special handle
             "ApplicationFrameHost.exe",
+            // system itself
+            "[System Process]",
+            "System",
+            "Registry",
+            // parent of "services.exe"
+            "wininit.exe",
+            // parent of "svchost.exe", "wudfhost.exe", e.g.
+            "services.exe",
+            // Local Security Authority Subsystem Service
+            "lsass.exe",
+            // part of the Windows Security Center,
+            // responsible for monitoring and reporting the security status of your system
+            "SecurityHealthService.exe",
         ]
         .map(OsString::from),
     ));
@@ -41,6 +66,15 @@ async fn main() -> Result<(), Box<dyn Error + Send + Sync>> {
         std::process::exit(0);
     })?;
 
+    match try_enable_se_debug_privilege() {
+        Ok(_) => {
+            info!("SeDebugPriviledge enabled!");
+        }
+        Err(e) => {
+            warn!("SeDebugPriviledge enable failed: {e}");
+        }
+    }
+
     info!("throtting all processes...");
     tokio::task::spawn_blocking(|| toggle_all(Some(true))).await??;
 

src/privilege/mod.rs

@@ -0,0 +1,48 @@
+use spdlog::warn;
+use win32_ecoqos::windows_result;
+use windows::Win32::{
+    Foundation::{HANDLE, LUID},
+    Security::{
+        AdjustTokenPrivileges, LUID_AND_ATTRIBUTES, LookupPrivilegeValueW, SE_DEBUG_NAME,
+        SE_PRIVILEGE_ENABLED, TOKEN_ADJUST_PRIVILEGES, TOKEN_PRIVILEGES,
+    },
+    System::Threading::{GetCurrentProcess, OpenProcessToken},
+};
+
+pub fn try_enable_se_debug_privilege() -> windows_result::Result<()> {
+    unsafe {
+        let processhandle = GetCurrentProcess();
+        let mut tokenhandle = HANDLE(std::ptr::null_mut());
+        let desiredaccess = TOKEN_ADJUST_PRIVILEGES;
+        OpenProcessToken(processhandle, desiredaccess, &mut tokenhandle as _)?;
+
+        if tokenhandle.is_invalid() {
+            warn!("failed to open access token!");
+        }
+
+        let mut luid = LUID::default();
+        let lpname = SE_DEBUG_NAME;
+        LookupPrivilegeValueW(None, Some(&lpname), &mut luid)?;
+
+        let attributes = SE_PRIVILEGE_ENABLED;
+        let privilege = LUID_AND_ATTRIBUTES {
+            Luid: luid,
+            Attributes: attributes,
+        };
+
+        let disableallprivileges = false;
+        let newstate = TOKEN_PRIVILEGES {
+            PrivilegeCount: 1,
+            Privileges: [privilege],
+        };
+        AdjustTokenPrivileges(
+            tokenhandle,
+            disableallprivileges,
+            Some(&newstate),
+            0,
+            None,
+            None,
+        )?;
+    }
+    Ok(())
+}