  1. Core ReactOS
  2. CORE-9184 SepAccessCheckEx is broken
  3. CORE-9175

dhcpcsvc relies on default security descriptor when creating its API pipe


Details

    Description

      Example message and backtrace:

      (..\..\ntoskrnl\se\accesschk.c:253) HACK: RemainingAccess = 0x00000112  DesiredAccess = 0x0010019b
      Break instruction exception - code 80000003 (first chance)
      nt!SepAccessCheckEx+0x527:
      80527757 cc              int     3
      kd> kp
      ChildEBP RetAddr  
      f70a2020 80527903 nt!SepAccessCheckEx(void * SecurityDescriptor = 0xe1006218, struct _SECURITY_SUBJECT_CONTEXT * SubjectSecurityContext = 0xb4ae6494, unsigned long DesiredAccess = 0x10019b, struct _OBJECT_TYPE_LIST * ObjectTypeList = 0x00000000, unsigned long ObjectTypeListLength = 0, unsigned long PreviouslyGrantedAccess = 0x20000, struct _PRIVILEGE_SET ** Privileges = 0xf70a2100, struct _GENERIC_MAPPING * GenericMapping = 0x805c908c, char AccessMode = 0n1 '', unsigned long * GrantedAccessList = 0xf70a210c, long * AccessStatusList = 0xf70a20e0, unsigned char UseResultList = 0x00 '')+0x527 [c:\ros\reactos-clean\reactos\ntoskrnl\se\accesschk.c @ 254]
      f70a2058 80527ad7 nt!SepAccessCheck(void * SecurityDescriptor = 0xe1006218, struct _SECURITY_SUBJECT_CONTEXT * SubjectSecurityContext = 0xb4ae6494, unsigned long DesiredAccess = 0x10019b, unsigned long PreviouslyGrantedAccess = 0x20000, struct _PRIVILEGE_SET ** Privileges = 0xf70a2100, struct _GENERIC_MAPPING * GenericMapping = 0x805c908c, char AccessMode = 0n1 '', unsigned long * GrantedAccess = 0xf70a210c, long * AccessStatus = 0xf70a20e0)+0x33 [c:\ros\reactos-clean\reactos\ntoskrnl\se\accesschk.c @ 312]
      f70a2094 f7793a42 nt!SeAccessCheck(void * SecurityDescriptor = 0xe1006218, struct _SECURITY_SUBJECT_CONTEXT * SubjectSecurityContext = 0xb4ae6494, unsigned char SubjectContextLocked = 0x01 '', unsigned long DesiredAccess = 0x10019b, unsigned long PreviouslyGrantedAccess = 0x20000, struct _PRIVILEGE_SET ** Privileges = 0xf70a2100, struct _GENERIC_MAPPING * GenericMapping = 0x805c908c, char AccessMode = 0n1 '', unsigned long * GrantedAccess = 0xf70a210c, long * AccessStatus = 0xf70a20e0)+0x1c7 [c:\ros\reactos-clean\reactos\ntoskrnl\se\accesschk.c @ 445]
      f70a211c f7794275 npfs!NpCreateClientEnd(struct _NP_FCB * Fcb = 0xe1520e78, struct _FILE_OBJECT * FileObject = 0xb4979888, unsigned long DesiredAccess = 0x12019f, struct _SECURITY_QUALITY_OF_SERVICE * SecurityQos = 0x00000000, struct _ACCESS_STATE * AccessState = 0xb4ae6478, char PreviousMode = 0n1 '', struct _ETHREAD * Thread = 0xb497e020, struct _LIST_ENTRY * List = 0xf70a2164 [ 0xf70a2164 - 0xf70a2164 ])+0x92 [c:\ros\reactos-clean\reactos\drivers\filesystems\npfs\create.c @ 142]
      f70a21c0 804883a0 npfs!NpFsdCreate(struct _DEVICE_OBJECT * DeviceObject = 0xb4bae6c0, struct _IRP * Irp = 0xb49fda10)+0x295 [c:\ros\reactos-clean\reactos\drivers\filesystems\npfs\create.c @ 499]
      f70a21e8 80477e84 nt!IofCallDriver(struct _DEVICE_OBJECT * DeviceObject = 0xb4bae6c0, struct _IRP * Irp = 0xb49fda10)+0xc0 [c:\ros\reactos-clean\reactos\ntoskrnl\io\iomgr\irp.c @ 1214]
      f70a230c 8050b813 nt!IopParseDevice(void * ParseObject = 0xb4bae6c0, void * ObjectType = 0x00000000, struct _ACCESS_STATE * AccessState = 0xb4ae6478, char AccessMode = 0n1 '', unsigned long Attributes = 0x40, struct _UNICODE_STRING * CompleteName = 0xf70a242c "\Device\NamedPipe\dhcpclient", struct _UNICODE_STRING * RemainingName = 0xf70a23a4 "\dhcpclient", void * Context = 0xb49a1ba0, struct _SECURITY_QUALITY_OF_SERVICE * SecurityQos = 0x00000000, void ** Object = 0xf70a23c8)+0xd44 [c:\ros\reactos-clean\reactos\ntoskrnl\io\iomgr\file.c @ 858]
      f70a23d0 80505298 nt!ObpLookupObjectName(void * RootHandle = 0x00000000, struct _UNICODE_STRING * ObjectName = 0xf70a242c "\Device\NamedPipe\dhcpclient", unsigned long Attributes = 0x40, struct _OBJECT_TYPE * ObjectType = 0x00000000, char AccessMode = 0n1 '', void * ParseContext = 0xb49a1ba0, struct _SECURITY_QUALITY_OF_SERVICE * SecurityQos = 0x00000000, void * InsertObject = 0x00000000, struct _ACCESS_STATE * AccessState = 0xb4ae6478, struct _OBP_LOOKUP_CONTEXT * LookupContext = 0xb4ae651c, void ** FoundObject = 0xf70a243c)+0x833 [c:\ros\reactos-clean\reactos\ntoskrnl\ob\obname.c @ 818]
      f70a2444 8047aae5 nt!ObOpenObjectByName(struct _OBJECT_ATTRIBUTES * ObjectAttributes = 0x00b5ebb0, struct _OBJECT_TYPE * ObjectType = 0x00000000, char AccessMode = 0n1 '', struct _ACCESS_STATE * PassedAccessState = 0xb4ae6478, unsigned long DesiredAccess = 0xc0100080, void * ParseContext = 0xb49a1ba0, void ** Handle = 0xf70a24c4)+0x1b8 [c:\ros\reactos-clean\reactos\ntoskrnl\ob\obhandle.c @ 2514]
      f70a24e8 8047bd9a nt!IoCreateFile(void ** FileHandle = 0x00b5eb80, unsigned long DesiredAccess = 0xc0100080, struct _OBJECT_ATTRIBUTES * ObjectAttributes = 0x00b5ebb0, struct _IO_STATUS_BLOCK * IoStatusBlock = 0x00b5eba0, union _LARGE_INTEGER * AllocationSize = 0x00000000, unsigned long FileAttributes = 0, unsigned long ShareAccess = 3, unsigned long Disposition = 1, unsigned long CreateOptions = 0x60, void * EaBuffer = 0x00000000, unsigned long EaLength = 0, _CREATE_FILE_TYPE CreateFileType = CreateFileTypeNone (0), void * ExtraCreateParameters = 0x00000000, unsigned long Options = 0)+0xa25 [c:\ros\reactos-clean\reactos\ntoskrnl\io\iomgr\file.c @ 2463]
      f70a2528 80542689 nt!NtCreateFile(void ** FileHandle = 0x00b5eb80, unsigned long DesiredAccess = 0xc0100080, struct _OBJECT_ATTRIBUTES * ObjectAttributes = 0x00b5ebb0, struct _IO_STATUS_BLOCK * IoStatusBlock = 0x00b5eba0, union _LARGE_INTEGER * AllocateSize = 0x00000000, unsigned long FileAttributes = 0, unsigned long ShareAccess = 3, unsigned long CreateDisposition = 1, unsigned long CreateOptions = 0x60, void * EaBuffer = 0x00000000, unsigned long EaLength = 0)+0x3a [c:\ros\reactos-clean\reactos\ntoskrnl\io\iomgr\file.c @ 3228]
      f70a2564 8054219d nt!KiSystemCallTrampoline(void * Handler = 0x8047bd60, void * Arguments = 0x00b5eb20, unsigned long StackBytes = 0x2c)+0x19 [c:\ros\reactos-clean\reactos\ntoskrnl\include\internal\i386\ke.h @ 725]
      f70a25ac 80403e03 nt!KiSystemServiceHandler(struct _KTRAP_FRAME * TrapFrame = 0xf70a25b4, void * Arguments = 0x00b5eb20)+0x23d [c:\ros\reactos-clean\reactos\ntoskrnl\ke\i386\traphdlr.c @ 1717]
      f70a25ac 7c92fb8e nt!KiFastCallEntry+0x8c
      00b5eb14 7c95ab25 ntdll!KiFastSystemCallRet
      00b5eb18 77db49ba ntdll!NtCreateFile+0xc
      00b5ebcc 779db4eb kernel32!CreateFileW(wchar_t * lpFileName = 0x779e5930 "\\.\pipe\dhcpclient", unsigned long dwDesiredAccess = 0xc0100080, unsigned long dwShareMode = 3, struct _SECURITY_ATTRIBUTES * lpSecurityAttributes = 0x00000000, unsigned long dwCreationDisposition = 1, unsigned long dwFlagsAndAttributes = 0, void * hTemplateFile = 0x00000000)+0x46a [c:\ros\reactos-clean\reactos\dll\win32\kernel32\client\file\create.c @ 326]
      00b5ebfc 779124ba dhcpcsvc!DhcpCApiInitialize(unsigned long * Version = 0x00b5ec10)+0x4b [c:\ros\reactos-clean\reactos\dll\win32\dhcpcsvc\dhcpcsvc.c @ 41]
      00b5ec1c 779176c3 iphlpapi!getDhcpInfoForAdapter(unsigned long AdapterIndex = 1, int * DhcpEnabled = 0x00b5ecd0, unsigned long * DhcpServer = 0x00b5ecc4, long * LeaseObtained = 0x001430a0, long * LeaseExpires = 0x001430a4)+0x2a [c:\ros\reactos-clean\reactos\dll\win32\iphlpapi\dhcp_reactos.c @ 25]
      00b5ecdc 71ea53df iphlpapi!GetAdaptersInfo(struct _IP_ADAPTER_INFO * pAdapterInfo = 0x00142e28, unsigned long * pOutBufLen = 0x00b5f444)+0x3c3 [c:\ros\reactos-clean\reactos\dll\win32\iphlpapi\iphlpapi_main.c @ 647]
      00b5f450 71ea5a8c netshell!CNetConnectionManager::EnumerateINetConnections(void)+0x13f [c:\ros\reactos-clean\reactos\dll\shellext\netshell\connectmanager.cpp @ 547]
      00b5f46c 71ea9cd0 netshell!INetConnectionManager_Constructor(struct IUnknown * pUnkOuter = 0x00000000, struct _GUID * riid = 0x71eb1198 {c08956a2-1cd3-11d1-b1c5-00805fc1270e}, void ** ppv = 0x00b5f4d0)+0xfc [c:\ros\reactos-clean\reactos\dll\shellext\netshell\connectmanager.cpp @ 689]
      00b5f8a0 71eaa4a8 netshell!CLanStatus::InitializeNetTaskbarNotifications(void)+0x190 [c:\ros\reactos-clean\reactos\dll\shellext\netshell\lanstatusui.cpp @ 999]
      00b5f8a8 00a11127 netshell!CLanStatus::Exec(struct _GUID * pguidCmdGroup = 0x00a1cebc {000214d2-0000-0000-c000-000000000046}, unsigned long nCmdID = 2, unsigned long nCmdexecopt = 0, struct tagVARIANT * pvaIn = 0x00000000, struct tagVARIANT * pvaOut = 0x00000000)+0x28 [c:\ros\reactos-clean\reactos\dll\shellext\netshell\lanstatusui.cpp @ 1190]
      00b5f8d8 00a1127b stobject!CSysTray::InitNetShell(void)+0x77 [c:\ros\reactos-clean\reactos\dll\shellext\stobject\csystray.cpp @ 29]
      00b5f8f0 00a11a85 stobject!CSysTray::InitIcons(void)+0xab [c:\ros\reactos-clean\reactos\dll\shellext\stobject\csystray.cpp @ 54]
      00b5f904 00a126ba stobject!CSysTray::ProcessWindowMessage(struct HWND__ * hWnd = 0x000500c8, unsigned int uMsg = 1, unsigned int wParam = 0, long lParam = 0xb5faf0, long * lResult = 0x00b5f93c, unsigned long dwMsgMapID = 0)+0x55 [c:\ros\reactos-clean\reactos\dll\shellext\stobject\csystray.cpp @ 211]
      00b5f970 77a844b7 stobject!ATL::CWindowImplBaseT<ATL::CWindow,ATL::CWinTraits<2252341248,392> >::WindowProc(struct HWND__ * hWnd = 0x000500c8, unsigned int uMsg = 1, unsigned int wParam = 0, long lParam = 0xb5faf0)+0x9a [c:\ros\reactos-clean\reactos\lib\atl\atlwin.h @ 479]
      00b5fa2c 77a88303 user32!IntCallWindowProcW(int IsAnsiProc = 0, <function> * WndProc = 0x00a50000, struct _WND * pWnd = 0x003459d0, struct HWND__ * hWnd = 0x000500c8, unsigned int Msg = 1, unsigned int wParam = 0, long lParam = 0xb5faf0)+0x417 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 1490]
      00b5fab8 7c92fae1 user32!User32CallWindowProcFromKernel(void * Arguments = 0x00b5fad0, unsigned long ArgumentLength = 0x56)+0x1f3 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 2920]
      00b5fc4c 77a92228 ntdll!KiUserCallbackDispatcher+0x2e
      00b5fce8 00a12962 user32!CreateWindowExW(unsigned long dwExStyle = 0x188, wchar_t * lpClassName = 0x0000c065 "--- memory read error at address 0x0000c065 ---", wchar_t * lpWindowName = 0x00000000 "", unsigned long dwStyle = 0x86400000, int x = 0x80000000, int y = 0x80000000, int nWidth = 0x80000000, int nHeight = 0x80000000, struct HWND__ * hWndParent = 0x00000000, struct HMENU__ * hMenu = 0x00000000, struct HINSTANCE__ * hInstance = 0x00a10000, void * lpParam = 0x00000000)+0x318 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\window.c @ 567]
      00b5fd28 00a11efb stobject!ATL::CWindowImplBaseT<ATL::CWindow,ATL::CWinTraits<2252341248,392> >::Create(struct HWND__ * hWndParent = 0x00000000, class ATL::_U_RECT rect = class ATL::_U_RECT, wchar_t * szWindowName = 0x00000000 "", unsigned long dwStyle = 0x86400000, unsigned long dwExStyle = 0x188, class ATL::_U_MENUorID MenuOrID = class ATL::_U_MENUorID, unsigned short atom = 0xc065, void * lpCreateParam = 0x00000000)+0xd2 [c:\ros\reactos-clean\reactos\lib\atl\atlwin.h @ 528]
      00b5fd60 00a1181a stobject!ATL::CWindowImpl<CSysTray,ATL::CWindow,ATL::CWinTraits<2252341248,392> >::Create(struct HWND__ * hWndParent = 0x00000000, class ATL::_U_RECT rect = class ATL::_U_RECT, wchar_t * szWindowName = 0x00000000 "", unsigned long dwStyle = 0x86400000, unsigned long dwExStyle = 0x188, class ATL::_U_MENUorID MenuOrID = class ATL::_U_MENUorID, void * lpCreateParam = 0x00000000)+0xab [c:\ros\reactos-clean\reactos\lib\atl\atlwin.h @ 565]
      00b5ffac 00a116f9 stobject!CSysTray::SysTrayThreadProc(void)+0x7a [c:\ros\reactos-clean\reactos\dll\shellext\stobject\csystray.cpp @ 153]
      00b5ffb8 77da2c0d stobject!CSysTray::s_SysTrayThreadProc(void * param = 0x00140908)+0x19 [c:\ros\reactos-clean\reactos\dll\shellext\stobject\csystray.cpp @ 124]
      00b5ffec 00000000 kernel32!BaseThreadStartup(<function> * lpStartAddress = 0x00a116e0, void * lpParameter = 0x00140908)+0x5d [c:\ros\reactos-clean\reactos\dll\win32\kernel32\client\thread.c @ 69]

            Fraizeraust George Bișoc
            ThFabba ThFabba