narkive is for sale. Interested? (dismiss)
Discussion:
How to create an process with administrator privilege from service
(too old to reply)
lancer
2008-06-22 03:19:00 UTC
Permalink
Now I need to create a process with administrator privilege from a service on
Vista.
By adjust the Integrity Level of the user token, the process becomes HIGH.
However it still has no administrator privileges.

I did it as the following:
1.Get the session if of the active console user (WTSGetActiveConsoleSessionId)
2.Get the user's token (WTSQueryUserToken)
3.duplicate the token ((DuplicateTokenEx)
4.Set the integrity level to be High. (SetTokenInformation)
//--------------------------------------------------------------------------
PTSTR szIntegritySid = "S-1-16-12288"; //high
PSID pIntegritySid = NULL;
TOKEN_MANDATORY_LABEL TIL = {0};

ConvertStringSidToSid(szIntegritySid, &pIntegritySid);
TIL.Label.Attributes = SE_GROUP_INTEGRITY;
TIL.Label.Sid = pIntegritySid;

AmSetTokenInformation(*hRunToken, TokenIntegrityLevel, &TIL,
sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid));
//------------------------------------------------------------------------
5. create the user process (createProcessAsUser)

Through process explorer, the process i created actually becomes high. But
have no admin rights.
Do I miss out any points?
Thans for your help
Mounir IDRASSI
2008-06-22 23:19:01 UTC
Permalink
Hi,

Does the user whose token is used in CreateProcessAsUser have administrative
rights? If no, then processes created with this function will never have
administrative rights, no matter what you do.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
Post by lancer
Now I need to create a process with administrator privilege from a service on
Vista.
By adjust the Integrity Level of the user token, the process becomes HIGH.
However it still has no administrator privileges.
I did it as the following:
1.Get the session if of the active console user (WTSGetActiveConsoleSessionId)
2.Get the user's token (WTSQueryUserToken)
3.duplicate the token ((DuplicateTokenEx)
4.Set the integrity level to be High. (SetTokenInformation)
//--------------------------------------------------------------------------
PTSTR szIntegritySid = "S-1-16-12288"; //high
PSID pIntegritySid = NULL;
TOKEN_MANDATORY_LABEL TIL = {0};
ConvertStringSidToSid(szIntegritySid, &pIntegritySid);
TIL.Label.Attributes = SE_GROUP_INTEGRITY;
TIL.Label.Sid = pIntegritySid;
AmSetTokenInformation(*hRunToken, TokenIntegrityLevel, &TIL,
sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid));
//------------------------------------------------------------------------
5. create the user process (createProcessAsUser)
Through process explorer, the process i created actually becomes high. But
have no admin rights.
Do I miss out any points?
Thans for your help
lancer
2008-06-24 08:21:01 UTC
Permalink
The program runs as a service, and with System rights.
Post by Mounir IDRASSI
Hi,
Does the user whose token is used in CreateProcessAsUser have administrative
rights? If no, then processes created with this function will never have
administrative rights, no matter what you do.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
Post by lancer
Now I need to create a process with administrator privilege from a service on
Vista.
By adjust the Integrity Level of the user token, the process becomes HIGH.
However it still has no administrator privileges.
I did it as the following:
1.Get the session if of the active console user (WTSGetActiveConsoleSessionId)
2.Get the user's token (WTSQueryUserToken)
3.duplicate the token ((DuplicateTokenEx)
4.Set the integrity level to be High. (SetTokenInformation)
//--------------------------------------------------------------------------
PTSTR szIntegritySid = "S-1-16-12288"; //high
PSID pIntegritySid = NULL;
TOKEN_MANDATORY_LABEL TIL = {0};
ConvertStringSidToSid(szIntegritySid, &pIntegritySid);
TIL.Label.Attributes = SE_GROUP_INTEGRITY;
TIL.Label.Sid = pIntegritySid;
AmSetTokenInformation(*hRunToken, TokenIntegrityLevel, &TIL,
sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid));
//------------------------------------------------------------------------
5. create the user process (createProcessAsUser)
Through process explorer, the process i created actually becomes high. But
have no admin rights.
Do I miss out any points?
Thans for your help
Mounir IDRASSI
2008-06-24 08:38:00 UTC
Permalink
Hi,

I think you didn't understand my question/remark. I'm not talking about the
main process who executes the code you are describing. I'm talking about the
owner of the hToken parameter used in the call to the function
CreateProcessAsUser which will create the second process.
As MSDN says, this second process "runs in the security context of the user
represented by the specified token.". So, even if your program has system
rights, the process created with CreateProcessAsUser with inherit the rights
of the token's user. Thus, if the targeted user doesn't have administrative
rights, the created process will not have them neither.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
Post by lancer
The program runs as a service, and with System rights.
Post by Mounir IDRASSI
Hi,
Does the user whose token is used in CreateProcessAsUser have administrative
rights? If no, then processes created with this function will never have
administrative rights, no matter what you do.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
lancer
2008-06-25 11:55:01 UTC
Permalink
Thanks for your reply.
The owner of the hToken is a administrator.
But the process created does not have admin priviliege.
how can we get the admin token?
Post by Mounir IDRASSI
Hi,
I think you didn't understand my question/remark. I'm not talking about the
main process who executes the code you are describing. I'm talking about the
owner of the hToken parameter used in the call to the function
CreateProcessAsUser which will create the second process.
As MSDN says, this second process "runs in the security context of the user
represented by the specified token.". So, even if your program has system
rights, the process created with CreateProcessAsUser with inherit the rights
of the token's user. Thus, if the targeted user doesn't have administrative
rights, the created process will not have them neither.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
Post by lancer
The program runs as a service, and with System rights.
Post by Mounir IDRASSI
Hi,
Does the user whose token is used in CreateProcessAsUser have administrative
rights? If no, then processes created with this function will never have
administrative rights, no matter what you do.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
k***@gmail.com
2014-06-30 06:13:22 UTC
Permalink
Hi Lancer,

Is this problem been solved??

lancer於 2008年6月25日星期三UTC+8下午7時55分01秒寫道:
Post by lancer
Thanks for your reply.
The owner of the hToken is a administrator.
But the process created does not have admin priviliege.
how can we get the admin token?
Post by Mounir IDRASSI
Hi,
I think you didn't understand my question/remark. I'm not talking about the
main process who executes the code you are describing. I'm talking about the
owner of the hToken parameter used in the call to the function
CreateProcessAsUser which will create the second process.
As MSDN says, this second process "runs in the security context of the user
represented by the specified token.". So, even if your program has system
rights, the process created with CreateProcessAsUser with inherit the rights
of the token's user. Thus, if the targeted user doesn't have administrative
rights, the created process will not have them neither.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
Post by lancer
The program runs as a service, and with System rights.
Post by Mounir IDRASSI
Hi,
Does the user whose token is used in CreateProcessAsUser have administrative
rights? If no, then processes created with this function will never have
administrative rights, no matter what you do.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
Eric Boudrand
2008-06-23 08:35:08 UTC
Permalink
Hi,
Post by lancer
1.Get the session if of the active console user
(WTSGetActiveConsoleSessionId)
2.Get the user's token (WTSQueryUserToken)
3.duplicate the token ((DuplicateTokenEx)
4.Set the integrity level to be High. (SetTokenInformation)
//--------------------------------------------------------------------------
PTSTR szIntegritySid = "S-1-16-12288"; //high
PSID pIntegritySid = NULL;
TOKEN_MANDATORY_LABEL TIL = {0};
ConvertStringSidToSid(szIntegritySid, &pIntegritySid);
TIL.Label.Attributes = SE_GROUP_INTEGRITY;
TIL.Label.Sid = pIntegritySid;
AmSetTokenInformation(*hRunToken, TokenIntegrityLevel, &TIL,
sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid));
//------------------------------------------------------------------------
Do you use AdjustTokenPrivileges() ?

Regards.

Eric
Mounir IDRASSI
2008-06-23 10:03:01 UTC
Permalink
Hi,

MSDN says :
"The AdjustTokenPrivileges function cannot add new privileges to the access
token. It can only enable or disable the token's existing privileges. To
determine the token's privileges, call the GetTokenInformation function."
So, if the user's Token used in (CreateProcessAsUser doesn't have
administrative privileges, AdjustTokenPrivileges can't add it.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
Post by Eric Boudrand
Hi,
Post by lancer
1.Get the session if of the active console user
(WTSGetActiveConsoleSessionId)
2.Get the user's token (WTSQueryUserToken)
3.duplicate the token ((DuplicateTokenEx)
4.Set the integrity level to be High. (SetTokenInformation)
//--------------------------------------------------------------------------
PTSTR szIntegritySid = "S-1-16-12288"; //high
PSID pIntegritySid = NULL;
TOKEN_MANDATORY_LABEL TIL = {0};
ConvertStringSidToSid(szIntegritySid, &pIntegritySid);
TIL.Label.Attributes = SE_GROUP_INTEGRITY;
TIL.Label.Sid = pIntegritySid;
AmSetTokenInformation(*hRunToken, TokenIntegrityLevel, &TIL,
sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid));
//------------------------------------------------------------------------
Do you use AdjustTokenPrivileges() ?
Regards.
Eric
Larry Futrell
2008-06-24 15:40:19 UTC
Permalink
Post by lancer
Now I need to create a process with administrator privilege from a
service on Vista.
By adjust the Integrity Level of the user token, the process becomes HIGH.
However it still has no administrator privileges.
1.Get the session if of the active console user
(WTSGetActiveConsoleSessionId)
2.Get the user's token (WTSQueryUserToken)
3.duplicate the token ((DuplicateTokenEx)
4.Set the integrity level to be High. (SetTokenInformation)
Between steps 2 and 3, call GetTokenInformation() with TokenLinkedToken to
get the linked (elevated) token, and remove step 4. The code might be
similar to:

TOKEN_LINKED_TOKEN linkedToken = {0};
/* The token is not elevated, we will build an elevated token for the */
/* user. */
dwSize = sizeof linkedToken;
/* Get the linked token, which is the elevated version of the current */
/* token. */
if (GetTokenInformation(hToken,
TokenLinkedToken,
&linkedToken,
dwSize, &dwSize)) {
/* The linked token is not a primary token, so we create one from it. */
if (DuplicateTokenEx(linkedToken.LinkedToken,
MAXIMUM_ALLOWED,
NULL,
SecurityImpersonation,
TokenPrimary,
&hPrimaryToken)) {
--
Larry Futrell
lancer
2008-06-25 11:48:08 UTC
Permalink
Thanks, i use this way and get the amin token.
But is this way secure?
Is it sure to get admin token?
Can we set the linkedToken?

I find few documents about this area
Post by Larry Futrell
Post by lancer
Now I need to create a process with administrator privilege from a
service on Vista.
By adjust the Integrity Level of the user token, the process becomes HIGH.
However it still has no administrator privileges.
1.Get the session if of the active console user
(WTSGetActiveConsoleSessionId)
2.Get the user's token (WTSQueryUserToken)
3.duplicate the token ((DuplicateTokenEx)
4.Set the integrity level to be High. (SetTokenInformation)
Between steps 2 and 3, call GetTokenInformation() with TokenLinkedToken to
get the linked (elevated) token, and remove step 4. The code might be
TOKEN_LINKED_TOKEN linkedToken = {0};
/* The token is not elevated, we will build an elevated token for the */
/* user. */
dwSize = sizeof linkedToken;
/* Get the linked token, which is the elevated version of the current */
/* token. */
if (GetTokenInformation(hToken,
TokenLinkedToken,
&linkedToken,
dwSize, &dwSize)) {
/* The linked token is not a primary token, so we create one from it. */
if (DuplicateTokenEx(linkedToken.LinkedToken,
MAXIMUM_ALLOWED,
NULL,
SecurityImpersonation,
TokenPrimary,
&hPrimaryToken)) {
--
Larry Futrell
Loading...