How to create an process with administrator privilege from service

Discussion:

(too old to reply)

lancer

2008-06-22 03:19:00 UTC

Now I need to create a process with administrator privilege from a service on
Vista.
By adjust the Integrity Level of the user token, the process becomes HIGH.
However it still has no administrator privileges.

I did it as the following：
1.Get the session if of the active console user （WTSGetActiveConsoleSessionId）
2.Get the user's token （WTSQueryUserToken）
3.duplicate the token (（DuplicateTokenEx)
4.Set the integrity level to be High. （SetTokenInformation)
//--------------------------------------------------------------------------
PTSTR szIntegritySid = "S-1-16-12288"; //high
PSID pIntegritySid = NULL;
TOKEN_MANDATORY_LABEL TIL = {0};

ConvertStringSidToSid(szIntegritySid, &pIntegritySid);
TIL.Label.Attributes = SE_GROUP_INTEGRITY;
TIL.Label.Sid = pIntegritySid;

AmSetTokenInformation(*hRunToken, TokenIntegrityLevel, &TIL,
sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid));
//------------------------------------------------------------------------
5. create the user process （createProcessAsUser）

Through process explorer, the process i created actually becomes high. But
have no admin rights.
Do I miss out any points?
Thans for your help

Mounir IDRASSI

2008-06-22 23:19:01 UTC

Permalink

Hi,

Does the user whose token is used in CreateProcessAsUser have administrative
rights? If no, then processes created with this function will never have
administrative rights, no matter what you do.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)

Post by lancer
Now I need to create a process with administrator privilege from a service on
Vista.
By adjust the Integrity Level of the user token, the process becomes HIGH.
However it still has no administrator privileges.
I did it as the following：
1.Get the session if of the active console user （WTSGetActiveConsoleSessionId）
2.Get the user's token （WTSQueryUserToken）
3.duplicate the token (（DuplicateTokenEx)
4.Set the integrity level to be High. （SetTokenInformation)
//--------------------------------------------------------------------------
PTSTR szIntegritySid = "S-1-16-12288"; //high
PSID pIntegritySid = NULL;
TOKEN_MANDATORY_LABEL TIL = {0};
ConvertStringSidToSid(szIntegritySid, &pIntegritySid);
TIL.Label.Attributes = SE_GROUP_INTEGRITY;
TIL.Label.Sid = pIntegritySid;
AmSetTokenInformation(*hRunToken, TokenIntegrityLevel, &TIL,
sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid));
//------------------------------------------------------------------------
5. create the user process （createProcessAsUser）
Through process explorer, the process i created actually becomes high. But
have no admin rights.
Do I miss out any points?
Thans for your help

lancer

2008-06-24 08:21:01 UTC

Permalink

The program runs as a service, and with System rights.

Post by Mounir IDRASSI
Hi,
Does the user whose token is used in CreateProcessAsUser have administrative
rights? If no, then processes created with this function will never have
administrative rights, no matter what you do.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)

Mounir IDRASSI

2008-06-24 08:38:00 UTC

Permalink

Hi,

I think you didn't understand my question/remark. I'm not talking about the
main process who executes the code you are describing. I'm talking about the
owner of the hToken parameter used in the call to the function
CreateProcessAsUser which will create the second process.
As MSDN says, this second process "runs in the security context of the user
represented by the specified token.". So, even if your program has system
rights, the process created with CreateProcessAsUser with inherit the rights
of the token's user. Thus, if the targeted user doesn't have administrative
rights, the created process will not have them neither.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)

Post by lancer
The program runs as a service, and with System rights.

lancer

2008-06-25 11:55:01 UTC

Permalink

Thanks for your reply.
The owner of the hToken is a administrator.
But the process created does not have admin priviliege.
how can we get the admin token?

Post by Mounir IDRASSI
Hi,
I think you didn't understand my question/remark. I'm not talking about the
main process who executes the code you are describing. I'm talking about the
owner of the hToken parameter used in the call to the function
CreateProcessAsUser which will create the second process.
As MSDN says, this second process "runs in the security context of the user
represented by the specified token.". So, even if your program has system
rights, the process created with CreateProcessAsUser with inherit the rights
of the token's user. Thus, if the targeted user doesn't have administrative
rights, the created process will not have them neither.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)

Post by lancer
The program runs as a service, and with System rights.

k***@gmail.com

2014-06-30 06:13:22 UTC

Permalink

Hi Lancer,

Is this problem been solved??

lancer於 2008年6月25日星期三UTC+8下午7時55分01秒寫道：

Post by lancer
Thanks for your reply.
The owner of the hToken is a administrator.
But the process created does not have admin priviliege.
how can we get the admin token?

Post by lancer
The program runs as a service, and with System rights.

Eric Boudrand

2008-06-23 08:35:08 UTC

Permalink

Hi,

Post by lancer
1.Get the session if of the active console user
(WTSGetActiveConsoleSessionId)
2.Get the user's token (WTSQueryUserToken)
3.duplicate the token ((DuplicateTokenEx)
4.Set the integrity level to be High. (SetTokenInformation)
//--------------------------------------------------------------------------
PTSTR szIntegritySid = "S-1-16-12288"; //high
PSID pIntegritySid = NULL;
TOKEN_MANDATORY_LABEL TIL = {0};
ConvertStringSidToSid(szIntegritySid, &pIntegritySid);
TIL.Label.Attributes = SE_GROUP_INTEGRITY;
TIL.Label.Sid = pIntegritySid;
AmSetTokenInformation(*hRunToken, TokenIntegrityLevel, &TIL,
sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid));
//------------------------------------------------------------------------

Do you use AdjustTokenPrivileges() ?

Regards.

Eric

Mounir IDRASSI

2008-06-23 10:03:01 UTC

Permalink

Hi,

MSDN says :
"The AdjustTokenPrivileges function cannot add new privileges to the access
token. It can only enable or disable the token's existing privileges. To
determine the token's privileges, call the GetTokenInformation function."
So, if the user's Token used in （CreateProcessAsUser doesn't have
administrative privileges, AdjustTokenPrivileges can't add it.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)

Post by Eric Boudrand
Hi,

Do you use AdjustTokenPrivileges() ?
Regards.
Eric

Larry Futrell

2008-06-24 15:40:19 UTC

Permalink

Between steps 2 and 3, call GetTokenInformation() with TokenLinkedToken to
get the linked (elevated) token, and remove step 4. The code might be
similar to:

TOKEN_LINKED_TOKEN linkedToken = {0};
/* The token is not elevated, we will build an elevated token for the */
/* user. */
dwSize = sizeof linkedToken;
/* Get the linked token, which is the elevated version of the current */
/* token. */
if (GetTokenInformation(hToken,
TokenLinkedToken,
&linkedToken,
dwSize, &dwSize)) {
/* The linked token is not a primary token, so we create one from it. */
if (DuplicateTokenEx(linkedToken.LinkedToken,
MAXIMUM_ALLOWED,
NULL,
SecurityImpersonation,
TokenPrimary,
&hPrimaryToken)) {

--
Larry Futrell

lancer

2008-06-25 11:48:08 UTC

Permalink

Thanks, i use this way and get the amin token.
But is this way secure?
Is it sure to get admin token?
Can we set the linkedToken?

I find few documents about this area

Post by Larry Futrell

Between steps 2 and 3, call GetTokenInformation() with TokenLinkedToken to
get the linked (elevated) token, and remove step 4. The code might be
TOKEN_LINKED_TOKEN linkedToken = {0};
/* The token is not elevated, we will build an elevated token for the */
/* user. */
dwSize = sizeof linkedToken;
/* Get the linked token, which is the elevated version of the current */
/* token. */
if (GetTokenInformation(hToken,
TokenLinkedToken,
&linkedToken,
dwSize, &dwSize)) {
/* The linked token is not a primary token, so we create one from it. */
if (DuplicateTokenEx(linkedToken.LinkedToken,
MAXIMUM_ALLOWED,
NULL,
SecurityImpersonation,
TokenPrimary,
&hPrimaryToken)) {
--
Larry Futrell

Continue reading on narkive:

Search results for 'How to create an process with administrator privilege from service' (Questions and Answers)

replies

administrator (privalages) rights?

started 2007-08-10 13:12:22 UTC

computers & internet

replies

Im using windows 7 OS . I have only one user (i.e) Administrator account only.. Now i cant able to login?

started 2012-01-17 01:03:38 UTC

security

replies

What is the difference between windows xp service pack 2 and vista?