Win32: UAC bypass using user / password

I am looking for a way to increase the privileges of a thread or process without popping up a UAC. The user who runs this process is admin, and I have his username and password.

I need to do this in order to do some administrative things, such as restarting the service and writing files to system directories. My application starts remotely and there is no interactive user to confirm the UAC dialog. Disabling UAC is not an option.

I tried to intercept LogonUser(), ImpersonateLoggedOnUser(), CreateProcessAsUser() and DuplicateTokenEx() for most of two days, but could not figure out the right combination, or whether it is possible at all.


In particular, I tried this:

    #include <windows.h>

    HANDLE token = 0;
    LogonUserA(user, NULL, pass, LOGON32_LOGON_NETWORK_CLEARTEXT,
               LOGON32_PROVIDER_DEFAULT, &token);

    HANDLE impToken = 0;
    DuplicateToken(token, SecurityImpersonation, &impToken);
    ImpersonateLoggedOnUser(impToken);

    /* this is the call that fails with error 1346 */
    CreateFileA("C:\\windows\\blabla.dll", GENERIC_WRITE, 0, NULL,
                CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);

The last call fails with GetLastError() = 1346: "Either the required impersonation level was not provided, or the provided impersonation level is invalid."

What am I doing wrong?
Note: this runs on Win2008 R2.

+4
4 answers

You won't get anywhere trying to log in as this or that user. The problem is not the user but the context in which you request an administrative privilege. Even administrators must accept the UAC prompt.

If you could, it would completely defeat the UAC concept. As long as the session is interactive (and, on Win7, the program is not on Windows' own list, such as the Services applet), you cannot bypass the prompt.

As others have said, the usual solution is to write a service and have the interactive application talk to it using a standard IPC mechanism, such as named pipes. Beware, however, of the security descriptors required when creating your IPC object at both ends: the user contexts differ between the service and the interactive application.

+4

A commonly suggested solution when you need to bypass UAC is to write a service. The service runs with full privileges, and your application asks it to perform the actions.

+2
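The service-plus-named-pipe design recommended in the two answers above, as an added example that is not from the original thread. It is written for Windows PowerShell 5.1 (.NET Framework pipe classes); the pipe name, the Spooler service as the one permitted operation, and LocalSystem as the service account are assumptions.

```powershell
# Added example, not from the original thread. Assumptions: Windows PowerShell 5.1,
# the service runs as LocalSystem; pipe name and the single permitted operation are made up.
$PipeName   = 'AdminHelperPipe'
# Allow-list: the service never executes commands sent over the pipe, only these named ops.
$AllowedOps = @{ 'restart-spooler' = { Restart-Service -Name Spooler } }

function New-RestrictedPipeSecurity {
    # Explicit DACL instead of the default one (which differs between the service's context
    # and the user's): authenticated users may connect, only LocalSystem gets full control.
    $sec   = New-Object IO.Pipes.PipeSecurity
    $users = New-Object Security.Principal.SecurityIdentifier ([Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
    $sys   = New-Object Security.Principal.SecurityIdentifier ([Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
    $sec.AddAccessRule((New-Object IO.Pipes.PipeAccessRule ($users, [IO.Pipes.PipeAccessRights]::ReadWrite, 'Allow')))
    $sec.AddAccessRule((New-Object IO.Pipes.PipeAccessRule ($sys, [IO.Pipes.PipeAccessRights]::FullControl, 'Allow')))
    return $sec
}

function Start-AdminPipeServer {
    # Service side (already privileged): serve one request, act only on allow-listed ops.
    $server = New-Object IO.Pipes.NamedPipeServerStream ($PipeName, [IO.Pipes.PipeDirection]::InOut, 1,
        [IO.Pipes.PipeTransmissionMode]::Message, [IO.Pipes.PipeOptions]::None, 4096, 4096, (New-RestrictedPipeSecurity))
    $server.WaitForConnection()
    $reader = New-Object IO.StreamReader ($server)
    $writer = New-Object IO.StreamWriter ($server); $writer.AutoFlush = $true
    $op     = $reader.ReadLine()
    $caller = $server.GetImpersonationUserName()   # who is on the other end of the pipe
    if ($op -and $AllowedOps.ContainsKey($op)) {
        & $AllowedOps[$op]                          # runs under the service's token, no UAC prompt
        $writer.WriteLine("ok: $op requested by $caller")
    } else {
        $writer.WriteLine("denied: unknown op '$op' requested by $caller")
    }
    $server.Dispose()
}

function Invoke-AdminOp([string]$Op) {
    # Client side (unelevated app). Identification level lets the service learn who is
    # calling without being able to impersonate the caller.
    $client = New-Object IO.Pipes.NamedPipeClientStream ('.', $PipeName, [IO.Pipes.PipeDirection]::InOut,
        [IO.Pipes.PipeOptions]::None, [Security.Principal.TokenImpersonationLevel]::Identification)
    $client.Connect(5000)
    $writer = New-Object IO.StreamWriter ($client); $writer.AutoFlush = $true
    $writer.WriteLine($Op)
    $reply = (New-Object IO.StreamReader ($client)).ReadLine()
    $client.Dispose()
    return $reply
}
```

Start-AdminPipeServer is what the service's worker would run in a loop; the interactive application calls Invoke-AdminOp 'restart-spooler' and gets back either the "ok" line or a "denied" line.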

I believe you can use the Task Scheduler to get around the UAC prompt. I found a set of instructions here: http://www.vikitech.com/253/create-shortcuts-for-trusted-programs-to-bypass-windows-7-uac-check

It will take some work, but it can certainly be achieved in code.

+1

The problem is that you specified an invalid impersonation level value (the SecurityImpersonation variable). It must be the "magic number" 2.

+1

Source: https://habr.com/ru/post/1396676/
