Create a regular process from the admin process

Question

Create a regular process from the admin process

Is there a way to start another normal rights process from a process running as an administrator? From an elevated process, I want to start a process with ordinary rights, such as it was launched from Explorer. I tried impersonation, but I did not work.

+2

winapi

Alex Feb 05 '10 at 10:57

source share

6 answers

Hans passant · Answer 1 · 2010-02-05T12:11:25+0000

Use CreateProcessAsUser () . See the related SDK docs for details.

Anders · Answer 2 · 2010-02-06T12:54:46+0000

No, this is not possible (There are several hacker ways to do this (Inject in explorer, task scheduler, SaferAPI + MediumIL, etc.), but none of them work in all scenarios)

Leo davidson · Answer 3 · 2010-02-24T12:03:39+0000

This seems like a good way to do this if you don't like situations where the shell is not running (for example, maybe some installations are only for Terminal Services, maybe although I'm not sure):

http://brandonlive.com/2008/04/27/getting-the-shell-to-run-an-application-for-you-part-2-how/

It receives an interface to Explorer.exe, which should work in the normal context of the user, and asks Explorer to execute a command on its behalf. This is done only using simple documented COM interfaces and without the need to tinker with process tokens or code / DLL injections.

Adrian mccarthy · Answer 4 · 2014-11-10T18:59:04+0000

The method I have used successfully is to use IShellDispatch2 :: ShellExecute to ask Explorer to start this process. Because Explorer usually works like regular integrity, this is effective. The trick is that it is a little work to get the IShellDispatch2 object. I followed the process described in this blog .

jojo · Answer 5 · 2010-02-05T11:22:55+0000

on linux you can use setuid to change the program user id

for windows you can look at it: https://serverfault.com/questions/16886/is-there-an-equivalent-of-su-for-windows

Harry johnston · Answer 6 · 2014-11-08T22:03:13+0000

If at all possible, use Larry Osterman's solution instead (in the comments on Anders' answer), i.e. the parent process that runs without promotion, and from there run both the elevated process and the non-extended process.

If this is not possible, there is an approach that should work in almost all cases, although this is usually more of a problem than it costs:

Install and run the system service configured to work as a local system. Give it the remote desktop session identifier, for example, using a command line argument or a registry setting, as well as the process identifier and command line that you want to run.
From the system service, use GetTokenInformation with TokenLinkedToken to get the associated token from the target process. You have to do this from the system service because you need SE_TCB_NAME to get the useful token. (This limitation does not seem to be documented, but is consistent with the behavior of tokens on Windows.)
Or, if there is no bound token, use WTSQueryUserToken to get a copy of the user's token. I believe this always gives you a limited token (if one exists), but if you want to be safe, you can check if it is a raised or limited token using GetTokenInformation and TokenElevationType; if it is an elevated token, you can use TokenLinkedToken to get limited.
If there is no associated token (TokenElevationTypeDefault), you should use the token as is. This can happen either because the user is not an administrator, or because the UAC is disabled, either globally, or because the user is logged in using the built-in administrator account. If the user is not an administrator, then the token is already suitable. If UAC is disabled, you must comply with the user's intent and use an administrative token.
You can then use CreateProcessAsUser or CreateProcessWithTokenW from the system service to start a new process.
Finally, the service must remove itself and stop.

There is at least one edge case: if your elevated process starts from the command line (or another process) that was started using runas and non-administrative credentials. In this case, there is no separation token, and the original token may already have been deleted, so if you didn’t capture the copy before the mark was made (Larry’s solution or its variants), there is no general way to start the child process in the same user context. from which the elevated process was originally launched. The best you can do is the context of the registered user (via WTSQueryUserToken, as described above), which may not correspond to the behavior that the end user expected. (This may, however, be an acceptable limitation, depending on the scenario.)

Create a regular process from the admin process

More articles: