
Question about tokenvator [CLOSED]

0xbadjuju commented on July 28, 2024
Question


Comments (3)

0xbadjuju commented on July 28, 2024

Hi @sommmen, during my research I was exploring a problem similar to what you are describing. Per your question, I have some bad news, but also some good.

For some background, in Windows, to access a process that your current user does not own, your process, or rather your process's primary token, needs to have SeDebugPrivilege enabled. This privilege allows your process to call OpenProcess on any non-protected process. This privilege, due to the access rights that it allows, is by default restricted to administrative users due to security concerns. That said, if a non-privileged user is somehow able to get access to a privileged token and attempts to impersonate it, Windows has a second layer of defense mechanisms. It will downgrade the token from being able to impersonate the user to only being able to identify the user (source). Any attempt to create a process with an identification token will create the process under your original context, i.e. not impersonated.

Okay, good news time: what you are attempting to do can be done, albeit in a different way. The most straightforward solution I have seen implemented was creating a service that runs as an administrator or SYSTEM that handles the privileged operations. The service can then be set to start automatically and handle any operations from there. As SYSTEM, the service should be able to accomplish most privileged tasks without issue.

How did I learn about Windows authentication? I spend A LOT of time trying to make Windows do things that are not intended functionality and seeing what works and doesn't through trial and error. The most comprehensive reference guides I have are the Microsoft books, Windows Internals Part 1 and Part 2. Thanks for the blog suggestion, I'll look at making one on impersonation levels.


sommmen commented on July 28, 2024

As I slightly expected, starting a process whilst impersonating an admin did not give me elevated status.

```csharp
private static void Test3()
{
    printWindowsUser();                 // helper from the poster's project: prints the current Windows user (assumed)
    var ui = new ImpersonateUser();     // helper wrapping LogonUser / WindowsIdentity.Impersonate (assumed)
    var userName = "Admin";             // a local admin
    ui.Impersonate("localhost", userName, PwString);   // PwString: the account password, defined elsewhere

    printWindowsUser();

    var proc = new System.Diagnostics.Process();
    proc.StartInfo.UseShellExecute = false;
    proc.StartInfo.FileName = "cmd.exe";
    proc.StartInfo.Verb = "runas";      // note: Verb is only honoured when UseShellExecute is true
    proc.Start();
    proc.WaitForExit();

    ui.Undo();
}
```


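The impersonation-level check behind the first reply, and the reason the test above does not produce an elevated child, as an added example (not code from the tokenvator project or from either poster): it reports what the thread actually holds after impersonation and shows that a child started with Process.Start() still runs under the process's primary token, because CreateProcess ignores the thread's impersonation token. The account name and password are placeholders.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

// Added example, not from the tokenvator project or the thread.
static class TokenLevelCheck
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUserW(string user, string domain, string password,
                                  int logonType, int logonProvider, out IntPtr token);

    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Name, impersonation level (None for a primary token) and whether the
    // token carries the Administrators group; a UAC-filtered token will not.
    static string Describe(WindowsIdentity id) =>
        $"{id.Name} level={id.ImpersonationLevel} " +
        $"admin={new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator)}";

    static void Main()
    {
        Console.WriteLine("before: " + Describe(WindowsIdentity.GetCurrent()));

        // Placeholder credentials for a local account; "." means the local machine.
        if (!LogonUserW("Admin", ".", "<password>", LOGON32_LOGON_INTERACTIVE,
                        LOGON32_PROVIDER_DEFAULT, out IntPtr raw))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());

        using (var token = new SafeAccessTokenHandle(raw))
        {
            WindowsIdentity.RunImpersonated(token, () =>
            {
                var me = WindowsIdentity.GetCurrent();
                Console.WriteLine("during: " + Describe(me));
                if (me.ImpersonationLevel != TokenImpersonationLevel.Impersonation)
                    Console.WriteLine("Identification-level token: cannot act as this user");

                // CreateProcess ignores the thread's impersonation token, so the
                // child reports the process's original user, not the impersonated one.
                using (var p = Process.Start(new ProcessStartInfo("whoami") { UseShellExecute = false }))
                    p.WaitForExit();
            });
        }
        Console.WriteLine("after:  " + Describe(WindowsIdentity.GetCurrent()));
    }
}
```

If "during" prints level=Impersonation but whoami still prints the original user, the block is the primary token, not the impersonation level, which is the case the first reply's service-based approach avoids.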

sommmen commented on July 28, 2024

Thanks for taking time out of your day to respond, it is much appreciated.

I already suspected I would need a service to solve this properly. I assume that upon restart this does not prompt for elevation - because that would break the solution as well.

Right now I have some code that works, although it spawns 3 different processes:

  1. The exe opens under a local user
  2. The exe runs the exe as a different user
  3. The exe runs the exe (for testing, with 'runas' to elevate)

The built-in Administrator account has to be reactivated, because this silently bypasses UAC.

This is however a) super dirty, spawning 2 unnecessary processes, and b) a security concern, since I need the built-in Administrator account (disabled by default) and I need to store the login information for this account on the computer. The lock screen also displays this account by default and there is no simple way to hide it (you can only turn off seeing all accounts, not a particular one).

I tried this before taking the service approach, as a partner claimed that the service control manager runs a tight ship and that it would mean some difficulties. Also, debugging seems harder and I would need some killer error handling; handling exceptions in services seems tricky as well. And I would of course need a UI app that communicates with the service, as you described.

