Comments (3)
Hi @sommmen during my research I was exploring a problem similar to what you are describing. Per your question I have some bad news, but also some good.
For some background, in Windows, to access a process that your current user does not own, your process, or rather your process's primary token, needs to have SeDebugPrivilege enabled. This privilege allows your process to call OpenProcess on any non-protected process. This privilege, due to the access rights that it allows, is by default restricted to administrative users due to security concerns. That said, if a non-privileged user is somehow able to get access to a privileged token and attempts to impersonate it, Windows has a second layer of defense mechanisms. It will downgrade the token from being able to impersonate the user to only being able to identify the user (source). Any attempt to create a process with an identification token will create the process under your original context, i.e. not impersonated.
Okay, good news time: what you are attempting to do can be done, albeit in a different way. The most straightforward solution I have seen implemented was by creating a service that runs as an administrator or SYSTEM that handles the privileged operations. The service can then be set to start automatically and handle any operations from there. As SYSTEM the service should be able to accomplish most privileged tasks without issue.
How I learned about Windows authentication? I spend A LOT of time trying to make Windows do things that are not intended functionality and seeing what works and doesn't through trial and error. The reference guide that I have that is the most comprehensive are the Microsoft books, Windows Internals Part 1 and Part 2. Thanks for the blog suggestion, I'll look at making one on impersonation levels.
from tokenvator.
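Added example, not part of the comment above and not Tokenvator code: a small C# diagnostic, using only `System.Security.Principal`, that reports which impersonation level the calling thread's token actually has, which is the downgrade the reply describes. The class and method names (`TokenCheck`, `Describe`) are hypothetical.

```csharp
using System;
using System.Security.Principal;

static class TokenCheck   // hypothetical helper name
{
    // Summarises what the given identity can be used for on this thread.
    public static string Describe(WindowsIdentity id)
    {
        TokenImpersonationLevel level = id.ImpersonationLevel;
        string usable;
        switch (level)
        {
            case TokenImpersonationLevel.None:
                usable = "primary token, no impersonation in effect";
                break;
            case TokenImpersonationLevel.Anonymous:
            case TokenImpersonationLevel.Identification:
                usable = "identity can be queried but not acted as";
                break;
            default: // Impersonation or Delegation
                usable = "thread can act as this user";
                break;
        }

        // Skip the group check for anonymous tokens, which carry no usable identity.
        string admin = level == TokenImpersonationLevel.Anonymous
            ? "n/a"
            : new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator).ToString();

        return id.Name + ": level=" + level + ", Administrators enabled=" + admin + ", " + usable;
    }

    static void Main()
    {
        // GetCurrent(true) returns null unless the calling thread is impersonating.
        using (WindowsIdentity thread = WindowsIdentity.GetCurrent(true))
        using (WindowsIdentity effective = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine(thread == null
                ? "thread token : not impersonating"
                : "thread token : " + Describe(thread));
            Console.WriteLine("effective id : " + Describe(effective));
        }
    }
}
```

Calling `Describe` before and after an impersonation call shows whether the thread ended up with an Identification-level token or a full Impersonation-level one.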
As I slightly expected, starting a process whilst impersonating an admin did not give me elevated status.
```csharp
private static void Test3()
{
    // Identity before impersonation
    printWindowsUser();

    var ui = new ImpersonateUser();
    var userName = "Admin"; //a local admin
    ui.Impersonate("localhost", userName, PwString);

    // Identity while impersonating
    printWindowsUser();

    var proc = new System.Diagnostics.Process();
    proc.StartInfo.UseShellExecute = false;
    proc.StartInfo.FileName = "cmd.exe";
    // Note: Verb is only honored when UseShellExecute is true
    proc.StartInfo.Verb = "runas";
    proc.Start();
    proc.WaitForExit();

    // Revert to the original identity
    ui.Undo();
}
```
from tokenvator.
Thanks for taking time out of your day to respond, it is much appreciated.
I already suspected I would need a service to solve this properly. I assume that upon restart this does not prompt for elevation - because that would break the solution as well.
Right now I made some code that works, although it spawns 3 different processes:
- The exe opens under a local user
- The exe runs the exe as a different user
- The exe runs the exe (for testing it is with 'runas' to elevate)
The built-in Administrator account has to be reactivated, because this silently bypasses UAC.
This is however a) super dirty - spawning 2 unnecessary processes and b) a security concern, since I need the built-in Administrator account (disabled by default) and I need to store the login information on the computer for this account. The lock screen also displays this account by default and there is no way to hide this simply (you can only turn off seeing all accounts - not a particular one).
I tried this before taking the service approach as a partner claimed that the service control manager runs a tight ship and that it would mean some difficulties. Also debugging seems harder and I would need some killer error handling - handling exceptions in services seems tricky as well. And I would of course need a UI app that communicates with the service as you described.
from tokenvator.