Geek Answers Handbook

CreateProcessAsUser and LogonUser without password

Using WTSGetActiveConsoleSessionId and WTSQueryUserToken, I know that a service running as SYSTEM starts an application on the current desktop without using a password. Is running CreateProcessAsUser without the need for a password for LogonUser if the program starting the process has sufficient privileges?

EDIT 1 . The situation is vaguely similar to this instance , but I need to be able to start the process as a user, regardless of whether they are currently logged into the system.

+4
source share
3 answers

There is the possibility of using the undocumented NtCreateToken function; I think this sample project uses it. In addition, this is not possible.

+1
source

Depending on the token you are trying to fake, you will need certain privileges, in particular TCB. Services have this. An example is Nebett's Windows NT / 2000 API Reference.

However, services that create a process as SYSTEM on the current desktop are not so easy with Vista. Improved session separability is important here. However, you could impersonate the user at the other end of the pipe, and the current thread should be able to act as that user (e.g. SYSTEM).

0
source

Theoretically, at least you can implement your own authentication package and then use it to create a suitable token.

Another possible option, depending on your specific requirements, is to use the SidsToRestrict and PrivilegesToDelete option of the CreateRestrictedToken function along with SetTokenInformation to create a modified derivative of your own token.

However, I would not trust this approach if you intend to run untrusted code: I'm not quite sure that it would not be enough for a brilliant attacker to use such a token to attack the parent process or other privileged processes. (In particular, I'm not sure if you can create a new login session and assign it to a limited token, this may not be the only problem.)

0
source

More articles:


All Articles