
How to create a process with administrator privilege from a service


lancer

Jun 21, 2008, 11:19:00 PM
Now I need to create a process with administrator privileges from a service on
Vista.
By adjusting the integrity level of the user token, the process becomes HIGH.
However, it still has no administrator privileges.

I did it as the following:
1. Get the session id of the active console user (WTSGetActiveConsoleSessionId)
2. Get the user's token (WTSQueryUserToken)
3. Duplicate the token (DuplicateTokenEx)
4. Set the integrity level to High (SetTokenInformation)
//--------------------------------------------------------------------------
#include <windows.h>
#include <sddl.h>      // ConvertStringSidToSid
#pragma comment(lib, "advapi32.lib")

// Set the mandatory label of the duplicated primary token to High integrity.
BOOL SetTokenIntegrityHigh(HANDLE hRunToken)
{
    LPCWSTR szIntegritySid = L"S-1-16-12288"; // High (SECURITY_MANDATORY_HIGH_RID)
    PSID pIntegritySid = NULL;
    TOKEN_MANDATORY_LABEL TIL = {0};
    BOOL ok;
    if (!ConvertStringSidToSidW(szIntegritySid, &pIntegritySid))
        return FALSE;
    TIL.Label.Attributes = SE_GROUP_INTEGRITY;
    TIL.Label.Sid = pIntegritySid;

    ok = SetTokenInformation(hRunToken, TokenIntegrityLevel, &TIL,
                             sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid));
    LocalFree(pIntegritySid); // the SID from ConvertStringSidToSid is LocalAlloc'd
    return ok;
}
//------------------------------------------------------------------------
5. Create the user process (CreateProcessAsUser)

Through Process Explorer, the process I created actually becomes High, but it
has no admin rights.
Did I miss any points?
Thanks for your help.

Mounir IDRASSI

Jun 22, 2008, 7:19:01 PM
Hi,

Does the user whose token is used in CreateProcessAsUser have administrative
rights? If not, then processes created with this function will never have
administrative rights, no matter what you do.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)

Eric Boudrand

Jun 23, 2008, 4:35:08 AM
Hi,

> I did it as the following:
> 1. Get the session id of the active console user (WTSGetActiveConsoleSessionId)
> 2. Get the user's token (WTSQueryUserToken)
> 3. Duplicate the token (DuplicateTokenEx)
> 4. Set the integrity level to High (SetTokenInformation)


> //--------------------------------------------------------------------------
> PTSTR szIntegritySid = "S-1-16-12288"; //high
> PSID pIntegritySid = NULL;
> TOKEN_MANDATORY_LABEL TIL = {0};
>
> ConvertStringSidToSid(szIntegritySid, &pIntegritySid);
> TIL.Label.Attributes = SE_GROUP_INTEGRITY;
> TIL.Label.Sid = pIntegritySid;
>
> SetTokenInformation(*hRunToken, TokenIntegrityLevel, &TIL,
> sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid));
> //------------------------------------------------------------------------

Do you use AdjustTokenPrivileges()?

Regards.

Eric


Mounir IDRASSI

Jun 23, 2008, 6:03:01 AM
Hi,

MSDN says:
"The AdjustTokenPrivileges function cannot add new privileges to the access
token. It can only enable or disable the token's existing privileges. To
determine the token's privileges, call the GetTokenInformation function."
So, if the user's token used in CreateProcessAsUser doesn't have
administrative privileges, AdjustTokenPrivileges can't add them.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)

lancer

Jun 24, 2008, 4:21:01 AM

The program runs as a service, and with System rights.

Mounir IDRASSI

Jun 24, 2008, 4:38:00 AM
Hi,

I think you didn't understand my question/remark. I'm not talking about the
main process that executes the code you are describing. I'm talking about the
owner of the hToken parameter used in the call to the function
CreateProcessAsUser which will create the second process.
As MSDN says, this second process "runs in the security context of the user
represented by the specified token." So, even if your program has system
rights, the process created with CreateProcessAsUser will inherit the rights
of the token's user. Thus, if the targeted user doesn't have administrative
rights, the created process will not have them either.

Larry Futrell

Jun 24, 2008, 11:40:19 AM
lancer wrote:
> Now I need to create a process with administrator privileges from a
> service on Vista.
> By adjusting the integrity level of the user token, the process becomes HIGH.
> However, it still has no administrator privileges.
>
> I did it as the following:
> 1. Get the session id of the active console user
> (WTSGetActiveConsoleSessionId)
> 2. Get the user's token (WTSQueryUserToken)
> 3. Duplicate the token (DuplicateTokenEx)
> 4. Set the integrity level to High (SetTokenInformation)

Between steps 2 and 3, call GetTokenInformation() with TokenLinkedToken to
get the linked (elevated) token, and remove step 4. The code might be
similar to:

#include <windows.h>

/* Given the (filtered) token from WTSQueryUserToken, return the linked */
/* elevated token as a primary token usable with CreateProcessAsUser, */
/* or NULL on failure. */
HANDLE GetElevatedPrimaryToken(HANDLE hToken)
{
    TOKEN_LINKED_TOKEN linkedToken = {0};
    HANDLE hPrimaryToken = NULL;
    DWORD dwSize = sizeof linkedToken;

    /* The token is not elevated, we will build an elevated token for the */
    /* user. Get the linked token, which is the elevated version of the */
    /* current token. */
    if (GetTokenInformation(hToken,
                            TokenLinkedToken,
                            &linkedToken,
                            dwSize, &dwSize)) {
        /* The linked token is not a primary token, so we create one from it. */
        if (!DuplicateTokenEx(linkedToken.LinkedToken,
                              MAXIMUM_ALLOWED,
                              NULL,
                              SecurityImpersonation,
                              TokenPrimary,
                              &hPrimaryToken)) {
            hPrimaryToken = NULL;
        }
        CloseHandle(linkedToken.LinkedToken);
    }
    return hPrimaryToken;
}

--
Larry Futrell
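The following is an added example of my own, not code posted in this thread, that puts lancer's five steps and Larry's linked-token fix together in one program a service could run. It takes the console user's token, looks at TokenElevationType to decide whether a linked (full) token exists, duplicates the right token into a primary token, and only then calls CreateProcessAsUser. Two things the thread argues about are checked rather than assumed: TokenIsAdmin uses CheckTokenMembership to confirm BUILTIN\Administrators is actually enabled in the token (a UAC-filtered token carries the group "for deny only", which is why the High-integrity relabelling in step 4 never gave admin rights), and a user who is not an administrator gets a refusal instead of a process that merely looks elevated. It assumes a LocalSystem service on Vista or later with a user logged on at the console; the file name launch_elevated.c and the function names TokenIsAdmin, GetElevatedUserToken and LaunchAsUser are mine. One caveat for anyone deploying this: a service that starts elevated processes on request is an elevation path that skips the UAC consent prompt, so the trigger (control pipe, RPC interface, whatever it is) must itself be restricted to administrators.

```c
/* Added example, not code from the thread. Vista or later; MSVC: cl launch_elevated.c */
#define _WIN32_WINNT 0x0600
#include <windows.h>
#include <wtsapi32.h>
#include <userenv.h>
#include <stdio.h>
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "wtsapi32.lib")
#pragma comment(lib, "userenv.lib")

/* TRUE only if BUILTIN\Administrators is present and enabled. A UAC-filtered token
 * lists it "for deny only", which CheckTokenMembership ignores, so the filtered
 * token yields FALSE and its linked token yields TRUE. */
static BOOL TokenIsAdmin(HANDLE hToken)
{
    SID_IDENTIFIER_AUTHORITY nt = SECURITY_NT_AUTHORITY;
    PSID adminSid = NULL;
    HANDLE hImp = NULL;   /* CheckTokenMembership requires an impersonation token */
    BOOL member = FALSE;
    if (!AllocateAndInitializeSid(&nt, 2, SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &adminSid))
        return FALSE;
    if (DuplicateToken(hToken, SecurityIdentification, &hImp)) {
        CheckTokenMembership(hImp, adminSid, &member);
        CloseHandle(hImp);
    }
    FreeSid(adminSid);
    return member;
}

/* Steps 1-3 of the post with the linked-token fix in place of step 4. Returns a
 * primary token with full admin rights, or NULL. Needs SeTcbPrivilege (LocalSystem
 * has it): WTSQueryUserToken requires it, and without it the linked token comes
 * back at identification level and cannot be duplicated into a primary token. */
static HANDLE GetElevatedUserToken(void)
{
    DWORD sessionId = WTSGetActiveConsoleSessionId();
    HANDLE hUser = NULL, hElevated = NULL, hPrimary = NULL;
    TOKEN_ELEVATION_TYPE elevType;
    TOKEN_LINKED_TOKEN linked = {0};
    DWORD cb = 0;
    if (sessionId == 0xFFFFFFFF || !WTSQueryUserToken(sessionId, &hUser))
        return NULL;                                  /* nobody at the console */
    if (!GetTokenInformation(hUser, TokenElevationType, &elevType, sizeof elevType, &cb)) {
        CloseHandle(hUser);
        return NULL;
    }
    if (elevType == TokenElevationTypeLimited) {
        /* Filtered admin token, the normal case under UAC: the full token hangs off it
         * as the linked token and already carries High integrity; no relabelling needed. */
        if (GetTokenInformation(hUser, TokenLinkedToken, &linked, sizeof linked, &cb))
            hElevated = linked.LinkedToken;
        CloseHandle(hUser);
    } else {
        hElevated = hUser;   /* Full: already elevated; Default: no split token */
    }
    if (hElevated) {
        /* The linked token is an impersonation token; CreateProcessAsUser needs a primary one. */
        if (!DuplicateTokenEx(hElevated, MAXIMUM_ALLOWED, NULL, SecurityImpersonation,
                              TokenPrimary, &hPrimary))
            hPrimary = NULL;
        CloseHandle(hElevated);
    }
    /* A non-administrator has nothing to elevate to: refuse rather than return a token that only looks elevated. */
    if (hPrimary && !TokenIsAdmin(hPrimary)) {
        CloseHandle(hPrimary);
        hPrimary = NULL;
    }
    return hPrimary;
}

/* Step 5: start cmdLine on the console user's desktop with the user's own environment. */
static BOOL LaunchAsUser(HANDLE hPrimary, LPWSTR cmdLine)
{
    STARTUPINFOW si = { sizeof si };
    PROCESS_INFORMATION pi = {0};
    WCHAR desktop[] = L"winsta0\\default";
    LPVOID env = NULL;
    BOOL ok;
    si.lpDesktop = desktop;
    if (!CreateEnvironmentBlock(&env, hPrimary, FALSE))   /* not the service's SYSTEM env */
        return FALSE;
    ok = CreateProcessAsUserW(hPrimary, NULL, cmdLine, NULL, NULL, FALSE,
                              CREATE_UNICODE_ENVIRONMENT, env, NULL, &si, &pi);
    DestroyEnvironmentBlock(env);
    if (ok) { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); }
    return ok;
}

int main(void)
{
    /* Constructed demo: "whoami /groups" in the new process shows Administrators enabled, not "deny only". */
    WCHAR cmd[] = L"C:\\Windows\\System32\\cmd.exe /k whoami /groups";
    HANDLE hTok = GetElevatedUserToken();
    BOOL ok = hTok && LaunchAsUser(hTok, cmd);
    if (!ok) fprintf(stderr, "launch failed, error %lu\n", GetLastError());
    if (hTok) CloseHandle(hTok);
    return ok ? 0 : 1;
}
```

Run it from a service (or from a SYSTEM shell for a quick test) while an administrator is logged on at the console: the cmd window that appears should list BUILTIN\Administrators as "Mandatory group, Enabled" with a High Mandatory Level label. Log on as a standard user instead and GetElevatedUserToken returns NULL, which is Mounir's point in code: there is no admin token to be had, and nothing done to the integrity label changes that.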


lancer

Jun 25, 2008, 7:48:08 AM
Thanks, I use this way and get the admin token.
But is this way secure?
Is it sure to get the admin token?
Can we set the linkedToken?

I find few documents about this area

lancer

Jun 25, 2008, 7:55:01 AM

Thanks for your reply.
The owner of the hToken is an administrator.
But the process created does not have admin privileges.
How can we get the admin token?

kaiwe...@gmail.com

Jun 30, 2014, 2:13:22 AM
Hi Lancer,

Has this problem been solved?

On Wednesday, June 25, 2008 at 7:55:01 PM UTC+8, lancer wrote: