Launching an administrative interactive process when a standard user is logged on
I have a system service which creates a helper interactive process as administrator so that it can access some desktop-related resources, including the BlockInput() function and NVIDIA's NVAPI functions, which cannot be run from a service. When the logged on user was a member of Administrators, the following worked:

  1. Set privilege levels, including SE_TCB_NAME
  2. Get active session ID with WTSGetActiveConsoleSessionId()
  3. Get logged on user from session ID with WTSQueryUserToken()
  4. GetTokenInformation() with TokenLinkedToken
  5. DuplicateTokenEx() with SecurityImpersonation
  6. Launch process with CreateProcessAsUser()

However, when I have the current logged on session be a standard user instead of one in Administrators, step 4. fails, presumably because the standard user doesn't have an administrative level token linked with it. What's the solution here? I assume I need to get the token of one of the administrator users, but how do I do that? And if that user is not the logged on one, can it still access functionality interactive with the current desktop?

Teletypewriter answered 13/1, 2014 at 18:9 Comment(11)
Have you tried duplicating the NT Authority\SYSTEM user token from the csrss instance in the target user session? This should work on XP/7, but I haven't tried it on 8 yet. - Peignoir
Can I duplicate the token of a known administrators-member user? I noticed that when UAC is invoked for that user during interactive use of the desktop from the standard user account, I get asked to provide the password for the known administrator-level account, which makes me hopeful that account can interact with the desktop even though the logged in user is the standard user. - Teletypewriter
@DisplayName: you can't duplicate a token without having a token to duplicate. Unless an administrator is logged in, there won't be one. But whatever you do, it's going to be risky ... BlockInput doesn't require admin access, do the NVAPI functions? - Couperin
It should be possible to duplicate your own token, then change the session on the duplicated token to put it into the interactive session. I think that SYSTEM has sufficient privileges by default to run in the interactive session, so hopefully you wouldn't need to mess with the window station or desktop permissions. - Couperin
@hyru: I don't think it should be necessary to go searching for the right csrss process, you should be able to duplicate your own token and then change the session on the duplicate. - Couperin
I thought I've read that running as SYSTEM in an interactive session is discouraged, and for the same reason, services are not normally interactive. In any case, how do I change the session on the duplicate? - Teletypewriter
Use SetTokenInformation to change the session id. - Peignoir
Thanks. I'd still like to know how to get the token of the other user, which is in administrators. Any suggestion? By the way, when I try BlockInput() from non-administrator, it runs but doesn't actually block input, at least on my system (Win7 x64). - Teletypewriter
If I call LogonUser() with an administrator's credentials, would that actually log in the admin user into the current session? - Teletypewriter
I tried LogonUser(), which doesn't fail and gives me a token, which I can use in CreateProcessAsUser(), like before. However, something is seriously wrong. I didn't change any of the parameters of CreateProcessAsUser() from what I was doing before with the linked elevated token of an admin user, but now as soon as the created process tries to access the lpCmdLine parameter of its WinMain(), it immediately crashes--even when I'm only trying to check if it's null. I can't begin to guess what's going on... - Teletypewriter
Found the solution in 1.B. at blogs.msdn.com/b/winsdk/archive/2009/07/14/… but ended up just adjusting the session ID of a token duplicated from the service's own because the alternative is quite a bit more involved. If either Harry or hyru post as an answer to this question, I'll mark it as an answer. - Teletypewriter
You can duplicate your own token, then change the session on the duplicated token using the SetTokenInformation function to put it into the interactive session.

As you note, running as SYSTEM in an interactive session is discouraged because it gives the interactive user openings to attack your process, potentially gaining elevated privileges. (Search for "shatter attack" for more information.) However, this concern applies equally well to a process running as an administrative user in a non-administrative user's session.

Ideally, you should use a non-administrative process in the interactive session, to perform functions which require an interactive session, while using the service to perform functions which require administrative privilege. There shouldn't be any functions that require both, but if NVAPI breaks this rule, there's not much you can do about it.

Consider launching the process into a specially created (and appropriately secured) workstation in the interactive user's session in order to minimize this risk.

Couperin answered 15/1, 2014 at 1:21 Comment(1)
Thanks. I've used CreateDesktop() to avoid shatter attacks (that also seems to not run from the service, so offloaded to this helper process). The helper process doesn't present any interface to the user, so it seems to be safe. The user-facing process is sandboxed and on another desktop. - Teletypewriter
