Start process as a user under elevated rights for Windows

by Salsita Software, 3 May 2013


Transcript of Start process as a user under elevated rights for Windows

Salsita: Start process as a user under elevated rights (for Windows)

Motivation
- The installer does system things under elevated rights
- After installation the installer should start your application, but under user rights

Why all this complexity?! Just call CreateProcess and relax!

OK, let's do it: CreateProcessAsUser(HANDLE hToken, ...)

Approaches
- CreateProcessAsUser-1: get the "admin" token from the "elevated" process
- CreateProcessAsUser-2: the same as CreateProcessAsUser-1, but copy the "rights" from explorer.exe
- ShellExecuteEx
- ShellExecuteEx via explorer.exe

What is the difference, user vs admin?
- Installer process (High), application (Medium)
- First run: install (High), app (High)
- HRESULT hr = ::CoCreateInstance(CLSID_MyUserClass, ...); hr == 0x80040154 (Class not registered)

Application under elevated rights
- The app creates (some) resources under elevated rights
- It can't access COM interfaces registered under user rights (HKCU)

hToken?? Where can I get it?
- Restriction with desktop interaction
- Welcome to Windows security

Plan: prepare user privileges for the "user" process, then start the "user" process with those privileges.

CreateProcessAsUser-1: duplicate our own (elevated) token and lower its integrity label to Medium (UNICODE build assumed; szProcessName is the path of the application to start):

HANDLE hToken = NULL, hNewToken = NULL;
PSID pIntegritySid = NULL;
TOKEN_MANDATORY_LABEL TIL = {0};
STARTUPINFOW si = { sizeof(si) };
PROCESS_INFORMATION pi = {0};
WCHAR wszIntegritySid[20] = L"S-1-16-8192"; // SECURITY_MANDATORY_MEDIUM_RID

OpenProcessToken(GetCurrentProcess(),
    TOKEN_DUPLICATE |
    TOKEN_ADJUST_DEFAULT |
    TOKEN_QUERY |
    TOKEN_ASSIGN_PRIMARY,
    &hToken);

// CreateProcessAsUser needs a primary token, so duplicate ours as one
DuplicateTokenEx(hToken,
    TOKEN_ALL_ACCESS_P,
    NULL,
    SecurityImpersonation,
    TokenPrimary,
    &hNewToken);

ConvertStringSidToSidW(wszIntegritySid, &pIntegritySid);

// Replace only the integrity label; groups and privileges stay as in the admin token
TIL.Label.Attributes = SE_GROUP_INTEGRITY;
TIL.Label.Sid = pIntegritySid;
SetTokenInformation(hNewToken,
    TokenIntegrityLevel,
    &TIL,
    sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid));

CreateProcessAsUserW(hNewToken, szProcessName, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);

Victory!!!! But... ::CoCreateInstance(CLSID_MyUserClass, ...) still gives
hr == 0x80040154 (Class not registered)

CreateProcessAsUser-2
- Get the "admin" token
- Remove the admin privileges (the ones that matter for COM)
- Start the process with the new privileges

Set up user privileges. Which privileges? The full list from winnt.h:

#define SE_CREATE_TOKEN_NAME TEXT("SeCreateTokenPrivilege")
#define SE_ASSIGNPRIMARYTOKEN_NAME TEXT("SeAssignPrimaryTokenPrivilege")
#define SE_LOCK_MEMORY_NAME TEXT("SeLockMemoryPrivilege")
#define SE_INCREASE_QUOTA_NAME TEXT("SeIncreaseQuotaPrivilege")
#define SE_UNSOLICITED_INPUT_NAME TEXT("SeUnsolicitedInputPrivilege")
#define SE_MACHINE_ACCOUNT_NAME TEXT("SeMachineAccountPrivilege")
#define SE_TCB_NAME TEXT("SeTcbPrivilege")
#define SE_SECURITY_NAME TEXT("SeSecurityPrivilege")
#define SE_TAKE_OWNERSHIP_NAME TEXT("SeTakeOwnershipPrivilege")
#define SE_LOAD_DRIVER_NAME TEXT("SeLoadDriverPrivilege")
#define SE_SYSTEM_PROFILE_NAME TEXT("SeSystemProfilePrivilege")
#define SE_SYSTEMTIME_NAME TEXT("SeSystemtimePrivilege")
#define SE_PROF_SINGLE_PROCESS_NAME TEXT("SeProfileSingleProcessPrivilege")
#define SE_INC_BASE_PRIORITY_NAME TEXT("SeIncreaseBasePriorityPrivilege")
#define SE_CREATE_PAGEFILE_NAME TEXT("SeCreatePagefilePrivilege")
#define SE_CREATE_PERMANENT_NAME TEXT("SeCreatePermanentPrivilege")
#define SE_BACKUP_NAME TEXT("SeBackupPrivilege")
#define SE_RESTORE_NAME TEXT("SeRestorePrivilege")
#define SE_SHUTDOWN_NAME TEXT("SeShutdownPrivilege")
#define SE_DEBUG_NAME TEXT("SeDebugPrivilege")
#define SE_AUDIT_NAME TEXT("SeAuditPrivilege")
#define SE_SYSTEM_ENVIRONMENT_NAME TEXT("SeSystemEnvironmentPrivilege")
#define SE_CHANGE_NOTIFY_NAME TEXT("SeChangeNotifyPrivilege")
#define SE_REMOTE_SHUTDOWN_NAME TEXT("SeRemoteShutdownPrivilege")
#define SE_UNDOCK_NAME TEXT("SeUndockPrivilege")
#define SE_SYNC_AGENT_NAME TEXT("SeSyncAgentPrivilege")
#define SE_ENABLE_DELEGATION_NAME TEXT("SeEnableDelegationPrivilege")
#define SE_MANAGE_VOLUME_NAME TEXT("SeManageVolumePrivilege")
#define SE_IMPERSONATE_NAME TEXT("SeImpersonatePrivilege")
#define SE_CREATE_GLOBAL_NAME TEXT("SeCreateGlobalPrivilege")
#define SE_TRUSTED_CREDMAN_ACCESS_NAME TEXT("SeTrustedCredManAccessPrivilege")
#define SE_RELABEL_NAME TEXT("SeRelabelPrivilege")
#define SE_INC_WORKING_SET_NAME TEXT("SeIncreaseWorkingSetPrivilege")
#define SE_TIME_ZONE_NAME TEXT("SeTimeZonePrivilege")
#define SE_CREATE_SYMBOLIC_LINK_NAME TEXT("SeCreateSymbolicLinkPrivilege")

Remove the admin-only ones from the token. SetPrivilege is the presentation's helper around AdjustTokenPrivileges, not a Win32 API; it passes the attribute through, so SE_PRIVILEGE_REMOVED drops the privilege from the token entirely:

SetPrivilege(hToken, SE_CREATE_GLOBAL_NAME, SE_PRIVILEGE_REMOVED);
SetPrivilege(hToken, SE_BACKUP_NAME, SE_PRIVILEGE_REMOVED);
SetPrivilege(hToken, SE_CREATE_PAGEFILE_NAME, SE_PRIVILEGE_REMOVED);
SetPrivilege(hToken, TEXT("SeCreateSymbolicLinkPrivilege"), SE_PRIVILEGE_REMOVED); // same as SE_CREATE_SYMBOLIC_LINK_NAME
SetPrivilege(hToken, SE_DEBUG_NAME, SE_PRIVILEGE_REMOVED);
SetPrivilege(hToken, SE_IMPERSONATE_NAME, SE_PRIVILEGE_REMOVED);
SetPrivilege(hToken, SE_INC_BASE_PRIORITY_NAME, SE_PRIVILEGE_REMOVED);
SetPrivilege(hToken, SE_INCREASE_QUOTA_NAME, SE_PRIVILEGE_REMOVED);
SetPrivilege(hToken, SE_LOAD_DRIVER_NAME, SE_PRIVILEGE_REMOVED);
SetPrivilege(hToken, SE_MANAGE_VOLUME_NAME, SE_PRIVILEGE_REMOVED);
SetPrivilege(hToken, SE_PROF_SINGLE_PROCESS_NAME, SE_PRIVILEGE_REMOVED);
SetPrivilege(hToken, SE_REMOTE_SHUTDOWN_NAME, SE_PRIVILEGE_REMOVED);
SetPrivilege(hToken, SE_RESTORE_NAME, SE_PRIVILEGE_REMOVED);
SetPrivilege(hToken, SE_SECURITY_NAME, SE_PRIVILEGE_REMOVED);
SetPrivilege(hToken, SE_SYSTEM_ENVIRONMENT_NAME, SE_PRIVILEGE_REMOVED);
SetPrivilege(hToken, SE_SYSTEM_PROFILE_NAME, SE_PRIVILEGE_REMOVED);
SetPrivilege(hToken, SE_SYSTEMTIME_NAME, SE_PRIVILEGE_REMOVED);
SetPrivilege(hToken, SE_TAKE_OWNERSHIP_NAME, SE_PRIVILEGE_REMOVED);

Does something change? ::CoCreateInstance now fails with 0x80004002 (No such interface supported). The error code changed!

Short description, in the words of a CodeProject user:

It is incredible that we have to write so much code because the <*!stupid!*> guys at Microsoft did
NOT IMPLEMENT a "runas CurrentUser" !!!

http://www.codeproject.com/Articles/23090/Creating-a-process-with-Medium-Integration-Level-f

Results (CreateProcessAsUser-2)
- "User" process started with MEDIUM integrity level
- "User" process CANNOT start sub-processes
- ::CoCreateInstance(CLSID_MyUserClass, ...) still fails

ShellExecuteEx: launch the application directly (UNICODE build assumed):

SHELLEXECUTEINFOW ExecuteInfo = {0};
ExecuteInfo.cbSize = sizeof(ExecuteInfo);
ExecuteInfo.fMask = 0;
ExecuteInfo.hwnd = 0;
ExecuteInfo.lpVerb = L"open"; // Operation to perform
ExecuteInfo.lpFile = szProcessName; // Application name
ExecuteInfo.lpParameters = 0; // Additional parameters
ExecuteInfo.lpDirectory = 0; // Default directory
ExecuteInfo.nShow = SW_HIDE;
ExecuteInfo.hInstApp = 0;

ShellExecuteExW(&ExecuteInfo);

Results (ShellExecuteEx)
- Process started with MEDIUM integrity level
- Failed to launch child process

ShellExecuteEx via explorer.exe: ask the user's shell to start the application for us, passing the application path as the parameter:

WCHAR windir[MAX_PATH];
GetWindowsDirectoryW(windir, MAX_PATH);
std::wstring ex_dir = windir;
ex_dir += L"\\explorer.exe";

SHELLEXECUTEINFOW ExecuteInfo = {0};
ExecuteInfo.cbSize = sizeof(ExecuteInfo);
ExecuteInfo.fMask = 0;
ExecuteInfo.hwnd = 0;
ExecuteInfo.lpVerb = L"open"; // Operation to perform
ExecuteInfo.lpFile = ex_dir.c_str(); // Application name: explorer.exe
ExecuteInfo.lpParameters = szProcessName; // Additional parameters: the application to start
ExecuteInfo.lpDirectory = 0; // Default directory
ExecuteInfo.nShow = SW_HIDE;
ExecuteInfo.hInstApp = 0;

ShellExecuteExW(&ExecuteInfo);

Results (ShellExecuteEx via explorer.exe)
- "User" process started with MEDIUM integrity level
- "User" process CAN start sub-processes
- ::CoCreateInstance(CLSID_MyUserClass, ...) returns S_OK

ShellExecuteEx via explorer.exe starts a "user" sub-process from an "elevated" process.

The COM class in question is registered per user (HKROOT is HKLM or HKCU), using the ATL registry map:

DECLARE_CLASSFACTORY_EX(SingletonClassFactoryT)
DECLARE_NOT_AGGREGATABLE(Update3COMClassT)
DECLARE_PROTECT_FINAL_CONSTRUCT()

DECLARE_REGISTRY_RESOURCEID_EX(T::registry_res_id())

BEGIN_REGISTRY_MAP()
REGMAP_ENTRY(_T("HKROOT"), T::hk_root()) // HKLM or HKCU
REGMAP_EXE_MODULE(_T("MODULE"))
REGMAP_ENTRY(_T("VERSION"), _T("1.0"))
REGMAP_ENTRY(_T("PROGID"), T::prog_id())
REGMAP_ENTRY(_T("DESCRIPTION"), _T("Update3COMClass"))
REGMAP_UUID(_T("CLSID"), T::class_id())
END_REGISTRY_MAP()

What does "user-registered COM object" mean?
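Why CreateProcessAsUser-1 and -2 above still did not behave like a user process: lowering the integrity label and removing privileges leaves the Administrators group enabled in the token, so it is still an admin token. The following is an added, portable model of that check (example code, not part of the presentation or Win32 code; the SE_GROUP_* and RID constants are the real winnt.h values, the token structs and SIDs are constructed test data):

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Real winnt.h values, restated so this model builds without Windows headers. */
#define SE_GROUP_ENABLED              0x00000004u
#define SE_GROUP_USE_FOR_DENY_ONLY    0x00000010u
#define SECURITY_MANDATORY_MEDIUM_RID 0x2000L
#define ADMINISTRATORS_SID            "S-1-5-32-544" /* BUILTIN\Administrators */

typedef struct { const char *sid; unsigned attributes; } group_t;
/* Minimal token model: integrity label SID plus group list (constructed, not a real token). */
typedef struct { const char *integrity_sid; const group_t *groups; size_t ngroups; } token_t;

/* Integrity RID is the last sub-authority of the S-1-16-* label SID; -1 if malformed. */
long integrity_rid(const char *sid) {
    if (strncmp(sid, "S-1-16-", 7) != 0) return -1;
    char *end;
    long rid = strtol(sid + 7, &end, 10);
    return (*end == '\0' && end != sid + 7) ? rid : -1;
}

/* 0 = no Administrators group, 1 = enabled (elevated), 2 = deny-only (UAC-filtered user token). */
int admin_state(const token_t *t) {
    for (size_t i = 0; i < t->ngroups; i++) {
        if (strcmp(t->groups[i].sid, ADMINISTRATORS_SID) != 0) continue;
        if (t->groups[i].attributes & SE_GROUP_USE_FOR_DENY_ONLY) return 2;
        if (t->groups[i].attributes & SE_GROUP_ENABLED) return 1;
    }
    return 0;
}

/* What the CreateProcessAsUser attempts missed: a Medium label alone does not make a
   "user" token; the Administrators group must also be absent or deny-only. */
int is_user_token(const token_t *t) {
    long rid = integrity_rid(t->integrity_sid);
    return rid >= 0 && rid <= SECURITY_MANDATORY_MEDIUM_RID && admin_state(t) != 1;
}

/* Constructed sample tokens; the user SID is a placeholder. */
static const group_t admin_enabled[]   = { { ADMINISTRATORS_SID, SE_GROUP_ENABLED }, { "S-1-5-21-0-0-0-1001", SE_GROUP_ENABLED } };
static const group_t admin_deny_only[] = { { ADMINISTRATORS_SID, SE_GROUP_USE_FOR_DENY_ONLY }, { "S-1-5-21-0-0-0-1001", SE_GROUP_ENABLED } };
const token_t installer_token = { "S-1-16-12288", admin_enabled, 2 };   /* elevated installer: High */
const token_t lowered_token   = { "S-1-16-8192",  admin_enabled, 2 };   /* attempts 1/2: label lowered, still admin */
const token_t filtered_token  = { "S-1-16-8192",  admin_deny_only, 2 }; /* UAC-filtered token, as the user's explorer.exe has */

int main(void) {
    const token_t *t[] = { &installer_token, &lowered_token, &filtered_token };
    const char *name[] = { "installer", "lowered", "filtered" };
    for (int i = 0; i < 3; i++)
        printf("%-9s rid=0x%lx admin_state=%d user_token=%d\n", name[i],
               integrity_rid(t[i]->integrity_sid), admin_state(t[i]), is_user_token(t[i]));
    return 0;
}
```

On a real system the same facts come from GetTokenInformation with TokenIntegrityLevel and TokenGroups, or from `whoami /groups` inside the launched process.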