
I'm getting an error from my CreateProcessAsUser call. It says "The requested operation requires elevation." I thought I had given it the highest privilege I could. Can anyone help? Thanks.

My code is as follows:

            // Fragment from the middle of a function: it locates winlogon.exe in the
            // active console session, duplicates that process's token and starts Path
            // with the copy on WinSta0\Default. The if(...) wrappers around most calls
            // appear to have been stripped for posting, which is presumably why
            // statements lack semicolons and stray ')' / '}' remain.
            // NOTE(review): winlogon.exe normally runs as SYSTEM, so the child gets a
            // SYSTEM token, not the logged-on user's. A SYSTEM process that owns windows
            // on the interactive desktop is reachable by anything the user runs there;
            // use the user's own token unless SYSTEM is genuinely required.
            activeSessionId = WTSGetActiveConsoleSessionId();//session id currently attached to the physical console
            // NOTE(review): hProcessSnap is never passed to CloseHandle in the code shown.
            hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );//take a snapshot of all processes in the system

            pe32.dwSize = sizeof(PROCESSENTRY32);
            // NOTE(review): the result is not checked here; if it fails, pe32 holds no
            // valid entry when the loop below reads it.
            Process32First(hProcessSnap, &pe32)

            do//iterate through all processes
            {   
                // NOTE(review): the match is on the image name only; any process in the
                // session that is named winlogon.exe would satisfy it.
                if(_wcsicmp(pe32.szExeFile, L"winlogon.exe") == 0)//narrow down to processes called "winlogon.exe"
                {
                    if (ProcessIdToSessionId(pe32.th32ProcessID, &peSessionID)
                    && peSessionID == activeSessionId)//keep only the winlogon instance that belongs to the active console session
                    {
                        winlogonPID = pe32.th32ProcessID;
                        break;
                    }
                }
            }while( Process32Next( hProcessSnap, &pe32 ) );

            dwCreationFlags = (NORMAL_PRIORITY_CLASS|CREATE_NEW_CONSOLE);

            // NOTE(review): if no process matched, winlogonPID still holds whatever it
            // had before the loop. PROCESS_ALL_ACCESS is far more than the next call
            // needs; OpenProcessToken only requires query access on the process handle.
            hProcess = OpenProcess(PROCESS_ALL_ACCESS,false,winlogonPID);//handle to the winlogon process

            // NOTE(review): TOKEN_ALL_ACCESS is broader than required; DuplicateTokenEx
            // needs TOKEN_DUPLICATE on the source token.
            OpenProcessToken(hProcess,TOKEN_ALL_ACCESS,&hPToken)//opens winlogon's access token
            LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&luid)//get the locally unique identifier (luid) of the debug privilege


            //creates a new primary token that is a copy of the winlogon token
            DuplicateTokenEx(hPToken,MAXIMUM_ALLOWED,NULL,SecurityIdentification,TokenPrimary,&hUserTokenDup)

            }

            // Moves the duplicated token into the active console session.
            // NOTE(review): setting TokenSessionId requires the caller to hold
            // SeTcbPrivilege; confirm the calling account has it.
            SetTokenInformation(hUserTokenDup,TokenSessionId,(void*)&activeSessionId,sizeof(DWORD))//sets the session id on the duplicated token

            //adjust the privileges of the duplicated token
            tp.PrivilegeCount = 1;
            tp.Privileges[0].Luid = luid;
            tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

            // Enables SeDebugPrivilege in the token the child will run with.
            // NOTE(review): AdjustTokenPrivileges can only enable a privilege the token
            // already holds, and it returns nonzero even when nothing was enabled;
            // GetLastError() == ERROR_NOT_ALL_ASSIGNED is the signal for that. Handing
            // debug privilege to the launched program is a least-privilege concern.
            AdjustTokenPrivileges(hUserTokenDup, FALSE, &tp, sizeof(TOKEN_PRIVILEGES),(PTOKEN_PRIVILEGES)NULL,NULL)


            pEnv = NULL;
            // The environment is built for the duplicated token's account, with the
            // calling process's environment inherited (third argument TRUE).
            if(CreateEnvironmentBlock(&pEnv,hUserTokenDup,TRUE))//retrieve environment variables for the token's user
            {
                dwCreationFlags|=CREATE_UNICODE_ENVIRONMENT;
            }
            else pEnv = NULL;

            ZeroMemory( &si, sizeof(si) );//set parameters to 0
            si.cb = sizeof(si);//the size of si
            si.lpDesktop = L"WinSta0\\Default";//window station and desktop of the interactive user
            ZeroMemory( &pi, sizeof(pi) );//set parameters to 0

            //launch the process in the active console session
            // NOTE(review): CreateProcessAsUser does not itself perform UAC elevation.
            // With lpApplicationName NULL the executable is parsed out of the command
            // line, so Path should be quoted if it can contain spaces; the wide-character
            // form of the API may also write to that buffer, so it must not be a constant.
            CreateProcessAsUser
                (
                hUserTokenDup,  
                NULL,
                Path,
                NULL,
                NULL,
                FALSE,
                dwCreationFlags,
                pEnv,
                NULL,
                &si,
                &pi
                )
              )


              //Destroy the Environment block
                      (DestroyEnvironmentBlock(pEnv)


              // NOTE(review): hUserToken is never assigned in the code shown, and
              // pi.hProcess / pi.hThread are not closed here.
              CloseHandle(hProcess)
              CloseHandle(hUserToken)
              CloseHandle(hUserTokenDup)
              CloseHandle(hPToken)

        }
user966890
  • "It says The requested operation requires elevation." What exactly says that? – David Heffernan Dec 05 '12 at 14:30
  • in my program i log GetLastError() to a file. should have said that sorry – user966890 Dec 05 '12 at 15:06
  • 1
    You call about 20 different API functions here. Which one fails? – David Heffernan Dec 05 '12 at 15:08
  • The CreateProcessAsUser function. None of the other functions return an error – user966890 Dec 05 '12 at 16:15
  • Have you figured out how to accomplish this? I want to launch a process into the user's session with the highest elevated privileges set. However, it seems there's no way to do that. I don't want to duplicate the `winlogon` token because the process should run in the user's context, not `SYSTEM` context. – JobaDiniz Nov 13 '18 at 13:14

1 Answer


What user account is your calling code running under? Does that account have permissions to run processes as other users?

My code that uses CreateProcessAsUser() runs in a service under the SYSTEM account. The following approach works fine for me, without having to enumerate processes at all:

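// Launches Path in the active console session with the logged-on user's own
// token, so no process enumeration and no borrowed SYSTEM token is needed.
// Meant to run inside a service under the LocalSystem account.
//
// error handling omitted for brevity... In real code check every call, and in
// particular:
//   - WTSGetActiveConsoleSessionId() returns 0xFFFFFFFF when no session is
//     attached to the physical console.
//   - WTSQueryUserToken() fails (ERROR_NO_TOKEN) when nobody is logged on in
//     that session.
//   - AdjustTokenPrivileges() returns nonzero even when the privilege was not
//     enabled; GetLastError() == ERROR_NOT_ALL_ASSIGNED signals that case.

DWORD dwSessionId = WTSGetActiveConsoleSessionId();
HANDLE hProcessToken = NULL;
HANDLE hUserToken = NULL;

// Enable SeTcbPrivilege in this process's token; WTSQueryUserToken() requires
// it. The token of the current process is opened with OpenProcessToken()
// (OpenProcess() takes a process id and returns a process handle instead).
TOKEN_PRIVILEGES TokenPriv, OldTokenPriv;
DWORD OldSize = 0;
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hProcessToken);
LookupPrivilegeValue(NULL, SE_TCB_NAME, &TokenPriv.Privileges[0].Luid);
TokenPriv.PrivilegeCount = 1;
TokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// The previous state is captured in OldTokenPriv so it can be restored below.
AdjustTokenPrivileges(hProcessToken, FALSE, &TokenPriv, sizeof(TokenPriv), &OldTokenPriv, &OldSize);

// Fetch the logged-on user's token and turn it into a primary token for
// CreateProcessAsUser().
// NOTE(review): under UAC this is presumably the user's filtered token, and
// CreateProcessAsUser() never performs elevation, so a target whose manifest
// requires administrator rights will still be refused. The elevated
// counterpart is exposed through GetTokenInformation(TokenLinkedToken);
// confirm against the documentation before relying on it.
// NOTE(review): MAXIMUM_ALLOWED asks for every right available; a narrower
// mask is preferable where the rights needed by the later calls are known.
HANDLE hToken = NULL;
WTSQueryUserToken(dwSessionId, &hToken);
DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hUserToken);
CloseHandle(hToken);

// Build the environment from the user's profile only (FALSE: do not inherit
// the service's own environment).
LPVOID pEnv = NULL;
CreateEnvironmentBlock(&pEnv, hUserToken, FALSE);

STARTUPINFO si = {0};
si.cb = sizeof(si);
si.lpDesktop = TEXT("WinSta0\\Default"); // interactive window station and desktop
// ... other STARTUPINFO fields as needed

PROCESS_INFORMATION pi = {0};

//launch the process in active logged in user's session
CreateProcessAsUser(
    hUserToken,
    NULL,   // lpApplicationName: NULL, so the executable is parsed out of the command line
    Path,   // lpCommandLine: quote the path if it can contain spaces; must be a writable buffer
    NULL,
    NULL,
    FALSE,  // do not let the child inherit the service's handles
    NORMAL_PRIORITY_CLASS | CREATE_UNICODE_ENVIRONMENT /* | other creation flags as needed */,
    pEnv,
    NULL,
    &si,
    &pi
);

CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
DestroyEnvironmentBlock(pEnv);
CloseHandle(hUserToken);

// Put this process's privileges back the way they were before SeTcbPrivilege
// was enabled.
AdjustTokenPrivileges(hProcessToken, FALSE, &OldTokenPriv, sizeof(OldTokenPriv), NULL, NULL);
CloseHandle(hProcessToken);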
Remy Lebeau
  • 1
    i believe its running under SYSTEM as i can call notepad or calc but when i try to run a custom exe that requires the highest privileges it get the "requires elevated privileges" error. ill try your way and see if it makes any difference. Thanks – user966890 Dec 06 '12 at 09:16
  • It is SYSTEM as its using the winlogon.exe token which runs under SYSTEM but in a sessionID greater than 0 depending on how many users are logged into the computer – user966890 Dec 06 '12 at 09:25
  • Have a look at this article: [Vista UAC: The Definitive Guide](http://www.codeproject.com/Articles/19165/Vista-UAC-The-Definitive-Guide). It implements a custom `CreateProcessAsUserElevated()` function (amongst others). – Remy Lebeau Dec 07 '12 at 01:02