1

Is there a way to detach a process, from a JobObject? My problem is, that if i create a new process with RunAs, like cmd.exe, then it will be assigned to a JobObject automatically. And if I want to run my application from this cmd it will also be assigned to this jobobject. The problem starts here, because my application would create a new jobobject and create a new process and then assign it to my new JobObject, but it can't associate, because the first cmd started with runas, is already assigned to a jobobject, and so the new process what I created is also assigned to this jobobject.

So my question is, how can I detach the first cmd from the jobobject which will be automatically created, or how else can I solve this problem?

Chris Seymour
  • 83,387
  • 30
  • 160
  • 202
kampi
  • 2,362
  • 12
  • 52
  • 91
  • Check out `CREATE_BREAKAWAY_FROM_JOB` flag (http://msdn.microsoft.com/en-us/library/windows/desktop/ms684863%28v=vs.85%29.aspx). But I don't know whether RunAs uses job object as a security measure. If it does, it will have `JOB_OBJECT_LIMIT_BREAKAWAY_OK` disabled and the flag won't work. – atzz Nov 20 '12 at 13:44
  • Also, Windows 8 seems to support nested jobs (http://msdn.microsoft.com/en-us/library/windows/desktop/hh448388%28v=vs.85%29.aspx), so if you can have your app "Windows 8 only"... :) – atzz Nov 20 '12 at 13:49
  • @atzz: Unfortunately, my app has to run under XP and Windows 7 too, so Windows 8 is not option :) – kampi Nov 20 '12 at 14:31
  • @atzz: I think RunAs uses a job object, because if you open a cmd with runas, it is already associated to a job. And this is my problem :( – kampi Nov 20 '12 at 14:32
  • You cannot disassociate an existing process from a job. But if `CREATE_BREAKAWAY_FROM_JOB` flag works under RunAs, you can create a child process with this flag, and the child will be free from the job. The question is whether RunAs allows the use of this flag. If it doesn't set `JOB_OBJECT_LIMIT_BREAKAWAY_OK` when starting `cmd`, the flag won't work. – atzz Nov 20 '12 at 14:36
  • I try to start a new process from cmd which i opened with runas, but i always get access denied. CreateProcessW( NULL, CommandLine, NULL, NULL, FALSE, CREATE_BREAKAWAY_FROM_JOB, NULL, NULL, &StartupInfo, &ProcessInformation ) I have to search a little, what could be the problem – kampi Nov 20 '12 at 14:55

1 Answers1

1

Instead of using runas, consider running the parent application as the standard user and using CreateProcessWithLogonW to elevate.

Alternatively, you could use psexec which, although designed for executing commands remotely, can often be useful to escape your current context on the local computer. You could either use psexec as an alternative to runas:

psexec -i \\%COMPUTERNAME% -u adminuser cmd.exe

(you will be prompted for the password) or you could use runas and then

psexec -s -i \\%COMPUTERNAME% parent.exe

to run parent.exe in local system context. This will escape the existing job object, because the new process is launched from a system service.

Note that using psexec with the -i flag is trickier in Vista and later because it uses multiple terminal server sessions more extensively; in that scenario you're probably better off sticking with runas. Luckily your problem only applies to XP. :-)

Harry Johnston
  • 35,639
  • 6
  • 68
  • 158
  • Future readers should also see this question, which offers another approach: http://stackoverflow.com/questions/13490055/how-to-get-a-handle-to-a-jobobject-without-knowing-its-name – Harry Johnston Nov 21 '12 at 21:33