
My service is running under local system permissions, and needs to start an application with administrator permissions in the user session.

What I got is:

  1. WTSGetActiveConsoleSessionID()
  2. WTSQueryUserToken for session ID
  3. CreateProcessAsUser

The problem is I need to run the process (Step 3) as an administrator, without asking the user for the administrator's password.

On Linux systems I would simply do a "su ", but how do I achieve this on a Windows system?

Ajay
gorootde
  • Perhaps you don't understand `su`, but it cannot be used to gain root privileges without providing credentials at some point. Moving on, what do you propose to do if the logged in user is not an administrator? – David Heffernan Oct 19 '15 at 11:19
  • You have things backwards. Launch the application like any other application, and have it communicate with your service, if the application needs to request operations, that the user doesn't have sufficient privileges to perform. Don't waste time on implementing a well designed breach of security. – IInspectable Oct 19 '15 at 11:29
  • The scenario is: 1) User needs to change something that requires administrative permissions, 2) User calls our helpdesk, 3) Helpdesk triggers the local service to execute our special tool as administrator – gorootde Oct 19 '15 at 11:29
  • Is the logged on user an administrator? – David Heffernan Oct 19 '15 at 11:33
  • No he is not, and that's the point. E.g. there are some winapi functions that require administrative permissions. – gorootde Oct 19 '15 at 12:40
  • If the user is not an administrator, how will it help to call `CreateProcessAsUser` passing the token of a user that is not an administrator. I posit that you don't fully understand the Windows security model. – David Heffernan Oct 19 '15 at 12:43
  • I would also point out that `WTSQueryUserToken` does not return a session ID. It takes a session ID as input, and returns a user token. – David Heffernan Oct 19 '15 at 12:51
  • The local user is not an administrator, but he has to perform administrative tasks without requiring a password. Therefore the user launches his UI, which communicates with a system service. The system service should perform those tasks for the user. Problem: The service needs to call methods defined only in the user session. – gorootde Oct 19 '15 at 13:50
  • *The service needs to call methods defined only in the user session.* I don't really understand what that means. Methods don't belong to a session, at least by any definition of method and session that I know. I think you need to face up to the fact that admin tasks require a user with admin rights. – David Heffernan Oct 19 '15 at 15:09
  • Possible duplicate of [Launching an administrative interactive process when a standard user is logged on](http://stackoverflow.com/questions/21098315/launching-an-administrative-interactive-process-when-a-standard-user-is-logged-o) – Harry Johnston Oct 20 '15 at 01:08

2 Answers


I've finally found the solution to manage this:

// Relies on helpers the post does not show: kernel32/advapi32 (JNA interfaces
// for Kernel32 and Advapi32), getCurrentSessionId(), getCurrentProcessToken()
// (OpenProcessToken on the service's own process), getUserToken() (WTSQueryUserToken),
// checkAPIError() (throws WindowsAPIException on a false return) and LOGGER.
public void launchProcessInUserSession(String process) throws WindowsAPIException {

    // Session of the user logged on at the physical console (0xFFFFFFFF if none).
    final DWORD interactiveSessionId = kernel32.WTSGetActiveConsoleSessionId();
    // Session the service itself runs in (session 0 on Vista and later); unused below.
    final DWORD serviceSessionId = getCurrentSessionId();

    final HANDLEByReference pExecutionToken = new HANDLEByReference();

    final HANDLE currentProcessToken = getCurrentProcessToken();
    try {
        // Token of the logged-on user. It is NOT the token the new process runs
        // under; the call only confirms that a user is actually logged on in
        // interactiveSessionId (WTSQueryUserToken fails otherwise).
        final HANDLE interactiveUserToken = getUserToken(interactiveSessionId);
        kernel32.CloseHandle(interactiveUserToken); // handle was leaked in the original

        // Duplicate the SERVICE's own (LocalSystem) token as a primary token. The
        // process created below therefore runs as SYSTEM, not as the logged-on user.
        checkAPIError(advapi32.DuplicateTokenEx(currentProcessToken, WinNT.TOKEN_ALL_ACCESS, null,
                SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
                WinNT.TOKEN_TYPE.TokenPrimary, pExecutionToken));
    } finally {
        kernel32.CloseHandle(currentProcessToken);
    }

    final HANDLE executionToken = pExecutionToken.getValue();
    try {
        // Move the duplicated SYSTEM token into the user's session. Changing
        // TokenSessionId requires SeTcbPrivilege, which LocalSystem holds.
        checkAPIError(advapi32.SetTokenInformation(executionToken, TOKEN_INFORMATION_CLASS.TokenSessionId,
                new IntByReference(interactiveSessionId.intValue()), DWORD.SIZE));

        final WinBase.STARTUPINFO si = new WinBase.STARTUPINFO();
        // For a window on the user's desktop set si.lpDesktop = "winsta0\\default".
        final PROCESS_INFORMATION processInfo = new WinBase.PROCESS_INFORMATION();
        final int dwFlags = WinBase.DETACHED_PROCESS;

        // 'process' is passed as the raw command line and executes as SYSTEM on the
        // user's desktop, so callers must never be able to supply it freely.
        checkAPIError(advapi32.CreateProcessAsUser(executionToken, null, process, null, null, false, dwFlags,
                null, null, si, processInfo));
        LOGGER.debug("Execution done. Process ID is {}", processInfo.dwProcessId);
        // Release the process/thread handles we received; the child keeps running.
        kernel32.CloseHandle(processInfo.hProcess);
        kernel32.CloseHandle(processInfo.hThread);
    } finally {
        kernel32.CloseHandle(executionToken);
    }
}
gorootde

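The method above takes its command line straight from the caller and starts it as LocalSystem on the user's desktop, so whatever IPC the helpdesk uses to trigger the service must never let the requester choose that string. The guard below is an added example and is not part of gorootde's answer or code: it maps a short request name to a fixed, allowlisted command line (the Acme tool paths and request names are constructed placeholders), checks that the listed executable is an absolute path without `..` segments, and quotes each argument the way the Windows command-line parser expects, so the resulting string can be handed to `CreateProcessAsUser` with `lpApplicationName` null.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Hypothetical guard (added example): turns an IPC request name into the only
 * command lines the service will start through launchProcessInUserSession().
 * The requester never supplies a path or arguments of its own.
 */
public final class HelpdeskCommandAllowlist {

    /** Constructed sample entries; the tool path is a placeholder, not from the post. */
    private static final Map<String, List<String>> ALLOWED;
    static {
        Map<String, List<String>> m = new LinkedHashMap<>();
        m.put("reset-proxy", Arrays.asList("C:\\Program Files\\Acme\\SupportTool.exe", "/reset-proxy"));
        m.put("repair-vpn", Arrays.asList("C:\\Program Files\\Acme\\SupportTool.exe", "/repair-vpn"));
        ALLOWED = Collections.unmodifiableMap(m);
    }

    /** Request names are short identifiers; anything else is rejected before lookup. */
    private static final Pattern NAME = Pattern.compile("[a-z0-9-]{1,32}");
    /** Executable must be rooted at a drive letter, e.g. C:\... */
    private static final Pattern ABSOLUTE_WIN_PATH = Pattern.compile("^[A-Za-z]:\\\\.+");

    private HelpdeskCommandAllowlist() {}

    /** Returns the command line to hand to CreateProcessAsUser, or throws. */
    public static String resolve(String requestName) {
        if (requestName == null || !NAME.matcher(requestName).matches()) {
            throw new IllegalArgumentException("malformed request name");
        }
        List<String> argv = ALLOWED.get(requestName);
        if (argv == null) {
            throw new IllegalArgumentException("request not allowlisted: " + requestName);
        }
        String exe = argv.get(0);
        if (!ABSOLUTE_WIN_PATH.matcher(exe).matches()
                || Arrays.asList(exe.split("\\\\")).contains("..")) {
            throw new IllegalStateException("allowlist entry is not a canonical absolute path");
        }
        StringBuilder cmd = new StringBuilder();
        for (String a : argv) {
            if (cmd.length() > 0) cmd.append(' ');
            cmd.append(quote(a));
        }
        return cmd.toString();
    }

    /**
     * Quote one argument for the Windows CRT command-line rules: wrap in double
     * quotes, escape embedded quotes, and double the backslashes that precede a
     * quote (including the closing one) so they are not read as escapes.
     */
    static String quote(String arg) {
        StringBuilder sb = new StringBuilder("\"");
        int backslashes = 0;
        for (char c : arg.toCharArray()) {
            if (c == '\\') {
                backslashes++;
            } else if (c == '"') {
                appendBackslashes(sb, backslashes * 2 + 1);
                sb.append('"');
                backslashes = 0;
            } else {
                appendBackslashes(sb, backslashes);
                sb.append(c);
                backslashes = 0;
            }
        }
        appendBackslashes(sb, backslashes * 2);
        return sb.append('"').toString();
    }

    private static void appendBackslashes(StringBuilder sb, int n) {
        for (int i = 0; i < n; i++) sb.append('\\');
    }

    public static void main(String[] args) {
        // Prints: "C:\Program Files\Acme\SupportTool.exe" "/reset-proxy"
        System.out.println(resolve("reset-proxy"));
        try {
            // A caller trying to pass a path instead of a request name is refused.
            resolve("C:\\Windows\\System32\\cmd.exe");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The service would call `launchProcessInUserSession(HelpdeskCommandAllowlist.resolve(name))` instead of passing the IPC payload through. Two further checks belong with it in practice: the directory holding the allowlisted tool must not be writable by standard users (otherwise the binary itself is the injection point), and the tool must not expose file dialogs, help links or shell-outs, because everything it opens runs as SYSTEM on the standard user's desktop.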

I need to run the process (Step 3) as administrator, without asking the user for the administrator's password.

If it were possible for a low privileged user to execute code as a privileged user, then the system's security model would be broken. If you want to execute code with administrator privileges then you need to supply appropriate credentials, at some point.

Your proposed plan of action has you calling CreateProcessAsUser passing the user token for a low privileged user. This plan, as itemized in the question, cannot succeed. Since the user token you will provide is that of the low privileged user, the process will not be able to perform administrative tasks.

You will need to provide, one way or another, credentials for a user with administrative rights.

David Heffernan
  • As we are talking about the service, I need to get a token for an administrative account. How to do this? – gorootde Oct 19 '15 at 13:51
  • Why don't you configure your service to run under an admin user's account? – David Heffernan Oct 19 '15 at 13:58
  • You people are not experienced and think the topic author asks a stupid question. What he wants is all legit and possible. Let's say I create a universal APP updater (system service) that monitors installed corporation apps and updates them, updates services and apps. After updating I need to re-run the app as the user that is currently logged in; it may be any of xx users in the system. Also many apps may require elevated rights. So as system I should be able to do anything, so creating a process as the active user but with elevated rights. – Tommix May 09 '19 at 22:15