
There are some registry keys that are owned by System, and I can't edit them unless I run as System. I want to be able to edit these keys from my VB application. Any tutorials I've found suggest using PSTools, the now deprecated At command, or schtasks. PSTools seems great, but its license seems too restrictive (about redistributing). At and schtasks are too messy, and require scheduling delays.

This is related to my previous question. I want to take what I discovered, and implement it via VB.

Modify audit policy (group policy)

I also found this, but am getting error 1314. I realized that despite running VS2010 with "requireAdministrator", and even running my EXE as Administrator, Task Manager still shows my username (running as me, not Administrator). I logged in as Administrator, and got Error 5 instead. Even after ensuring I had the rights set, as suggested by this post (CreateProcessAsUser error 1314), it still gave me Error 5.

Using a vb.net application running as SYSTEM, how do I start a detached process for each logged on user?

I changed the example to "TokenAccessLevels.Read and Duplicate" rather than MaximumAllowed.

 ' Combine the access flags with Or (the VB.NET bitwise operator);
 ' & is string concatenation in VB.NET and would build a wrong access mask.
 If Not DuplicateTokenEx(hToken.DangerousGetHandle,
                         TokenAccessLevels.Read Or TokenAccessLevels.Duplicate,
                         Nothing,
                         SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
                         TOKEN_TYPE.TokenPrimary,
                         phNewToken) Then

I get Error 5 from CreateProcessAsUser. This is while running VS2010 as Administrator.

Tyler Montney

1 Answer


http://forum.sysinternals.com/tip-run-process-in-system-account-scexe_topic16714.html

This post was the best I could do. Basically, install a service, run it, then delete it. According to the OP, this is his explanation.

So how does it work?

  1. The & symbol tells cmd.exe to treat the text that follows as if it were a new line in a batch file (it is basically a new-line delimiter which allows multiple commands to be combined into one line).

  To break it down:
    • Create Service: sc create -- binPath= "cmd /c start calc" type= own type= interact
    • Start Service: net start -- (this could also be done with: sc start --)
    • Delete Service: sc delete --

  2. Variables:
    • Service Name: --
    • App to run: calc

  3. How it works:
    • cmd /c - allows us to pass in parameters to cmd (without this initial part, it will work if you copy & paste in cmd.exe, but not in the Run dialog, so this fixes it).
    • sc create binPath= - Since cmd.exe does not respond to service commands, when the SCM runs the app in binPath (Reg = ImagePath) it will terminate it for not responding in a timely fashion; therefore cmd.exe cannot be used. It has to call something else, which in this case is calc.exe.
    • sc create type= - This one took a while to figure out. The initial problem is the Window Station in which cmd.exe is launched (which in turn is inherited by calc.exe, its child process). Luckily, after reading Mark's Windows Internals e4, I was able to solve it by specifying the service as being Interactive. (Experimenting, it actually has to be BOTH interactive (256) and own (16) (256|16 = 272).) Basically what this allows is for the windows to run in \WinSta0\Default (the current user's desktop, allowing the window to be displayed). After some research, from being frustrated that sc would not accept type =own|interact, I found out that it allows us to specify it again, and instead of overwriting Type (dword) it bitwise-ORs it (adds it). Problems solved!
    • net start - start the service (probably calls StartService). cmd.exe runs with the command line (CL) of start [File], in which start probably calls ShellExecute (it's a shame that MS didn't allow start to specify SW_* commands (like hide), although it does allow us to min/max windows). cmd.exe opens the app/file, the SCM terminates cmd.exe for not responding in a timely fashion to its commands, and the window is now shown to the user.
    • sc delete - Finally we clean up our path by removing the service.

For me, this worked.

cmd /c sc create -- binPath= "cmd /c start app.exe" type= own type= interact & net start -- & sc delete --

Now, I had trouble with getting absolute paths to work. I had to put my .EXE in System32 and SysWOW64, so I didn't have to use an absolute path. According to the site, this is supposed to allow absolute paths to work.

cmd /c sc create -- binPath= "cmd /c start  \"\"  \"C:\windows\regedit.exe\" " type= own type= interact & net start -- & sc delete --

It never worked for me, as it would hang for some time and never start the app. It should almost instantly complete.

Tyler Montney
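The service-install trick in the answer above leaves a trace in the System log (Event ID 7045, "A service was installed in the system"). As an added example, not code from the post or the linked forum thread, this Python flags such installs in a constructed text export of that log; the sample records, the "---" separator and the binPath regex are my own assumptions about how the export looks.

```python
import re

# Constructed sample, not real telemetry: three System-log Event ID 7045
# ("A service was installed in the system") records exported as text with
# that event's field names, separated by "---".
SAMPLE_7045_LOG = """\
Service Name: --
Service File Name: cmd /c start app.exe
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
---
Service Name: Spooler
Service File Name: C:\\Windows\\System32\\spoolsv.exe
Service Type: user mode service
Service Start Type: auto start
Service Account: LocalSystem
---
Service Name: --
Service File Name: cmd /c start  ""  "C:\\windows\\regedit.exe"
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
"""

# A binPath whose image is cmd.exe running "start": cmd.exe never answers the
# SCM, so such a service exists only to spawn a child as the service account.
CMD_START_LAUNCHER = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+start\b', re.I)

def parse_7045(text):
    """Return one {field: value} dict per record of the exported text."""
    return [dict(line.partition(": ")[::2] for line in chunk.strip().splitlines())
            for chunk in text.split("\n---\n") if chunk.strip()]

def find_launcher_services(text):
    """Return (service name, image path, reasons) per suspicious 7045 record."""
    findings = []
    for rec in parse_7045(text):
        path = rec.get("Service File Name", "")
        if not CMD_START_LAUNCHER.search(path):
            continue
        reasons = ["binPath is cmd.exe running 'start'"]
        if rec.get("Service Account", "").lower() == "localsystem":
            reasons.append("runs as LocalSystem")
        if not re.search(r"[A-Za-z0-9]", rec.get("Service Name", "")):
            reasons.append("service name has no letters or digits")
        findings.append((rec.get("Service Name", ""), path, reasons))
    return findings
```

On a live host the same fields come from Get-WinEvent on the System log filtered to Id 7045; a service that is created and deleted within seconds, as in the answer's one-liner, still leaves the 7045 record behind.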