
I need to launch an elevated process in an interactive logon user session from my local service. For that I use code very similar to this one.

But I'm not sure how to specify elevation in the user token returned by the WTSQueryUserToken API, and how to make it work on Windows XP and up.

c00000fd
  • Might be a bit tricky to put everything together just right, but conceptually this is straightforward. GetTokenInformation can determine whether the user token is restricted and if so can also fetch the elevated token (via the TokenLinkedToken option). You'll first need to check whether you're on Vista or later, of course; if you're on XP, there is no UAC, so you need do nothing. – Harry Johnston Jul 18 '16 at 05:28
  • @HarryJohnston: Thanks, I did try calling `GetTokenInformation(TokenLinkedToken)` but I was getting `ERROR_NO_SUCH_LOGON_SESSION`. What am I supposed to do in that case? – c00000fd Jul 18 '16 at 05:33
  • Are you sure the token you're passing in really is a restricted token? What do other GetTokenInformation options return, e.g., TokenUser, TokenElevationType, TokenElevation? – Harry Johnston Jul 18 '16 at 05:45
  • @HarryJohnston: Oh, I guess I got [this situation](http://www.remkoweijnen.nl/blog/2011/08/11/gettokeninformation-with-tokenlinkedtoken-returns-error-1312/). So in case UAC is disabled, what do I need to do? – c00000fd Jul 18 '16 at 06:04
  • Your code should first check whether the token is a restricted token or not, probably via TokenElevationType. If it isn't restricted, there's nothing to do as far as elevation is concerned: either it is already an administrative token, or the user doesn't have administrative privilege. (Are you sure you don't want to run the new process with the same credentials as the service, just in the user's session?) – Harry Johnston Jul 18 '16 at 06:19
  • @HarryJohnston: Well, that's what I was originally doing (using the `SYSTEM` token from the service) but then I had security concerns about doing it. I'm actually composing a new question on this subject.... hang on. I'll link to it. – c00000fd Jul 18 '16 at 06:22
  • [Here are more details](http://stackoverflow.com/q/38429908/843732) – c00000fd Jul 18 '16 at 06:30
  • Why specifically does the process need to be elevated? (Does it actually need admin privilege or just to be running at a high integrity?) What needs to happen if the logged-on user doesn't actually have admin privilege, making elevation impossible? – Harry Johnston Jul 18 '16 at 06:40
  • @HarryJohnston: Yes, it has to be elevated. It's used to set a global hook via `SetWindowsHookEx` API. – c00000fd Jul 18 '16 at 06:46
  • I didn't *think* that required elevation? The documentation says nothing to that effect. Perhaps you only need to be elevated if you need to monitor input to elevated processes, in which case this approach should work perfectly well? – Harry Johnston Jul 18 '16 at 06:49
  • @HarryJohnston: Yes, I do. Forgot to mention. Sorry. – c00000fd Jul 18 '16 at 06:50
  • In that case, if there is no linked token, the token you've already got should work. I can't think of any exceptions offhand. – Harry Johnston Jul 18 '16 at 06:52
  • @HarryJohnston: Thanks for your help! – c00000fd Jul 18 '16 at 06:54
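
The token check discussed in the comments above, as an added example that is not part of the original thread: query `TokenElevationType`, fetch `TokenLinkedToken` only for a limited token, and fall back to the original token when there is no linked one. The names `plan_for_token`, `pick_launch_token` and the `vista_or_later` flag are hypothetical, and the non-Windows stand-in enum is there only so the decision logic compiles off Windows.

```c
/* Added example: choose which token a service should launch a process with. */
#ifdef _WIN32
#include <windows.h>
#else
/* Stand-in so the decision logic compiles off Windows; values match winnt.h. */
typedef enum { TokenElevationTypeDefault = 1, TokenElevationTypeFull,
               TokenElevationTypeLimited } TOKEN_ELEVATION_TYPE;
#endif

typedef enum { USE_TOKEN_AS_IS, USE_LINKED_TOKEN } token_plan; /* hypothetical */

/* vista_or_later: caller's OS check; on XP there is no UAC, nothing to do.
   query_ok: whether GetTokenInformation(TokenElevationType) succeeded. */
token_plan plan_for_token(int vista_or_later, int query_ok,
                          TOKEN_ELEVATION_TYPE type)
{
    if (!vista_or_later || !query_ok)
        return USE_TOKEN_AS_IS;
    /* Only a limited (filtered) token has an elevated twin to switch to.
       Default: UAC off or no split token. Full: already elevated. */
    return type == TokenElevationTypeLimited ? USE_LINKED_TOKEN
                                             : USE_TOKEN_AS_IS;
}

#ifdef _WIN32
/* hUser comes from WTSQueryUserToken. Returns the handle to launch with;
   when it differs from hUser the caller must CloseHandle it as well. */
HANDLE pick_launch_token(HANDLE hUser, int vista_or_later)
{
    TOKEN_ELEVATION_TYPE type = TokenElevationTypeDefault;
    TOKEN_LINKED_TOKEN linked = { 0 };
    DWORD len = 0;
    BOOL ok = vista_or_later &&
              GetTokenInformation(hUser, TokenElevationType,
                                  &type, sizeof(type), &len);

    if (plan_for_token(vista_or_later, ok, type) == USE_TOKEN_AS_IS)
        return hUser;
    if (!GetTokenInformation(hUser, TokenLinkedToken,
                             &linked, sizeof(linked), &len))
        return hUser; /* e.g. ERROR_NO_SUCH_LOGON_SESSION: no linked token */
    return linked.LinkedToken;
}
#endif
```
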

0 Answers