
I am running a Windows service on Windows Server 2012 and it needs to impersonate a domain admin user (who is also added to the local Administrators group on the machine).

UAC is enabled on the system, and calling LogonUser with the credentials and a LogonType of LOGON32_LOGON_INTERACTIVE seems to return a restricted token instead of a full token.

This is causing the administrative task I'm trying to do to fail.

What is the right way to call LogonUser in this situation so that a full token is returned instead of a restricted token?

PS: I came across a related question here, *How can I get elevated permissions (UAC) via impersonation under a non-interactive login?*, but it does not show the exact calls that need to be made to get the full token.

– Dev28

1 Answer

You can get an unfiltered token from LogonUser() by using the LOGON32_LOGON_BATCH option instead of the LOGON32_LOGON_INTERACTIVE option.

There is some sample code in this answer which shows the use of LOGON32_LOGON_BATCH and the LogonUser() function to obtain an administrative token.


Addendum:

If you have SeTcbPrivilege, you have another option: you can use LOGON32_LOGON_INTERACTIVE when calling LogonUser() and then use the TokenLinkedToken option in GetTokenInformation() to obtain a handle to the elevated token that is linked to the filtered token.

SeTcbPrivilege is also known as "Act as part of the operating system" and is usually only available when you are running in local system context.

If you do not have SeTcbPrivilege, you can still call GetTokenInformation() to fetch a copy of the linked token, but in this case you get an impersonation token at SecurityIdentification level so it is of no use if you are wanting to create a new process. (Credit to RbMm for pointing this out.)

– Harry Johnston
  • Will this be a primary token or an impersonated one? – Dev28 Sep 09 '16 at 03:30
  • Only `LOGON32_LOGON_NETWORK` produces an impersonation token. All other options, including `LOGON32_LOGON_BATCH`, produce a primary token. (Of course you can always convert an impersonation token to a primary token or vice versa.) – Harry Johnston Sep 09 '16 at 05:10
  • Really, the elevated token is always created first. Then the system decides whether to create a filtered token - it creates another new token (not a duplicate of it - these tokens have different *LogonId*s) and then filters it and splits it off from the elevated one - look at http://stackoverflow.com/a/43082015/6401656 – RbMm Mar 29 '17 at 00:13
  • One only needs to clearly understand one thing - we can get the linked token, but it has [SecurityIdentification](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379572(v=vs.85).aspx) impersonation level - this means that if we impersonate this token, *every* security check fails. We can do nothing with it (the one exception which I know of - we can query DosDevices). If we could use this elevated token, we could easily skip UAC - so this token is almost for query only – RbMm Mar 29 '17 at 00:19
  • @RbMm, we've got admin privilege so it *ought* to give us a primary token, same as usual, or at least let us duplicate a primary token from it. Doesn't, though. I'm experimenting, but in the meantime I'm rolling back my edit. – Harry Johnston Mar 29 '17 at 00:53
  • `TokenLinkedToken` can return the elevated token to us (if our token has the `TokenElevationTypeLimited` type), but this token has `SecurityIdentification` level, as I say. If you impersonate this token (or, say, try to duplicate it and create a process) - you fail on the first security check – RbMm Mar 29 '17 at 00:57
  • `it works as desired when run as local system. Some privilege or other, presumably` - what do you mean? – RbMm Mar 29 '17 at 00:58
  • @RbMm, if the code is running as local system, you get a primary token rather than an impersonation token. Presumably, the change in behaviour depends on what privileges you've got, or perhaps what privileges are enabled, though it might instead be hard-coded to behave differently for the local system account. – Harry Johnston Mar 29 '17 at 01:00
  • We can get the elevated (linked) token, but cannot use it (except to query). If this were possible, skipping UAC would be very easy - simply get this elevated token and impersonate with it.. but try, say, to open any file - and you get C00000A5 – RbMm Mar 29 '17 at 01:01
  • if the code is running as local system.. hm, checking this now – RbMm Mar 29 '17 at 01:02
  • wait, the *localsystem* token has no linked token at all. If you call `GetTokenInformation(hToken, ::TokenLinkedToken,..)` you get 1312 - `A specified logon session does not exist. It may already have been terminated.` – RbMm Mar 29 '17 at 01:07
  • @RbMm, I said when the *code* is running as local system, not when the token is for local system. My test code calls LogonUser to get a filtered token for a particular user account, then calls GetTokenInformation to get the linked token. The linked token is an impersonation token if the code is running as an administrator, but it is a primary token if the code is running as local system. – Harry Johnston Mar 29 '17 at 01:12
  • yes, you are right - really, when we run as local system the linked token for the LogonUser token is TokenPrimary – RbMm Mar 29 '17 at 01:23
  • @RbMm, specifically, you need to have SeTcbPrivilege ("Act as part of the operating system") enabled when you make the call to GetTokenInformation. – Harry Johnston Mar 29 '17 at 01:25
  • yes, so your edit was absolutely correct - we can use `LOGON32_LOGON_INTERACTIVE` and then get the LinkedToken - it will be primary and not filtered - we can use it in `CreateProcessAsUser` – RbMm Mar 29 '17 at 01:27
  • and about `SeTcbPrivilege` you are absolutely correct - is this documented, or did you research this yourself? I am now looking at this check in the kernel – RbMm Mar 29 '17 at 01:31
  • @RbMm, it was an educated guess. – Harry Johnston Mar 29 '17 at 01:38
  • yes, you guessed correctly. Until now I did not know that a primary token can be returned when querying for the linked token. I thought that this is always an impersonation token.. but looking in the kernel, after your note.. really this depends on *TCB* – RbMm Mar 29 '17 at 01:56
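The two routes from the answer and the SeTcbPrivilege condition worked out in the comments, as an added example in C# (P/Invoke from a .NET service is assumed; this is not code from the question, the answer, or the linked sample). Route 1 asks LogonUser for a LOGON32_LOGON_BATCH token, which is a primary token that UAC does not filter. Route 2 asks for LOGON32_LOGON_INTERACTIVE, checks whether the result is a filtered (TokenElevationTypeLimited) token, tries to enable SeTcbPrivilege, and reads TokenLinkedToken. It then verifies that the linked token is a primary token before handing it back, because without TCB the linked handle is a SecurityIdentification-level impersonation token that would fail the first access check. The class name, method names and error text are this example's own; the constants and structure layouts follow winnt.h / winbase.h.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example: unfiltered administrative tokens from LogonUser() under UAC.
//  1. LOGON32_LOGON_BATCH returns an unfiltered primary token directly.
//  2. LOGON32_LOGON_INTERACTIVE returns the UAC-filtered token; TokenLinkedToken then
//     yields the elevated token, which is a usable primary token only when the caller
//     has SeTcbPrivilege enabled (e.g. a LocalSystem service).
static class UnfilteredLogon
{
    const int LOGON32_LOGON_INTERACTIVE = 2, LOGON32_LOGON_BATCH = 4, LOGON32_PROVIDER_DEFAULT = 0;
    const int TokenType = 8, TokenElevationType = 18, TokenLinkedToken = 19; // TOKEN_INFORMATION_CLASS
    const int TokenPrimary = 1;                // TOKEN_TYPE
    const int TokenElevationTypeLimited = 3;   // TOKEN_ELEVATION_TYPE
    const uint TOKEN_QUERY = 0x0008, TOKEN_ADJUST_PRIVILEGES = 0x0020, SE_PRIVILEGE_ENABLED = 0x0002;
    const int ERROR_NOT_ALL_ASSIGNED = 1300;

    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password, int logonType,
                                 int logonProvider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, int infoLen, out int retLen);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string systemName, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState,
                                             uint bufLen, IntPtr prevState, IntPtr retLen);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr handle);

    // Reads a DWORD attribute (TokenType, TokenElevationType) or the HANDLE inside
    // TOKEN_LINKED_TOKEN; both fit in an IntPtr.Size buffer.
    static long Query(IntPtr token, int infoClass)
    {
        IntPtr buf = Marshal.AllocHGlobal(IntPtr.Size);
        try
        {
            int len;
            if (!GetTokenInformation(token, infoClass, buf, IntPtr.Size, out len)) throw new Win32Exception();
            return infoClass == TokenLinkedToken ? Marshal.ReadIntPtr(buf).ToInt64() : Marshal.ReadInt32(buf);
        }
        finally { Marshal.FreeHGlobal(buf); }
    }

    // Route 1: batch logon. The account needs the "Log on as a batch job" right,
    // which members of Administrators hold by default.
    public static IntPtr LogonBatch(string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_BATCH, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception();
        return token; // primary token, not filtered by UAC
    }

    // Enables SeTcbPrivilege in the calling process token; false if it is not held at all.
    public static bool TryEnableTcbPrivilege()
    {
        IntPtr procToken;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out procToken))
            throw new Win32Exception();
        try
        {
            var tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Attributes = SE_PRIVILEGE_ENABLED };
            if (!LookupPrivilegeValue(null, "SeTcbPrivilege", out tp.Luid)) throw new Win32Exception();
            if (!AdjustTokenPrivileges(procToken, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero))
                throw new Win32Exception();
            // AdjustTokenPrivileges returns TRUE even when nothing was enabled; GetLastError tells.
            return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
        }
        finally { CloseHandle(procToken); }
    }

    // Route 2: interactive logon, then follow the link to the elevated token.
    public static IntPtr LogonInteractiveUnfiltered(string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception();
        try
        {
            // Only a UAC-filtered token has a linked one; a non-admin account (or UAC off) yields
            // TokenElevationTypeDefault, and LogonUser's token is then already the full one.
            if (Query(token, TokenElevationType) != TokenElevationTypeLimited) { IntPtr t = token; token = IntPtr.Zero; return t; }

            bool tcb = TryEnableTcbPrivilege();
            IntPtr linked = (IntPtr)Query(token, TokenLinkedToken);
            // Without SeTcbPrivilege the linked token is an identification-level impersonation
            // token: fine for queries, useless for CreateProcessAsUser or impersonation.
            if (Query(linked, TokenType) != TokenPrimary)
            {
                CloseHandle(linked);
                throw new InvalidOperationException("Linked token is only an impersonation token (SeTcbPrivilege "
                                                    + (tcb ? "enabled" : "not held") + ").");
            }
            return linked;
        }
        finally { if (token != IntPtr.Zero) CloseHandle(token); }
    }
}
```

From the service, `UnfilteredLogon.LogonBatch("admin", "CORP", password)` returns a handle that can go straight to `CreateProcessAsUser` (a LocalSystem service already holds the SeAssignPrimaryTokenPrivilege that call needs); `LogonInteractiveUnfiltered` only returns a handle when the caller could enable SeTcbPrivilege, in practice a LocalSystem service, which is exactly the behaviour worked out in the comment thread. Close the returned handle with `CloseHandle` when done.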