4

Using WTSGetActiveConsoleSessionId and WTSQueryUserToken, I know it is possible for a service running as SYSTEM to launch an application onto the current desktop without using a password. Is it possible to call CreateProcessAsUser without needing a password for LogonUser, provided the program launching the process has sufficient privileges?

EDIT 1: The situation is vaguely similar to this instance, but I need to be able to launch a process as a user regardless of whether or not they are logged on to the system at the time.

Eric Pruitt

3 Answers

1

There is the possibility of using the undocumented NtCreateToken function; I think this example project uses it. Short of that, it is not possible.

Luke
0

Theoretically, at least, you could implement your own authentication package and then use it to generate a suitable token.

Another possible option, depending on your exact requirements, is to use the SidsToRestrict and PrivilegesToDelete option of the CreateRestrictedToken function along with SetTokenInformation to create a suitably modified derivative of your own token.

However, I would not trust this approach if you're going to be running untrusted code: I'm not entirely certain that it wouldn't be possible for a sufficiently ingenious attacker to use such a token to attack the parent process or other privileged processes. (In particular I'm not sure whether you'd be able to create a new logon session and assign it to the restricted token; this might not be the only issue.)

Harry Johnston
0

Depending on the token you are trying to forge, you will require certain privileges; in particular the TCB one springs to mind. Services have that. The "Windows NT/2000 Native API Reference" by Nebbett has an example.

However, services creating a process as SYSTEM on the current desktop has not been as easy since Vista. The improved session separation is the issue here. However, you could impersonate the user at the other end of a pipe, and the current thread should then be able to act as that user (e.g. SYSTEM).

0xC0000022L
  • SeTcbPrivilege is not sufficient. You need SeCreateTokenPrivilege, which on newer Windows versions is only held by lsass.exe. Nothing really prevents you from just copying the process token from lsass.exe if you are running in the right security context, e.g. from a service running as LocalSystem. – poizan42 Nov 13 '15 at 10:01