
There is an MSI custom action that would launch an external process. However, on Windows 7 (maybe, Vista too) the custom action, which runs under the LocalSystem account, does NOT have SE_BACKUP_NAME privilege. The external process I am launching requires this privilege at some stage. However, it doesn't get the privilege as the parent (running MSI custom action) doesn't have it. This is a known issue on Vista/7 as Microsoft has removed this privilege on the msiexec.exe process if custom action (say MSI) runs as a Local System account. IMO, the question doesn't need more information around MSI.

I have tried combinations of LogonUser, SetTokenInformation (to add a new privilege), set and update linked token, DuplicateTokenEx, and eventually CreateProcessAsUser. However, the created process will never have the backup privilege enabled no matter how I try.

My simple question is:

  • How to run the external process with all the default privileges the Local System account would have?

Why does Windows stick to the restricted token?

I got to know that once the token is created, no more privileges can be added. SetTokenInformation will fail. I wonder how to add the privilege to a token (which isn't used yet)!

Ajay
  • possible open token, which have backup/restore privileges and impersonated with it – RbMm May 13 '21 at 19:55
  • @RbMm, which token to open? Current process's token or its duplicate doesn't give the required privilege in it. – Ajay May 13 '21 at 20:04
  • some system process token. enumerate processes and look for token with privileges which you need. – RbMm May 13 '21 at 20:35
  • I will try that. However, I wonder how will that work if LogonUser doesn't give valid token. – Ajay May 13 '21 at 20:39
  • for what you need LogonUser ? simply use existing token. https://pastebin.com/Gm3dw7Zd – RbMm May 13 '21 at 20:57
  • I mostly got it, but how to launch the new process then? Using the `hNewToken` with CPAU? Or is the current thread already impersonated and then `CreateProcess` would work? – Ajay May 14 '21 at 07:53
  • for what you need launch the new process ? – RbMm May 14 '21 at 08:17
  • `ImpersonateLoggedOnUser` then `CreateProcess` or `CreateProcessAsUser`. It's alternative to `CreateProcessWithTokenW`. – YangXiaoPo-MSFT May 14 '21 at 08:20
  • @YangXiaoPo - `ImpersonateLoggedOnUser` - not have any effect for `CreateProcess` or `CreateProcessAsUser`. this is wrong. not say already about what sense in create new process – RbMm May 14 '21 at 08:25
  • @YangXiaoPo - `CreateProcess` inherit token of current process, not thread. as result `ImpersonateLoggedOnUser` (which simply set token for current thread) not affect this. in case `CreateProcessAsUser` we direct pass token as first argument. and it used. `ImpersonateLoggedOnUser` can have effect only in sense - are we will be have *SeAssignPrimaryTokenPrivilege*.. but main - not view sense start new process at all – RbMm May 14 '21 at 08:31
  • @RbMm Why new process? Because MSI custom actions, residing in a DLL, are run by separate *processes*, and my installer engine need to have full control on certain actions not handled by MSI. Consider it as backward-compat issue, but I do need the EXE, which will remain running till last custom action tells the EXE to exit. I did mention that in question correctly that I need to launch the process with SYSTEM's full rights (as custom action is already running under SYSTEM, but with restricted token) – Ajay May 14 '21 at 09:52
  • Does this [PrimaryTokenTheft](https://github.com/slyd0g/PrimaryTokenTheft#primarytokentheft) work for you ? – YangXiaoPo-MSFT May 17 '21 at 09:25
  • @RbMm Your solution has worked for all OSes except for Vista/2008, where it always fails to find the appropriate process with required privileges. Even if it finds a process, process creation fails with 5, 1314, 1349. So, I had to use a different technique in the target process itself to do the registry backup (instead of using `RegSaveKey`, which requires backup privilege). – Ajay May 19 '21 at 11:04
  • @YangXiaoPo, I stopped further research on this and used a different approach. Thanks! – Ajay May 19 '21 at 11:05
  • @Ajay - if i write code - it of course will be work on vista too. – RbMm May 19 '21 at 11:33
  • @rbmm, process enumeration worked, but on CPAU. I launched the process within GetToken function only. – Ajay May 19 '21 at 11:52
  • @Ajay - of course exist processes, which have backup-restore and possible use it token – RbMm May 19 '21 at 12:07

0 Answers