
I want to know why the system() function can give me more privilege to execute a program under System32, but the CreateProcessA() function doesn't.

The code I tested:

```cpp
#include <windows.h>

#include <cstdlib>
#include <cstring>
#include <iostream>
#include <string>

int main()
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;

    memset(&si, 0, sizeof(STARTUPINFOA));
    memset(&pi, 0, sizeof(PROCESS_INFORMATION));
    si.cb = sizeof(si);

    std::string path = "C:\\Windows\\System32\\ComputerDefaults.exe";

    // Launch through cmd.exe's "start" built-in; this call succeeds.
    system(("start " + path).c_str());

    // Launch the same binary directly; this call fails with error 740.
    if (CreateProcessA(path.c_str(), NULL, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, NULL, &si, &pi) != 0)
    {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
        return 0;
    }

    std::cout << "CreateProcessA() Failed. Error code #" << GetLastError() << "\n";

    return 0;
}
```

```
CreateProcessA() Failed. Error code #740
```

Error lookup value 740:

The requested operation requires elevation.

When the system() function executes ComputerDefaults.exe, it runs successfully.

Why is this happening?

Programmer
  • [How User Account Control works](https://learn.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) – Andreas Wenzel Sep 21 '21 at 00:29
  • Note: you are not initializing the `STARTUPINFO::cb` field before calling `CreateProcessA()` – Remy Lebeau Sep 21 '21 at 01:50
  • The `CreateProcess` error is telling you that `ComputerDefaults.exe` requires elevated rights, but your calling program does not have them. Your `system()` call is executing `cmd.exe /C start ComputerDefaults.exe`, which knows how to run an elevated process. You can replace `CreateProcess()` with `ShellExecute/Ex()` specifying the `"runas"` verb to run an elevated process from an unelevated process. – Remy Lebeau Sep 21 '21 at 01:59
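
The fallback described in the last comment, as an added example that is not part of the original thread: try `CreateProcessA()` first and, only when it reports error 740, ask the shell to elevate with `ShellExecuteExA()` and the `"runas"` verb. The names `NextStep`, `next_step_after_create_process` and `launch` are hypothetical; the decision logic is kept separate from the Win32 calls so it builds on any platform.

```cpp
#include <cstdio>

// Win32 error values (winerror.h), repeated so the decision logic builds on any platform.
constexpr unsigned long kErrorSuccess = 0;             // ERROR_SUCCESS
constexpr unsigned long kErrorElevationRequired = 740; // ERROR_ELEVATION_REQUIRED

enum class NextStep { Done, RetryWithRunas, Fail };

// Hypothetical helper: CreateProcess never elevates, so only 740 justifies a shell retry.
NextStep next_step_after_create_process(unsigned long err) {
    if (err == kErrorSuccess) return NextStep::Done;
    if (err == kErrorElevationRequired) return NextStep::RetryWithRunas;
    return NextStep::Fail;  // any other failure is not an elevation problem
}

#ifdef _WIN32
#include <windows.h>
#include <shellapi.h>
// Hypothetical helper: returns 0 on success, otherwise the Win32 error code.
unsigned long launch(const char* path) {
    STARTUPINFOA si = {};
    si.cb = sizeof(si);
    PROCESS_INFORMATION pi = {};
    unsigned long err = kErrorSuccess;
    if (CreateProcessA(path, NULL, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    } else {
        err = GetLastError();
    }
    if (next_step_after_create_process(err) != NextStep::RetryWithRunas) return err;

    SHELLEXECUTEINFOA sei = {};
    sei.cbSize = sizeof(sei);
    sei.lpVerb = "runas";  // request elevation through UAC
    sei.lpFile = path;
    sei.nShow = SW_SHOWNORMAL;
    if (ShellExecuteExA(&sei)) return kErrorSuccess;
    return GetLastError();  // 1223 (ERROR_CANCELLED) if the user declines
}

int main() {
    unsigned long err = launch("C:\\Windows\\System32\\ComputerDefaults.exe");
    std::printf("launch result: %lu\n", err);
    return err == kErrorSuccess ? 0 : 1;
}
#else
int main() { std::puts("The Win32 launch path is only built on Windows."); return 0; }
#endif
```

On Windows, link against shell32 (for example `-lshell32` with MinGW) for `ShellExecuteExA()`.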

0 Answers