Create non-elevated process from elevated process,...?
in [MFC]
|
From: Kerem Gümrükcü on 25 Feb 2010 01:09 Hi Joseph, thank you very much for the example. Borrowing the explorers token was not a good idea. Could you pleace send me the examples of the three things you found, that would be great. But i faced another interessting thing: When i start a explorer.exe with the code above and i want to run a executable that has a manifest asking for UAC,...the UAC does not come up and there ia also no shield overlay on the icon of the executable. How can this be explained or do you have an explanation for this,... K.
From: Stefan Kuhr on 25 Feb 2010 05:46 Hi Corinna, On 2/24/2010 6:39 PM, Corinna Vinschen wrote: > Stefan Kuhr wrote: >> Hi Kerem, >> >> On 2/24/2010 9:42 AM, Kerem Gümrükcü wrote: >>> Does someone have a good idea, possibly not >>> something with a second process runing non-elevated >>> and expecting some signal or antother IPC data to >>> spawn the non-elevated process, or like the example >>> above duplicating the token from a process,... >> >> I think the answer is given in the article you mentioned: Since you want >> the process to run under the same user account as the elevated process, >> but just run it without the elevation, then "launch the new process with >> that “dumbed down” token". >> >> Have you tried creating a restricted token from your elevated token and >> then use CreateProcessAsUser? I have never tried this but I assume this >> is the way to go. > > CreateRestrictedToken works fine, but there's a warning in MSDN that > CreateRestrictedToken is still a bit of a security problem: > > "Warning Applications that use restricted tokens should run the > restricted application on desktops other than the default desktop. > This is necessary to prevent an attack by a restricted application, > using SendMessage or PostMessage, to unrestricted applications on > the default desktop. If necessary, switch between desktops for your > application purposes." > > Other than that, I experimented a lot with GetTokenInformation info > class TokenLinkedToken, and as far as I remember, if you're running in > an elevated process, the linked token is the non-elevated token. > It definitely is worth a try for Kerem. My experience is that the linked token can only be used for the AccessCheck API and nothing else. However, since GetTokenInformation with TokenLinkedToken still seems to be officially undocumented (my Server 08 PlatSDK doesn't document it and on msdn online, TokenLinkedToken is also not mentioned as a valid parameter for GetTokenInformation), I wouldn't be surprised if it works accidentally but breaks with the next service pack. -- S
From: Corinna Vinschen on 25 Feb 2010 09:38 Hey Stefan, Stefan Kuhr wrote: > Hi Corinna, > > On 2/24/2010 6:39 PM, Corinna Vinschen wrote: >> Other than that, I experimented a lot with GetTokenInformation info >> class TokenLinkedToken, and as far as I remember, if you're running in >> an elevated process, the linked token is the non-elevated token. > > It definitely is worth a try for Kerem. My experience is that the linked > token can only be used for the AccessCheck API and nothing else. You are definitely right, if the process has no TCB privileges, and if the process token is the restricted token, not the elevated token. In this case the linked token is just an impersonation token and the call to DuplicateTokenEx(PrimaryToken) fails with "access denied". However, I know for a fact (since I'm using this capability in Cygwin) that the linked, elevated token is a primary token suitable for calls to CreateProcessAsUser, if the calling process has TCB privileges. Which makes a lot of sense to me, even if that is nowhere documented. And I seriously hope for Cygwin that this won't be changed in some future version of Windows. In Kerem's case I'm not sure. I never checked in the inverse case - calling TokenLinkedToken on the elevated token - and without TCB privileges, if the linked token is an impersonation token for which DuplicateTokenEx(PrimaryToken) fails. I made the suggestion nevertheless, because it can be very easily tested. > However, since GetTokenInformation with TokenLinkedToken still seems to > be officially undocumented (my Server 08 PlatSDK doesn't document it and > on msdn online, TokenLinkedToken is also not mentioned as a valid > parameter for GetTokenInformation), I wouldn't be surprised if it works > accidentally but breaks with the next service pack. It is documented as TOKEN_INFORMATION_CLASS member: http://msdn.microsoft.com/en-us/library/aa379626%28VS.85%29.aspx And the TOKEN_LINKED_TOKEN structure is documented as well: http://msdn.microsoft.com/en-us/library/bb530719%28VS.85%29.aspx It's only missing in the man pages for GetTokenInformation and SetTokenInformation. The fact that the TOKEN_LINKED_TOKEN man page refers to SetTokenInformation is interesting. I assume that you need TCB privileges as well to link a token to another token, but I never tried that. Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat
From: Stefan Kuhr on 25 Feb 2010 10:58 Hi Corinna, On 2/25/2010 3:38 PM, Corinna Vinschen wrote: > <snip> > In Kerem's case I'm not sure. I never checked in the inverse case > - calling TokenLinkedToken on the elevated token - and without TCB > privileges, if the linked token is an impersonation token for which > DuplicateTokenEx(PrimaryToken) fails. I made the suggestion > nevertheless, because it can be very easily tested. > Were you thinking about something like the following code? When run under an elevated token, CPAU fails with 1314 (Privilige not held) and the linked token is an impersonation token, duplicating it to a primary token fails with 1346 (bad impersonation level): int _tmain(int argc, _TCHAR* argv[]) { TOKEN_LINKED_TOKEN tlt; HANDLE hProcessToken = NULL; if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hProcessToken)) { DWORD cbLength = 0L; if (GetTokenInformation(hProcessToken, TokenLinkedToken, &tlt,sizeof(tlt), &cbLength)) { TCHAR szCmdLine[] = _T("notepad"); STARTUPINFO si = {0}; si.dwFlags = STARTF_USESHOWWINDOW; si.wShowWindow = SW_SHOW; PROCESS_INFORMATION pi; if(CreateProcessAsUser(tlt.LinkedToken, _T("c:\\windows\\notepad.exe"), szCmdLine, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, NULL, &si, &pi)) { _tprintf(_T("It worked\n")); VERIFY(WAIT_OBJECT_0==WaitForSingleObject(pi.hProcess, INFINITE)); VERIFY(CloseHandle(pi.hProcess)); VERIFY(CloseHandle(pi.hThread)); } else { DWORD dwLastError = GetLastError(); _tprintf(_T("CPAU failed with %lu (0x%.8x)\n"), dwLastError, dwLastError); } TOKEN_TYPE tt; if (GetTokenInformation(tlt.LinkedToken, TokenType, &tt,sizeof(tt), &cbLength)) { _tprintf(_T("Token is of type %lu\n"), (DWORD) tt); if(TokenImpersonation==tt) { HANDLE hPrimary = NULL; if(!DuplicateTokenEx(tlt.LinkedToken, 0L, NULL, SecurityImpersonation, TokenPrimary, &hPrimary)) { DWORD dwLastError = GetLastError(); _tprintf(_T("DuplicateTokenEx failed with %lu (0x%.8x)\n"), dwLastError, dwLastError); } } } VERIFY(CloseHandle(tlt.LinkedToken)); } VERIFY(CloseHandle(hProcessToken)); } return 0; } Cheers, -- S
From: Joseph M. Newcomer on 25 Feb 2010 12:19 I found them a couple years ago using google. None of them was quite the best style of programming, so I rewrote them using the best examples from each plus avoiding sprintf. I have long since forgotten where I found them; one was a Microsoft blog site, but I don't remember the other two. The code I showed was the ultimately best-programming-style example. I have no idea how UAC and Explorer work together (or don't, as seems to be your case). My goal was to launch a non-elevated app from an elevated app, which was your original question. I have found that the further I stay away from the explorer, the happier I am. Having once tried to write an explorer extension, the most polite thing I can say is the whole thing is a confused mess. joe On Thu, 25 Feb 2010 07:09:01 +0100, Kerem G�mr�kc� <kareem114(a)hotmail.com> wrote: >Hi Joseph, > >thank you very much for the example. Borrowing >the explorers token was not a good idea. Could >you pleace send me the examples of the three >things you found, that would be great. But i faced >another interessting thing: When i start a explorer.exe >with the code above and i want to run a executable >that has a manifest asking for UAC,...the UAC does >not come up and there ia also no shield overlay >on the icon of the executable. How can this be >explained or do you have an explanation for this,... > >K. Joseph M. Newcomer [MVP] email: newcomer(a)flounder.com Web: http://www.flounder.com MVP Tips: http://www.flounder.com/mvp_tips.htm
First
|
Prev
|
Next
|
Last
Pages: 1 2 3 4 Prev: Coding help for loading custom icons into toolbar Next: Interesting CreateEvent issue |