RunAsUser


Micha1405
Description: a process running as SYSTEM starts a new process as the currently logged-on user (it borrows the user's access token from explorer.exe / dwm.exe and calls CreateProcessAsUser with it).

Compile the script, then from a console running as SYSTEM type:

runasuser.exe notepad.exe

The script works on Windows XP and Windows 7, but the new process only starts with the user's rights and without the user's profile (its USERPROFILE/APPDATA style variables are not the user's). Can anybody help me change it to "run as the logged-on user, using that user's profile"? (Note: when CreateProcessAsUser is called with lpEnvironment = NULL the child inherits the environment of the calling SYSTEM process, not the user's; the user's environment has to be built from the token with CreateEnvironmentBlock.)

#AutoIt3Wrapper_Outfile=RunAsUser.exe
#NoTrayIcon
#RequireAdmin
#include <StructureConstants.au3>
#include <WinAPI.au3>

; Token access-right masks as defined in winnt.h. The individual $TOKEN_* bits
; are expected to come from the AutoIt includes above. TOKEN_ALL_ACCESS is the
; maximum mask; note that CreateProcessAsUser itself only needs TOKEN_QUERY,
; TOKEN_DUPLICATE and TOKEN_ASSIGN_PRIMARY on the token, so requesting
; TOKEN_ALL_ACCESS when opening another process's token is more than required
; (least privilege: ask only for what the launch needs).
Global Const $STANDARD_RIGHTS_REQUIRED = 0x000F0000
Global Const $TOKEN_ALL_ACCESS_P = BitOR($STANDARD_RIGHTS_REQUIRED, $TOKEN_ASSIGN_PRIMARY, $TOKEN_DUPLICATE, $TOKEN_IMPERSONATE, $TOKEN_QUERY, $TOKEN_QUERY_SOURCE, $TOKEN_ADJUST_PRIVILEGES, $TOKEN_ADJUST_GROUPS, $TOKEN_ADJUST_DEFAULT)
Global Const $TOKEN_ALL_ACCESS = BitOR($TOKEN_ALL_ACCESS_P, $TOKEN_ADJUST_SESSIONID)




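; Handle to advapi32.dll. The DllCalls in this script pass the DLL name
; directly, so this handle is not strictly needed; kept for compatibility.
Global $ghADVAPI32 = DllOpen("advapi32.dll")

; Argument set for CreateProcessAsUser. $lpCommandline is replaced by the
; first command-line argument below; the "Notepad.exe" default is never used
; because the script exits when no argument is given.
$lpApplicationName = ""
$lpCommandline = "Notepad.exe"
$CustomProcess = $lpCommandline
$lpProcessAttributes = DllStructCreate($tagSECURITY_ATTRIBUTES)
$lpThreadAttributes = DllStructCreate($tagSECURITY_ATTRIBUTES)
$bInheritHandles = False ; the child must not inherit this SYSTEM process's handles
$dwCreationFlags = 0x0
$lpEnvironment = ""      ; NOTE(review): LaunchProcessAsUser passes 0 for lpEnvironment, not this value
$lpCurrentDirectory = "" ; NOTE(review): same, 0 is passed for lpCurrentDirectory
$si = DllStructCreate($tagSTARTUPINFO)
$pi = DllStructCreate($tagPROCESS_INFORMATION)

; SECURITY_ATTRIBUTES for the new process and its primary thread: Length set,
; NULL security descriptor (default DACL), handles not inheritable.
DllStructSetData($lpThreadAttributes, "Descriptor", 0)
DllStructSetData($lpThreadAttributes, "Length", DllStructGetSize($lpThreadAttributes))
DllStructSetData($lpProcessAttributes, "Descriptor", 0)
DllStructSetData($lpProcessAttributes, "Length", DllStructGetSize($lpProcessAttributes))

; STARTUPINFO: the desktop name must be handed over as a POINTER to a buffer
; that outlives the call. Writing the string itself into a ptr element stores
; 0, so the desktop was effectively NULL before. The buffer is UTF-16 to match
; the wide (W) CreateProcessAsUser entry point; use "char[16]" for the A one.
; NOTE(review): element names must match $tagSTARTUPINFO from the include
; (recent AutoIt versions name them "Desktop" and "Size"); mismatches are
; reported instead of being silently ignored. LaunchProcessAsUser currently
; builds its own STARTUPINFO, so this one only takes effect if that function
; is changed to use it.
Global $tDesktop = DllStructCreate("wchar[16]")
DllStructSetData($tDesktop, 1, "winsta0\default")
DllStructSetData($si, "lpDesktop", DllStructGetPtr($tDesktop))
If @error Then ConsoleWrite("! $tagSTARTUPINFO has no lpDesktop element, check the include" & @CRLF)
DllStructSetData($si, "Size", DllStructGetSize($si))
If @error Then ConsoleWrite("! $tagSTARTUPINFO has no Size element, check the include" & @CRLF)
; PROCESS_INFORMATION is an output structure filled by CreateProcessAsUser; the
; AutoIt tag has no Size element, so nothing is set on $pi here.

; The command line to start is mandatory. It is run verbatim as the logged-on
; user, so quote paths containing spaces; do not feed it untrusted input.
If $Cmdline[0] < 1 Then
    ConsoleWrite("Usage: RunAsUser.exe <command line to start as the logged-on user>" & @CRLF)
    Exit 1
EndIf
$lpCommandline = $Cmdline[1]
$CustomProcess = $lpCommandline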


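; 1) Find a process that runs in the logged-on user's context and borrow its
;    token. explorer.exe is the user's shell on every Windows version, so it is
;    tried first; dwm.exe is only a fallback (on Windows 7 it runs as the
;    logged-on user, but on Windows 8 and later it runs as a "Window Manager"
;    service account whose token is NOT the user's). The original code tested
;    for "DMW.exe" (typo), so its DWM branch never ran.
;    ProcessExists() returns the first PID it finds; with several users logged
;    on (fast user switching, RDP) that can be another user's explorer, so we
;    prefer the instance in the active console session.
;    This is token borrowing, the same primitive post-exploitation tools use to
;    switch user context: it needs SYSTEM (as the description says), and the
;    compiled binary should only be runnable by administrators.
$ProcessID = _FindUserProcess("explorer.exe")
If Not $ProcessID Then $ProcessID = _FindUserProcess("dwm.exe")
If Not $ProcessID Then
    ConsoleWrite("! no explorer.exe or dwm.exe found, is a user logged on?" & @CRLF)
    Exit 2
EndIf

; 2) PROCESS_QUERY_INFORMATION (0x0400) is all OpenProcessToken requires.
$ProcessHandle = _WinAPI_OpenProcess(0x0400, False, $ProcessID)
If Not $ProcessHandle Then
    ConsoleWrite("! OpenProcess(" & $ProcessID & ") failed, error " & _WinAPI_GetLastError() & @CRLF)
    Exit 3
EndIf

; 3) Open the token with only the rights CreateProcessAsUser needs
;    (least privilege) instead of TOKEN_ALL_ACCESS.
$ProcessToken = _WinAPI_OpenProcessToken($ProcessHandle, BitOR($TOKEN_QUERY, $TOKEN_DUPLICATE, $TOKEN_ASSIGN_PRIMARY))
If Not $ProcessToken Then
    ConsoleWrite("! OpenProcessToken failed, error " & _WinAPI_GetLastError() & @CRLF)
    _WinAPI_CloseHandle($ProcessHandle)
    Exit 4
EndIf

; Impersonate so the calling thread runs in the user's context while the
; process is created (kept from the original; failure is reported, not fatal).
If Not _WinAPI_ImpersonateLoggedOnUser($ProcessToken) Then
    ConsoleWrite("! ImpersonateLoggedOnUser failed, error " & _WinAPI_GetLastError() & @CRLF)
EndIf

; The token is a process token, i.e. already a primary token, so no
; DuplicateTokenEx is needed before CreateProcessAsUser.
LaunchProcessAsUser($CustomProcess)

; Drop the impersonation and release the borrowed handles.
DllCall("advapi32.dll", "bool", "RevertToSelf")
_WinAPI_CloseHandle($ProcessToken)
_WinAPI_CloseHandle($ProcessHandle)

; Returns the PID of the instance of $sName running in the active console
; session, the first instance if none is in that session, or 0 if none exists.
Func _FindUserProcess($sName)
    Local $aList = ProcessList($sName)
    If @error Or $aList[0][0] = 0 Then Return 0
    Local $iConsole = -1
    Local $aSess = DllCall("kernel32.dll", "dword", "WTSGetActiveConsoleSessionId")
    If Not @error Then $iConsole = $aSess[0]
    Local $aRet
    For $i = 1 To $aList[0][0]
        ; ProcessIdToSessionId: [0] = BOOL result, [2] = the dword* out value
        $aRet = DllCall("kernel32.dll", "bool", "ProcessIdToSessionId", "dword", $aList[$i][1], "dword*", 0)
        If Not @error And $aRet[0] And $aRet[2] = $iConsole Then Return $aList[$i][1]
    Next
    Return $aList[1][1]
EndFunc   ;==>_FindUserProcess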


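Func LaunchProcessAsUser($CustomProcess)
    ; Starts $CustomProcess (a complete command line, run verbatim) with the
    ; borrowed primary token held in the global $ProcessToken, on the
    ; interactive desktop winsta0\default, via CreateProcessAsUserW.
    ; Also reads the globals $lpProcessAttributes, $lpThreadAttributes,
    ; $bInheritHandles and $dwCreationFlags set up at the top of the script.
    ; Returns the new process ID; on failure returns 0 with @error set
    ; (1 = no token, 2 = CreateProcessAsUser failed) and @extended = GetLastError().
    ;
    ; Fixes over the original: the $CustomProcess parameter is used instead of
    ; the global $lpCommandline; the "W" entry point is called explicitly with a
    ; UTF-16 ("wstr") command line instead of an ANSI "str"; cb is set on the
    ; locally declared STARTUPINFO (the original set "Size", which this tag does
    ; not have, so cb stayed 0); lpDesktop is set; the result is checked; and
    ; the child's hProcess/hThread handles are closed instead of leaked.
    ;
    ; Why an environment block: with lpEnvironment = NULL the child inherits the
    ; environment of the calling (SYSTEM) process, so USERPROFILE, APPDATA etc.
    ; are SYSTEM's, which is the "runs without a profile" symptom. Building the
    ; block from the user's token with CreateEnvironmentBlock gives the child
    ; the user's variables. CREATE_UNICODE_ENVIRONMENT is mandatory because that
    ; block is wide-char.
    Local Const $tagSTARTUPINFO = "dword cb;ptr lpReserved;ptr lpDesktop;ptr lpTitle;dword dwX;dword dwY;dword dwXSize;dword dwYSize;" & _
            "dword dwXCountChars;dword dwYCountChars;dword dwFillAttribute;dword dwFlags;ushort wShowWindow;" & _
            "ushort cbReserved2;ptr lpReserved2;ptr hStdInput;ptr hStdOutput;ptr hStdError"
    Local Const $tagPROCESSINFO = "ptr hProcess;ptr hThread;dword dwProcessId;dword dwThreadId"
    Local Const $CREATE_UNICODE_ENVIRONMENT = 0x00000400

    Local $hToken = $ProcessToken
    If Not $hToken Then Return SetError(1, 0, 0)

    ; STARTUPINFO: cb must hold the structure size; lpDesktop is a pointer, so
    ; the desktop name lives in its own buffer that stays alive until the call
    ; returns. Wide string because the W entry point is used.
    Local $tDesktop = DllStructCreate("wchar[16]")
    DllStructSetData($tDesktop, 1, "winsta0\default")
    Local $si = DllStructCreate($tagSTARTUPINFO)
    DllStructSetData($si, "cb", DllStructGetSize($si))
    DllStructSetData($si, "lpDesktop", DllStructGetPtr($tDesktop))
    Local $pi = DllStructCreate($tagPROCESSINFO)

    ; User environment block from the token (userenv.dll). Best effort: if it
    ; cannot be built, fall back to inheriting the caller's environment as the
    ; original did.
    Local $pEnv = 0
    Local $aEnv = DllCall("userenv.dll", "bool", "CreateEnvironmentBlock", "ptr*", 0, "handle", $hToken, "bool", False)
    If Not @error And $aEnv[0] Then $pEnv = $aEnv[1]
    Local $iFlags = $dwCreationFlags
    If $pEnv Then $iFlags = BitOR($iFlags, $CREATE_UNICODE_ENVIRONMENT)

    ; "wstr" hands over a writable UTF-16 buffer, which CreateProcessW may modify.
    Local $aRet = DllCall("advapi32.dll", "bool", "CreateProcessAsUserW", _
            "handle", $hToken, _
            "ptr", 0, _ ; lpApplicationName: the executable is taken from the command line
            "wstr", $CustomProcess, _
            "ptr", DllStructGetPtr($lpProcessAttributes), _
            "ptr", DllStructGetPtr($lpThreadAttributes), _
            "bool", $bInheritHandles, _
            "dword", $iFlags, _
            "ptr", $pEnv, _ ; lpEnvironment: the user's block, or 0 to inherit
            "ptr", 0, _ ; lpCurrentDirectory: inherit
            "ptr", DllStructGetPtr($si), _
            "ptr", DllStructGetPtr($pi))
    Local $iErr = @error
    Local $iLastErr = _WinAPI_GetLastError()

    If $pEnv Then DllCall("userenv.dll", "bool", "DestroyEnvironmentBlock", "ptr", $pEnv)

    If $iErr Or Not $aRet[0] Then Return SetError(2, $iLastErr, 0)

    ; We never wait on the child, so release its handles right away.
    Local $iPid = DllStructGetData($pi, "dwProcessId")
    _WinAPI_CloseHandle(DllStructGetData($pi, "hProcess"))
    _WinAPI_CloseHandle(DllStructGetData($pi, "hThread"))
    Return $iPid
EndFunc   ;==>LaunchProcessAsUser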


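Func _WinAPI_OpenProcessToken($pHandle, $iAccess)
    ; Opens the access token of the process behind $pHandle with the access
    ; mask $iAccess and returns the token handle. On failure returns 0 with
    ; @error = 1 and @extended = GetLastError(). The caller must close the
    ; returned handle. "handle"/"handle*" (instead of "hwnd"/"int*") keep the
    ; handle and the out parameter pointer-sized on x64 builds.
    Local $aResult = DllCall("advapi32.dll", "bool", "OpenProcessToken", "handle", $pHandle, "dword", $iAccess, "handle*", 0)
    If @error Then Return SetError(1, 0, 0)
    If Not $aResult[0] Then Return SetError(1, _WinAPI_GetLastError(), 0)
    Return $aResult[3]
EndFunc   ;==>_WinAPI_OpenProcessToken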

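Func _WinAPI_ImpersonateLoggedOnUser($hToken)
    ; Makes the calling thread impersonate the user of $hToken. Returns True on
    ; success, False with @error set and @extended = GetLastError() otherwise.
    ; Undo with RevertToSelf. "handle" instead of "hwnd" keeps the token handle
    ; pointer-sized on x64 builds.
    Local $aResult = DllCall("advapi32.dll", "bool", "ImpersonateLoggedOnUser", "handle", $hToken)
    If @error Then Return SetError(@error, @extended, False)
    If Not $aResult[0] Then Return SetError(1, _WinAPI_GetLastError(), False)
    Return True
EndFunc   ;==>_WinAPI_ImpersonateLoggedOnUser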