WATERSTORMms

Problem with _Security_OpenProcessToken as systemuser


#1 ·  Posted (edited)

Hello Community,

I have the following script:

#include <ProcessConstants.au3>
#include <StructureConstants.au3>
#include <SecurityConstants.au3>
#include <Security.au3>
#include <WinAPI.au3>

ConsoleWrite(_runAsUser("C:\myfolder\test\application.exe", "C:\myfolder\test") & @CRLF)

Func _runAsUser($sCommandLine = "", $sProcessDir = "")
    Local $tSTARTUPINFO = DllStructCreate($tagSTARTUPINFO)
    Local $tPROCESS_INFORMATION = DllStructCreate($tagPROCESS_INFORMATION)
    ; STARTUPINFO.cb has to hold the structure size before the struct is passed to CreateProcessWithToken
    DllStructSetData($tSTARTUPINFO, "Size", DllStructGetSize($tSTARTUPINFO))

    ; Borrow the token of the interactive user's shell
    Local $hProcess = _WinAPI_OpenProcess($PROCESS_ALL_ACCESS, 0, ProcessExists("explorer.exe"))

    If $hProcess Then
        Local $hTokOriginal = _Security__OpenProcessToken($hProcess, $TOKEN_ALL_ACCESS)

        _WinAPI_CloseHandle($hProcess)
        If $hTokOriginal Then
            ; Duplicate into a new primary token owned by this process; CreateProcessWithToken requires a primary token
            Local $hTokDuplicate = _Security__DuplicateTokenEx($hTokOriginal, $TOKEN_ALL_ACCESS, $SECURITYIMPERSONATION, $TOKENPRIMARY)

            _WinAPI_CloseHandle($hTokOriginal)

            If $hTokDuplicate Then
                Local $bCreated = _Security__CreateProcessWithToken($hTokDuplicate, 0, $sCommandLine, 0, $sProcessDir, $tSTARTUPINFO, $tPROCESS_INFORMATION)

                _WinAPI_CloseHandle($hTokDuplicate)
                If $bCreated Then
                    _WinAPI_CloseHandle(DllStructGetData($tPROCESS_INFORMATION, "hProcess"))
                    _WinAPI_CloseHandle(DllStructGetData($tPROCESS_INFORMATION, "hThread"))
                    Return DllStructGetData($tPROCESS_INFORMATION, "ProcessID")
                EndIf
            EndIf
        EndIf
    EndIf
    ; Some step failed: return 0 with @error set instead of an empty value
    Return SetError(1, 0, 0)
EndFunc

The script works well. I can compile an EXE and run it with other credentials, but the script is running under the logged-in user. And that's all I want.

BUT:

If I run the same function as the SYSTEM user, respectively as a service (with url='), the function returns a PID, though the process doesn't exist after half a second.

I tried it directly with "DllCall" too:

; lpEnvironment: NULL inherits the caller's environment block; a string literal is not a valid pointer here
Local $aCall = DllCall("advapi32.dll", "bool", "CreateProcessWithTokenW", "handle", $hTokDuplicate, "dword", 0, "ptr", 0, "wstr", $sCommandLine, "dword", 0, "ptr", 0, "wstr", $sDir, "struct*", $tSTARTUPINFO, "struct*", $tPROCESS_INFORMATION)
If @error Or Not $aCall[0] Then ConsoleWrite("CreateProcessWithTokenW failed, GetLastError = " & _WinAPI_GetLastError() & @CRLF)

Same result.

I hope you can help me.

Regards

WATERSTORMms

Edited by WATERSTORMms
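Added example (not part of the original post and not code from the AutoIt UDFs): the same token chain, written so that it reports what actually happened instead of only returning a PID. Each failing step is printed with the Win32 error code captured right after the call, and after CreateProcessWithToken succeeds the child is watched for a short time so an immediate exit is reported together with its exit code. The paths in $g_sApp and $g_sDir are constructed placeholders, _runAsUserDiag and _Fail are names chosen here, and the narrowed access masks (PROCESS_QUERY_INFORMATION on the process, TOKEN_QUERY/TOKEN_DUPLICATE/TOKEN_ASSIGN_PRIMARY on the token) are a least-privilege choice made for this example; the post itself uses the ALL_ACCESS masks.

```autoit
#include <ProcessConstants.au3>
#include <StructureConstants.au3>
#include <SecurityConstants.au3>
#include <Security.au3>
#include <WinAPI.au3>

; Constructed placeholders: replace with the real application and its working directory
Global Const $g_sApp = "C:\path\to\application.exe"
Global Const $g_sDir = "C:\path\to"

_runAsUserDiag($g_sApp, $g_sDir)

; Same token chain as in the post, with two additions:
;  1. every failing step is reported together with the Win32 error code
;  2. after CreateProcessWithToken succeeds the child is watched for $iWatchMs,
;     so a process that dies immediately is reported with its exit code
;     instead of a PID that is already gone being returned silently
Func _runAsUserDiag($sCommandLine, $sProcessDir, $iWatchMs = 2000)
    Local $tSTARTUPINFO = DllStructCreate($tagSTARTUPINFO)
    Local $tPROCESS_INFORMATION = DllStructCreate($tagPROCESS_INFORMATION)
    ; STARTUPINFO.cb must contain the structure size
    DllStructSetData($tSTARTUPINFO, "Size", DllStructGetSize($tSTARTUPINFO))

    Local $iShellPid = ProcessExists("explorer.exe")
    If Not $iShellPid Then
        ConsoleWrite("no explorer.exe found, so there is no interactive user token to borrow" & @CRLF)
        Return SetError(1, 0, 0)
    EndIf

    ; Least privilege: OpenProcessToken only needs PROCESS_QUERY_INFORMATION on the process
    Local $hProcess = _WinAPI_OpenProcess($PROCESS_QUERY_INFORMATION, 0, $iShellPid)
    If Not $hProcess Then Return _Fail("OpenProcess", _WinAPI_GetLastError())

    Local $hTokOriginal = _Security__OpenProcessToken($hProcess, BitOR($TOKEN_QUERY, $TOKEN_DUPLICATE))
    Local $iErr = _WinAPI_GetLastError() ; capture before CloseHandle overwrites it
    _WinAPI_CloseHandle($hProcess)
    If Not $hTokOriginal Then Return _Fail("OpenProcessToken", $iErr)

    ; CreateProcessWithToken needs a primary token with QUERY, DUPLICATE and ASSIGN_PRIMARY rights
    Local $hTokDuplicate = _Security__DuplicateTokenEx($hTokOriginal, _
            BitOR($TOKEN_QUERY, $TOKEN_DUPLICATE, $TOKEN_ASSIGN_PRIMARY), $SECURITYIMPERSONATION, $TOKENPRIMARY)
    $iErr = _WinAPI_GetLastError()
    _WinAPI_CloseHandle($hTokOriginal)
    If Not $hTokDuplicate Then Return _Fail("DuplicateTokenEx", $iErr)

    Local $bCreated = _Security__CreateProcessWithToken($hTokDuplicate, 0, $sCommandLine, 0, $sProcessDir, $tSTARTUPINFO, $tPROCESS_INFORMATION)
    $iErr = _WinAPI_GetLastError()
    _WinAPI_CloseHandle($hTokDuplicate)
    If Not $bCreated Then Return _Fail("CreateProcessWithToken", $iErr)

    Local $hChild = DllStructGetData($tPROCESS_INFORMATION, "hProcess")
    Local $iChildPid = DllStructGetData($tPROCESS_INFORMATION, "ProcessID")
    _WinAPI_CloseHandle(DllStructGetData($tPROCESS_INFORMATION, "hThread"))

    ; WaitForSingleObject returns 0x102 (WAIT_TIMEOUT) while the child is still alive
    ; and 0 (WAIT_OBJECT_0) once it has exited
    Local $aWait = DllCall("kernel32.dll", "dword", "WaitForSingleObject", "handle", $hChild, "dword", $iWatchMs)
    If @error Then Return _Fail("WaitForSingleObject", _WinAPI_GetLastError())
    If $aWait[0] = 0x102 Then
        ConsoleWrite("PID " & $iChildPid & " still running after " & $iWatchMs & " ms" & @CRLF)
    ElseIf $aWait[0] = 0 Then
        Local $aCode = DllCall("kernel32.dll", "bool", "GetExitCodeProcess", "handle", $hChild, "dword*", 0)
        If @error Then Return _Fail("GetExitCodeProcess", _WinAPI_GetLastError())
        ; A code in the 0xC0000000 range is an NTSTATUS, i.e. the child crashed instead of returning normally
        ConsoleWrite("PID " & $iChildPid & " exited within " & $iWatchMs & " ms, exit code 0x" & Hex($aCode[2], 8) & @CRLF)
    EndIf
    _WinAPI_CloseHandle($hChild)
    Return $iChildPid
EndFunc

; Report the failing step with the Win32 error code captured right after the call, then return 0
Func _Fail($sStep, $iErr)
    ConsoleWrite($sStep & " failed, GetLastError = " & $iErr & @CRLF)
    Return SetError(1, $iErr, 0)
EndFunc
```

Run it once interactively and once under the service account and compare the two outputs: a step that fails only under SYSTEM shows up with its error code, and a child that "returns a PID but is gone after half a second" shows up as an early exit with its exit code, which tells you whether the application crashed (an NTSTATUS-looking value) or terminated on its own.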
