Run As Local Service

[LarryDalooza]

I don't really have a question or a need... but I would like to give the unchallenged something to focus on. This seems a good place for it because most of the other forum categories tend to be cesspools of unfiltered thoughts.

I have this little bit of code that I use to test launching processes as "Local Service" context...

$process = @scriptdir & "setup.exe"

$process = FileGetShortName($process)

RunWait("sc create testsvc binpath= ""cmd /K start " & $process & """ type= own","",@SW_HIDE) ; sometimes type= interact

RunWait("sc start testsvc","",@SW_HIDE)

RunWait("sc delete testsvc","",@SW_HIDE)

I would like a function using LogonUser API or some other API to launch a process as "Local Network", "Local Service", or "Local System"...

I hope that keeps someone busy who is otherwise unemployed.

Lar.

[Valik]

Larry, I'm pretty sure you can't. The trick you are using (which doesn't work on Vista, at least for me) is how I run a process as SYSTEM. I did some looking around when I was working on RunAs()/RunAsWait() and the only way I found to run as any of the system accounts was to do exactly what you are doing.

There's some problems. First, even if you could use LogonUser() to get a token to one of the system accounts, you couldn't use it. CreateProcessAsUser() requires more privileges than the Administrator's group has (by default). In order to use CreateProcessAsUser() you have to already be a system account.

The second problem, the system accounts either don't have a password or the system just treats those accounts differently and won't let you log on to them. The net result in either case is that you can't get the token you would need to create a process.

[LarryDalooza]

Thanks for the thought cycles... I am curious now about the Vista thing ... I have a Vista project that would require me to test processes as "SYSTEM" ... maybe using PSEXEC to push local...

Lar.

[Paulchen]

under Vista, I use psexec -s cmd.exe to run some scripts under System Accounts

[evilertoaster]

Something about it here-

http://www.codeproject.com/KB/vista-securi...taSessions.aspx

I'd assume you could do the same idea on 'Local Network' and other accounts so long as you have a proccess to copy the token from...

[Valik]

The general idea of that article is, you write the service, install it once with fully elevated administrator rights (You go through a UAC prompt) and then from there, any non-elevated process can send a message to the service to start a process. That's the Secondary Logon Service in a nut-shell. Obviously a custom service can do more or less than the Secondary Logon Service. However, the core problem remains: You must install a service. I gather from Larry's original post that he doesn't want to install a service to do this.

The RunAs command line program forwards information to the Secondary Logon Service. So does the Windows API function CreateProcessWithLogonW(). Psexec installs a service, runs the program and removes the service. No matter how you go about it, somewhere along the line, a service is going to be involved.

[tonedeaf]

Larry,

If you don't want to install a service (using sc or psexec), how about using an existing service of windows to launch your process under SYSTEM account?

The Schedule service exists in all windows versions and runs a process under SYSTEM account.

Use the command line interface (AT.EXE) of Schedule service to run a process interactively or in background with SYSTEM priviledges.

Just schedule a command to run one-minute ahead of the current time (in 24-hr format) eg.

AT 17:10 /interactive "NOTEPAD.EXE"

and the process gets launched at the scheduled time with SYSTEM priviledges.

Surprisingly, I've seen many 2000/XP system guest accounts having access to the AT command.

[SlimShady]

Be sure the Scehduler service is enabled&started.

[daslick]

If running windows Vista, in order to start the service as interactive you will need to use schtasks.exe