cypher175

How to check if a process is running as User or System..?

14 posts in this topic

Is there any Code/Function to check if a specific process is running under User or System Privileges..??




#2 ·  Posted (edited)

Is there any Code/Function to check if a specific process is running under User or System Privileges..??

You can try a WMI query. I believe the container you are interested in is Win32_Process, and you'll need to call the getuser() getowner() method. This example can be tailored to your needs.

_ProcessRetrieve()

; Lists every process on $host with the user name returned by Win32_Process.GetOwner
Func _ProcessRetrieve($host = @ComputerName, $usr = 0)
    Local $objWMIService = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $host & "\root\cimv2")
    If Not IsObj($objWMIService) Then Return 0 ; WMI not reachable or access denied

    Local $colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_Process")
    For $objItem In $colItems
        ; GetOwner fills its ByRef out-parameter; reset it first so a process whose
        ; owner cannot be read (e.g. System, PID 4) does not show the previous value
        $usr = ""
        $objItem.GetOwner($usr)
        ConsoleWrite($objItem.Name & ":" & $objItem.ProcessId & @TAB)
        ConsoleWrite($usr & @CRLF)
    Next

    Return 1
EndFunc
Edited by spudw2k

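The same WMI route, tailored to the original question as an added example (not code from this thread): it queries only the processes with a given name, reads both out-parameters of GetOwner plus GetOwnerSid, and classifies the owner as a built-in service account or an ordinary user by well-known SID. Function names and the `$sHost` parameter are this example's own.

```autoit
; Added example, not from the thread: owner and system/user verdict per matching process
Local $aHits = _ProcessOwnersByName("explorer.exe")
If @error Then
    ConsoleWrite("no match or WMI unavailable (@error=" & @error & ")" & @CRLF)
Else
    For $i = 0 To UBound($aHits) - 1
        ConsoleWrite($aHits[$i][0] & " pid " & $aHits[$i][1] & " -> " & $aHits[$i][2] & " [" & $aHits[$i][3] & "]" & @CRLF)
    Next
EndIf

; Rows of [name, pid, "DOMAIN\user", class]; class is "system" for SYSTEM, LOCAL SERVICE,
; NETWORK SERVICE and per-service (S-1-5-80-*) SIDs, "user" otherwise, and "unknown"
; when GetOwner is denied (e.g. a protected process). @error 1 = no such process, 2 = no WMI.
Func _ProcessOwnersByName($sName, $sHost = ".")
    Local $oWMI = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $sHost & "\root\cimv2")
    If Not IsObj($oWMI) Then Return SetError(2, 0, 0)
    ; WQL literals are single-quoted; escape quotes so a crafted name cannot alter the query
    $sName = StringReplace($sName, "'", "\'")
    Local $oProcs = $oWMI.ExecQuery("SELECT * FROM Win32_Process WHERE Name = '" & $sName & "'")
    If Not IsObj($oProcs) Or $oProcs.Count = 0 Then Return SetError(1, 0, 0)
    Local $aOut[$oProcs.Count][4], $i = 0
    For $oProc In $oProcs
        Local $sUser = "", $sDomain = "", $sSid = ""
        $aOut[$i][0] = $oProc.Name
        $aOut[$i][1] = $oProc.ProcessId
        ; both methods fill their ByRef out-parameters and return 0 on success
        If $oProc.GetOwner($sUser, $sDomain) = 0 And $oProc.GetOwnerSid($sSid) = 0 Then
            $aOut[$i][2] = $sDomain & "\" & $sUser
            $aOut[$i][3] = _ClassifyOwnerSid($sSid)
        Else
            $aOut[$i][2] = "?"
            $aOut[$i][3] = "unknown"
        EndIf
        $i += 1
    Next
    Return $aOut
EndFunc

Func _ClassifyOwnerSid($sSid)
    Switch $sSid
        Case "S-1-5-18", "S-1-5-19", "S-1-5-20" ; SYSTEM, LOCAL SERVICE, NETWORK SERVICE
            Return "system"
    EndSwitch
    If StringLeft($sSid, 9) = "S-1-5-80-" Then Return "system" ; virtual service account
    Return "user"
EndFunc
```

Run it from a non-elevated session and GetOwner is denied on some system processes, which is why those rows come back as "unknown" rather than being silently mislabelled.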

Alternatively try:

OpenProcessToken

GetTokenInformation

LookupAccountSid

All in Advapi32.dll I think (being lazy and not checking).

WBD


Alternatively try:

OpenProcessToken

GetTokenInformation

LookupAccountSid

All in Advapi32.dll I think (being lazy and not checking).

WBD

Are those AutoIt UDFs or something else? How would I use those functions that you listed?


#5 ·  Posted (edited)

using DllCall

Edit:

I took some time to dig into how those functions work, and found that all of the functions needed are actually included as UDFs in AutoIt:

#include <Security.au3>
#include <SecurityConstants.au3> ; $TOKENOWNER and the token access-right constants
#include <WinAPI.au3>            ; _WinAPI_OpenProcess / _WinAPI_CloseHandle
#include <Constants.au3>

ConsoleWrite("Process explorer.exe is running under user: " & _ProcessGetOwner("explorer.exe") & @LF)

; Returns the account name of the owner SID on the process token; @extended holds the SID_NAME_USE type
Func _ProcessGetOwner($ivPID)
    $ivPID = ProcessExists($ivPID) ; accepts a name or a PID and returns the PID, 0 if not running
    If Not $ivPID Then Return SetError(1, 0, 0)
    Local Const $TOKEN_READ = 0x00020000 + 0x0008 ; STANDARD_RIGHTS_READ + TOKEN_QUERY
    Local $hvProcess = _WinAPI_OpenProcess($PROCESS_QUERY_INFORMATION, False, $ivPID, False)
    If Not $hvProcess Then Return SetError(2, 0, "") ; access denied (another user's or a protected process)
    Local $hvToken = _Security__OpenProcessToken($hvProcess, $TOKEN_READ)
    If Not $hvToken Then
        _WinAPI_CloseHandle($hvProcess)
        Return SetError(3, 0, "")
    EndIf
    Local $bvSID = _Security__GetTokenInformation($hvToken, $TOKENOWNER) ; TOKEN_OWNER { PSID Owner }
    Local $ivErr = @error
    _WinAPI_CloseHandle($hvToken)
    _WinAPI_CloseHandle($hvProcess)
    If $ivErr Then Return SetError(4, 0, "")
    ; the first field is a pointer to the SID; "ptr" (not "ulong") keeps this correct in 64-bit AutoIt
    Local $avRet = DllStructCreate("ptr", DllStructGetPtr($bvSID))
    $avRet = _Security__SidToStringSid(DllStructGetData($avRet, 1))
    $avRet = _Security__LookupAccountSid($avRet) ; [0] = account, [1] = domain, [2] = SID_NAME_USE
    If Not IsArray($avRet) Then Return SetError(1, 0, "")
    Return SetError(0, $avRet[2], $avRet[0])
EndFunc
Edited by FreeFry

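One caveat on the token route, shown as an added example rather than code from this thread: TokenOwner (class 4) is the default owner SID stamped on objects the process creates, whereas TokenUser (class 1) is the account the process actually runs as, which is what "user or System" asks about. The example below queries TokenUser, opens the process with PROCESS_QUERY_LIMITED_INFORMATION so elevated and protected processes can still be inspected, and releases both handles on every path. The function name and the error-code numbering are this example's own.

```autoit
#include <Security.au3>
#include <SecurityConstants.au3>
#include <WinAPI.au3>

; Added example, not from the thread: classify a process by the TokenUser SID of its
; token (the account it runs as) instead of TokenOwner. Function name and error codes
; are this example's own choices.
Local $aInfo = _ProcessRunsAs("explorer.exe")
If @error Then
    ConsoleWrite("lookup failed: stage " & @error & ", Win32 error " & @extended & @CRLF)
Else
    ConsoleWrite($aInfo[0] & " " & $aInfo[1] & " -> " & ($aInfo[2] ? "system account" : "user account") & @CRLF)
EndIf

; Returns ["DOMAIN\user", "S-1-5-...", True if a built-in service account].
; @error 1 = no such process, 2 = OpenProcess denied, 3 = token query failed,
; 4 = SID lookup failed; @extended carries GetLastError where one is available.
Func _ProcessRunsAs($vProcess)
    Local $iPid = ProcessExists($vProcess) ; name (first match only) or PID
    If Not $iPid Then Return SetError(1, 0, 0)
    ; PROCESS_QUERY_LIMITED_INFORMATION (0x1000, Vista and later) is granted on
    ; elevated and protected processes that refuse PROCESS_QUERY_INFORMATION
    Local $hProc = _WinAPI_OpenProcess(0x1000, False, $iPid)
    If Not $hProc Then Return SetError(2, _WinAPI_GetLastError(), 0)
    Local $hTok = _Security__OpenProcessToken($hProc, $TOKEN_QUERY)
    If Not $hTok Then
        Local $iErr = _WinAPI_GetLastError()
        _WinAPI_CloseHandle($hProc)
        Return SetError(3, $iErr, 0)
    EndIf
    Local $tInfo = _Security__GetTokenInformation($hTok, $TOKENUSER)
    Local $iQueryErr = @error
    _WinAPI_CloseHandle($hTok)
    _WinAPI_CloseHandle($hProc)
    If $iQueryErr Then Return SetError(3, 0, 0)
    ; TOKEN_USER starts with SID_AND_ATTRIBUTES { PSID Sid; DWORD Attributes };
    ; "ptr" keeps the layout right in 64-bit AutoIt
    Local $tUser = DllStructCreate("ptr Sid; dword Attributes", DllStructGetPtr($tInfo))
    Local $sSid = _Security__SidToStringSid(DllStructGetData($tUser, "Sid"))
    Local $aAcct = _Security__LookupAccountSid($sSid) ; [0] account, [1] domain, [2] SID_NAME_USE
    If @error Or Not IsArray($aAcct) Then Return SetError(4, 0, 0)
    ; S-1-5-18/19/20 are SYSTEM, LOCAL SERVICE, NETWORK SERVICE; S-1-5-80-* are per-service accounts
    Local $bSystem = ($sSid = "S-1-5-18" Or $sSid = "S-1-5-19" Or $sSid = "S-1-5-20" Or StringLeft($sSid, 9) = "S-1-5-80-")
    Local $aRet[3] = [$aAcct[1] & "\" & $aAcct[0], $sSid, $bSystem]
    Return $aRet
EndFunc
```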

Would there be any way, using those same or other functions, to check the CPU % usage of a specified process?


Where is this processlistproperties UDF? I can't seem to locate it in the AutoIt install directory.


using DllCall

Edit:

I took some time to dig into how those functions work, and found that all of the functions needed are actually included as UDFs in AutoIt:

#include <Security.au3>
#include <Constants.au3>

ConsoleWrite("Process explorer.exe is running under user: " & _ProcessGetOwner("explorer.exe") & @LF)


Func _ProcessGetOwner($ivPID)
    $ivPID = ProcessExists($ivPID)
    If Not $ivPID Then Return(SetError(1, 0, 0))
    Local Const $TOKEN_READ = 0x00020000+0x0008; STANDARD_RIGHTS_READ+TOKEN_QUERY
    Local $hvProcess = _WinAPI_OpenProcess($PROCESS_QUERY_INFORMATION, False, $ivPID, False)
    Local $hvToken = _Security__OpenProcessToken($hvProcess, $TOKEN_READ)
    Local $bvSID = _Security__GetTokenInformation($hvToken, $TOKENOWNER)
    Local $avRet = DllStructCreate("ulong", DllStructGetPtr($bvSID))
    $avRet = _Security__SidToStringSid(DllStructGetData($avRet, 1))
    $avRet = _Security__LookupAccountSid($avRet)
    _WinAPI_CloseHandle($hvProcess)
    _WinAPI_CloseHandle($hvToken)
    If Not IsArray($avRet) Then Return(SetError(1, 0, ""))
    Return(SetError(0, $avRet[2], $avRet[0]))
EndFunc
Hi FreeFry,

What value does $TOKENOWNER have? I looked at MSDN. Is it 1?

greetz

Sundance


Ah, thx !


Ah, thx !

Lol

After 6 months I had not written down your answer, and I can't see your post here .. :-)

What was the value of $TOKENOWNER again?

thx

Sundance


Lol

After 6 months I had not written down your answer, and I can't see your post here .. :-)

What was the value of $TOKENOWNER again?

thx

Sundance

Hello,

the value is known to the AutoIt script, so it must be defined somewhere. Probably in the includes, because it's not in the main script.

With this information, we go to: C:\Program Files\AutoIt3\Include\SecurityConstants.au3 (it was not in Security.au3)

We find this value:

Global Const $TOKENOWNER = 4

Your answer is 4. You could have seen it all by yourself, very easily.


#14 ·  Posted (edited)

Hello,

the value is known to the AutoIt script, so it must be defined somewhere. Probably in the includes, because it's not in the main script.

With this information, we go to: C:\Program Files\AutoIt3\Include\SecurityConstants.au3 (it was not in Security.au3)

We find this value:

Global Const $TOKENOWNER = 4

Your answer is 4. You could have seen it all by yourself, very easily.

Thx Manadar,

I looked at Security.au3 and wondered where it could be defined. You are right, I should have asked myself why AutoIt knows about $TokenOwner....

Thx for your quick reply

Sundance

Edited by Sundance

