Jump to content

Problem with _Security_OpenProcessToken as systemuser

WATERSTORMms
 Share

Recommended Posts

WATERSTORMms Seeker

WATERSTORMms

Posted
Posted (edited)

Hallo Community,

I have the following Script:

#include <ProcessConstants.au3>
#include <StructureConstants.au3>
#include <SecurityConstants.au3>
#include <Security.au3>
#include <WinAPI.au3>

ConsoleWrite(_runAsUser("C:myfoldertestapplication.exe", "C:myfoldertest" & @CRLF)

Func _runAsUser($sCommandLine = "", $sProcessDir = "")
Local $tSTARTUPINFO = DllStructCreate($tagSTARTUPINFO)
Local $tPROCESS_INFORMATION = DllStructCreate($tagPROCESS_INFORMATION)

Local $hProcess = _WinAPI_OpenProcess($PROCESS_ALL_ACCESS, 0, ProcessExists("explorer.exe"))

If $hProcess Then
     Local $hTokOriginal = _Security__OpenProcessToken($hProcess, $TOKEN_ALL_ACCESS)

     _WinAPI_CloseHandle($hProcess)
     If $hTokOriginal Then
         Local $hTokDuplicate = _Security__DuplicateTokenEx($hTokOriginal, $TOKEN_ALL_ACCESS, $SECURITYIMPERSONATION, $TOKENPRIMARY)

         _WinAPI_CloseHandle($hTokOriginal)

         If $hTokDuplicate Then
             _Security__CreateProcessWithToken($hTokDuplicate, 0, $sCommandLine, 0, $sProcessDir, $tSTARTUPINFO, $tPROCESS_INFORMATION)

             _WinAPI_CloseHandle($hTokDuplicate)
             _WinAPI_CloseHandle(DllStructGetData($tPROCESS_INFORMATION, "hProcess"))
             _WinAPI_CloseHandle(DllStructGetData($tPROCESS_INFORMATION, "hThread"))
             Return DllStructGetData($tPROCESS_INFORMATION, "ProcessID")
         EndIf
     EndIf
EndIf
EndFunc

The Script works well. I can compile an EXE and run it with other credentials, but the script is running under the logged in user. And that's all what i want.

BUT:

If i run the same function as SYSTEM user, respectively as Service (with url='), the Function returns a PID though the process doesn't exist after half a second.

I tried it directly with "DllCall" too:

DllCall("advapi32.dll", "bool", "CreateProcessWithTokenW", "handle", $hTokDuplicate, "dword", 0, "ptr", 0, "wstr", $sCommandLine, "dword", 0, "ptr", "username_ohne_domain", "wstr", $sDir, "struct*", $tSTARTUPINFO, "struct*", $tPROCESS_INFORMATION)

Same result.

I hope you can help me.

Regards

WATERSTORMms

Edited by WATERSTORMms

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...