Is it a bird? Is it a plane? No! It's SuperUser
-
I've been wrestling with this one for four days now. Time to ask the experts...
I'm trying to run an application as Administrator... My app is supposed to have the functionality of Linux' SU...
I'm trying to do this with CreateProcessAsUser, which spits out error 1314, meaning something like "missing client privilege."
I believe those privileges refer to those of the calling process, which is lacking the SE_ASSIGNPRIMARYTOKEN_NAME privilege. When I try to assign that one, using a method that uses AdjustTokenPrivileges, that one spits out error 1300, "haven't assigned your privilege". Errors 1300 and 1314 are the only errors spit out.
Some other notes:
The assure method is a debug routine, it does not interfere anywhere...
That's not really my admin password, mine is thrice as long and quadruple complex
Besides SetPrivilege and CreateProcessAsUser no functions called return an error...
What's going wrong? What should I change? Comments, suggestions, questions and URLs are welcome...
BTW, I've got working SU code using the largely undocumented CreateProcessWithLogon function, but this one doesn't work in NT 4.0, which is where this code should work...
The code:
    STARTUPINFO *si = (STARTUPINFO *)allocm(sizeof(STARTUPINFO));
    PROCESS_INFORMATION *pi = (PROCESS_INFORMATION *)allocm(sizeof(PROCESS_INFORMATION));
    si->cb = sizeof(STARTUPINFO);

    LogonUser( "Administrator", ".", "09nnj!ty&56t", LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hToken );
    assure("LogonUser");
    OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hToken2);
    assure("OpenProcessToken");
    DuplicateTokenEx( hToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hToken3 );
    assure("DuplicateToken");
    ImpersonateLoggedOnUser(hToken3);
    assure("ImpersonateLoggedOnUser");
    SetPrivilege(hToken2,SE_INCREASE_QUOTA_NAME,true);
    assure(SE_INCREASE_QUOTA_NAME);
    SetPrivilege(hToken2,SE_ASSIGNPRIMARYTOKEN_NAME,true);
    assure(SE_ASSIGNPRIMARYTOKEN_NAME);
    CreateProcessAsUser( hToken3, NULL, "Taskmgr", NULL, NULL, 0, CREATE_DEFAULT_ERROR_MODE | NORMAL_PRIORITY_CLASS, NULL, NULL, si, pi );
    assure("CreateProcessAsUser");
Regards, Georg Haan (.NL)
-
This is quite fuzzy in my memory now, but I remember reading somewhere about some kind of restrictions on Administrator accounts: IIRC, all the impersonation features by default are restricted to LocalSystem account, meaning to be used on services.
My latest articles: XOR tricks for RAID data protection Win32 process suspend/resume tool
-
The RCMD sample from the SDK shows how to do it:
    //
    // obtain the impersonation token from the current thread
    //
    if(!OpenThreadToken(
            GetCurrentThread(),
            TOKEN_DUPLICATE,
            TRUE,
            &hImpersonationToken
            )) {
        DisplayLastError("OpenThreadToken");
        goto cleanup;
    }

    //
    // duplicate the impersonation token to primary
    // since we are impersonating the client, the token will get the
    // default Dacl of the client
    //
    if(!DuplicateTokenEx(
            hImpersonationToken,
            TOKEN_IMPERSONATE | TOKEN_READ | TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE,
            NULL,
            SecurityImpersonation,
            TokenPrimary,
            &hPrimaryToken
            )) {
        DisplayLastError("DuplicateTokenEx");
        goto cleanup;
    }

    RevertToSelf();
    CloseHandle(hImpersonationToken);

    if(!CreateProcessAsUser(
            hPrimaryToken,
            NULL,
            COMMANDLINE,    // commandline to execute
            NULL,           // process sa
            NULL,           // thread sa
            TRUE,           // inherit handles?
            0,              // process creation flags (inherit existing console)
            NULL,           // environment
            NULL,           // current directory
            &si,            // startupinfo
            &pi             // processinfo
            )) {
        DisplayLastError("CreateProcessAsUser");
        goto cleanup;
    }
Take a look at the flags passed to DuplicateTokenEx() and OpenThreadToken();
...if you're under 8 or younger. Chris Maunder, the Lounge
-
Thanks for your comment, but there must be a way to use impersonation functions without upgrading to a (local) service? ImpersonateLoggedOnUser works fine by the way, and the RCMD example Mr. Saurwein refers to (see next message) doesn't upgrade itself to service neither...
Regards, Georg Haan (.NL)
-
Again, thanks for your comment too. I have tried the server.c you refer to already, it gives errors opening the thread token. A peculiar error that is, it says, "The specified token doesn't exist". The general problem can't be due to flags, because the ALL_ACCESS flag used symbolizes complete access including all possible flags. I use it to be sure I don't miss one...
Regards, Georg Haan (.NL)
-
Georg Haan wrote: I have tried the server.c you refer to already, it gives errors opening the thread token. A peculiar error that is, it says, "The specified token doesn't exist".
Which is pretty strange as the current thread's token just HAS to exist.
Georg Haan wrote: The general problem can't be due to flags, because the ALL_ACCESS flag used symbolizes complete access including all possible flags. I use it to be sure I don't miss one...
Exactly this may be a reason for failures. Sometimes functions may fail because you are requesting more than you are privileged to do. Always follow the principle of least privilege. Never ask for more than you need. If you open a file for reading for which you have only read privileges, requesting all access, the function will fail although you really would have access to read it. But, greedy as you are, you are asking for more.
...if you're under 8 or younger. Chris Maunder, the Lounge
-
Again, thanks for your quick response...
Andreas Saurwein wrote: Which is pretty strange as the current thread's token just HAS to exist.
Peculiar is another way of saying pretty strange... The peculiarity of the error is why I posted my message on CodeProject...
Andreas Saurwein wrote: Exactly this may be a reason for failures. Sometimes functions may fail because you are requesting more than you are privileged to do.
You are right. But the functions in which I request ALL_ACCESS do not generate an error, therefore I must be being granted full access... The trouble starts when some functions (CreateProcessAsUser, AdjustTokenPrivileges) imply I have too little access...
Andreas Saurwein wrote: But, greedy as you are, you are asking for more.
A friendly word of advice: Don't be too quick on judgements like that, nor too generous with such statements...
Regards, Georg Haan (.NL)
-
Georg Haan wrote: A friendly word of advice: Don't be too quick on judgements like that, nor too generous with such statements...
Sorry, I didn't mean this as an insult but rather jokingly on the ALL_ACCESS thing.
...if you're under 8 or younger. Chris Maunder, the Lounge
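A check for the precondition behind the 1300 / 1314 pair reported in the original post, added here as an example that is not part of the thread or of the RCMD sample: AdjustTokenPrivileges can only enable a privilege that is already present in the token, and reports error 1300 (ERROR_NOT_ALL_ASSIGNED) when it is not. The function name, the constructed sample rows and the English `whoami` column names are assumptions of this example.

```powershell
# Added example (not from the thread). Reports whether the two privileges the
# original post tries to enable are present in a token at all.
# Assumption: English whoami output with columns "Privilege Name" and "State".

function Get-PrivilegeReport {
    param(
        # CSV lines as produced by: whoami /priv /fo csv (default: the current token)
        [string[]]$PrivCsv = (whoami /priv /fo csv),
        [string[]]$Name = @('SeAssignPrimaryTokenPrivilege', 'SeIncreaseQuotaPrivilege')
    )

    # Index the privileges that are actually in the token by name.
    $held = @{}
    foreach ($row in ($PrivCsv | ConvertFrom-Csv)) {
        $held[$row.'Privilege Name'] = $row.State
    }

    foreach ($n in $Name) {
        if (-not $held.ContainsKey($n)) {
            # Not in the token: enabling it is impossible, which is the
            # 1300 (AdjustTokenPrivileges) / 1314 (CreateProcessAsUser) pattern.
            $state = 'NotHeld'
            $note  = 'cannot be enabled; expect 1300 and then 1314'
        }
        elseif ($held[$n] -eq 'Enabled') {
            $state = 'Enabled'
            $note  = 'already usable'
        }
        else {
            $state = 'Disabled'
            $note  = 'held; AdjustTokenPrivileges can enable it'
        }
        [pscustomobject]@{ Privilege = $n; State = $state; Note = $note }
    }
}

# Constructed sample: an administrator token that lacks SeAssignPrimaryTokenPrivilege.
$sample = @'
"Privilege Name","Description","State"
"SeIncreaseQuotaPrivilege","Adjust memory quotas for a process","Disabled"
"SeDebugPrivilege","Debug programs","Enabled"
'@ -split '\r?\n'

Get-PrivilegeReport -PrivCsv $sample | Format-Table -AutoSize

# Live check against the token of the current session:
# Get-PrivilegeReport | Format-Table -AutoSize
```

A privilege reported as NotHeld shows up only after the account has been granted the matching user right (for SeAssignPrimaryTokenPrivilege, "Replace a process level token") and has logged on again.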