
Launching process in non-elevated mode from an admin account using CreateProcessWithTokenW()

I followed Frank K.'s proposed solution for launching a normal user process from an elevated user process. I am, however, having some difficulties getting the proposed solution to work (Win 7 x64 Professional; the "normal user" process is launched from a domain account having administrative rights). The process creation code looks like this:

HANDLE hToken = NULL;
HANDLE hNewToken = NULL;
STARTUPINFOW StartupInfo = { sizeof(StartupInfo) };
PROCESS_INFORMATION ProcInfo = { 0 };
BOOL bRet = FALSE;

// getProcessHandle() is my own helper returning a handle to the running explorer.exe
HANDLE processHandle = getProcessHandle("explorer.exe");

if (OpenProcessToken(processHandle, MAXIMUM_ALLOWED, &hToken))
{
    // CreateProcessWithTokenW needs a primary token, so duplicate Explorer's token as one
    if (DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL,
        SecurityImpersonation, TokenPrimary, &hNewToken))
    {
        // The command line must be a writable buffer; copy it rather than casting away const
        std::wstring cmd = commandLine;
        bRet = CreateProcessWithTokenW(hNewToken,
            0,         // logon flags
            NULL,      // application name
            &cmd[0],   // command line (writable)
            0,         // creation flags
            NULL,      // environment - inherit from parent
            NULL,      // current directory
            &StartupInfo,
            &ProcInfo);
        ...
    }
}

Now the process gets created after the CreateProcessWithTokenW call, but my method for checking whether the process has administrative rights (see below) says the process has admin rights (as does Process Explorer, which lists in the process properties Security tab: Group: BUILTIN\Administrators --> Flags: Owner).

// Returns TRUE if the calling process's token is a member of BUILTIN\Administrators
BOOL hasAdministratorRights()
{
    SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
    PSID AdministratorsGroup = NULL;
    // Build the well-known SID S-1-5-32-544 (BUILTIN\Administrators)
    BOOL b = AllocateAndInitializeSid(
        &NtAuthority,
        2,
        SECURITY_BUILTIN_DOMAIN_RID,
        DOMAIN_ALIAS_RID_ADMINS,
        0, 0, 0, 0, 0, 0,
        &AdministratorsGroup);

    if (b)
    {
        // NULL token handle means "the token of the calling thread/process"
        if (!CheckTokenMembership(NULL, AdministratorsGroup, &b))
        {
            b = FALSE;
        }
        FreeSid(AdministratorsGroup);
    }
    return b;
}

Note: if I call hasAdministratorRights() above in a process/app started through the Windows runas command (with a given existing local "user" account), it returns false (so it confirms that the process has user rights only, which is what I was expecting). But it returns true when called in the process created with CreateProcessWithTokenW() above.

Any ideas what I might be doing wrong and why my user process will not get created correctly using CreateProcessWithTokenW?

In Frank K.'s proposed solution, are there differences in the behavior of CreateProcessWithTokenW() (and the other APIs) when calling them from a local admin account versus from a domain account with admin privileges?

Best regards, Marius

The problem was that UAC was disabled on the machine in question, so no split token was created and the Explorer process had full administrator privilege.

In principle, you could work around this using CreateRestrictedToken(), but if UAC is disabled you should probably assume that this was deliberate, which would usually make the default behaviour, i.e., giving the new process admin privilege, the most sensible choice.

If you need to confirm that the reason a particular token has administrative privilege is that UAC is disabled (including the case where the user is the local Administrator account), you can use GetTokenInformation() with the TokenLinkedToken option.
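The check the answer describes, written as an added PowerShell example (this is not code from the question or the answer). It P/Invokes GetTokenInformation() on the current process token with TokenElevationType and TokenLinkedToken, alongside the same BUILTIN\Administrators membership test the question's hasAdministratorRights() performs, so you can see whether "admin" means the full half of a UAC split token, the filtered half, or a plain non-split token as you get when UAC is disabled or the account is the built-in Administrator. The class name TokenNative, the function name Get-TokenElevationInfo and the field names in the returned object are my own; the constants are the documented Win32 values.

```powershell
# Added example, not code from the original question or answer.
$nativeSource = @"
using System;
using System.Runtime.InteropServices;

public static class TokenNative
{
    public const uint TOKEN_QUERY = 0x0008;
    // TOKEN_INFORMATION_CLASS values for GetTokenInformation()
    public const int TokenElevationType = 18;
    public const int TokenLinkedToken   = 19;

    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr processHandle, uint desiredAccess, out IntPtr tokenHandle);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr tokenHandle, int infoClass,
        IntPtr info, uint infoLength, out uint returnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@
if (-not ('TokenNative' -as [type])) { Add-Type -TypeDefinition $nativeSource }

function Get-TokenElevationInfo {
    $marshal = [Runtime.InteropServices.Marshal]
    $hToken = [IntPtr]::Zero
    if (-not [TokenNative]::OpenProcessToken([TokenNative]::GetCurrentProcess(),
            [TokenNative]::TOKEN_QUERY, [ref]$hToken)) {
        throw "OpenProcessToken failed with Win32 error $($marshal::GetLastWin32Error())"
    }

    # One pointer-sized buffer is enough for both queries (4-byte enum, one HANDLE)
    $buf = $marshal::AllocHGlobal([IntPtr]::Size)
    try {
        $returned = [uint32]0

        # TOKEN_ELEVATION_TYPE: 1 = Default (no split token), 2 = Full, 3 = Limited
        if (-not [TokenNative]::GetTokenInformation($hToken, [TokenNative]::TokenElevationType,
                $buf, 4, [ref]$returned)) {
            throw "GetTokenInformation(TokenElevationType) failed with Win32 error $($marshal::GetLastWin32Error())"
        }
        $elevationType = switch ($marshal::ReadInt32($buf)) {
            1 { 'Default' }   # UAC disabled, built-in Administrator, or a non-admin user
            2 { 'Full' }      # elevated half of a UAC split token
            3 { 'Limited' }   # filtered half of a UAC split token (the "normal user" process the question wants)
            default { 'Unknown' }
        }

        # TOKEN_LINKED_TOKEN holds a single HANDLE. The call fails when the token has no
        # linked counterpart, which is what you see when UAC is disabled.
        $linkedError = 0
        $hasLinked = [TokenNative]::GetTokenInformation($hToken, [TokenNative]::TokenLinkedToken,
            $buf, [IntPtr]::Size, [ref]$returned)
        if ($hasLinked) {
            [void][TokenNative]::CloseHandle($marshal::ReadIntPtr($buf))   # we only needed to know it exists
        } else {
            $linkedError = $marshal::GetLastWin32Error()
        }
    } finally {
        $marshal::FreeHGlobal($buf)
        [void][TokenNative]::CloseHandle($hToken)
    }

    # Same membership test as the question's hasAdministratorRights() (IsInRole uses CheckTokenMembership)
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $verdict = if ($elevationType -eq 'Limited') { 'Filtered UAC token: runs as a standard user' }
               elseif ($elevationType -eq 'Full') { 'Elevated half of a UAC split token' }
               elseif ($isAdmin) { 'Admin without a linked token: UAC disabled or built-in Administrator' }
               else { 'Standard user, no split token' }

    [pscustomobject]@{
        User             = $identity.Name
        ElevationType    = $elevationType
        HasLinkedToken   = $hasLinked
        LinkedTokenError = $linkedError
        IsAdminMember    = $isAdmin
        Verdict          = $verdict
    }
}

Get-TokenElevationInfo | Format-List
```

Run it once from a normal prompt and once from an elevated prompt on a machine with UAC on: the first reports Limited with a linked token, the second Full with a linked token. On a machine with UAC off (the situation in the answer) the same admin account reports Default, no linked token, and IsAdminMember true, which is exactly why the question's hasAdministratorRights() returned true for the process launched with Explorer's token.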
