If it's not still here on the first page, this is a link to the post explaining my current situation (wouldn't fit here): http://trackmyhack504.blogspot.com/2013/01/my-current-situation.html?m=0 System info basics are in some of the first few posts I made. And I apoligize, since most of this blog is posted via android I'm guessing there will plenty of typos (thumb typing is slow going).
Monday, March 25, 2013
USER AUTH pt 3
http://msdn.microsoft.com/en-us/library/bb545671(v=vs.85).aspx
Account Rights Constants
4 out of 8 rated this helpful - Rate this topicAccount rights determine the type of logon that a user account can perform. An administrator assigns account rights to user and group accounts. Each user's account rights include those granted to the user and to the groups to which the user belongs.A system administrator can use the Local Security Authority(LSA) functions to work with account rights. The LsaAddAccountRights and LsaRemoveAccountRightsfunctions add or remove account rights from an account. The LsaEnumerateAccountRights function enumerates the account rights held by a specified account. The LsaEnumerateAccountsWithUserRight function enumerates the accounts that hold a specified account right.The following account right constants are used to control the logon ability of an account. The LogonUser or LsaLogonUser functions fail if the account being logged on does not have the account rights required for the type of logon being performed.Constant/valueDescriptionSE_BATCH_LOGON_NAMETEXT("SeBatchLogonRight")Required for an account to log on using the batch logon type.SE_DENY_BATCH_LOGON_NAMETEXT("SeDenyBatchLogonRight")Explicitly denies an account the right to log on using the batch logon type.SE_DENY_INTERACTIVE_LOGON_NAMETEXT("SeDenyInteractiveLogonRight")Explicitly denies an account the right to log on using the interactive logon type.SE_DENY_NETWORK_LOGON_NAMETEXT("SeDenyNetworkLogonRight")Explicitly denies an account the right to log on using the network logon type.SE_DENY_REMOTE_INTERACTIVE_LOGON_NAMETEXT("SeDenyRemoteInteractiveLogonRight")Explicitly denies an account the right to log on remotely using the interactive logon type.SE_DENY_SERVICE_LOGON_NAMETEXT("SeDenyServiceLogonRight")Explicitly denies an account the right to log on using the service logon type.SE_INTERACTIVE_LOGON_NAMETEXT("SeInteractiveLogonRight")Required for an account to log on using the interactive logon type.SE_NETWORK_LOGON_NAMETEXT("SeNetworkLogonRight")Required for an account to log on using the network logon type.SE_REMOTE_INTERACTIVE_LOGON_NAMETEXT("SeRemoteInteractiveLogonRight")Required for an account to log on remotely using the interactive logon type.SE_SERVICE_LOGON_NAMETEXT("SeServiceLogonRight")Required for an account to log on using the service logon type.
Remarks
The SE_DENY rights override the corresponding account rights. An administrator can assign an SE_DENY right to an account to override any logon rights that an account might have as a result of a group membership. For example, you could assign the SE_NETWORK_LOGON_NAME right to Everyone but assign the SE_DENY_NETWORK_LOGON_NAME right to Administrators to prevent remote administration of computers.All of the LSA functions mentioned in the introduction above support both account rights and privileges. Unlike privileges, however, account rights are not supported by theLookupPrivilegeValue and LookupPrivilegeName functions. The GetTokenInformation function will obtain information on account rights if TokenGroups, and not TokenPrivileges, is specified as the value of the TokenInformationClassparameter.The preceding account right constants are defined as strings in Ntsecapi.h. For example, the SE_INTERACTIVE_LOGON_NAME constant is defined as "SeInteractiveLogonRight".
Requirements
Minimum supported clientWindows XP [desktop apps only]Minimum supported serverWindows Server 2003 [desktop apps only]HeaderNtsecapi.h
http://msdn.microsoft.com/en-us/library/aa446671(v=vs.85).aspx
GetTokenInformation function
3 out of 4 rated this helpful - Rate this topicThe GetTokenInformation function retrieves a specified type of information about an access token. The calling process must have appropriate access rights to obtain the information.To determine if a user is a member of a specific group, use the CheckTokenMembership function. To determine group membership for app container tokens, use the CheckTokenMembershipEx function.
Syntax
C++ BOOL WINAPI GetTokenInformation( _In_ HANDLE TokenHandle, _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, _Out_opt_ LPVOID TokenInformation, _In_ DWORD TokenInformationLength, _Out_ PDWORD ReturnLength );
Parameters
TokenHandle [in]A handle to an access token from which information is retrieved. If TokenInformationClass specifies TokenSource, the handle must have TOKEN_QUERY_SOURCE access. For all other TokenInformationClass values, the handle must have TOKEN_QUERY access.TokenInformationClass [in]Specifies a value from theTOKEN_INFORMATION_CLASS enumerated type to identify the type of information the function retrieves. Any callers who check the TokenIsAppContainer and have it return 0 should also verify that the caller token is not an identify level impersonation token. If the current token is not an app container but is an identity level token, you should return AccessDenied.TokenInformation [out, optional]A pointer to a buffer the function fills with the requested information. The structure put into this buffer depends upon the type of information specified by the TokenInformationClass parameter.TokenInformationLength [in]Specifies the size, in bytes, of the buffer pointed to by the TokenInformation parameter. If TokenInformationis NULL, this parameter must be zero.ReturnLength [out]A pointer to a variable that receives the number of bytes needed for the buffer pointed to by the TokenInformation parameter. If this value is larger than the value specified in the TokenInformationLength parameter, the function fails and stores no data in the buffer.If the value of the TokenInformationClass parameter is TokenDefaultDacl and the token has no default DACL, the function sets the variable pointed to by ReturnLength to sizeof(TOKEN_DEFAULT_DACL)and sets the DefaultDacl member of the TOKEN_DEFAULT_DACL structure to NULL.
Return value
If the function succeeds, the return value is nonzero.If the function fails, the return value is zero. To get extended error information, call GetLastError.
Examples
For an example that uses this function, see Getting the Logon SID or Searching for a SID in an Access Token.
Requirements
Minimum supported clientWindows XP [desktop apps only]Minimum supported serverWindows Server 2003 [desktop apps only]HeaderWinbase.h (include Windows.h)LibraryAdvapi32.libDLLAdvapi32.dll
See also
Access Control OverviewBasic Access Control FunctionsAdjustTokenGroupsAdjustTokenPrivilegesCheckTokenMembershipOpenProcessTokenOpenThreadTokenSECURITY_IMPERSONATION_LEVELSetTokenInformationTOKEN_DEFAULT_DACLTOKEN_GROUPSTOKEN_GROUPS_AND_PRIVILEGESTOKEN_INFORMATION_CLASSTOKEN_OWNERTOKEN_PRIMARY_GROUPTOKEN_PRIVILEGESTOKEN_SOURCETOKEN_STATISTICSTOKEN_TYPETOKEN_USER
http://msdn.microsoft.com/en-us/library/aa446671(v=vs.85).aspx
DuplicateToken function
0 out of 1 rated this helpful - Rate this topicThe DuplicateToken function creates a new access tokenthat duplicates one already in existence.
Syntax
C++ BOOL WINAPI DuplicateToken( _In_ HANDLE ExistingTokenHandle, _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, _Out_ PHANDLE DuplicateTokenHandle );
Parameters
ExistingTokenHandle [in]A handle to an access token opened with TOKEN_DUPLICATE access.ImpersonationLevel [in]Specifies a SECURITY_IMPERSONATION_LEVELenumerated type that supplies the impersonation level of the new token.DuplicateTokenHandle [out]A pointer to a variable that receives a handle to the duplicate token. This handle has TOKEN_IMPERSONATE and TOKEN_QUERY access to the new token.When you have finished using the new token, call the CloseHandle function to close the token handle.
Return value
If the function succeeds, the return value is nonzero.If the function fails, the return value is zero. To get extended error information, call GetLastError.
Remarks
The DuplicateToken function creates an impersonation token, which you can use in functions such as SetThreadToken and ImpersonateLoggedOnUser. The token created by DuplicateToken cannot be used in the CreateProcessAsUser function, which requires a primary token. To create a token that you can pass to CreateProcessAsUser, use the DuplicateTokenEx function.
Requirements
Minimum supported clientWindows XP [desktop apps only]Minimum supported serverWindows Server 2003 [desktop apps only]HeaderWinbase.h (include Windows.h)LibraryAdvapi32.libDLLAdvapi32.dll
See also
http://msdn.microsoft.com/en-us/library/aa446616(v=vs.85).aspx
DuplicateTokenEx function
1 out of 3 rated this helpful - Rate this topicThe DuplicateTokenEx function creates a new access tokenthat duplicates an existing token. This function can create either a primary token or an impersonation token.
Syntax
C++ BOOL WINAPI DuplicateTokenEx( _In_ HANDLE hExistingToken, _In_ DWORD dwDesiredAccess, _In_opt_ LPSECURITY_ATTRIBUTES lpTokenAttributes, _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, _In_ TOKEN_TYPE TokenType, _Out_ PHANDLE phNewToken );
Parameters
hExistingToken [in]A handle to an access token opened with TOKEN_DUPLICATE access.dwDesiredAccess [in]Specifies the requested access rights for the new token. The DuplicateTokenEx function compares the requested access rights with the existing token's discretionary access control list (DACL) to determine which rights are granted or denied. To request the same access rights as the existing token, specify zero. To request all access rights that are valid for the caller, specify MAXIMUM_ALLOWED.For a list of access rights for access tokens, seeAccess Rights for Access-Token Objects.lpTokenAttributes [in, optional]A pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor for the new token and determines whether child processes can inherit the token. If lpTokenAttributes is NULL, the token gets a default security descriptor and the handle cannot be inherited. If the security descriptor contains a system access control list (SACL), the token gets ACCESS_SYSTEM_SECURITY access right, even if it was not requested in dwDesiredAccess.To set the owner in the security descriptor for the new token, the caller's process token must have the SE_RESTORE_NAME privilege set.ImpersonationLevel [in]Specifies a value from theSECURITY_IMPERSONATION_LEVEL enumeration that indicates the impersonation level of the new token.TokenType [in]Specifies one of the following values from the TOKEN_TYPE enumeration.ValueMeaningTokenPrimaryThe new token is a primary token that you can use in the CreateProcessAsUserfunction.TokenImpersonationThe new token is an impersonation token. phNewToken [out]A pointer to a HANDLE variable that receives the new token.When you have finished using the new token, call the CloseHandle function to close the token handle.
Return value
If the function succeeds, the function returns a nonzero value.If the function fails, it returns zero. To get extended error information, call GetLastError.
Remarks
The DuplicateTokenEx function allows you to create a primary token that you can use in the CreateProcessAsUserfunction. This allows a server application that is impersonating a client to create a process that has the security context of the client. Note that the DuplicateTokenfunction can create only impersonation tokens, which are not valid for CreateProcessAsUser.The following is a typical scenario for using DuplicateTokenEx to create a primary token. A server application creates a thread that calls one of the impersonation functions, such asImpersonateNamedPipeClient, to impersonate a client. The impersonating thread then calls the OpenThreadTokenfunction to get its own token, which is an impersonation token that has the security context of the client. The thread specifies this impersonation token in a call to DuplicateTokenEx, specifying the TokenPrimary flag. The DuplicateTokenEx function creates a primary token that has the security context of the client.
Requirements
Minimum supported clientWindows XP [desktop apps only]Minimum supported serverWindows Server 2003 [desktop apps only]HeaderWinbase.h (include Windows.h)LibraryAdvapi32.libDLLAdvapi32.dll
See also
Access Control
Syntax
C++ BOOL WINAPI DuplicateTokenEx( _In_ HANDLE hExistingToken, _In_ DWORD dwDesiredAccess, _In_opt_ LPSECURITY_ATTRIBUTES lpTokenAttributes, _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, _In_ TOKEN_TYPE TokenType, _Out_ PHANDLE phNewToken );
CreateProcessAsUser function
14 out of 34 rated this helpful - Rate this topicCreates a new process and its primary thread. The new process runs in the security context of the user represented by the specified token.Typically, the process that calls the CreateProcessAsUserfunction must have the SE_INCREASE_QUOTA_NAMEprivilege and may require the SE_ASSIGNPRIMARYTOKEN_NAME privilege if the token is not assignable. If this function fails with ERROR_PRIVILEGE_NOT_HELD (1314), use the CreateProcessWithLogonW function instead. CreateProcessWithLogonW requires no special privileges, but the specified user account must be allowed to log on interactively. Generally, it is best to use CreateProcessWithLogonW to create a process with alternate credentials.
Syntax
C++ BOOL WINAPI CreateProcessAsUser( _In_opt_ HANDLE hToken, _In_opt_ LPCTSTR lpApplicationName, _Inout_opt_ LPTSTR lpCommandLine, _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, _In_ BOOL bInheritHandles, _In_ DWORD dwCreationFlags, _In_opt_ LPVOID lpEnvironment, _In_opt_ LPCTSTR lpCurrentDirectory, _In_ LPSTARTUPINFO lpStartupInfo, _Out_ LPPROCESS_INFORMATION lpProcessInformation );
Parameters
hToken [in, optional]A handle to the primary token that represents a user. The handle must have the TOKEN_QUERY, TOKEN_DUPLICATE, and TOKEN_ASSIGN_PRIMARYaccess rights. For more information, see Access Rights for Access-Token Objects. The user represented by the token must have read and execute access to the application specified by the lpApplicationName or the lpCommandLineparameter.To get a primary token that represents the specified user, call the LogonUser function. Alternatively, you can call the DuplicateTokenEx function to convert an impersonation token into a primary token. This allows a server application that is impersonating a client to create a process that has the security context of the client.If hToken is a restricted version of the caller's primary token, the SE_ASSIGNPRIMARYTOKEN_NAME privilege is not required. If the necessary privileges are not already enabled, CreateProcessAsUser enables them for the duration of the call. For more information, seeRunning with Special Privileges.Terminal Services: The process is run in the session specified in the token. By default, this is the same session that called LogonUser. To change the session, use the SetTokenInformationfunction.lpApplicationName [in, optional]The name of the module to be executed. This module can be a Windows-based application. It can be some other type of module (for example, MS-DOS or OS/2) if the appropriate subsystem is available on the local computer.The string can specify the full path and file name of the module to execute or it can specify a partial name. In the case of a partial name, the function uses the current drive and current directory to complete the specification. The function will not use the search path. This parameter must include the file name extension; no default extension is assumed.The lpApplicationName parameter can be NULL. In that case, the module name must be the first white space–delimited token in the lpCommandLine string. If you are using a long file name that contains a space, use quoted strings to indicate where the file name ends and the arguments begin; otherwise, the file name is ambiguous. For example, consider the string "c:\program files\sub dir\program name". This string can be interpreted in a number of ways. The system tries to interpret the possibilities in the following order:c:\program.exe files\sub dir\program namec:\program files\sub.exe dir\program namec:\program files\sub dir\program.exe namec:\program files\sub dir\program name.exeIf the executable module is a 16-bit application, lpApplicationName should be NULL, and the string pointed to by lpCommandLine should specify the executable module as well as its arguments. By default, all 16-bit Windows-based applications created by CreateProcessAsUser are run in a separate VDM (equivalent to CREATE_SEPARATE_WOW_VDM in CreateProcess).lpCommandLine [in, out, optional]The command line to be executed. The maximum length of this string is 32K characters. If lpApplicationName is NULL, the module name portion of lpCommandLine is limited to MAX_PATHcharacters.The Unicode version of this function, CreateProcessAsUserW, can modify the contents of this string. Therefore, this parameter cannot be a pointer to read-only memory (such as a constvariable or a literal string). If this parameter is a constant string, the function may cause an access violation.The lpCommandLine parameter can be NULL. In that case, the function uses the string pointed to by lpApplicationName as the command line.If both lpApplicationName and lpCommandLine are non-NULL, *lpApplicationName specifies the module to execute, and *lpCommandLine specifies the command line. The new process can useGetCommandLine to retrieve the entire command line. Console processes written in C can use the argcand argv arguments to parse the command line. Because argv[0] is the module name, C programmers generally repeat the module name as the first token in the command line.If lpApplicationName is NULL, the first white space–delimited token of the command line specifies the module name. If you are using a long file name that contains a space, use quoted strings to indicate where the file name ends and the arguments begin (see the explanation for the lpApplicationNameparameter). If the file name does not contain an extension, .exe is appended. Therefore, if the file name extension is .com, this parameter must include the .com extension. If the file name ends in a period (.) with no extension, or if the file name contains a path, .exe is not appended. If the file name does not contain a directory path, the system searches for the executable file in the following sequence:The directory from which the application loaded.The current directory for the parent process.The 32-bit Windows system directory. Use the GetSystemDirectory function to get the path of this directory.The 16-bit Windows system directory. There is no function that obtains the path of this directory, but it is searched.The Windows directory. Use theGetWindowsDirectory function to get the path of this directory.The directories that are listed in the PATH environment variable. Note that this function does not search the per-application path specified by the App Paths registry key. To include this per-application path in the search sequence, use the ShellExecute function.The system adds a null character to the command line string to separate the file name from the arguments. This divides the original string into two strings for internal processing.lpProcessAttributes [in, optional]A pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor for the new process object and determines whether child processes can inherit the returned handle to the process. If lpProcessAttributes is NULL or lpSecurityDescriptoris NULL, the process gets a default security descriptor and the handle cannot be inherited. The default security descriptor is that of the user referenced in the hToken parameter. This security descriptor may not allow access for the caller, in which case the process may not be opened again after it is run. The process handle is valid and will continue to have full access rights.lpThreadAttributes [in, optional]A pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor for the new thread object and determines whether child processes can inherit the returned handle to the thread. If lpThreadAttributes is NULL or lpSecurityDescriptor isNULL, the thread gets a default security descriptor and the handle cannot be inherited. The default security descriptor is that of the user referenced in the hToken parameter. This security descriptor may not allow access for the caller.bInheritHandles [in]If this parameter is TRUE, each inheritable handle in the calling process is inherited by the new process. If the parameter is FALSE, the handles are not inherited. Note that inherited handles have the same value and access rights as the original handles.Terminal Services: You cannot inherit handles across sessions. Additionally, if this parameter is TRUE, you must create the process in the same session as the caller.dwCreationFlags [in]The flags that control the priority class and the creation of the process. For a list of values, seeProcess Creation Flags.This parameter also controls the new process's priority class, which is used to determine the scheduling priorities of the process's threads. For a list of values, see GetPriorityClass. If none of the priority class flags is specified, the priority class defaults to NORMAL_PRIORITY_CLASS unless the priority class of the creating process is IDLE_PRIORITY_CLASS or BELOW_NORMAL_PRIORITY_CLASS. In this case, the child process receives the default priority class of the calling process.lpEnvironment [in, optional]A pointer to an environment block for the new process. If this parameter is NULL, the new process uses the environment of the calling process.An environment block consists of a null-terminated block of null-terminated strings. Each string is in the following form:name=value\0Because the equal sign is used as a separator, it must not be used in the name of an environment variable.An environment block can contain either Unicode or ANSI characters. If the environment block pointed to by lpEnvironment contains Unicode characters, be sure that dwCreationFlags includes CREATE_UNICODE_ENVIRONMENT. If this parameter is NULL and the environment block of the parent process contains Unicode characters, you must also ensure that dwCreationFlags includes CREATE_UNICODE_ENVIRONMENT.The ANSI version of this function, CreateProcessAsUserA fails if the total size of the environment block for the process exceeds 32,767 characters.Note that an ANSI environment block is terminated by two zero bytes: one for the last string, one more to terminate the block. A Unicode environment block is terminated by four zero bytes: two for the last string, two more to terminate the block.Windows Server 2003 and Windows XP: If the size of the combined user and system environment variable exceeds 8192 bytes, the process created by CreateProcessAsUser no longer runs with the environment block passed to the function by the parent process. Instead, the child process runs with the environment block returned by the CreateEnvironmentBlock function.To retrieve a copy of the environment block for a given user, use the CreateEnvironmentBlock function.lpCurrentDirectory [in, optional]The full path to the current directory for the process. The string can also specify a UNC path.If this parameter is NULL, the new process will have the same current drive and directory as the calling process. (This feature is provided primarily for shells that need to start an application and specify its initial drive and working directory.)lpStartupInfo [in]A pointer to a STARTUPINFO or STARTUPINFOEXstructure.The user must have full access to both the specified window station and desktop. If you want the process to be interactive, specify winsta0\default. If the lpDesktop member is NULL, the new process inherits the desktop and window station of its parent process. If this member is an empty string, "", the new process connects to a window station using the rules described in Process Connection to a Window Station.To set extended attributes, use a STARTUPINFOEXstructure and specify EXTENDED_STARTUPINFO_PRESENT in the dwCreationFlags parameter.Handles in STARTUPINFO or STARTUPINFOEX must be closed with CloseHandle when they are no longer needed.Important The caller is responsible for ensuring that the standard handle fields in STARTUPINFO contain valid handle values. These fields are copied unchanged to the child process without validation, even when the dwFlags member specifies STARTF_USESTDHANDLES. Incorrect values can cause the child process to misbehave or crash. Use the Application Verifier runtime verification tool to detect invalid handles.lpProcessInformation [out]A pointer to a PROCESS_INFORMATION structure that receives identification information about the new process.Handles in PROCESS_INFORMATION must be closed with CloseHandle when they are no longer needed.
Return value
If the function succeeds, the return value is nonzero.If the function fails, the return value is zero. To get extended error information, call GetLastError.Note that the function returns before the process has finished initialization. If a required DLL cannot be located or fails to initialize, the process is terminated. To get the termination status of a process, call GetExitCodeProcess.
Remarks
CreateProcessAsUser must be able to open the primary token of the calling process with the TOKEN_DUPLICATEand TOKEN_IMPERSONATE access rights.By default, CreateProcessAsUser creates the new process on a noninteractive window station with a desktop that is not visible and cannot receive user input. To enable user interaction with the new process, you must specify the name of the default interactive window station and desktop, "winsta0\default", in the lpDesktop member of theSTARTUPINFO structure. In addition, before callingCreateProcessAsUser, you must change the discretionary access control list (DACL) of both the default interactive window station and the default desktop. The DACLs for the window station and desktop must grant access to the user or the logon session represented by the hToken parameter.CreateProcessAsUser does not load the specified user's profile into the HKEY_USERS registry key. Therefore, to access the information in the HKEY_CURRENT_USERregistry key, you must load the user's profile information into HKEY_USERS with the LoadUserProfile function before calling CreateProcessAsUser. Be sure to call UnloadUserProfile after the new process exits.If the lpEnvironment parameter is NULL, the new process inherits the environment of the calling process.CreateProcessAsUser does not automatically modify the environment block to include environment variables specific to the user represented by hToken. For example, the USERNAME and USERDOMAIN variables are inherited from the calling process if lpEnvironment is NULL. It is your responsibility to prepare the environment block for the new process and specify it in lpEnvironment.The CreateProcessWithLogonW and CreateProcessWithTokenW functions are similar toCreateProcessAsUser, except that the caller does not need to call the LogonUser function to authenticate the user and get a token.CreateProcessAsUser allows you to access the specified directory and executable image in the security context of the caller or the target user. By default,CreateProcessAsUser accesses the directory and executable image in the security context of the caller. In this case, if the caller does not have access to the directory and executable image, the function fails. To access the directory and executable image using the security context of the target user, specify hToken in a call to theImpersonateLoggedOnUser function before callingCreateProcessAsUser.The process is assigned a process identifier. The identifier is valid until the process terminates. It can be used to identify the process, or specified in the OpenProcessfunction to open a handle to the process. The initial thread in the process is also assigned a thread identifier. It can be specified in the OpenThread function to open a handle to the thread. The identifier is valid until the thread terminates and can be used to uniquely identify the thread within the system. These identifiers are returned in thePROCESS_INFORMATION structure.The calling thread can use the WaitForInputIdle function to wait until the new process has finished its initialization and is waiting for user input with no input pending. This can be useful for synchronization between parent and child processes, because CreateProcessAsUser returns without waiting for the new process to finish its initialization. For example, the creating process would use WaitForInputIdlebefore trying to find a window associated with the new process.The preferred way to shut down a process is by using theExitProcess function, because this function sends notification of approaching termination to all DLLs attached to the process. Other means of shutting down a process do not notify the attached DLLs. Note that when a thread callsExitProcess, other threads of the process are terminated without an opportunity to execute any additional code (including the thread termination code of attached DLLs). For more information, see Terminating a Process.
Security Remarks
The lpApplicationName parameter can be NULL, in which case the executable name must be the first white space–delimited string in lpCommandLine. If the executable or path name has a space in it, there is a risk that a different executable could be run because of the way the function parses spaces. The following example is dangerous because the function will attempt to run "Program.exe", if it exists, instead of "MyApp.exe". LPTSTR szCmdline[] = _tcsdup(TEXT("C:\\Program Files\\MyApp")); CreateProcessAsUser(hToken, NULL, szCmdline, /*...*/ ); If a malicious user were to create an application called "Program.exe" on a system, any program that incorrectly calls CreateProcessAsUser using the Program Files directory will run this application instead of the intended application.To avoid this problem, do not pass NULL for lpApplicationName. If you do pass NULL for lpApplicationName, use quotation marks around the executable path in lpCommandLine, as shown in the example below. LPTSTR szCmdline[] = _tcsdup(TEXT("\"C:\\Program Files\\MyApp\"")); CreateProcessAsUser(hToken, NULL, szCmdline, /*...*/); PowerShell: When the CreateProcessAsUserfunction is used to implement a cmdlet in PowerShell version 2.0, the cmdlet operates correctly for both fan-in and fan-out remote sessions. Because of certain security scenarios, however, a cmdlet implemented with CreateProcessAsUser only operates correctly in PowerShell version 3.0 for fan-in remote sessions; fan-out remote sessions will fail because of insufficient client security privileges. To implement a cmdlet that works for both fan-in and fan-out remote sessions in PowerShell version 3.0, use the CreateProcessfunction.
Examples
For an example, see Starting an Interactive Client Process.
Requirements
Minimum supported clientWindows XP [desktop apps only]Minimum supported serverWindows Server 2003 [desktop apps only]HeaderWinBase.h (include Windows.h)LibraryAdvapi32.libDLLAdvapi32.dllUnicode and ANSI namesCreateProcessAsUserW (Unicode) and CreateProcessAsUserA (ANSI)
See also
Syntax
C++ BOOL WINAPI CreateProcessAsUser( _In_opt_ HANDLE hToken, _In_opt_ LPCTSTR lpApplicationName, _Inout_opt_ LPTSTR lpCommandLine, _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, _In_ BOOL bInheritHandles, _In_ DWORD dwCreationFlags, _In_opt_ LPVOID lpEnvironment, _In_opt_ LPCTSTR lpCurrentDirectory, _In_ LPSTARTUPINFO lpStartupInfo, _Out_ LPPROCESS_INFORMATION lpProcessInformation );
-----
AuthorizationAuthorization ReferenceAuthorization FunctionsAccessCheckAccessCheckAndAuditAlarmAccessCheckByTypeAccessCheckByTypeAndAuditAlarmAccessCheckByTypeResultListAccessCheckByTypeResultListAndAuditAlarmAccessCheckByTypeResultListAndAuditAlarmByHandleAddAccessAllowedAceAddAccessAllowedAceExAddAccessAllowedObjectAceAddAccessDeniedAceAddAccessDeniedAceExAddAccessDeniedObjectAceAddAceAddAuditAccessAceAddAuditAccessAceExAddAuditAccessObjectAceAddConditionalAceAddMandatoryAceAddResourceAttributeAceAddScopedPolicyIDAceAdjustTokenGroupsAdjustTokenPrivilegesAllocateAndInitializeSidAllocateLocallyUniqueIdAreAllAccessesGrantedAreAnyAccessesGrantedAuditComputeEffectivePolicyBySidAuditComputeEffectivePolicyByTokenAuditEnumerateCategoriesAuditEnumeratePerUserPolicyAuditEnumerateSubCategoriesAuditFreeAuditLookupCategoryGuidFromCategoryIdAuditLookupCategoryIdFromCategoryGuidAuditLookupCategoryNameAuditLookupSubCategoryNameAuditQueryGlobalSaclAuditQueryPerUserPolicyAuditQuerySecurityAuditQuerySystemPolicyAuditSetGlobalSaclAuditSetPerUserPolicyAuditSetSecurityAuditSetSystemPolicyAuthzAccessCheckAuthzAccessCheckCallbackAuthzAddSidsToContextAuthzCachedAccessCheckAuthzComputeGroupsCallbackAuthzEnumerateSecurityEventSourcesAuthzFreeAuditEventAuthzFreeCentralAccessPolicyCacheAuthzFreeCentralAccessPolicyCallbackAuthzFreeContextAuthzFreeGroupsCallbackAuthzFreeHandleAuthzFreeResourceManagerAuthzGetCentralAccessPolicyCallbackAuthzGetInformationFromContextAuthzInitializeCompoundContextAuthzInitializeContextFromAuthzContextAuthzInitializeContextFromSidAuthzInitializeContextFromTokenAuthzInitializeObjectAccessAuditEventAuthzInitializeObjectAccessAuditEvent2AuthzInitializeRemoteResourceManagerAuthzInitializeResourceManagerAuthzInitializeResourceManagerExAuthzInstallSecurityEventSourceAuthzModifyClaimsAuthzModifySecurityAttributesAuthzModifySidsAuthzOpenObjectAuditAuthzRegisterCapChangeNotificationAuthzRegisterSecurityEventSourceAuthzReportSecurityEventAuthzReportSecurityEventFromParamsAuthzSetAppContainerInformationAuthzUninstallSecurityEventSourceAuthzUnregisterCapChangeNotificationAuthzUnregisterSecurityEventSourceBuildExplicitAccessWithNameBuildImpersonateExplicitAccessWithNameBuildImpersonateTrusteeBuildSecurityDescriptorBuildTrusteeWithNameBuildTrusteeWithObjectsAndNameBuildTrusteeWithObjectsAndSidBuildTrusteeWithSidCheckTokenCapabilityCheckTokenMembershipCheckTokenMembershipExConvertSecurityDescriptorToStringSecurityDescriptorConvertSidToStringSidConvertStringSecurityDescriptorToSecurityDescriptorConvertStringSidToSidConvertToAutoInheritPrivateObjectSecurityCopySidCreatePrivateObjectSecurityCreatePrivateObjectSecurityExCreatePrivateObjectSecurityWithMultipleInheritanceCreateRestrictedTokenCreateSecurityPageCreateWellKnownSidDeleteAceDestroyPrivateObjectSecurityDSCreateSecurityPageDSCreateISecurityInfoObjectDSCreateISecurityInfoObjectExDSEditSecurityDuplicateTokenDuplicateTokenExEditSecurityEditSecurityAdvancedEqualDomainSidEqualPrefixSidEqualSidFindFirstFreeAceFreeInheritedFromArrayFreeSidGetAceGetAclInformationGetAppContainerNamedObjectPathGetAuditedPermissionsFromAclGetEffectiveRightsFromAclGetExplicitEntriesFromAclGetFileSecurityGetInheritanceSourceGetKernelObjectSecurityGetLengthSidGetMultipleTrusteeGetMultipleTrusteeOperationGetNamedSecurityInfoGetPrivateObjectSecurityGetSecurityDescriptorControlGetSecurityDescriptorDaclGetSecurityDescriptorGroupGetSecurityDescriptorLengthGetSecurityDescriptorOwnerGetSecurityDescriptorRMControlGetSecurityDescriptorSaclGetSecurityInfoGetSidIdentifierAuthorityGetSidLengthRequiredGetSidSubAuthorityGetSidSubAuthorityCountGetTokenInformationGetTrusteeFormGetTrusteeNameGetTrusteeTypeGetUserObjectSecurityGetWindowsAccountDomainSidImpersonateAnonymousTokenImpersonateLoggedOnUserImpersonateNamedPipeClientImpersonateSelfInitializeAclInitializeSecurityDescriptorInitializeSidIsTokenRestrictedIsValidAclIsValidSecurityDescriptorIsValidSidIsWellKnownSidLookupAccountNameLookupAccountSidLookupPrivilegeDisplayNameLookupPrivilegeNameLookupPrivilegeValueLookupSecurityDescriptorPartsMakeAbsoluteSDMakeSelfRelativeSDMapGenericMaskNtCompareTokensObjectCloseAuditAlarmObjectDeleteAuditAlarmObjectOpenAuditAlarmObjectPrivilegeAuditAlarmOpenProcessTokenOpenThreadTokenPrivilegeCheckPrivilegedServiceAuditAlarmQuerySecurityAccessMaskQueryServiceObjectSecurityRegGetKeySecurityRegSetKeySecurityRevertToSelfRtlConvertSidToUnicodeStringSetAclInformationSetEntriesInAclSetFileSecuritySetKernelObjectSecuritySetNamedSecurityInfoSetPrivateObjectSecuritySetPrivateObjectSecurityExSetSecurityAccessMaskSetSecurityDescriptorControlSetSecurityDescriptorDaclSetSecurityDescriptorGroupSetSecurityDescriptorOwnerSetSecurityDescriptorRMControlSetSecurityDescriptorSaclSetSecurityInfoSetServiceObjectSecuritySetThreadTokenSetTokenInformationSetUserObjectSecurityTreeResetNamedSecurityInfoTreeSetNamedSecurityInfo
GetTokenInformatio
http://msdn.microsoft.com/en-us/library/aa446671(v=vs.85).aspx
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment