Creating a process in a non-zero session from a se

2019-01-26 01:47发布

问题:

I was wondering if there is a simple way for a service to create a process in user session?

My service is running as a user(administrator) account and not as a LocalSystem acount, therefore i can't use the WTSQueryUserToken function.

i have tried calling

OpenProcessToken(GetCurrentProcess,TOKEN_ALL_ACCESS,TokenHandle);

but when i use this token to run

 CreateProcessAsUser(TokenHandle,.....)

my process is still running in session 0. how can i resolve this issue?

I'm using an Ole automation so i don't really care on which session the process will be running on, as long it is not the session 0 - because the Ole from some reason doesn't create its processes (winword.exe for instance) in session 0, but rather it creates them in other user sessions.

Any suggestions will be welcome. Thanks in advance.

回答1:

I Have been able to resolve this issue myself, thanks for all of those who have looked at this question.

Ok, so as i mentioned above - the Token belongs to a process which is running in session 0...

so what i have done...is looked for a token of a process that is not running in session 0. when you take it's process id as the parameter for OpenProcessToken. than the CreateProcessAsUser will create the process in the same session (and probably with the same cridentals as the process you have chosen);

The problem was that i couldn't have get any details on most of the processes using the function: QueryFullProcessImageName - because it has a bug, and it doesn't work on proccesses that are created from a path that contains spaces (like C:\Program files for instance) and another issue with that function i guess is that because i'm running the original process using a user cridentals i can't access the information of a process that is running using the Local-system account. which is pretty bad because i wanted to take the winlogon.exe as my process (because it indicate a new opened session).

also in order to succeeed in that trick, you must play a little bit with the security of the system, in order to allow the process to ask for elevated security: what i have chosen to get elevated for is : SeDebugPrivilege - for finding information on the running processes SeAssignPrimaryTokenPrivilege - in order to run a new process with the token i extracted from the user session process(i.e explorer.exe) SeCreateTokenPrivilege - i dont know if it is needed but i did it anyway because it sounds related.

in order to succeed in elevating this Privileges - you must add the user that run the process to the relevant users in all of this Privileges in run->gpedit.msc or run->secpol.msc (under Local Computer Policy\Computer Configuration\ Windows Settings\Security settings\ LocalPolicies\User Rights Assignments)

add your account to the following rights(compaitable with the Previleges above) :
Create a token object
Debug Programs
Replace a Process level token

and that is it! :) it has been working Great! Btw, you might want to disable all the UAC stuff...i dont know if it is related or not, but it has made the working with 2008 less painful - no more annoying popups.