How to call LogonUser() to get a non-restricted fu

Published 2019-01-09 14:50

Question:

I am running a WindowsService on Windows Server 2012 and it needs to impersonate a domain admin user (who is also added to the local administrators group on the machine).

UAC is enabled on the system, and calling LogonUser using the credentials with a LogonType of LOGON32_LOGON_INTERACTIVE seems to return a restricted token instead of a full token.

This is causing the administrative task I'm trying to do to fail.

What is the right way to call LogonUser in this situation so that a full token is returned instead of a restricted token?

PS: I came across a related question here, "How can I get elevated permissions (UAC) via impersonation under a non-interactive login?", but it does not show the exact calls that need to be made to get the full token.

Answer 1:

You can get an unfiltered token from LogonUser() by using the LOGON32_LOGON_BATCH option instead of the LOGON32_LOGON_INTERACTIVE option.

There is some sample code in this answer which shows the use of LOGON32_LOGON_BATCH and the LogonUser() function to obtain an administrative token.

Addendum:

If you have SeTcbPrivilege, you have another option: you can use LOGON32_LOGON_INTERACTIVE when calling LogonUser() and then use the TokenLinkedToken option in GetTokenInformation() to obtain a handle to the elevated token that is linked to the filtered token.

SeTcbPrivilege is also known as "Act as part of the operating system" and is usually only available when you are running in local system context.

If you do not have SeTcbPrivilege, you can still call GetTokenInformation() to fetch a copy of the linked token, but in this case you get an impersonation token at SecurityIdentification level so it is of no use if you are wanting to create a new process. (Credit to RbMm for pointing this out.)
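A worked example of both approaches from this answer, added here and not taken from the original post or the linked answer: C# P/Invoke declarations (a common way to call LogonUser from a Windows service), a batch logon, a check of whether the returned token is the full one, and the TokenLinkedToken fallback from the addendum. The class and method names are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

static class FullTokenLogon
{
    const int LOGON32_LOGON_BATCH = 4;       // avoids the UAC-filtered token
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int TokenLinkedToken = 19;         // TOKEN_INFORMATION_CLASS values
    const int TokenElevation = 20;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);
    // Two typed views of the same GetTokenInformation export.
    [DllImport("advapi32.dll", SetLastError = true, EntryPoint = "GetTokenInformation")]
    static extern bool GetTokenElevation(SafeAccessTokenHandle token, int infoClass,
        out uint tokenIsElevated, int length, out int returned);
    [DllImport("advapi32.dll", SetLastError = true, EntryPoint = "GetTokenInformation")]
    static extern bool GetTokenLinkedToken(SafeAccessTokenHandle token, int infoClass,
        out IntPtr linkedToken, int length, out int returned);

    // Batch logon returns the unfiltered token directly. The account must hold the
    // "Log on as a batch job" user right, or LogonUser fails with ERROR_LOGON_TYPE_NOT_GRANTED.
    public static SafeAccessTokenHandle LogonBatch(string user, string domain, string password)
    {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_BATCH,
                       LOGON32_PROVIDER_DEFAULT, out SafeAccessTokenHandle token))
            throw new Win32Exception();      // picks up Marshal.GetLastWin32Error()
        return token;
    }

    // Verify what actually came back: TokenIsElevated is 0 for a UAC-filtered token.
    public static bool IsElevated(SafeAccessTokenHandle token)
    {
        if (!GetTokenElevation(token, TokenElevation, out uint elevated, sizeof(uint), out _))
            throw new Win32Exception();
        return elevated != 0;
    }

    // The addendum's alternative for a filtered token: fetch its linked full token. Only with
    // SeTcbPrivilege is this a primary token; otherwise it is identification-level only.
    public static SafeAccessTokenHandle GetLinkedToken(SafeAccessTokenHandle filtered)
    {
        if (!GetTokenLinkedToken(filtered, TokenLinkedToken, out IntPtr linked, IntPtr.Size, out _))
            throw new Win32Exception();
        return new SafeAccessTokenHandle(linked);
    }
}
```

Call `LogonBatch` with the domain admin's credentials and check `IsElevated` on the result before attempting the administrative task; if a filtered token ever comes back, `GetLinkedToken` shows the second route, with the SeTcbPrivilege limitation the addendum describes.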