-CreateProcessAsUserA (HANDLE hToken,
- LPCSTR lpApplicationName,
- LPSTR lpCommandLine,
- LPSECURITY_ATTRIBUTES lpProcessAttributes,
- LPSECURITY_ATTRIBUTES lpThreadAttributes,
- BOOL bInheritHandles,
- DWORD dwCreationFlags,
- LPVOID lpEnvironment,
- LPCSTR lpCurrentDirectory,
- LPSTARTUPINFOA lpStartupInfo,
- LPPROCESS_INFORMATION lpProcessInformation)
+CreateProcessAsUserA(HANDLE hToken,
+ LPCSTR lpApplicationName,
+ LPSTR lpCommandLine,
+ LPSECURITY_ATTRIBUTES lpProcessAttributes,
+ LPSECURITY_ATTRIBUTES lpThreadAttributes,
+ BOOL bInheritHandles,
+ DWORD dwCreationFlags,
+ LPVOID lpEnvironment,
+ LPCSTR lpCurrentDirectory,
+ LPSTARTUPINFOA lpStartupInfo,
+ LPPROCESS_INFORMATION lpProcessInformation)
- PROCESS_ACCESS_TOKEN AccessToken;
- NTSTATUS Status;
-
- /* Create the process with a suspended main thread */
- if (!CreateProcessA (lpApplicationName,
- lpCommandLine,
- lpProcessAttributes,
- lpThreadAttributes,
- bInheritHandles,
- dwCreationFlags | CREATE_SUSPENDED,
- lpEnvironment,
- lpCurrentDirectory,
- lpStartupInfo,
- lpProcessInformation))
+ PROCESS_ACCESS_TOKEN AccessToken;
+ NTSTATUS Status;
+
+ /* Create the process with a suspended main thread */
+ if (!CreateProcessA(lpApplicationName,
+ lpCommandLine,
+ lpProcessAttributes,
+ lpThreadAttributes,
+ bInheritHandles,
+ dwCreationFlags | CREATE_SUSPENDED,
+ lpEnvironment,
+ lpCurrentDirectory,
+ lpStartupInfo,
+ lpProcessInformation))
- /* Set the new process token */
- Status = NtSetInformationProcess (lpProcessInformation->hProcess,
- ProcessAccessToken,
- (PVOID)&AccessToken,
- sizeof (AccessToken));
- if (!NT_SUCCESS (Status))
+ /* Set the new process token */
+ Status = NtSetInformationProcess(lpProcessInformation->hProcess,
+ ProcessAccessToken,
+ (PVOID)&AccessToken,
+ sizeof(AccessToken));
+ if (!NT_SUCCESS (Status))
-CreateProcessAsUserW (HANDLE hToken,
- LPCWSTR lpApplicationName,
- LPWSTR lpCommandLine,
- LPSECURITY_ATTRIBUTES lpProcessAttributes,
- LPSECURITY_ATTRIBUTES lpThreadAttributes,
- BOOL bInheritHandles,
- DWORD dwCreationFlags,
- LPVOID lpEnvironment,
- LPCWSTR lpCurrentDirectory,
- LPSTARTUPINFOW lpStartupInfo,
- LPPROCESS_INFORMATION lpProcessInformation)
+CreateProcessAsUserW(HANDLE hToken,
+ LPCWSTR lpApplicationName,
+ LPWSTR lpCommandLine,
+ LPSECURITY_ATTRIBUTES lpProcessAttributes,
+ LPSECURITY_ATTRIBUTES lpThreadAttributes,
+ BOOL bInheritHandles,
+ DWORD dwCreationFlags,
+ LPVOID lpEnvironment,
+ LPCWSTR lpCurrentDirectory,
+ LPSTARTUPINFOW lpStartupInfo,
+ LPPROCESS_INFORMATION lpProcessInformation)
- PROCESS_ACCESS_TOKEN AccessToken;
- NTSTATUS Status;
-
- /* Create the process with a suspended main thread */
- if (!CreateProcessW (lpApplicationName,
- lpCommandLine,
- lpProcessAttributes,
- lpThreadAttributes,
- bInheritHandles,
- dwCreationFlags | CREATE_SUSPENDED,
- lpEnvironment,
- lpCurrentDirectory,
- lpStartupInfo,
- lpProcessInformation))
+ PROCESS_ACCESS_TOKEN AccessToken;
+ NTSTATUS Status;
+
+ /* Create the process with a suspended main thread */
+ if (!CreateProcessW(lpApplicationName,
+ lpCommandLine,
+ lpProcessAttributes,
+ lpThreadAttributes,
+ bInheritHandles,
+ dwCreationFlags | CREATE_SUSPENDED,
+ lpEnvironment,
+ lpCurrentDirectory,
+ lpStartupInfo,
+ lpProcessInformation))
- /* Set the new process token */
- Status = NtSetInformationProcess (lpProcessInformation->hProcess,
- ProcessAccessToken,
- (PVOID)&AccessToken,
- sizeof (AccessToken));
- if (!NT_SUCCESS (Status))
+ /* Set the new process token */
+ Status = NtSetInformationProcess(lpProcessInformation->hProcess,
+ ProcessAccessToken,
+ (PVOID)&AccessToken,
+ sizeof(AccessToken));
+ if (!NT_SUCCESS (Status))
- PSID lpSid;
- DWORD dwLength;
- HKEY hUsersKey;
- HKEY hUserKey;
-
- if (Sid != NULL)
- *Sid = NULL;
-
- /* Open the Users key */
- if (RegOpenKeyExW (HKEY_LOCAL_MACHINE,
- L"SAM\\SAM\\Domains\\Account\\Users",
- 0,
- KEY_READ,
- &hUsersKey))
+ PSID lpSid;
+ DWORD dwLength;
+ HKEY hUsersKey;
+ HKEY hUserKey;
+
+ if (Sid != NULL)
+ *Sid = NULL;
+
+ /* Open the Users key */
+ if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,
+ L"SAM\\SAM\\Domains\\Account\\Users",
+ 0,
+ KEY_READ,
+ &hUsersKey))
- if (GetLastError () == ERROR_FILE_NOT_FOUND)
- {
- ERR("Invalid user name!\n");
- SetLastError (ERROR_NO_SUCH_USER);
- }
- else
- {
- ERR("Failed to open user key! (Error %lu)\n", GetLastError());
- }
-
- RegCloseKey (hUsersKey);
- return FALSE;
+ if (GetLastError() == ERROR_FILE_NOT_FOUND)
+ {
+ ERR("Invalid user name!\n");
+ SetLastError(ERROR_NO_SUCH_USER);
+ }
+ else
+ {
+ ERR("Failed to open user key! (Error %lu)\n", GetLastError());
+ }
+
+ RegCloseKey(hUsersKey);
+ return FALSE;
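Review bot: The branch `if (GetLastError() == ERROR_FILE_NOT_FOUND)` reads the thread's last-error value after a RegOpenKeyExW whose return value — the actual error code — is discarded by the `if (RegOpenKeyExW(...))` just above this hunk; the Reg* API reports failure through its return value and is not documented to set the last error, so a missing user may be logged as a generic failure unless this implementation's RegOpenKeyExW happens to set it. Capture the result instead, `LONG lError = RegOpenKeyExW(..., &hUserKey); if (lError != ERROR_SUCCESS) { if (lError == ERROR_FILE_NOT_FOUND) ...`, and log `lError` in the ERR call rather than GetLastError(). The Users-key open earlier in the same function has the same shape; its failure branch is not in this view.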
- /* Allocate sid buffer */
- TRACE("Required SID buffer size: %lu\n", dwLength);
- lpSid = (PSID)RtlAllocateHeap (RtlGetProcessHeap (),
- 0,
- dwLength);
- if (lpSid == NULL)
+ /* Allocate sid buffer */
+ TRACE("Required SID buffer size: %lu\n", dwLength);
+ lpSid = (PSID)RtlAllocateHeap(RtlGetProcessHeap(),
+ 0,
+ dwLength);
+ if (lpSid == NULL)
- ERR("Failed to read the SID! (Error %lu)\n", GetLastError());
- RtlFreeHeap (RtlGetProcessHeap (),
- 0,
- lpSid);
- RegCloseKey (hUserKey);
- return FALSE;
+ ERR("Failed to read the SID! (Error %lu)\n", GetLastError());
+ RtlFreeHeap(RtlGetProcessHeap(),
+ 0,
+ lpSid);
+ RegCloseKey(hUserKey);
+ return FALSE;
- /* Open the account domain key */
- if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,
- L"SAM\\SAM\\Domains\\Account",
- 0,
- KEY_READ,
- &hDomainKey))
+ /* Open the account domain key */
+ if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,
+ L"SAM\\SAM\\Domains\\Account",
+ 0,
+ KEY_READ,
+ &hDomainKey))
- /* Allocate sid buffer */
- TRACE("Required SID buffer size: %lu\n", dwLength);
- lpSid = (PSID)RtlAllocateHeap(RtlGetProcessHeap(),
- 0,
- dwLength);
- if (lpSid == NULL)
+ /* Allocate sid buffer */
+ TRACE("Required SID buffer size: %lu\n", dwLength);
+ lpSid = (PSID)RtlAllocateHeap(RtlGetProcessHeap(),
+ 0,
+ dwLength);
+ if (lpSid == NULL)
- ERR("Failed to read the SID! (Error %lu)\n", GetLastError());
- RtlFreeHeap(RtlGetProcessHeap(),
- 0,
- lpSid);
- RegCloseKey(hDomainKey);
- return FALSE;
+ ERR("Failed to read the SID! (Error %lu)\n", GetLastError());
+ RtlFreeHeap(RtlGetProcessHeap(),
+ 0,
+ lpSid);
+ RegCloseKey(hDomainKey);
+ return FALSE;
- ULONG Rids[8] = {0, 0, 0, 0, 0, 0, 0, 0};
- UCHAR RidCount;
- PSID DstSid;
- ULONG i;
-
- RidCount = *RtlSubAuthorityCountSid(SrcSid);
- if (RidCount >= 8)
- return NULL;
-
- for (i = 0; i < RidCount; i++)
- Rids[i] = *RtlSubAuthoritySid(SrcSid, i);
-
- Rids[RidCount] = Rid;
- RidCount++;
-
- RtlAllocateAndInitializeSid(RtlIdentifierAuthoritySid(SrcSid),
- RidCount,
- Rids[0],
- Rids[1],
- Rids[2],
- Rids[3],
- Rids[4],
- Rids[5],
- Rids[6],
- Rids[7],
- &DstSid);
-
- return DstSid;
+ ULONG Rids[8] = {0, 0, 0, 0, 0, 0, 0, 0};
+ UCHAR RidCount;
+ PSID DstSid;
+ ULONG i;
+
+ RidCount = *RtlSubAuthorityCountSid(SrcSid);
+ if (RidCount >= 8)
+ return NULL;
+
+ for (i = 0; i < RidCount; i++)
+ Rids[i] = *RtlSubAuthoritySid(SrcSid, i);
+
+ Rids[RidCount] = Rid;
+ RidCount++;
+
+ RtlAllocateAndInitializeSid(RtlIdentifierAuthoritySid(SrcSid),
+ RidCount,
+ Rids[0],
+ Rids[1],
+ Rids[2],
+ Rids[3],
+ Rids[4],
+ Rids[5],
+ Rids[6],
+ Rids[7],
+ &DstSid);
+
+ return DstSid;
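Review bot: The NTSTATUS returned by `RtlAllocateAndInitializeSid(RtlIdentifierAuthoritySid(SrcSid), ...)` is discarded, so when the allocation fails `return DstSid;` hands back an uninitialized pointer that the caller will treat as a valid SID. Declare `PSID DstSid = NULL;` and test the result, e.g. `if (!NT_SUCCESS(RtlAllocateAndInitializeSid(..., &DstSid))) return NULL;`. The same unchecked call appears in the three `&Sid` allocations that follow (the Administrators alias, the Users alias and the logon-id SID) and in the `&LocalSystemSid` allocation further down, whose result is then passed straight to RtlAddAccessAllowedAce and RtlFreeSid. The function's signature lies above this hunk.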
- RtlAllocateAndInitializeSid(
- &SystemAuthority,
- 2,
- SECURITY_BUILTIN_DOMAIN_RID,
- DOMAIN_ALIAS_RID_ADMINS,
- SECURITY_NULL_RID,
- SECURITY_NULL_RID,
- SECURITY_NULL_RID,
- SECURITY_NULL_RID,
- SECURITY_NULL_RID,
- SECURITY_NULL_RID,
- &Sid);
+ RtlAllocateAndInitializeSid(&SystemAuthority,
+ 2,
+ SECURITY_BUILTIN_DOMAIN_RID,
+ DOMAIN_ALIAS_RID_ADMINS,
+ SECURITY_NULL_RID,
+ SECURITY_NULL_RID,
+ SECURITY_NULL_RID,
+ SECURITY_NULL_RID,
+ SECURITY_NULL_RID,
+ SECURITY_NULL_RID,
+ &Sid);
- RtlAllocateAndInitializeSid(
- &SystemAuthority,
- 2,
- SECURITY_BUILTIN_DOMAIN_RID,
- DOMAIN_ALIAS_RID_USERS,
- SECURITY_NULL_RID,
- SECURITY_NULL_RID,
- SECURITY_NULL_RID,
- SECURITY_NULL_RID,
- SECURITY_NULL_RID,
- SECURITY_NULL_RID,
- &Sid);
+ RtlAllocateAndInitializeSid(&SystemAuthority,
+ 2,
+ SECURITY_BUILTIN_DOMAIN_RID,
+ DOMAIN_ALIAS_RID_USERS,
+ SECURITY_NULL_RID,
+ SECURITY_NULL_RID,
+ SECURITY_NULL_RID,
+ SECURITY_NULL_RID,
+ SECURITY_NULL_RID,
+ SECURITY_NULL_RID,
+ &Sid);
- RtlAllocateAndInitializeSid(
- &SystemAuthority,
- SECURITY_LOGON_IDS_RID_COUNT,
- SECURITY_LOGON_IDS_RID,
- Luid.HighPart,
- Luid.LowPart,
- SECURITY_NULL_RID,
- SECURITY_NULL_RID,
- SECURITY_NULL_RID,
- SECURITY_NULL_RID,
- SECURITY_NULL_RID,
- &Sid);
+ RtlAllocateAndInitializeSid(&SystemAuthority,
+ SECURITY_LOGON_IDS_RID_COUNT,
+ SECURITY_LOGON_IDS_RID,
+ Luid.HighPart,
+ Luid.LowPart,
+ SECURITY_NULL_RID,
+ SECURITY_NULL_RID,
+ SECURITY_NULL_RID,
+ SECURITY_NULL_RID,
+ SECURITY_NULL_RID,
+ &Sid);
- if (TokenGroups->Groups[i].Sid != NULL)
- RtlFreeHeap(GetProcessHeap(), 0, TokenGroups->Groups[i].Sid);
+ if (TokenGroups->Groups[i].Sid != NULL)
+ RtlFreeHeap(GetProcessHeap(), 0, TokenGroups->Groups[i].Sid);
{
{ L"SeUnsolicitedInputPrivilege", 0 },
{ L"SeMachineAccountPrivilege", 0 },
{
{ L"SeUnsolicitedInputPrivilege", 0 },
{ L"SeMachineAccountPrivilege", 0 },
{ L"SeImpersonatePrivilege", SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
{ L"SeCreateGlobalPrivilege", SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }
};
{ L"SeImpersonatePrivilege", SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT },
{ L"SeCreateGlobalPrivilege", SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }
};
- OBJECT_ATTRIBUTES ObjectAttributes;
- SECURITY_QUALITY_OF_SERVICE Qos;
- TOKEN_USER TokenUser;
- TOKEN_OWNER TokenOwner;
- TOKEN_PRIMARY_GROUP TokenPrimaryGroup;
- PTOKEN_GROUPS TokenGroups;
- PTOKEN_PRIVILEGES TokenPrivileges;
- TOKEN_DEFAULT_DACL TokenDefaultDacl;
- LARGE_INTEGER ExpirationTime;
- LUID AuthenticationId;
- TOKEN_SOURCE TokenSource;
- PSID UserSid = NULL;
- PSID PrimaryGroupSid = NULL;
- PSID OwnerSid = NULL;
- PSID LocalSystemSid;
- PACL Dacl;
- NTSTATUS Status;
- SID_IDENTIFIER_AUTHORITY SystemAuthority = {SECURITY_NT_AUTHORITY};
- unsigned i;
-
- Qos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
- Qos.ImpersonationLevel = SecurityAnonymous;
- Qos.ContextTrackingMode = SECURITY_STATIC_TRACKING;
- Qos.EffectiveOnly = FALSE;
-
- ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
- ObjectAttributes.RootDirectory = NULL;
- ObjectAttributes.ObjectName = NULL;
- ObjectAttributes.Attributes = 0;
- ObjectAttributes.SecurityDescriptor = NULL;
- ObjectAttributes.SecurityQualityOfService = &Qos;
-
- Status = NtAllocateLocallyUniqueId(&AuthenticationId);
- if (!NT_SUCCESS(Status))
+ OBJECT_ATTRIBUTES ObjectAttributes;
+ SECURITY_QUALITY_OF_SERVICE Qos;
+ TOKEN_USER TokenUser;
+ TOKEN_OWNER TokenOwner;
+ TOKEN_PRIMARY_GROUP TokenPrimaryGroup;
+ PTOKEN_GROUPS TokenGroups;
+ PTOKEN_PRIVILEGES TokenPrivileges;
+ TOKEN_DEFAULT_DACL TokenDefaultDacl;
+ LARGE_INTEGER ExpirationTime;
+ LUID AuthenticationId;
+ TOKEN_SOURCE TokenSource;
+ PSID UserSid = NULL;
+ PSID PrimaryGroupSid = NULL;
+ PSID OwnerSid = NULL;
+ PSID LocalSystemSid;
+ PACL Dacl;
+ NTSTATUS Status;
+ SID_IDENTIFIER_AUTHORITY SystemAuthority = {SECURITY_NT_AUTHORITY};
+ unsigned i;
+
+ Qos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
+ Qos.ImpersonationLevel = SecurityAnonymous;
+ Qos.ContextTrackingMode = SECURITY_STATIC_TRACKING;
+ Qos.EffectiveOnly = FALSE;
+
+ ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
+ ObjectAttributes.RootDirectory = NULL;
+ ObjectAttributes.ObjectName = NULL;
+ ObjectAttributes.Attributes = 0;
+ ObjectAttributes.SecurityDescriptor = NULL;
+ ObjectAttributes.SecurityQualityOfService = &Qos;
+
+ Status = NtAllocateLocallyUniqueId(&AuthenticationId);
+ if (!NT_SUCCESS(Status))
- /* Get the user SID from the registry */
- if (!SamGetUserSid (lpszUsername, &UserSid))
+ ExpirationTime.QuadPart = -1;
+
+ /* Get the user SID from the registry */
+ if (!SamGetUserSid (lpszUsername, &UserSid))
- /* Allocate and initialize token groups */
- TokenGroups = AllocateGroupSids(&PrimaryGroupSid,
- &OwnerSid);
- if (NULL == TokenGroups)
+ /* Allocate and initialize token groups */
+ TokenGroups = AllocateGroupSids(&PrimaryGroupSid,
+ &OwnerSid);
+ if (NULL == TokenGroups)
- /* Allocate and initialize token privileges */
- TokenPrivileges = RtlAllocateHeap(GetProcessHeap(), 0,
- sizeof(TOKEN_PRIVILEGES)
+ /* Allocate and initialize token privileges */
+ TokenPrivileges = RtlAllocateHeap(GetProcessHeap(), 0,
+ sizeof(TOKEN_PRIVILEGES)
- if (! LookupPrivilegeValueW(NULL, DefaultPrivs[i].PrivName,
- &TokenPrivileges->Privileges[TokenPrivileges->PrivilegeCount].Luid))
+ if (! LookupPrivilegeValueW(NULL,
+ DefaultPrivs[i].PrivName,
+ &TokenPrivileges->Privileges[TokenPrivileges->PrivilegeCount].Luid))
- RtlFreeHeap(GetProcessHeap(), 0, Dacl);
- FreeGroupSids(TokenGroups);
- RtlFreeHeap(GetProcessHeap(), 0, TokenPrivileges);
- RtlFreeSid(UserSid);
- return FALSE;
+ RtlFreeHeap(GetProcessHeap(), 0, Dacl);
+ FreeGroupSids(TokenGroups);
+ RtlFreeHeap(GetProcessHeap(), 0, TokenPrivileges);
+ RtlFreeSid(UserSid);
+ return FALSE;
- 1,
- SECURITY_LOCAL_SYSTEM_RID,
- SECURITY_NULL_RID,
- SECURITY_NULL_RID,
- SECURITY_NULL_RID,
- SECURITY_NULL_RID,
- SECURITY_NULL_RID,
- SECURITY_NULL_RID,
- SECURITY_NULL_RID,
- &LocalSystemSid);
-
- /* SID: S-1-5-18 */
- RtlAddAccessAllowedAce(Dacl,
- ACL_REVISION,
- GENERIC_ALL,
- LocalSystemSid);
-
- RtlFreeSid(LocalSystemSid);
-
- TokenDefaultDacl.DefaultDacl = Dacl;
-
- memcpy(TokenSource.SourceName,
- "User32 ",
- 8);
- Status = NtAllocateLocallyUniqueId(&TokenSource.SourceIdentifier);
- if (!NT_SUCCESS(Status))
+ 1,
+ SECURITY_LOCAL_SYSTEM_RID,
+ SECURITY_NULL_RID,
+ SECURITY_NULL_RID,
+ SECURITY_NULL_RID,
+ SECURITY_NULL_RID,
+ SECURITY_NULL_RID,
+ SECURITY_NULL_RID,
+ SECURITY_NULL_RID,
+ &LocalSystemSid);
+
+ /* SID: S-1-5-18 */
+ RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GENERIC_ALL,
+ LocalSystemSid);
+
+ RtlFreeSid(LocalSystemSid);
+
+ TokenDefaultDacl.DefaultDacl = Dacl;
+
+ memcpy(TokenSource.SourceName,
+ "User32 ",
+ 8);
+
+ Status = NtAllocateLocallyUniqueId(&TokenSource.SourceIdentifier);
+ if (!NT_SUCCESS(Status))
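Review bot: `RtlAddAccessAllowedAce(Dacl, ACL_REVISION, GENERIC_ALL, LocalSystemSid);` ignores the returned NTSTATUS, so if the ACE does not fit in Dacl the token is still created with a default DACL that silently lacks the `S-1-5-18` entry the comment says is intended. Check it like the neighbouring calls — `Status = RtlAddAccessAllowedAce(Dacl, ACL_REVISION, GENERIC_ALL, LocalSystemSid);` followed by `RtlFreeSid(LocalSystemSid); if (!NT_SUCCESS(Status))` routed to the same free-and-return-FALSE sequence used after the NtAllocateLocallyUniqueId check. The RtlAllocateAndInitializeSid call whose argument list opens this hunk starts above it and is likewise unchecked, so LocalSystemSid may be uninitialized here; the rest of the function is outside this hunk.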
- RtlFreeHeap(GetProcessHeap(), 0, Dacl);
- FreeGroupSids(TokenGroups);
- RtlFreeHeap(GetProcessHeap(), 0, TokenPrivileges);
- RtlFreeSid(UserSid);
- return FALSE;
+ RtlFreeHeap(GetProcessHeap(), 0, Dacl);
+ FreeGroupSids(TokenGroups);
+ RtlFreeHeap(GetProcessHeap(), 0, TokenPrivileges);
+ RtlFreeSid(UserSid);
+ return FALSE;
- Status = NtCreateToken(phToken,
- TOKEN_ALL_ACCESS,
- &ObjectAttributes,
- TokenPrimary,
- &AuthenticationId,
- &ExpirationTime,
- &TokenUser,
- TokenGroups,
- TokenPrivileges,
- &TokenOwner,
- &TokenPrimaryGroup,
- &TokenDefaultDacl,
- &TokenSource);
-
- RtlFreeHeap(GetProcessHeap(), 0, Dacl);
- FreeGroupSids(TokenGroups);
- RtlFreeHeap(GetProcessHeap(), 0, TokenPrivileges);
- RtlFreeSid(UserSid);
-
- return NT_SUCCESS(Status);
+ Status = NtCreateToken(phToken,
+ TOKEN_ALL_ACCESS,
+ &ObjectAttributes,
+ TokenPrimary,
+ &AuthenticationId,
+ &ExpirationTime,
+ &TokenUser,
+ TokenGroups,
+ TokenPrivileges,
+ &TokenOwner,
+ &TokenPrimaryGroup,
+ &TokenDefaultDacl,
+ &TokenSource);
+
+ RtlFreeHeap(GetProcessHeap(), 0, Dacl);
+ FreeGroupSids(TokenGroups);
+ RtlFreeHeap(GetProcessHeap(), 0, TokenPrivileges);
+ RtlFreeSid(UserSid);
+
+ return NT_SUCCESS(Status);