OleClipboard and IDataObject under local SYSTEM account

joeyes 30

There is an implementation of remote file transfer via dragging virtual files using IStream/IDataObject (based on Raymond Chen's blog topic: What a drag: Dragging a virtual file (IStream edition)).

Basically, it works good. But if the application is run under the SYSTEM account, the IDataObject::GetData() is called only once - requests a FILEDESCRIPTOR, but doesn't return with a requests for FILECONTENTS.

How I use IDataObject:


if (SUCCEEDED(OleInitialize(NULL))) {
    IDataObject* dtob = new MyDataObject(/*some files info here*/);
    if (dtob) {
        OleSetClipboard(dtob);
        dtob->Release();
    }
    
    //simulate Ctrl-V
    ...
    
    MSG msg;
    while (GetMessage(&msg, NULL, 0, 0)) {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }
    OleUninitialize();
}

RLWA32 39,916 Reputation points

2023-02-07T19:18:58.0233333+00:00

It would be helpful if you shared a sample that reliably reproduces the problem you are experiencing.
Xiaopo Yang - MSFT 11,251 Reputation points Microsoft Vendor

2023-02-08T01:54:33.7533333+00:00

Typically, The SYSTEM account is used by the operating system and by services running under Windows. It's not recommended to do with the SYSTEM account.

And could you please show a minimal, reproducible sample with steps?
joeyes 30 Reputation points

2023-02-08T05:16:39.2033333+00:00
Source.txt

There are some app functionality which works only under system, e.g it should work on the lock screen.

Added source sample.

works without admin privileges (just press ctrl-v somewhere, e.g. on desktop - it's create "Dummy" file)

doesn't works with admin privileges (in this case app run in the SYSTEM account)

joeyes 30

Added source sample (sorry, I couldn't attach it as a file for some reason). If you run it without admin privileges and press ctrl-v somewhere (on desktop for example) it should create "Dummy" file. But with admin privileges (app will run as SYSTEM) it won't work.

#include <windows.h>

#include "sddl.h"
#include <string>
#include <assert.h>
#include <WtsApi32.h>
#include <windows.h>
#include <shlwapi.h>
#include <strsafe.h>
#include <codecvt>
#include <shlobj.h> 

#pragma comment(lib, "wtsapi32.lib")
#pragma comment(lib, "Shlwapi.lib")

class MyDataObject : public IDataObject {
public:
    // IUnknown
    STDMETHODIMP QueryInterface(REFIID riid, void** ppvObj);
    STDMETHODIMP_(ULONG) AddRef();
    STDMETHODIMP_(ULONG) Release();

    // IDataObject
    STDMETHODIMP GetData(FORMATETC* pfe, STGMEDIUM* pmed);
    STDMETHODIMP GetDataHere(FORMATETC* pfe, STGMEDIUM* pmed);
    STDMETHODIMP QueryGetData(FORMATETC* pfe);
    STDMETHODIMP GetCanonicalFormatEtc(FORMATETC* pfeIn,
        FORMATETC* pfeOut);
    STDMETHODIMP SetData(FORMATETC* pfe, STGMEDIUM* pmed,
        BOOL fRelease);
    STDMETHODIMP EnumFormatEtc(DWORD dwDirection,
        LPENUMFORMATETC* ppefe);
    STDMETHODIMP DAdvise(FORMATETC* pfe, DWORD grfAdv,
        IAdviseSink* pAdvSink, DWORD* pdwConnection);
    STDMETHODIMP DUnadvise(DWORD dwConnection);
    STDMETHODIMP EnumDAdvise(LPENUMSTATDATA* ppefe);

    MyDataObject();

private:
    enum {
        DATA_FILEGROUPDESCRIPTOR,
        DATA_FILECONTENTS,
        DATA_NUM,
        DATA_INVALID = -1
    };

    int GetDataIndex(const FORMATETC* pfe);
private:
    ULONG refCnt_;
    FORMATETC m_rgfe[DATA_NUM];
};

void SetFORMATETC(FORMATETC* pfe, UINT cf, TYMED tymed = TYMED_HGLOBAL, LONG lindex = -1,
    DWORD dwAspect = DVASPECT_CONTENT, DVTARGETDEVICE* ptd = NULL) {
    pfe->cfFormat = (CLIPFORMAT)cf;
    pfe->tymed = tymed;
    pfe->lindex = lindex;
    pfe->dwAspect = dwAspect;
    pfe->ptd = ptd;
}

MyDataObject::MyDataObject() : refCnt_(1) {
    SetFORMATETC(&m_rgfe[DATA_FILEGROUPDESCRIPTOR],
        RegisterClipboardFormat(CFSTR_FILEDESCRIPTOR));
    SetFORMATETC(&m_rgfe[DATA_FILECONTENTS],
        RegisterClipboardFormat(CFSTR_FILECONTENTS),
        TYMED_ISTREAM, /* lindex */ 0);
}

HRESULT MyDataObject::QueryInterface(REFIID riid, void** ppv) {
    IUnknown* punk = NULL;
    if (riid == IID_IUnknown) {
        punk = static_cast<IUnknown*>(this);
    } else if (riid == IID_IDataObject) {
        punk = static_cast<IDataObject*>(this);
    }

    *ppv = punk;
    if (punk) {
        punk->AddRef();
        return S_OK;
    } else {
        return E_NOINTERFACE;
    }
}

ULONG MyDataObject::AddRef() {
    return ++refCnt_;
}

ULONG MyDataObject::Release() {
    ULONG cRef = --refCnt_;
    if (cRef == 0)
        delete this;
    return cRef;
}

int MyDataObject::GetDataIndex(const FORMATETC* pfe) {
    for (int i = 0; i < ARRAYSIZE(m_rgfe); i++) {
        if (pfe->cfFormat == m_rgfe[i].cfFormat &&
            (pfe->tymed & m_rgfe[i].tymed) &&
            pfe->dwAspect == m_rgfe[i].dwAspect &&
            pfe->lindex == m_rgfe[i].lindex) {
            return i;
        }
    }
    return DATA_INVALID;
}

HRESULT CreateHGlobalFromBlob(const void* pvData, SIZE_T cbData, UINT uFlags, HGLOBAL* phglob) {
    HGLOBAL hglob = GlobalAlloc(uFlags, cbData);
    if (hglob) {
        void* pvAlloc = GlobalLock(hglob);
        if (pvAlloc) {
            CopyMemory(pvAlloc, pvData, cbData);
            GlobalUnlock(hglob);
        }
        else {
            GlobalFree(hglob);
            hglob = NULL;
        }
    }
    *phglob = hglob;
    return hglob ? S_OK : E_OUTOFMEMORY;
}

HRESULT MyDataObject::QueryGetData(FORMATETC* pfe) {
    return GetDataIndex(pfe) == DATA_INVALID ? S_FALSE : S_OK;
}

HRESULT MyDataObject::EnumFormatEtc(DWORD dwDirection, LPENUMFORMATETC* ppefe) {
    if (dwDirection == DATADIR_GET) {
        return SHCreateStdEnumFmtEtc(ARRAYSIZE(m_rgfe), m_rgfe, ppefe);
    }
    *ppefe = NULL;
    return E_NOTIMPL;
}

HRESULT MyDataObject::GetDataHere(FORMATETC* pfe, STGMEDIUM* pmed) {
    return E_NOTIMPL;
}

HRESULT MyDataObject::GetCanonicalFormatEtc(FORMATETC* pfeIn, FORMATETC* pfeOut) {
    *pfeOut = *pfeIn;
    pfeOut->ptd = NULL;
    return DATA_S_SAMEFORMATETC;
}

HRESULT MyDataObject::SetData(FORMATETC* pfe, STGMEDIUM* pmed, BOOL fRelease) {
    return E_NOTIMPL;
}

HRESULT MyDataObject::DAdvise(FORMATETC* pfe, DWORD grfAdv, IAdviseSink* pAdvSink, DWORD* pdwConnection) {
    return OLE_E_ADVISENOTSUPPORTED;
}

HRESULT MyDataObject::DUnadvise(DWORD dwConnection) {
    return OLE_E_ADVISENOTSUPPORTED;
}

HRESULT MyDataObject::EnumDAdvise(LPENUMSTATDATA* ppefe) {
    return OLE_E_ADVISENOTSUPPORTED;
}

HRESULT MyDataObject::GetData(FORMATETC* pfe, STGMEDIUM* pmed) {
    ZeroMemory(pmed, sizeof(*pmed));
    if (GetDataIndex(pfe) != -1)
        printf("IDataObject::GetData call with format index %d\n", GetDataIndex(pfe));
    switch (GetDataIndex(pfe)) {
    case DATA_FILEGROUPDESCRIPTOR: {
        FILEGROUPDESCRIPTOR fgd;
        ZeroMemory(&fgd, sizeof(fgd));
        fgd.cItems = 1;
        StringCchCopy(fgd.fgd[0].cFileName, ARRAYSIZE(fgd.fgd[0].cFileName), TEXT("Dummy"));
        pmed->tymed = TYMED_HGLOBAL;
        return CreateHGlobalFromBlob(&fgd, sizeof(fgd),
            GMEM_MOVEABLE, &pmed->hGlobal);
    }
    case DATA_FILECONTENTS:
        pmed->tymed = TYMED_ISTREAM;
        pmed->pstm = SHOpenRegStream(HKEY_LOCAL_MACHINE,
            TEXT("Hardware\\Description\\System\\CentralProcessor\\0"),
            TEXT("~MHz"), STGM_READ);
        if (pmed->pstm) {
            LARGE_INTEGER liZero = { 0, 0 };
            pmed->pstm->Seek(liZero, STREAM_SEEK_END, NULL);
        }
        return pmed->pstm ? S_OK : E_FAIL;
    }
    return DV_E_FORMATETC;
}

BOOL IsSystemSid(PSID sid) {
    return ::IsWellKnownSid(sid, WinLocalSystemSid);
}

HANDLE OpenSystemProcessToken() {
    PWTS_PROCESS_INFO pInfo;
    DWORD count;
    if (!::WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pInfo, &count)) {
        printf("Error enumerating processes (error=%ld)\n", ::GetLastError());
        return nullptr;
    }

    HANDLE hToken{};
    for (DWORD i = 0; i < count && !hToken; i++) {
        if (pInfo[i].SessionId == 0 && IsSystemSid(pInfo[i].pUserSid)) {
            auto hProcess = ::OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pInfo[i].ProcessId);
            if (hProcess) {
                ::OpenProcessToken(hProcess, TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY | TOKEN_IMPERSONATE, &hToken);
                ::CloseHandle(hProcess);
            }
        }
    }

    ::WTSFreeMemory(pInfo);
    return hToken;
}

BOOL SetPrivilege(HANDLE hToken, PCTSTR lpszPrivilege, bool bEnablePrivilege) {
    TOKEN_PRIVILEGES tp;
    LUID luid;

    if (!::LookupPrivilegeValue(nullptr, lpszPrivilege, &luid))
        return FALSE;

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    if (bEnablePrivilege)
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    else
        tp.Privileges[0].Attributes = 0;

    // Enable the privilege or disable all privileges.
    if (!::AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), nullptr, nullptr)) {
        return FALSE;
    }

    if (::GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        return FALSE;

    return TRUE;
}

BOOL EnableDebugPrivilege(void) {
    HANDLE hToken;
    BOOL result;
    if (!::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }
    result = SetPrivilege(hToken, SE_DEBUG_NAME, TRUE);
    ::CloseHandle(hToken);
    return result;
}

std::wstring string_to_wstring(const std::string& str) {
    using convert_typeX = std::codecvt_utf8<wchar_t>;
    std::wstring_convert<convert_typeX, wchar_t> converterX;
    return converterX.from_bytes(str);
}

//https://github.com/zodiacon/sysrun
int runAsSystem(int argc, const char* argv[]) {
    if (FALSE == EnableDebugPrivilege()) {
        printf("EnableDebugPrivilege failed: Access denied\n");
        return -1;
    }

    auto hToken = OpenSystemProcessToken();
    if (!hToken) {
        printf("OpenSystemProcessToken failed: Access denied\n");
        return -1;
    }

    HANDLE hDupToken, hPrimary;
    ::DuplicateTokenEx(hToken, TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_ASSIGN_PRIMARY | TOKEN_ADJUST_PRIVILEGES,
        nullptr, SecurityImpersonation, TokenImpersonation, &hDupToken);
    ::DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, nullptr, SecurityImpersonation, TokenPrimary, &hPrimary);
    ::CloseHandle(hToken);

    if (hDupToken == nullptr) {
        printf("Failed to create token (error=%ld)\n", ::GetLastError());
        return -1;
    }

    STARTUPINFO si = { sizeof(si) };
    wchar_t lpDesktop[16] = L"Winsta0\\default";
    si.lpDesktop = lpDesktop;

    PROCESS_INFORMATION pi;

    BOOL impersonated = ::SetThreadToken(nullptr, hDupToken);
    assert(impersonated);
    if (!impersonated) {
        printf("SetThreadToken failed: Access denied\n");
        return -1;
    }

    HANDLE hCurrentToken;
    DWORD session = 0, len = sizeof(session);
    ::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, &hCurrentToken);
    ::GetTokenInformation(hCurrentToken, TokenSessionId, &session, len, &len);
    ::CloseHandle(hCurrentToken);

    if (!SetPrivilege(hDupToken, SE_ASSIGNPRIMARYTOKEN_NAME, TRUE) ||
        !SetPrivilege(hDupToken, SE_INCREASE_QUOTA_NAME, TRUE)) {
        printf("SetPrivilege failed: Insufficient privileges\n");
        return -1;
    }

    ::SetTokenInformation(hPrimary, TokenSessionId, &session, sizeof(session));


    std::string commandLine;
    for (int i = 0; i < argc; i++)
        (commandLine += argv[i]) += " ";
    commandLine += "--run_as_system";

    if (!CreateProcessAsUser(hPrimary, nullptr, const_cast<wchar_t*>(string_to_wstring(commandLine).c_str()),
        nullptr, nullptr, FALSE, 0, nullptr, nullptr, &si, &pi)) {
        printf("Failed to create process (error=%ld)\n", ::GetLastError());
        return -1;
    }
    else {
        printf("Process created: %ld\n", pi.dwProcessId);
    }

    return 0;
}

int main(int argc, const char* argv[]) {
    bool runningAsSystem = argc > 1 && !strcmp(argv[argc - 1], "--run_as_system");
    if (!runningAsSystem) {
        if (runAsSystem(argc, argv) < 0)
            printf("Cannot run as SYSTEM\n");
        else
            return 0;
    }

    if (SUCCEEDED(OleInitialize(NULL))) {
        IDataObject* pdto = new MyDataObject();
        if (pdto) {
            OleSetClipboard(pdto);
            pdto->Release();
        }

        MSG msg;
        while (GetMessage(&msg, NULL, 0, 0)) {
            TranslateMessage(&msg);
            DispatchMessage(&msg);
        }
        OleUninitialize();
    }

    return 0;
}

Accepted answer

Sam Barraclough 85 Reputation points

2023-02-14T20:06:14.3066667+00:00
It sounds like we're working on similar projects - software KVM with clipboard functions.

After a very long time, I figured out that the reason it doesn't work on the SYSTEM account is because of COM security. I managed to get it working by using the CoInitializeSecurity function:

Ole32.CoInitializeSecurity( 0, 0, default, 0, Rpc.RPC_C_AUTHN_LEVEL.RPC_C_AUTHN_LEVEL_NONE, Rpc.RPC_C_IMP_LEVEL.RPC_C_IMP_LEVEL_IDENTIFY, default, default, default).ThrowIfFailed();
Please sign in to rate this answer.

2 people found this answer helpful.
joeyes 30 Reputation points

2023-02-15T11:07:46.0233333+00:00

Thank you, it works!
Sign in to comment

2 additional answers

RLWA32 39,916 Reputation points

2023-02-08T10:36:08.55+00:00

There is a security boundary for the clipboard between elevated processes running as SYSTEM and non-elevated processes for certain clipboard formats. This boundary is not documented to the best of my knowledge. You will find that if you place simple text on the clipboard from an elevated process running as SYSTEM that it can be pasted into Notepad.
Please sign in to rate this answer.
joeyes 30 Reputation points

2023-02-08T12:01:04.0566667+00:00

So there are no ways to solve this? And why GetData receives FILEDESCRIPTOR request in the very beginning?

RLWA32 39,916 Reputation points

2023-02-08T13:07:04.19+00:00

In my own tests when a non-elevated client attempts to retrieve the file contents by asking the data object returned from the clipboard for CFSTR_FILECONTENTS the call to IDataObject::GetData fails with 0x80040064 (Invalid FORMATETC structure). This would be the above-mentioned security boundary at work.

joeyes 30 Reputation points

2023-02-09T05:11:49.46+00:00

Just checked it on Windows Server 2022 - everything works as expected. There are some diffs between win server / win 10(11) security mechanisms?

RLWA32 39,916 Reputation points

2023-02-09T08:03:39.4766667+00:00

As I mentioned earlier these security boundaries are not documented by Microsoft. I'm only aware of them because of a previous issue that was answered in the msdn forums with respect to an older version of Windows. Only Microsoft can provide an authoritative explanation for the different behaviors that you are seeing.
Sign in to comment
Xiaopo Yang - MSFT 11,251 Reputation points Microsoft Vendor

2023-02-10T02:32:06.85+00:00

Hello @joeyes The code also works fine for me.
Please sign in to rate this answer.
joeyes 30 Reputation points

2023-02-10T05:27:24.7566667+00:00

Doesn't work for me (and for my colleague win 11 with exactly the same ver with you as well). Judging by the RLWA32 message above this is the result of some kind of windows security mechanism. But judging by the fact that everything works for you, then either this is not the case (a windows bug), or this mechanism somehow turns on/off

Xiaopo Yang - MSFT 11,251 Reputation points Microsoft Vendor

2023-02-10T08:32:01.9+00:00

You may need Process Monitor to check the difference.

joeyes 30 Reputation points

2023-02-10T09:41:18.5633333+00:00

Not so much information... Both screenshots include chunks of the log after pressing ctrl-v. On the top is app run under the SYSTEM account.

Xiaopo Yang - MSFT 11,251 Reputation points Microsoft Vendor

2023-02-13T07:40:37.4333333+00:00

As this issue is complex, please open an incident via 'Contact us' tab at link below so that our engineer can work with you closely: https://developer.microsoft.com/en-us/windows/support/ and please choose the 'Technical Support - Coding/Debugging' for Windows SDK for this issue. In-addition, if the support engineer determines that the issue is the result of a bug the service request will be a no-charge case and you won't be charged.
Sign in to comment