Run process with elevated access by standard user account

Bala Smart 51 Reputation points
2021-06-09T05:31:46.067+00:00

I am developing a Privilege Manager application. For this we need elevated access to a specific application for a standard user.
To achieve this I'm following the method below:

1. My service is running as the system account.

   1. On service startup, I'm doing the tasks below.
   2. Standard user added into the Local Administrator group.
   3. Scheduled task created with "Run with highest privileges", scheduled task started.
   4. The process started with elevated access. This process will listen for elevated access requests from the standard user.
   5. Standard user removed from the Local Administrator group.

2. User requests elevated access to a specific application. The request is forwarded to the listener process.
3. Listener process starts the child process by using the APIs below:

   1. WTSGetActiveConsoleSessionId ==> Get current user session id
   2. OpenProcess ==> Used to get the handle of the current process
   3. OpenProcessToken ==> Getting current process token
   4. DuplicateTokenEx ==> Current process token duplicated
   5. SetTokenInformation ==> Setting console session id in duplicated token
   6. CreateProcessAsUser ==> Process started by using this API

Note:
It's working without an issue for the processes calc.exe and brave.exe (these processes started without elevated access).
Some processes started with elevated rights, but are not able to access the user interface (some interactive processes are not working as expected: mstsc.exe, regedt32.exe, cmd.exe).



2 answers

  1. Xiaopo Yang - MSFT 12,721 Reputation points Microsoft Vendor
    2021-06-09T07:10:09.437+00:00

    You can refer to this GitHub repository PrimaryTokenTheft which starts the cmd.exe child process properly.


  2. RLWA32 44,931 Reputation points
    2021-06-09T12:55:25.717+00:00

    The token that the listener process obtains from the interactive session of a standard user account cannot be used to create an elevated process.

    The elevated listener process started by the Task Scheduler is probably running in session 0. If the elevated listener is running in session 0 its token will not contain the Logon Sid of the standard user's interactive session. Consequently, any elevated process created in the interactive session using this token will not have sufficient access to the session's window station.
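
As an added diagnostic (not code from the thread or from either answerer), the following PowerShell checks the conditions the answer above describes: run it in the context of the listener process (for example from a PowerShell started by the same scheduled task) to see whether that token is elevated, which session it lives in compared with the active console session, and which logon SIDs it carries. The `Win32.Wts` P/Invoke wrapper and the function names are my own; only `WTSGetActiveConsoleSessionId` is the real API the question already uses.

```powershell
# Added diagnostic, not from the thread. Inspects the token of the process that
# would call DuplicateTokenEx/CreateProcessAsUser and reports the properties
# that decide whether a child in the console session can reach its window station.

# Wrapper type name (Win32.Wts) is an assumption; the API itself is real.
Add-Type -Namespace Win32 -Name Wts -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern uint WTSGetActiveConsoleSessionId();
'@

function Get-ListenerTokenReport {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Logon SIDs have the form S-1-5-5-<high>-<low>, one per logon session.
    # A service in session 0 has its own; it is not the console user's.
    $logonSids = @($identity.Groups |
                   Where-Object { $_.Value -like 'S-1-5-5-*' } |
                   ForEach-Object { $_.Value })

    [pscustomobject]@{
        User             = $identity.Name
        # A UAC-filtered token has Administrators marked deny-only, so this is false for it.
        IsElevated       = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        ProcessSessionId = [System.Diagnostics.Process]::GetCurrentProcess().SessionId
        ConsoleSessionId = [Win32.Wts]::WTSGetActiveConsoleSessionId()
        LogonSids        = $logonSids
    }
}

function Test-ListenerToken {
    $r = Get-ListenerTokenReport
    $problems = @()
    if (-not $r.IsElevated) { $problems += 'token is not elevated' }
    if ($r.ProcessSessionId -eq 0) {
        $problems += 'listener runs in session 0, so its token carries a service logon SID, not the console user''s'
    }
    if ($r.ProcessSessionId -ne $r.ConsoleSessionId) {
        $problems += "process session $($r.ProcessSessionId) differs from console session $($r.ConsoleSessionId); the child will lack window station access"
    }
    [pscustomobject]@{ Report = $r; Problems = $problems; Ok = ($problems.Count -eq 0) }
}

Test-ListenerToken | Format-List
```

If `Ok` is false, setting `TokenSessionId` on the duplicated token (the SetTokenInformation step in the question) moves the child into the console session but does not add the missing logon SID, which matches the symptom of elevated children that cannot show a UI.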

