You can refer to this GitHub repository PrimaryTokenTheft which starts the cmd.exe child process properly.
Run process with elevated access by standard user account
I am developing a Privilege Manager application. For this we need to give a standard user elevated access to specific applications.
To achieve this I'm following the method below:
1. My service is running as the SYSTEM account.
   1. On service startup, I'm doing the tasks below.
   2. Standard user added into the Local Administrators group.
   3. Scheduled task created with "Run with highest privileges"; scheduled task started.
   4. The process started with elevated access. This process will listen for elevated-access requests from the standard user.
   5. Standard user removed from the Local Administrators group.
2. User requests elevated access to a specific application. The request is forwarded to the listener process.
3. Listener process starts the child process by using the APIs below:
   1. WTSGetActiveConsoleSessionId ==> get current user session id
   2. OpenProcess ==> used to get the handle of the current process
   3. OpenProcessToken ==> getting current process token
   4. DuplicateTokenEx ==> current process token duplicated
   5. SetTokenInformation ==> setting console session id in duplicated token
   6. CreateProcessAsUser ==> process started by using this API
Note:
It's working without an issue for the processes calc.exe and brave.exe (these processes started without elevated access).
Some processes started with elevated rights but are not able to access the user interface (some interactive processes do not work as expected: mstsc.exe, regedt32.exe, cmd.exe).
2 answers
Xiaopo Yang - MSFT 12,721 Reputation points Microsoft Vendor
2021-06-09T07:10:09.437+00:00
RLWA32 44,931 Reputation points
2021-06-09T12:55:25.717+00:00
The token that the listener process obtains from the interactive session of a standard user account cannot be used to create an elevated process.
The elevated listener process started by the Task Scheduler is probably running in session 0. If the elevated listener is running in session 0 its token will not contain the Logon Sid of the standard user's interactive session. Consequently, any elevated process created in the interactive session using this token will not have sufficient access to the session's window station.
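The diagnostic below is an added example, not code from the question or from either answer. It is meant to be run from the elevated listener process (or any process under test) and reports the two things the answer above turns on: which session the process lives in compared with the active console session returned by WTSGetActiveConsoleSessionId, and whether the process token carries a Logon SID (S-1-5-5-X-Y) for an interactive session. The assumption that the .NET WindowsIdentity.Groups collection surfaces the Logon SID, as whoami /groups does, is mine; the function name is hypothetical.

```powershell
# Added diagnostic, not part of the original question or answers.
# Reports where the calling process lives (session id vs. the active console
# session) and whether its token carries a Logon SID (S-1-5-5-X-Y), which a
# process needs in order to open the interactive session's window station.

Add-Type -Namespace Win32 -Name Wts -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern uint WTSGetActiveConsoleSessionId();
'@

function Get-TokenSessionDiagnostics {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # Logon SIDs have the form S-1-5-5-X-Y. Assumption: they appear among the
    # token's group SIDs in WindowsIdentity.Groups, as they do in whoami /groups.
    $logonSid = $identity.Groups |
        Where-Object { $_.Value -like 'S-1-5-5-*' } |
        Select-Object -First 1

    $sessionId = (Get-Process -Id $PID).SessionId
    $console   = [Win32.Wts]::WTSGetActiveConsoleSessionId()

    # Either condition means a child created from this token into the console
    # session will not have sufficient access to that session's window station.
    $notInteractive = ($sessionId -eq 0) -or (-not $logonSid)
    $warning = $null
    if ($notInteractive) {
        $warning = 'Token is not tied to the interactive session; ' +
                   'CreateProcessAsUser children will lack UI access.'
    }

    [pscustomobject]@{
        User                   = $identity.Name
        IsElevated             = $principal.IsInRole($adminRole)
        SessionId              = $sessionId
        ActiveConsoleSessionId = $console
        RunningInSessionZero   = ($sessionId -eq 0)
        LogonSid               = if ($logonSid) { $logonSid.Value } else { $null }
        Warning                = $warning
    }
}

Get-TokenSessionDiagnostics | Format-List
```

If the output shows RunningInSessionZero as True or LogonSid as empty, the listener was started outside the user's interactive session (for example by a scheduled task configured to run whether the user is logged on or not), and the duplicated token it hands to CreateProcessAsUser will behave exactly as the answer describes: the child appears elevated but cannot reach the desktop.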