
I have a non-interactive service running as the privileged SYSTEM user on Windows machines, and I need it to launch a given executable as an elevated process.

I have managed to launch a child process as SYSTEM, using WTSGetActiveConsoleSessionId(), finding a system process and duplicating its token. Similarly, I can launch a non-elevated process as a regular user. But I need to launch the process as the regular user with elevated privileges, so that I don't have to show UAC but the process is running as the appropriate user.

I am not trying to bypass UAC, since the user already agreed to installing the service. I am trying to mitigate an inconvenience. I have found a similar, unanswered question, but am asking again in the hope of getting an answer.

asked by Liosan
  • Assuming that you're using WTSQueryUserToken to get a token for the interactive user, and that the interactive user is an administrator, you should be able to get the elevated token using GetTokenInformation with the TokenLinkedToken option. – Harry Johnston May 20 '14 at 23:52
  • On a side note, it should be possible (and more efficient) to launch a child process as SYSTEM by duplicating your own SYSTEM token and then changing the session ID using SetTokenInformation and the TokenSessionId option. – Harry Johnston May 20 '14 at 23:54
  • @HarryJohnston Thanks for the ideas! The linked token idea works ok. If you convert it to an answer, I can mark it as accepted. – Liosan May 21 '14 at 14:38
  • @Liosan: I have a similar problem. I have to launch the process in all the active sessions. For that I am using WTSEnumerateSessions() to get all active sessions and launching the process. But I want to run the process in that session in admin mode (run as admin). Can you tell me how to do it? To get the session token I used the WTSQueryUserToken() API and to launch the process I used the CreateProcessAsUser() API. Also my service is a local service. – Umesha MS Sep 11 '14 at 05:15

1 Answer


If you have a filtered token for the interactive user - for example, one retrieved via WTSQueryUserToken() - you can retrieve the unfiltered ("elevated") token by using the GetTokenInformation function with the TokenLinkedToken option.

answered by Harry Johnston
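The answer put together as a runnable script, as an added example that is not part of the original question or answer: a PowerShell script for a SYSTEM context (the Win32 wrapper class, the $Exe default and the error messages are this example's own) that takes the interactive user's token with WTSQueryUserToken, checks its elevation type, retrieves the linked token with TokenLinkedToken, duplicates it to a primary token and starts the executable in the console session with CreateProcessAsUser. It assumes it is run as SYSTEM, from the service itself or from a shell started with psexec -s -i, because WTSQueryUserToken and the primary-token duplication need SeTcbPrivilege.

```powershell
# Added example, not code from the original question or answer. Run as SYSTEM.
# Class name "Win32", the $Exe default and the messages are this example's own.
param(
    [string]$Exe = "$env:SystemRoot\System32\notepad.exe"   # assumed target executable
)

if (-not ('Win32' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class Win32 {
    public const uint TOKEN_ALL_ACCESS = 0x000F01FF;
    public const int  SecurityImpersonation = 2, TokenPrimary = 1;
    public const int  TokenElevationType = 18, TokenLinkedToken = 19;                 // TOKEN_INFORMATION_CLASS
    public const int  ElevationDefault = 1, ElevationFull = 2, ElevationLimited = 3;  // TOKEN_ELEVATION_TYPE
    public const uint CREATE_UNICODE_ENVIRONMENT = 0x400, CREATE_NEW_CONSOLE = 0x10;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [DllImport("kernel32.dll")] public static extern uint WTSGetActiveConsoleSessionId();
    [DllImport("wtsapi32.dll", SetLastError = true)]
    public static extern bool WTSQueryUserToken(uint SessionId, out IntPtr phToken);
    // Two typed bindings of GetTokenInformation: TokenElevationType fills a DWORD,
    // TokenLinkedToken fills a TOKEN_LINKED_TOKEN, which is a single HANDLE.
    [DllImport("advapi32.dll", SetLastError = true, EntryPoint = "GetTokenInformation")]
    public static extern bool GetTokenElevationType(IntPtr h, int cls, out int info, uint len, out uint ret);
    [DllImport("advapi32.dll", SetLastError = true, EntryPoint = "GetTokenInformation")]
    public static extern bool GetTokenLinkedToken(IntPtr h, int cls, out IntPtr info, uint len, out uint ret);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool DuplicateTokenEx(IntPtr h, uint access, IntPtr attrs, int level, int type, out IntPtr hNew);
    [DllImport("userenv.dll", SetLastError = true)]
    public static extern bool CreateEnvironmentBlock(out IntPtr env, IntPtr hToken, bool inherit);
    [DllImport("userenv.dll", SetLastError = true)]
    public static extern bool DestroyEnvironmentBlock(IntPtr env);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessAsUser(IntPtr hToken, string app, string cmd, IntPtr pa, IntPtr ta,
        bool inherit, uint flags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
}
'@
}

function Get-LastError { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }
$filtered = $linked = $primary = $envBlock = [IntPtr]::Zero
try {
    $sid = [Win32]::WTSGetActiveConsoleSessionId()
    if ($sid -eq [uint32]::MaxValue) { throw 'No session is attached to the console' }

    # 1. The interactive user's token. Under UAC this is the filtered, medium-integrity one.
    if (-not [Win32]::WTSQueryUserToken($sid, [ref]$filtered)) {
        throw "WTSQueryUserToken failed (error $(Get-LastError)); this must run as SYSTEM"
    }

    # 2. Only a Limited token has a linked token. Default means the user is not an
    #    administrator, so there is no elevated token to retrieve at all.
    $kind = 0; $len = [uint32]0
    if (-not [Win32]::GetTokenElevationType($filtered, [Win32]::TokenElevationType, [ref]$kind, 4, [ref]$len)) {
        throw "GetTokenInformation(TokenElevationType) failed (error $(Get-LastError))"
    }
    if ($kind -eq [Win32]::ElevationLimited) {
        if (-not [Win32]::GetTokenLinkedToken($filtered, [Win32]::TokenLinkedToken, [ref]$linked, [IntPtr]::Size, [ref]$len)) {
            throw "GetTokenInformation(TokenLinkedToken) failed (error $(Get-LastError))"
        }
        $source = $linked
    } elseif ($kind -eq [Win32]::ElevationFull) {
        $source = $filtered        # UAC is off or the session token is already elevated
    } else {
        throw 'The interactive user is not an administrator; no elevated token exists'
    }

    # 3. The linked token is an impersonation token; CreateProcessAsUser needs a primary one.
    if (-not [Win32]::DuplicateTokenEx($source, [Win32]::TOKEN_ALL_ACCESS, [IntPtr]::Zero,
            [Win32]::SecurityImpersonation, [Win32]::TokenPrimary, [ref]$primary)) {
        throw "DuplicateTokenEx failed (error $(Get-LastError))"
    }

    # 4. Launch on the user's interactive desktop with the user's own environment block.
    if (-not [Win32]::CreateEnvironmentBlock([ref]$envBlock, $primary, $false)) {
        throw "CreateEnvironmentBlock failed (error $(Get-LastError))"
    }
    $si = New-Object Win32+STARTUPINFO
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $si.lpDesktop = 'winsta0\default'
    $procInfo = New-Object Win32+PROCESS_INFORMATION
    $flags = [Win32]::CREATE_UNICODE_ENVIRONMENT -bor [Win32]::CREATE_NEW_CONSOLE
    if (-not [Win32]::CreateProcessAsUser($primary, $Exe, $null, [IntPtr]::Zero, [IntPtr]::Zero, $false,
            $flags, $envBlock, $null, [ref]$si, [ref]$procInfo)) {
        throw "CreateProcessAsUser failed (error $(Get-LastError))"
    }
    [void][Win32]::CloseHandle($procInfo.hThread); [void][Win32]::CloseHandle($procInfo.hProcess)
    "Started $Exe as PID $($procInfo.dwProcessId) in session $sid (source elevation type $kind)"
} finally {
    if ($envBlock -ne [IntPtr]::Zero) { [void][Win32]::DestroyEnvironmentBlock($envBlock) }
    foreach ($h in $filtered, $linked, $primary) { if ($h -ne [IntPtr]::Zero) { [void][Win32]::CloseHandle($h) } }
}
```

The elevation-type check is the caveat worth keeping. TokenLinkedToken only exists for a filtered token (TokenElevationTypeLimited), which means UAC is enabled and the user is a member of Administrators; for a standard user the call fails because there is no elevated token to retrieve, and for a token that is already TokenElevationTypeFull (UAC disabled, or the built-in Administrator account) the token you already hold is the one to use. The linked token handle is an impersonation token, so it must go through DuplicateTokenEx before CreateProcessAsUser accepts it; that conversion succeeds from SYSTEM because SYSTEM holds SeTcbPrivilege, and it is also why this cannot be used from an unprivileged process to escape the UAC prompt.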