
I need to create a process as a user. However, while creating the process an error appears. The error is: `1314 CreateProcessAsUser A required privilege is not held by the client.`

```python
import win32api
import win32con
import win32security
import win32process
import pywintypes


def attempt_to_logon():
    # Log the target user on and return the token handle (None on failure).
    username = "abcdef"
    password = "123456"
    try:
        hUser = win32security.LogonUser(username, None,
                                        password, win32security.LOGON32_LOGON_INTERACTIVE,
                                        win32security.LOGON32_PROVIDER_DEFAULT)
    except win32security.error:
        print("unable to logon")
        return None
    return hUser


def run_as_user(hUser):
    # Start notepad on the interactive desktop using the logged-on user's token.
    startup = win32process.STARTUPINFO()
    startup.dwFlags = win32process.STARTF_USESHOWWINDOW
    startup.wShowWindow = win32con.SW_SHOW
    startup.lpDesktop = 'winsta0\\default'

    try:
        result = win32process.CreateProcessAsUser(hUser,
                                                  None,  # appName
                                                  "c:\\windows\\notepad.exe",  # commandLine
                                                  None,  # process attrs
                                                  None,  # thread attrs
                                                  0,  # inherit handles
                                                  0,  # create flags
                                                  None,  # new environment dict
                                                  None,  # current directory
                                                  startup)  # startup info

    except pywintypes.error as e:
        print(e.winerror, e.funcname, e.strerror)


def AdjustPriv(priv, enable=1):
    # Enable (or disable) the named privilege in the current process token.
    flags = win32security.TOKEN_ADJUST_PRIVILEGES | win32security.TOKEN_QUERY
    htoken = win32security.OpenProcessToken(
        win32api.GetCurrentProcess(), flags)
    id = win32security.LookupPrivilegeValue(None, priv)
    if enable:
        newPriv = [(id, win32security.SE_PRIVILEGE_ENABLED)]
    else:
        newPriv = [(id, 0)]
    win32security.AdjustTokenPrivileges(htoken, 0, newPriv)


if __name__ == "__main__":
    AdjustPriv(win32security.SE_TCB_NAME)
    AdjustPriv(win32security.SE_ASSIGNPRIMARYTOKEN_NAME)
    AdjustPriv(win32security.SE_INCREASE_QUOTA_NAME)
    hUser = attempt_to_logon()
    run_as_user(hUser)
```

The error is in the function run_as_user, when I try to create the process. I read that I have to set SE_TCB_NAME, SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME to use CreateProcessAsUser. So I have no idea where the problem can be.

Frenky
  • An administrator typically doesn't have `SeAssignPrimaryTokenPrivilege`. You can't enable a privilege that's not present in the access token, and you're not checking whether `AdjustTokenPrivileges` actually enabled the privilege. If the current user doesn't have the required privilege, you'll need to run as a service using the LocalSystem account. – Eryk Sun Nov 20 '15 at 00:52
  • Actually, I use it within a Windows service. You can see it [HERE](http://pastebin.com/NEmJupch). I try to launch an external application from the Windows service and I found out that CreateProcessAsUser should be a solution. What should I change in my code? Thanks for your answer! – Frenky Nov 20 '15 at 01:21
  • `win32security.AdjustTokenPrivileges` returns an empty tuple if the privilege isn't modified. As to the service, when installing it do you pass a `--username`, or use the default? – Eryk Sun Nov 20 '15 at 02:03
  • When installing the Windows service I don't use a username and password. I just do: `python.exe .\pyfile.py install` and, for starting, `NET START nameofService`. – Frenky Nov 20 '15 at 12:27
  • Modify `AdjustPriv` to raise an exception or log an error when modifying a privilege fails. Check `sc qc your_service_name` to confirm that the start name is LocalSystem. Check `sc qprivs your_service_name` to query the available privileges in the service access token. – Eryk Sun Nov 21 '15 at 01:50
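
Added example, not code from the thread: one way to do what the comments suggest, making the privilege step fail loudly by reading the token back rather than relying on the return value of `AdjustTokenPrivileges`. The names `classify`, `read_token_privs`, `enable_or_raise`, `PrivilegeError` and `SAMPLE_TOKEN` are hypothetical, and the sample token is constructed.

```python
# Added example (not from the thread). Windows-only calls are imported lazily
# so the pure classification logic can be exercised on any OS.
SE_PRIVILEGE_ENABLED = 0x2  # same value as win32security.SE_PRIVILEGE_ENABLED
REQUIRED = ("SeTcbPrivilege",                 # SE_TCB_NAME
            "SeAssignPrimaryTokenPrivilege",  # SE_ASSIGNPRIMARYTOKEN_NAME
            "SeIncreaseQuotaPrivilege")       # SE_INCREASE_QUOTA_NAME

# Constructed sample: a token holding one required privilege (disabled) and
# lacking the other two.
SAMPLE_TOKEN = [("SeIncreaseQuotaPrivilege", 0), ("SeChangeNotifyPrivilege", 3)]

class PrivilegeError(Exception):
    """A required privilege is absent from the token or could not be enabled."""

def classify(token_privs, required=REQUIRED):
    """Map each required privilege name to 'enabled', 'disabled' or 'missing'."""
    held = dict(token_privs)
    return {name: "missing" if name not in held
            else "enabled" if held[name] & SE_PRIVILEGE_ENABLED
            else "disabled"
            for name in required}

def read_token_privs(htoken):
    """Return [(privilege_name, attributes), ...] for an open token handle."""
    import win32security
    raw = win32security.GetTokenInformation(htoken, win32security.TokenPrivileges)
    return [(win32security.LookupPrivilegeName(None, luid), attrs)
            for luid, attrs in raw]

def enable_or_raise(required=REQUIRED):
    """Enable the required privileges in the current process token, or raise."""
    import win32api
    import win32security
    flags = win32security.TOKEN_ADJUST_PRIVILEGES | win32security.TOKEN_QUERY
    htoken = win32security.OpenProcessToken(win32api.GetCurrentProcess(), flags)
    missing = [n for n, s in classify(read_token_privs(htoken), required).items()
               if s == "missing"]
    if missing:  # AdjustTokenPrivileges cannot add privileges, only toggle them
        raise PrivilegeError("not in access token: " + ", ".join(missing))
    new_state = [(win32security.LookupPrivilegeValue(None, n), SE_PRIVILEGE_ENABLED)
                 for n in required]
    win32security.AdjustTokenPrivileges(htoken, 0, new_state)
    # Re-read the token rather than trusting the call's return value.
    after = classify(read_token_privs(htoken), required)
    failed = [n for n, s in after.items() if s != "enabled"]
    if failed:
        raise PrivilegeError("could not enable: " + ", ".join(failed))
    return after
```

Calling `enable_or_raise()` before `LogonUser` and `CreateProcessAsUser` names the absent privilege up front, instead of surfacing later as error 1314.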

0 Answers