0

Creating a token using OpenThreadToken() and then passing it to CreateProcessAsUser is failing with:

1349:The type of the token is inappropriate for its attempted use.

It is successful on one machine but failing on another Win2008R2 machine.

The DesiredAccess that is passed to OpenThreadToken is: TOKEN_QUERY|TOKEN_IMPERSONATE|TOKEN_DUPLICATE|TOKEN_ASSIGN_PRIMARY

Ɖiamond ǤeezeƦ
user5327778

2 Answers

1

There exist 2 TOKEN_TYPE values - TokenPrimary and TokenImpersonation. CreateProcessAsUser accepts only TokenPrimary. On the other side, a thread, if it has a token, always has the TokenImpersonation token type. So the token returned by OpenThreadToken is TokenImpersonation; you need to call DuplicateTokenEx(.., TokenPrimary, ); and pass this new token to CreateProcessAsUser.

--- EDIT ---

Really, beginning from Windows 7 we can also use TokenImpersonation as the parameter to CreateProcessAsUser, although MSDN writes about a primary token. But in XP/2003 another code path was used for CreateProcessAsUser - it directly called NtSetInformationProcess(,ProcessAccessToken,); -> PspSetPrimaryToken -> PspAssignPrimaryToken -> STATUS_BAD_TOKEN_TYPE

RbMm
  • But I am seeing this issue on only one machine; it is passing on the other machine. Is there any registry entry that may be creating the problem on that machine? – user5327778 Sep 28 '16 at 11:13
  • Any registry entry is unrelated here. The token returned by OpenThreadToken must not work with CreateProcessAsUser anywhere (maybe XP only, where there is another implementation of CreateProcessAsUser - first create the process, then try to assign the token to it). And you do not show your own code – RbMm Sep 28 '16 at 11:23
  • Is there any other way than DuplicateTokenEx() to convert an impersonation token into a primary token? – user5327778 Sep 28 '16 at 12:25
  • @RbMm Is there a working code example for this? – T.s. Arun Mar 18 '21 at 07:23
  • @T.s.Arun - example for what? – RbMm Mar 18 '21 at 09:39
  • For PspSetPrimaryToken. I have used NtSetInformationProcess to assign a token to the suspended process. But the suspended process crashes when resumed, not right away, but when I tried to fetch the process token and print its privileges it crashed. I haven't tried using PspSetPrimaryToken. So it would be helpful if there is an example to refer to. @RbMm – T.s. Arun Mar 19 '21 at 10:29
0

The target thread is impersonating at the time of the call, so you're getting the wrong token. Using OpenProcessToken() instead of OpenThreadToken() should resolve the problem. If for some reason you only have the thread ID and not the process ID, GetProcessIdOfThread() will bridge the gap.

Alternatively, if you had some reason for wanting to use the impersonation token you would have to use DuplicateTokenEx() to convert it into a primary token. But this is unlikely to be what you want to do, because it introduces a race condition, since you would typically have no way to know when the target thread is impersonating the right user. Also, it will not work at all if the thread turns out to be impersonating at the anonymous level.

(This race condition is probably also why it seems to be working on some machines but not others, although it might also be that the impersonation takes place only on certain Windows versions.)

Harry Johnston
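
Added example (not part of either answer and not the asker's code): the sequence both answers describe, in C, for the calling thread's own impersonation token, so the caller knows which user is being impersonated. The names plan_for_token and launch_with_thread_token are hypothetical; the Win32 part compiles only on Windows.

```c
/* Added example: turn a thread token into one CreateProcessAsUser accepts. */
#ifdef _WIN32
#include <windows.h>
#endif

enum token_plan { USE_AS_IS, DUPLICATE_TO_PRIMARY, REFUSE };

/* Hypothetical helper. type: 1 = TokenPrimary, 2 = TokenImpersonation;
   level: 0 = SecurityAnonymous (numeric values of the Win32 enums). */
enum token_plan plan_for_token(int type, int level)
{
    if (type == 1) return USE_AS_IS;
    if (type == 2 && level > 0) return DUPLICATE_TO_PRIMARY;
    return REFUSE;              /* anonymous level or unknown type */
}

#ifdef _WIN32
/* Launch cmdline (a writable buffer) as the user this thread impersonates. */
BOOL launch_with_thread_token(wchar_t *cmdline)
{
    HANDLE tok = NULL, primary = NULL;
    TOKEN_TYPE type; SECURITY_IMPERSONATION_LEVEL level = SecurityAnonymous;
    DWORD len; BOOL ok = FALSE;
    STARTUPINFOW si = { sizeof si }; PROCESS_INFORMATION pi;

    if (!OpenThreadToken(GetCurrentThread(),
            TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY, TRUE, &tok))
        return FALSE;           /* ERROR_NO_TOKEN: thread is not impersonating */
    if (!GetTokenInformation(tok, TokenType, &type, sizeof type, &len)) goto done;
    if (type == TokenImpersonation && !GetTokenInformation(tok,
            TokenImpersonationLevel, &level, sizeof level, &len)) goto done;

    switch (plan_for_token((int)type, (int)level)) {
    case USE_AS_IS: primary = tok; break;
    case DUPLICATE_TO_PRIMARY:   /* the conversion step from the answers */
        if (!DuplicateTokenEx(tok, MAXIMUM_ALLOWED, NULL,
                SecurityImpersonation, TokenPrimary, &primary)) goto done;
        break;
    default: SetLastError(ERROR_BAD_TOKEN_TYPE); goto done;   /* 1349 */
    }
    ok = CreateProcessAsUserW(primary, NULL, cmdline, NULL, NULL, FALSE,
                              0, NULL, NULL, &si, &pi);
    if (ok) { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); }
done:
    if (primary && primary != tok) CloseHandle(primary);
    if (tok) CloseHandle(tok);
    return ok;
}
#endif
```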