
I am trying to create a Python script to start a process as a user (in the future this code will be run from session 0 by a Windows service). For this I decided to use win32api.

But I have an error:

```
win32process.CreateProcessAsUser(token, None, "c:\\windows\\notepad.exe", None, None, 0, 0, None, None, startup)
pywintypes.error: (1314, 'CreateProcessAsUser', 'A required privilege is not held by the client.')
```

What privilege? I think I have already given all privileges, if I understand this correctly.

My code:

```python
import win32con
import win32process
import win32security
import win32api


def adjust_privilege(privilege, enable=1):
    # Open the current process token with rights to query and adjust privileges.
    flags = win32security.TOKEN_ADJUST_PRIVILEGES | win32security.TOKEN_QUERY
    htoken = win32security.OpenProcessToken(
        win32api.GetCurrentProcess(), flags)
    # Translate the privilege name into its LUID.
    luid = win32security.LookupPrivilegeValue(None, privilege)
    if enable:
        new_privilege = [(luid, win32security.SE_PRIVILEGE_ENABLED)]
    else:
        new_privilege = [(luid, 0)]
    # Note: the outcome of this call is not checked here.
    win32security.AdjustTokenPrivileges(htoken, 0, new_privilege)


if __name__ == "__main__":
    adjust_privilege(win32security.SE_TCB_NAME)
    adjust_privilege(win32security.SE_ASSIGNPRIMARYTOKEN_NAME)
    adjust_privilege(win32security.SE_INCREASE_QUOTA_NAME)

    user = "username"
    password = "password"
    domain = "domain"
    logontype = win32con.LOGON32_LOGON_INTERACTIVE
    provider = win32con.LOGON32_PROVIDER_WINNT50
    # Log the user on and obtain a token for the new process.
    token = win32security.LogonUser(user, domain, password, logontype, provider)
    startup = win32process.STARTUPINFO()
    startup.dwFlags = win32process.STARTF_USESHOWWINDOW
    startup.wShowWindow = win32con.SW_SHOW
    # Backslash escaped so the desktop name is passed literally.
    startup.lpDesktop = 'winsta0\\default'
    win32process.CreateProcessAsUser(token, None, "c:\\windows\\notepad.exe", None, None, 0, 0, None, None, startup)
```

I would really appreciate any help.

Evgeny
  • Simply read MSDN at the very beginning: *Typically, the process that calls the `CreateProcessAsUser` function must have the `SE_INCREASE_QUOTA_NAME` privilege and may require the `SE_ASSIGNPRIMARYTOKEN_NAME` privilege*. And in your case you need to use `CreateProcessWithLogonW` instead of `LogonUser + CreateProcessAsUser`. – RbMm Jan 17 '20 at 13:40
  • And you do not check the result of `AdjustTokenPrivileges`: if you **try** to get `SE_ASSIGNPRIMARYTOKEN_NAME`, this does not yet mean that you really got it (TCB is not needed here). – RbMm Jan 17 '20 at 13:43

1 Answer


First, here is an example on MSDN: Starting an Interactive Client Process.

Second, as @RbMm pointed out:

> you need to use `CreateProcessWithLogonW` instead of `LogonUser + CreateProcessAsUser`

According to the documentation:

> If this function fails with ERROR_PRIVILEGE_NOT_HELD (1314), use the CreateProcessWithLogonW function instead.

This seems to be an example used in Python.

Other useful articles:

Launching an interactive process from Windows Service in Windows Vista and later

Drake Wu
  • Thanks for the useful information. I tried example 1.A from this [link](https://blogs.msdn.microsoft.com/winsdk/2009/07/14/launching-an-interactive-process-from-windows-service-in-windows-vista-and-later/): launch a hidden temporary process as explained in step 1.A. I. Get the user token by calling `WTSQueryUserToken(WTSGetActiveConsoleSessionId(), &hToken);` II. Use this token in `CreateProcessAsUser` to launch the temporary process. But I had the same problems with privileges. – Evgeny Jan 20 '20 at 09:48
  • According to the [return value](https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokenprivileges#return-value) in the docs: **To determine whether the function adjusted all of the specified privileges, call GetLastError, which returns one of the following values when the function succeeds**. If error == `ERROR_NOT_ALL_ASSIGNED`: The token does not have one or more of the privileges specified in the NewState parameter. The function may succeed with this error value even if no privileges were adjusted. – Drake Wu Jan 21 '20 at 06:02
  • It is recommended to use `CreateProcessWithLogonW` according to the documentation. – Drake Wu Jan 21 '20 at 06:07
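
The check the comments above ask for, as an added example that is not part of the original posts: it tries to enable the privileges the documentation names for `CreateProcessAsUser`, then reads the token back with `GetTokenInformation` (instead of calling `GetLastError`) to see which ones the process really holds. It assumes pywin32 on Windows; the function names and the `sec`/`api` parameters are hypothetical, present only so the logic can be exercised with stand-in objects.

```python
# Added example, not code from the thread. Needs pywin32 on Windows.

# Privileges the quoted documentation names for CreateProcessAsUser.
REQUIRED = ("SeIncreaseQuotaPrivilege", "SeAssignPrimaryTokenPrivilege")


def enable_and_verify(names=REQUIRED, sec=None, api=None):
    """Try to enable each privilege, then read the token back.

    Returns {name: "enabled" | "held but disabled" | "not held"}.
    sec/api (hypothetical parameters) default to win32security/win32api.
    """
    if sec is None or api is None:
        import win32api as api          # pywin32, Windows only
        import win32security as sec
    token = sec.OpenProcessToken(
        api.GetCurrentProcess(),
        sec.TOKEN_ADJUST_PRIVILEGES | sec.TOKEN_QUERY)
    luids = {name: sec.LookupPrivilegeValue(None, name) for name in names}
    # AdjustTokenPrivileges does not fail when a requested privilege is
    # absent from the token, so a clean return proves nothing by itself.
    sec.AdjustTokenPrivileges(
        token, False,
        [(luid, sec.SE_PRIVILEGE_ENABLED) for luid in luids.values()])
    # Ground truth: (LUID, attributes) pairs actually present on the token.
    present = dict(sec.GetTokenInformation(token, sec.TokenPrivileges))
    status = {}
    for name, luid in luids.items():
        if luid not in present:
            status[name] = "not held"
        elif present[luid] & sec.SE_PRIVILEGE_ENABLED:
            status[name] = "enabled"
        else:
            status[name] = "held but disabled"
    return status


def missing(status):
    """Requested privileges that are not enabled on the token."""
    return sorted(n for n, s in status.items() if s != "enabled")


if __name__ == "__main__":
    report = enable_and_verify()
    for name, state in report.items():
        print(f"{name}: {state}")
    if missing(report):
        print("Not enabled:", ", ".join(missing(report)))
```

A privilege reported as "not held" cannot be switched on from inside the process; it has to be granted to the account the process runs as.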