
I can launch a low integrity process with SysInternals' PsExec:

psexec -l cmd

And a restricted process with

runas /t:0x10000 cmd

What is the difference between Low Integrity Level and Restricted?

Why use one or the other? Aren't they redundant? Why have two ways?

Gerardo Grignoli

  • Hi downvoters. I'd rather not post this question on SuperUser since this information is useful to secure my application design and I doubt the audience in SU has this kind of knowledge on operating system security tokens. – Gerardo Grignoli Feb 13 '20 at 01:17
  • I've never heard of *"Restricted"*. Is it an integrity level? The documentation of `runas` doesn't have any mention of it. The `/showtrustlevels` doesn't show it. The [well-known SIDs don't include it](https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids). – Ian Boyd Mar 16 '20 at 02:49
  • `/t:0x10000` doesn't lower the token's integrity level, so the process is in a mixed state. It uses a [restricted token](https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-createrestrictedtoken), which has all privileges stripped except for SeChangeNotifyPrivilege, the administrators group set to deny only, and all other groups copied to the token's list of restricting SIDs. The latter also contains "NT AUTHORITY\RESTRICTED" (S-1-5-12), which allows denying access to restricted processes. Also, for a console app it sets the title to indicate it's restricted. – Eryk Sun May 16 '20 at 11:04
  • `/t:0x20000` strips privileges except for SeChangeNotifyPrivilege and sets the administrators group to deny only, but it does not set restricting SIDs. `/t:0x40000` apparently runs without restrictions, at least none that I can determine. – Eryk Sun May 16 '20 at 11:11
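The token properties the comments above talk about (integrity label, deny-only groups, restricting SIDs) can be read straight from the process token. The following PowerShell script is an added example, not code from the question or its commenters; it calls `GetTokenInformation` on the current process token so you can run it inside the shell started by `psexec -l cmd` and again inside the one started by `runas /t:0x10000 cmd` and compare the two outputs. The expected values noted in the comments (a low label in the first case, `BUILTIN\Administrators` deny-only plus a non-empty restricting-SID list containing S-1-5-12 in the second) are taken from the comments, not independently verified here.

```powershell
# Added example (not from the question or its commenters): dump the token facets
# that differ between "psexec -l cmd" and "runas /t:0x10000 cmd".
# Run it from a powershell.exe started inside each spawned shell and compare.
Add-Type -Namespace Tok -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr h, int cls, IntPtr buf, int len, out int need);
'@
$M = [Runtime.InteropServices.Marshal]

# Query one TOKEN_INFORMATION_CLASS for the current process token (size-probe, then fill).
function Get-TokenBuffer([int]$Class) {
    $h = [Security.Principal.WindowsIdentity]::GetCurrent().Token
    $need = 0
    [void][Tok.Native]::GetTokenInformation($h, $Class, [IntPtr]::Zero, 0, [ref]$need)
    $buf = $M::AllocHGlobal($need)
    if (-not [Tok.Native]::GetTokenInformation($h, $Class, $buf, $need, [ref]$need)) {
        throw "GetTokenInformation($Class) failed, Win32 error $($M::GetLastWin32Error())"
    }
    $buf
}

# TokenGroups (class 2) and TokenRestrictedSids (class 11) share one layout:
# DWORD count, then pointer-aligned SID_AND_ATTRIBUTES entries {PSID, DWORD attrs}.
function Read-SidList([int]$Class) {
    $buf = Get-TokenBuffer $Class
    $n = $M::ReadInt32($buf); $p = [IntPtr]::Size
    for ($i = 0; $i -lt $n; $i++) {
        $e = [IntPtr]::Add($buf, $p + $i * 2 * $p)
        $sid = New-Object Security.Principal.SecurityIdentifier($M::ReadIntPtr($e))
        $attr = $M::ReadInt32($e, $p)                       # SE_GROUP_USE_FOR_DENY_ONLY = 0x10
        try { $name = $sid.Translate([Security.Principal.NTAccount]).Value } catch { $name = '?' }
        [pscustomobject]@{ Sid = $sid.Value; Name = $name; DenyOnly = [bool]($attr -band 0x10) }
    }
    $M::FreeHGlobal($buf)
}

# TokenIntegrityLevel (class 25) returns TOKEN_MANDATORY_LABEL, whose SID is
# S-1-16-<RID>; the RID is the level (0x1000 low, 0x2000 medium, 0x3000 high).
$buf = Get-TokenBuffer 25
$label = New-Object Security.Principal.SecurityIdentifier($M::ReadIntPtr($buf))
$M::FreeHGlobal($buf)
$rid = [int]($label.Value -replace '^S-1-16-', '')
$levels = @{ 0 = 'Untrusted'; 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }
"Integrity level : $($label.Value) ($($levels[$rid]))"
"`nDeny-only groups (the comments above expect BUILTIN\Administrators here under /t:0x10000):"
Read-SidList 2 | Where-Object DenyOnly | Format-Table Sid, Name -AutoSize
"`nRestricting SIDs (empty unless the token is a restricted token; expect S-1-5-12 under /t:0x10000):"
Read-SidList 11 | Format-Table Sid, Name -AutoSize
```

`Add-Type` compiles through a temporary file in `%TEMP%`, which a low-integrity process typically cannot write, so inside the `psexec -l` shell read the label from the `Mandatory Label` row of `whoami /groups` instead; privileges, which the script does not list, are visible with `whoami /priv`.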
