Disclaimer: I'm asking specifically on Stack Overflow because I want to know how to re-implement this feature.
We recently noticed that the Sysinternals tool pskill can kill an elevated process from a non-elevated context.
Specifically, if you open a program with Run-As-Administrator and then run a normal shell (non-elevated) and try to kill that RunAs program (e.g. another cmd.exe) via pskill, it will succeed.
Note: Both PowerShell Stop-Process and the taskkill.exe utility cannot do this.
Killing Windows Services running as NT-Auth/System ~ Session 0 still gives access denied from a non-elevated context though, even with pskill, which is fine.
Which Windows API is used here? Our tooling uses OpenProcess(PROCESS_ALL_ACCESS... and TerminateProcess but this only works on the same elevation level.