How does pskill work across the UAC/elevation boundary?

Question

Disclaimer: I'm asking specifically on Stackoverflow because I want to know how to re-implement this feature.

We recently noticed that the Sysinternals tool pskill can kill an elevated process from a non-elevated context.

Specifically, if you open a program with Run-As-Administrator and then run a normal shell (non-elevated) and try to kill that RunAs programm (e.g. another cmd.exe) via pskill, it will succeed.

Note: Both Powershell Stop-Process and the taskkill.exe utility cannot do this.

Killing Windows Services running as NT-Auth/System ~ Session 0 still gives access denied from a non-elevated context though, even with pskill, which is fine.

Which Windows API is used here? Our tooling uses OpenProcess(PROCESS_ALL_ACCESS... and TerminateProcess but this only works on the same elevation level.

Debug it and set a breakpoint on OpenProcess? – Anders Jan 26 '23 at 12:12 — Anders, Jan 26 '23 at 12:12
Debug with http://www.rohitab.com/apimonitor / OpenProcess – mwallner Jan 26 '23 at 13:44 — mwallner, Jan 26 '23 at 13:44

RbMm · Accepted Answer · 2023-01-27T10:42:06.177

3

really nothing strange. pskill try open process with PROCESS_TERMINATE|SYNCHRONIZE access. which is ok. by default elevated process grant

PROCESS_ALL_ACCESS to BUILTIN\Administrators (S-1-5-32-544) and NT AUTHORITY\SYSTEM (S-1-5-18)

also mandatory label set for SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP for Mandatory Label\High Mandatory Level - this disable all generic read and generic write access for tokens with low integrity level than High. so this label disable READ_CONTROL|PROCESS_QUERY_INFORMATION|PROCESS_VM_READ as part of general read access for process. but we still have SYNCHRONIZE|PROCESS_QUERY_LIMITED_INFORMATION|PROCESS_TERMINATE as maximum access. and this is enough for terminate.

so even if we run as low integrity process, but in the same logon session - we still can kill elevated process

edited Jan 27 '23 at 10:42

answered Jan 27 '23 at 01:12

RbMm

31,280
3
35
56

`SYNCHRONIZE|PROCESS_QUERY_LIMITED_INFORMATION|PROCESS_TERMINATE` works for me, thanks! ... But I have to skip `READ_CONTROL`: Adding that flag I'll get ERROR_ACCESS_DENIED! – Martin Ba Jan 27 '23 at 10:12
1

@MartinBa - you really need only `PROCESS_TERMINATE` access. about `READ_CONTROL` - i was incorrect in the last part of answer. the mandatory label disable all generic read and generic write access to process. so need remove this access from request. the `READ_CONTROL` is part of generic read. i will modify answer – RbMm Jan 27 '23 at 10:36
thank for the additional info. I personally also "need" SYNC, because I want to wait for the process handle after I issue TerminateProcess. But good to know. – Martin Ba Jan 27 '23 at 10:40
1

@MartinBa - you can open process with `SYNCHRONIZE|PROCESS_QUERY_LIMITED_INFORMATION|PROCESS_TERMINATE` from the same logon session. – RbMm Jan 27 '23 at 10:43
DACL give `SYNCHRONIZE|READ_CONTROL|PROCESS_QUERY_LIMITED_INFORMATION|PROCESS_QUERY_INFORMATION|PROCESS_VM_READ|PROCESS_TERMINATE` for the logon session sid and label remove `READ_CONTROL|PROCESS_QUERY_INFORMATION|PROCESS_VM_READ` from this – RbMm Jan 27 '23 at 10:44

How does pskill work across the UAC/elevation boundary?

1 Answers1