1

I want to start a non-elevated process from an elevated one. I've accomplished this using SaferComputeTokenFromLevel. It appears to be working,since:

C:\>whoami /groups | findstr BUILTIN\Administrators
BUILTIN\Administrators     Alias    S-1-5-32-544    Group used for deny only

Deny only is there. So I am not admin.

  • 1) Why the (supodsedly) non-admin process Console Host Window shows as "Administrator:" in the title?

I even used SetTokenInformation to set it to medium integrity. It works but still showing as 'Administrator' even if it's not admin.

Then, if that non-admin process wants to start an elevated process again via ShellExecute with Verb=RunAs (with powershell -C Start-Process -Verb RunAs -FilePath CMD.EXE) the UAC popup doesn't appears, and the process is started but not elevated, not-admin.

  • 2) Why does this happens? (linked token maybe?)
  • 3) Finally, how can I launch a non-elevated process, that can use the RunAs verb to trigger an UAC and elevate succesfully?

Full Repro code (Run as admin!)

using Microsoft.Win32.SafeHandles;
using System;
using System.ComponentModel;
using System.Globalization;
using System.Runtime.InteropServices;

namespace SaferRepro
{
    class Program
    {
        static void Main(string[] args)
        {
            string appToRun = "CMD.EXE";
            string arguments = String.Empty;
            bool newWindow = true, hidden = false;
            var startupFolder = Environment.CurrentDirectory;
            int mediumIntegrity = 8192;

            using (var newToken = GetTokenFromSaferApi())
            {
                AdjustedTokenIntegrity(newToken, mediumIntegrity); // optional, launch as medium integrity process.
                var process = StartWithToken(newToken, appToRun, arguments, startupFolder, newWindow, hidden);
                GetProcessWaitHandle(process.DangerousGetHandle()).WaitOne();
            }
        }

        private static SafeTokenHandle GetTokenFromSaferApi()
        {
            IntPtr hSaferLevel;
            SafeTokenHandle hToken;

            SaferLevels level = SaferLevels.NormalUser;

            if (!NativeMethods.SaferCreateLevel(SaferScopes.User, level, 1, out hSaferLevel, IntPtr.Zero))
                throw new Win32Exception();

            if (!NativeMethods.SaferComputeTokenFromLevel(hSaferLevel, IntPtr.Zero, out hToken, SaferComputeTokenFlags.None, IntPtr.Zero))
                throw new Win32Exception();

            if (!NativeMethods.SaferCloseLevel(hSaferLevel))
                throw new Win32Exception();

            return hToken;
        }

        private static SafeProcessHandle StartWithToken(SafeTokenHandle newToken, string appToRun, string args, string startupFolder, bool newWindow, bool hidden)
        {
            var si = new STARTUPINFO();

            if (newWindow)
            {
                si.dwFlags = 0x00000001; // STARTF_USESHOWWINDOW
                si.wShowWindow = (short)(hidden ? 0 : 1);
            }

            si.cb = Marshal.SizeOf(si);

            var pi = new PROCESS_INFORMATION();
            uint dwCreationFlags = newWindow ? (uint)0x00000010 /*CREATE_NEW_CONSOLE*/: 0;

            if (!NativeMethods.CreateProcessAsUser(newToken, null, $"{appToRun} {args}",
                IntPtr.Zero, IntPtr.Zero, false, dwCreationFlags, IntPtr.Zero, startupFolder, ref si,
                out pi))
            {
                throw new Win32Exception();
            }

            NativeMethods.CloseHandle(pi.hThread);
            return new SafeProcessHandle(pi.hProcess, true);
        }

        private static bool AdjustedTokenIntegrity(SafeTokenHandle newToken, int integrityLevel)
        {
            string integritySid = "S-1-16-" + (integrityLevel.ToString(CultureInfo.InvariantCulture));
            IntPtr pIntegritySid;
            if (!NativeMethods.ConvertStringSidToSid(integritySid, out pIntegritySid))
                return false;

            TOKEN_MANDATORY_LABEL TIL = new TOKEN_MANDATORY_LABEL();
            TIL.Label.Attributes = 0x00000020 /* SE_GROUP_INTEGRITY */;
            TIL.Label.Sid = pIntegritySid;

            var pTIL = Marshal.AllocHGlobal(Marshal.SizeOf<TOKEN_MANDATORY_LABEL>());
            Marshal.StructureToPtr(TIL, pTIL, false);

            if (!NativeMethods.SetTokenInformation(newToken.DangerousGetHandle(),
               TOKEN_INFORMATION_CLASS.TokenIntegrityLevel,
               pTIL,
               (uint)(Marshal.SizeOf<TOKEN_MANDATORY_LABEL>() + NativeMethods.GetLengthSid(pIntegritySid))))
                return false;

            return true;
        }

        public static System.Threading.AutoResetEvent GetProcessWaitHandle(IntPtr processHandle) =>
            new System.Threading.AutoResetEvent(false)
            {
                SafeWaitHandle = new SafeWaitHandle(processHandle, ownsHandle: false)
            };
    }

    internal class SafeTokenHandle : SafeHandleZeroOrMinusOneIsInvalid
    {
        internal SafeTokenHandle(IntPtr handle) : base(true)
        {
            base.SetHandle(handle);
        }

        private SafeTokenHandle() : base(true) { }

        protected override bool ReleaseHandle()
        {
            return NativeMethods.CloseHandle(base.handle);
        }
    }

    static class NativeMethods
    {
        [DllImport("kernel32.dll", SetLastError = true)]
        internal static extern bool CloseHandle(IntPtr hObject);

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        public static extern bool CreateProcessAsUser(
             SafeTokenHandle hToken,
             string applicationName,
             string commandLine,
             IntPtr pProcessAttributes,
             IntPtr pThreadAttributes,
             bool bInheritHandles,
             uint dwCreationFlags,
             IntPtr pEnvironment,
             string currentDirectory,
             ref STARTUPINFO startupInfo,
             out PROCESS_INFORMATION processInformation);

        #region Safer

        [DllImport("advapi32", SetLastError = true, CallingConvention = CallingConvention.StdCall)]
        public static extern bool SaferCreateLevel(
            SaferScopes dwScopeId,
            SaferLevels dwLevelId,
            int OpenFlags,
            out IntPtr pLevelHandle,
            IntPtr lpReserved);

        [DllImport("advapi32", SetLastError = true, CallingConvention = CallingConvention.StdCall)]
        public static extern bool SaferCloseLevel(
            IntPtr pLevelHandle);

        [DllImport("advapi32", SetLastError = true, CallingConvention = CallingConvention.StdCall)]
        public static extern bool SaferComputeTokenFromLevel(
          IntPtr levelHandle,
          IntPtr inAccessToken,
          out SafeTokenHandle outAccessToken,
          SaferComputeTokenFlags dwFlags,
          IntPtr lpReserved
        );

        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool ConvertStringSidToSid(
            string StringSid,
            out IntPtr ptrSid
            );

        [DllImport("advapi32.dll")]
        public static extern int GetLengthSid(IntPtr pSid);

        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern Boolean SetTokenInformation(IntPtr TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass,
            IntPtr TokenInformation, UInt32 TokenInformationLength);
        #endregion
    }

    [Flags]
    public enum SaferLevels : uint
    {
        Disallowed = 0,
        Untrusted = 0x1000,
        Constrained = 0x10000,
        NormalUser = 0x20000,
        FullyTrusted = 0x40000
    }
    [Flags]
    public enum SaferComputeTokenFlags : uint
    {
        None = 0x0,
        NullIfEqual = 0x1,
        CompareOnly = 0x2,
        MakeIntert = 0x4,
        WantFlags = 0x8
    }

    [Flags]
    public enum SaferScopes : uint
    {
        Machine = 1,
        User = 2
    }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    internal struct STARTUPINFO
    {
        public Int32 cb;
        public string lpReserved;
        public string lpDesktop;
        public string lpTitle;
        public Int32 dwX;
        public Int32 dwY;
        public Int32 dwXSize;
        public Int32 dwYSize;
        public Int32 dwXCountChars;
        public Int32 dwYCountChars;
        public Int32 dwFillAttribute;
        public Int32 dwFlags;
        public Int16 wShowWindow;
        public Int16 cbReserved2;
        public IntPtr lpReserved2;
        public IntPtr hStdInput;
        public IntPtr hStdOutput;
        public IntPtr hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    internal struct PROCESS_INFORMATION
    {
        public IntPtr hProcess;
        public IntPtr hThread;
        public int dwProcessId;
        public int dwThreadId;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_MANDATORY_LABEL
    {

        public SID_AND_ATTRIBUTES Label;

    }

    [StructLayout(LayoutKind.Sequential)]
    public struct SID_AND_ATTRIBUTES
    {
        public IntPtr Sid;
        public uint Attributes;
    }

    // Integrity Levels
    public enum TOKEN_INFORMATION_CLASS
    {
        TokenUser = 1, TokenGroups, TokenPrivileges, TokenOwner, TokenPrimaryGroup, TokenDefaultDacl, TokenSource, TokenType, TokenImpersonationLevel, TokenStatistics, TokenRestrictedSids, TokenSessionId, TokenGroupsAndPrivileges, TokenSessionReference, TokenSandBoxInert, TokenAuditPolicy, TokenOrigin, TokenElevationType, TokenLinkedToken, TokenElevation, TokenHasRestrictions, TokenAccessInformation, TokenVirtualizationAllowed, TokenVirtualizationEnabled, TokenIntegrityLevel, TokenUIAccess, TokenMandatoryPolicy, TokenLogonSid, MaxTokenInfoClass
    }
}
Gerardo Grignoli
  • 14,058
  • 7
  • 57
  • 68
  • 1
    https://blog.nextxpert.com/2012/06/09/case-of-the-unexplained-whoami-exe-and-the-deny-flag/ – Hans Passant Feb 28 '20 at 16:02
  • Interesting @HansPassant. `WhoAmI` not to be trusted. Using `Process Explorer` the deny only is there as well. – Gerardo Grignoli Feb 28 '20 at 17:18
  • Related [comment](https://stackoverflow.com/questions/36752182/create-a-low-medium-process-from-a-elevated-process-with-createrestrictedtokenl#comment104907895_36752182) Now wondering how to get `SeTcbPrivilege` on an elevated process. Wondering if impersonating system would work. – Gerardo Grignoli Feb 28 '20 at 17:20
  • This unresolved [thread from 2006](https://social.msdn.microsoft.com/Forums/en-US/20a2d22b-6de6-449a-82f8-6b17e6ccd5be/how-to-createprocess-not-as-administrator?forum=windowssecurity) is very interesting but no solution. – Gerardo Grignoli Feb 28 '20 at 17:21
  • 1
    See [How can I launch an unelevated process from my elevated process and vice versa?](https://devblogs.microsoft.com/oldnewthing/20131118-00/?p=2643) and [How can I launch an unelevated process from my elevated process, redux](https://devblogs.microsoft.com/oldnewthing/20190425-00/?p=102443) – Remy Lebeau Feb 28 '20 at 19:04
  • The approach explained in the 'redux' link may work for me. Let me test it and let you know. – Gerardo Grignoli Feb 28 '20 at 19:30
  • 1
    @GerardoGrignoli Has this issue been solved? – Rita Han Mar 02 '20 at 04:57
  • @RitaHan-MSFT, the 'redux' example works, but the new process must be spawn on a new console window, and it's parent id is Explorer. Not exactly what I was looking for. – Gerardo Grignoli Mar 02 '20 at 07:01
  • Thanks @RitaHan-MSFT, but I am trying to do the oppossite: "I want to start a non-elevated process from an elevated one.". My program runs under admin privileges, but I want to run another process with lower privileges just in case because its not trusted. – Gerardo Grignoli Mar 03 '20 at 03:04
  • @GerardoGrignoli So you want the parent of the non-elevated process is your launcher program which runs under admin privileges? – Rita Han Mar 03 '20 at 06:26
  • @GerardoGrignoli A "**non-admin process Console Host Window shows as "Administrator:" in the title**", this seems an issue and I've report internally. – Rita Han Mar 17 '20 at 01:04
  • @GerardoGrignoli You may not launch a non-elevated process from an elevated one consider for security. It is suggested to start the none elevated process from an none elevated. – Rita Han Mar 17 '20 at 01:13
  • I was able to do it. First I had to impersonate system, then enable SeIncreaseQuotaPrivilege and SeAssignPrimaryTokenPrivilege, then get process token (elevated but not system), then get it's linked token (non elevated user token), then DuplicateToken, and finally use it with CreateProcessAsUser. @RitaHan-MSFT – Gerardo Grignoli Mar 17 '20 at 02:55
  • @RitaHan-MSFT regarding `this seems an issue and I've report internally` I think the issue to report is that Safer Api does not return a clean unelevated token when using `SaferLevels.NormalUser`, and because of that that token can't use the `RunAs` Verb sucessfully. Thanks for your support! – Gerardo Grignoli Mar 17 '20 at 02:59

1 Answers1

1

When your a token is elevated, it seems it can't be altered to unflag it's elevated flag status it. You can remove membership from Local Admins (actually set it as Deny Only), or set Integrity to Medium, but it will still be flagged as elevated (even without admin privileges). With this flag set, the RunAs Verb will not elevate.

Your options are:

  • Get explorer.exe token and assume it's not elevated. (its elevated if UAC is disabled or if the user .

  • If UAC is enabled, the elevated token has a link to the unelevated token that you can fetch with GetTokenInformation with TOKEN_INFORMATION_CLASS.TokenLinkedToken.

  • If UAC is disabled there is no linked token. My question doesn't really apply, since the UAC popup is disabled, will never show. FYI you can use SaferApi to create a non-admin token with the elevated flag set, but it's RunAs attempts will fail.

If you want to see how I coded this, check gsudo (a sudo for windows) that I am working on:

https://github.com/gerardog/gsudo/blob/dev/src/gsudo/Tokens/TokenManager.cs https://github.com/gerardog/gsudo/blob/dev/src/gsudo/Helpers/ProcessFactory.cs#L182

or check this other great answer

Gerardo Grignoli
  • 14,058
  • 7
  • 57
  • 68