Process Hacker and Windows discussion

keremg
Plugin Developer
Posts: 149
Location: Germany

Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

24 Oct 2012, 15:56

Hi,

For some special device operation with Zw/NtPlugPlayControl(...) I need to have the SeTcbPrivilege, which is only held by some service/process running in "NT AUTHORITY\SYSTEM". The privilege can be enabled for the admin users by setting some group policy property, but this is not the way you will do that if you need to be able to run that from code. There are some ways of gaining access or starting a process with the LocalSystem user, like running it from task scheduler or creating a service and starting the operation from within. The last one I am aware of is by doing some OpenProcess->OpenProcessToken->DuplicateToken->ImpersonateLoggedOnUser[DO WORK HERE]->RevertToSelf, but this also needs me to walk the running service processes until I find a candidate and then duplicate the token from there. Is there any other "better" way to do this, maybe some other API or method? I need to run some code inside some thread that will call this function.

Thanks in advance,...

K.
 
Zorkov Igor
Member
Posts: 113
OS: Windows 7, 10
Location: Великая Русь

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

25 Oct 2012, 05:17

Run process as SYSTEM
Attachments
run-as-system.zip
 
keremg
Plugin Developer
Posts: 149
Location: Germany

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

25 Oct 2012, 12:00

Zorkov Igor wrote:
Run process as SYSTEM
That's nice code, thank you. :thumbup:
 
keremg
Plugin Developer
Posts: 149
Location: Germany

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

25 Oct 2012, 13:52

Zorkov Igor wrote:
Run process as SYSTEM

Uhh... it's Pascal... :o :D
 
Zorkov Igor
Member
Posts: 113
OS: Windows 7, 10
Location: Великая Русь

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

25 Oct 2012, 14:09

There is not a lot of code to translate.
 
keremg
Plugin Developer
Posts: 149
Location: Germany

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

25 Oct 2012, 16:15

Zorkov Igor wrote:
There is not a lot of code to translate.
I am not used to reading/writing Pascal, but it's pretty easy to understand and I already made it work. Thank you. I do have a question on the CreateProcessAsSystemW_XP function: Why do I have to impersonate the current running thread into the system account and then call CreateProcessAsUserW() on Windows XP based systems? Isn't just calling CreateProcessAsUserW() with the token sufficient here? Why impersonate the thread first and then call the function and finally revert for sure?
 
keremg
Plugin Developer
Posts: 149
Location: Germany

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

02 Nov 2012, 05:09

Zorkov Igor wrote:
There is not a lot of code to translate.
The code works perfectly, thank you again. I have one more question: How can I enable a single Token Privilege that is available but disabled by default on the acquired token?

Thanks in advance,...

K.
 
wj32
Founder
Posts: 948
OS: Windows
Location: Australia

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

06 Nov 2012, 04:46

What's wrong with using AdjustTokenPrivileges?
 
keremg
Plugin Developer
Posts: 149
Location: Germany

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

06 Nov 2012, 06:40

wj32 wrote:
What's wrong with using AdjustTokenPrivileges?
Yes, that's it, you are right :-D
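For the AdjustTokenPrivileges answer above, here is an added Free Pascal example (not code from the thread's attachment or from Process Hacker) that enables one named privilege on a token and checks the outcome properly: AdjustTokenPrivileges returns TRUE even when the privilege is not in the token at all, so the caller has to inspect GetLastError for ERROR_NOT_ALL_ASSIGNED. It assumes Free Pascal's Windows unit and uses the current process token as the demo target, where SeTcbPrivilege is normally reported as not held.

```pascal
program EnablePrivilege;
{$MODE DELPHI}
{$APPTYPE CONSOLE}
uses
  Windows;

type
  { Tells "privilege not held by the token" apart from "API call failed". }
  TPrivResult = (prEnabled, prNotHeld, prApiError);
{ Enables one named privilege on hToken, which must have been opened or
  duplicated with TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY. Pitfall handled:
  AdjustTokenPrivileges returns TRUE even if the privilege is absent from
  the token; only GetLastError = ERROR_NOT_ALL_ASSIGNED reveals that. }
function EnableTokenPrivilege(hToken: THandle; const PrivName: AnsiString): TPrivResult;
var
  tp: TOKEN_PRIVILEGES;
  luid: LUID;
begin
  Result := prApiError;
  if not LookupPrivilegeValueA(nil, PAnsiChar(PrivName), @luid) then
    Exit;
  tp.PrivilegeCount := 1;
  tp.Privileges[0].Luid := luid;
  tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
  if not AdjustTokenPrivileges(hToken, False, @tp, SizeOf(tp), nil, nil) then
    Exit;
  case GetLastError of
    ERROR_SUCCESS:          Result := prEnabled;
    ERROR_NOT_ALL_ASSIGNED: Result := prNotHeld;
  end;
end;

var
  hToken: THandle;
begin
  { Demo on the current process token: SeTcbPrivilege comes back prNotHeld
    unless the process already runs as SYSTEM, which is why the thread
    duplicates a SYSTEM token before enabling anything on it. }
  if not OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, @hToken) then
    Halt(1);
  try
    case EnableTokenPrivilege(hToken, 'SeTcbPrivilege') of
      prEnabled:  Writeln('SeTcbPrivilege enabled');
      prNotHeld:  Writeln('SeTcbPrivilege not held by this token (ERROR_NOT_ALL_ASSIGNED)');
      prApiError: Writeln('API call failed, error ', GetLastError);
    end;
  finally
    CloseHandle(hToken);
  end;
end.
```

Pass the duplicated SYSTEM token from the thread's approach instead of the current process token and the same function enables the privilege that the poster asked about.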
