1

所以我想使用下面的这些功能从服务中执行一个流程。

  • CreateProcessAsUserW
  • WTSGetActiveConsoleSessionId
  • WTSQueryUserToken

但似乎我无法触发 CreateProcessAsUserW() ,因为 WTSQueryUserToken 以 FALSE 返回并且 ERROR_PRIVILEGE_NOT_HELD 正在窃听。

我在互联网上找到了一些线程,但这些解决方案在 Windows 7 和 Server 2008 之前。

我的代码在这里....

STARTUPINFOW        si = {0,};
PROCESS_INFORMATION pi = {0,};

HANDLE  hTokenNew   = nullptr;
HANDLE  hTokenDup   = nullptr;

HMODULE hModKernel32    = LoadLibrary(TEXT("kernel32.dll"));
HMODULE hModWtsapi32    = LoadLibrary(TEXT("Wtsapi32.dll"));
HMODULE hModUserEnv     = LoadLibrary(TEXT("Userenv.dll"));

auto lpfnWTSGetActiveConsoleSessionId   = reinterpret_cast<DWORD(*)(void)>(GetProcAddress(hModKernel32, "WTSGetActiveConsoleSessionId"));
auto lpfnWTSQueryUserToken              = reinterpret_cast<bool(*)(ULONG, PHANDLE)>(GetProcAddress(hModWtsapi32, "WTSQueryUserToken"));
auto lpfnCreateEnvironmentBlock         = reinterpret_cast<bool(*)(LPVOID*, HANDLE, bool)>(GetProcAddress(hModUserEnv, "CreateEnvironmentBlock"));
auto lpfnDestroyEnvironmentBlock        = reinterpret_cast<bool(*)(LPVOID)>(GetProcAddress(hModUserEnv, "DestroyEnvironmentBlock"));

LPVOID  pEnvironment    = nullptr;
DWORD   dwCreationFlag  = NORMAL_PRIORITY_CLASS;

DWORD dwSessionId = lpfnWTSGetActiveConsoleSessionId();

// FALSE Returned.
lpfnWTSQueryUserToken(dwSessionId, &hTokenNew); 

// 1314 : ERROR_PRIVILEGE_NOT_HELD
DWORD d = GetLastError();

// Since WTSQueryUserToken gives me FALSE and no token, the code below is meaningless.
DuplicateTokenEx(hTokenNew, MAXIMUM_ALLOWED, nullptr, SecurityIdentification, TokenPrimary, &hTokenDup);

si.cb           = sizeof(STARTUPINFO);
si.lpReserved   = nullptr;
si.lpReserved2  = nullptr;
si.cbReserved2  = 0;
si.dwFlags      = STARTF_USESHOWWINDOW;
si.wShowWindow  = SW_SHOW;
si.lpDesktop    = TEXT("winsta0\\default");

if(lpfnCreateEnvironmentBlock != nullptr)
{
    if (lpfnCreateEnvironmentBlock(&pEnvironment, hTokenDup, false))
    {
        dwCreationFlag |= CREATE_UNICODE_ENVIRONMENT;
    }
    else
    {
        pEnvironment = nullptr;
    }
}

if (!CreateProcessAsUserW(
        hTokenDup, 
        nullptr, 
        TEXT("D:\\MyProgram.exe"), 
        nullptr,
        nullptr, 
        false,
        dwCreationFlag,
        pEnvironment,
        nullptr, 
        &si, 
        &pi))
{
    return 0;
}

if(hTokenDup)
{
    CloseHandle(hTokenDup);
}

if (hTokenNew)
{
    CloseHandle(hTokenNew);
}

if (pi.hProcess)
{
    CloseHandle(pi.hProcess);
}

if (pi.hThread)
{
    CloseHandle(pi.hThread);
}

if (nullptr != pEnvironment)
{
    lpfnDestroyEnvironmentBlock(pEnvironment);
}

任何建议将不胜感激。提前致谢。

4

1 回答 1

2

根据 MSDN:“ERROR_PRIVILEGE_NOT_HELD - 调用者没有 SE_TCB_NAME 特权。”

您是否检查过您的进程是否具有 SE_TCB_NAME 权限?

于 2013-01-22T13:36:59.797 回答