Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

Process Hacker development discussion

Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

Unread postby keremg » Wed Oct 24, 2012 3:56 pm

Hi,

for some special device operation with Zw/NtPlugPlayControl(...) I need to have SeTcbPrivilege, which is only held by some services/processes running as "NT AUTHORITY\SYSTEM". The privilege can be enabled for admin users by setting some group policy property, but this is not the way you would do it if you need to be able to do that from code. There are some ways of gaining access or starting a process as the LocalSystem user, like running it from the task scheduler or creating a service and starting the operation from within it. The last one I am aware of is doing OpenProcess -> OpenProcessToken -> DuplicateToken -> ImpersonateLoggedOnUser [DO WORK HERE] -> RevertToSelf, but this also requires me to walk the running service processes until I find a candidate and then duplicate the token from there. Is there any other "better" way to do this, maybe some other API or method? I need to run some code inside some thread that will call this function.

Thanks in advance,...

K.
keremg offline
Posts: 136
Location: Germany

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

Unread postby Zorkov Igor » Thu Oct 25, 2012 5:17 am

Run process as SYSTEM
Attachments
run-as-system.zip
Zorkov Igor offline
Posts: 77
Location: Russia
OS: Windows 7, 8, 8.1

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

Unread postby keremg » Thu Oct 25, 2012 12:00 pm

Zorkov Igor wrote: Run process as SYSTEM


That's nice code, thank you. :thumbup:
keremg offline
Posts: 136
Location: Germany

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

Unread postby keremg » Thu Oct 25, 2012 1:52 pm

Zorkov Igor wrote: Run process as SYSTEM



Uhh... it's Pascal... :o :D
keremg offline
Posts: 136
Location: Germany

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

Unread postby Zorkov Igor » Thu Oct 25, 2012 2:09 pm

There is not a lot of code to translate.
Zorkov Igor offline
Posts: 77
Location: Russia
OS: Windows 7, 8, 8.1

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

Unread postby keremg » Thu Oct 25, 2012 4:15 pm

Zorkov Igor wrote: There is not a lot of code to translate.

I am not used to reading/writing Pascal, but it's pretty easy to understand and I already made it work. Thank you. I do have a question on the CreateProcessAsSystemW_XP function: why do I have to impersonate the currently running thread as the system account and then call CreateProcessAsUserW() on Windows XP based systems? Isn't just calling CreateProcessAsUserW() with the token sufficient here? Why impersonate the thread first, then call the function, and finally revert?
keremg offline
Posts: 136
Location: Germany

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

Unread postby keremg » Fri Nov 02, 2012 5:09 am

Zorkov Igor wrote: There is not a lot of code to translate.


The code works perfectly, thank you again. I have one more question: how can I enable a single token privilege that is available but disabled by default on the acquired token?

Thanks in advance,...

K.
keremg offline
Posts: 136
Location: Germany

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

Unread postby wj32 » Tue Nov 06, 2012 4:46 am

What's wrong with using AdjustTokenPrivileges?
wj32 offline
Posts: 721
Location: Australia
OS: Windows

Re: Impersonating Thread into "NT AUTHORITY\SYSTEM" context.

Unread postby keremg » Tue Nov 06, 2012 6:40 am

wj32 wrote:What's wrong with using AdjustTokenPrivileges?


Yes, that's it, you are right :-D
keremg offline
Posts: 136
Location: Germany
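Added example, not code from this thread, from the attached run-as-system.zip or from Process Hacker: a PowerShell script that walks the OpenProcess -> OpenProcessToken -> DuplicateToken -> ImpersonateLoggedOnUser -> [work] -> RevertToSelf chain keremg describes in the first post, and enables a privilege on the acquired token with AdjustTokenPrivileges, the call wj32 points to in the last exchange. It assumes an elevated (Administrator) PowerShell session and borrows the token of winlogon.exe as the SYSTEM donor process (my choice; any SYSTEM process would do). The function names, variable names and the choice of donor process are mine.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell.
# Assumption: winlogon.exe runs as NT AUTHORITY\SYSTEM and is the token donor.
Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct LUID { public uint LowPart; public int HighPart; }
[StructLayout(LayoutKind.Sequential)]
public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
    ref TOKEN_PRIVILEGES newState, uint bufferLength, IntPtr previousState, IntPtr returnLength);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attributes,
    int impersonationLevel, int tokenType, out IntPtr newToken);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool ImpersonateLoggedOnUser(IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool RevertToSelf();
'@

$TOKEN_QUERY = 0x0008; $TOKEN_DUPLICATE = 0x0002; $TOKEN_ADJUST_PRIVILEGES = 0x0020
$TOKEN_ALL_ACCESS = 0x000F01FF; $PROCESS_QUERY_INFORMATION = 0x0400
$SE_PRIVILEGE_ENABLED = 0x2; $ERROR_NOT_ALL_ASSIGNED = 1300

function Get-LastWin32Error { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }

# Enables one named privilege (e.g. SeTcbPrivilege) on a token handle opened
# with TOKEN_ADJUST_PRIVILEGES. Answers the "available but disabled" question.
function Enable-TokenPrivilege {
    param([IntPtr]$Token, [string]$Name)
    $luid = New-Object -TypeName 'Win32.Token+LUID'
    if (-not [Win32.Token]::LookupPrivilegeValue($null, $Name, [ref]$luid)) {
        throw "LookupPrivilegeValue($Name) failed: $(Get-LastWin32Error)"
    }
    $tp = New-Object -TypeName 'Win32.Token+TOKEN_PRIVILEGES'
    $tp.PrivilegeCount = 1; $tp.Luid = $luid; $tp.Attributes = $SE_PRIVILEGE_ENABLED
    $ok = [Win32.Token]::AdjustTokenPrivileges($Token, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = Get-LastWin32Error
    # AdjustTokenPrivileges returns TRUE even when the token does not hold the
    # privilege at all; ERROR_NOT_ALL_ASSIGNED is the only sign nothing changed.
    if (-not $ok -or $err -eq $ERROR_NOT_ALL_ASSIGNED) { throw "Cannot enable $Name (error $err)" }
}

# Runs $Work on the current thread while it impersonates a SYSTEM token that
# has $Privilege enabled, then reverts no matter what happened.
function Invoke-AsSystem {
    param([scriptblock]$Work, [string]$Privilege = 'SeTcbPrivilege', [string]$DonorProcess = 'winlogon')
    # 1. SeDebugPrivilege on our own token lets OpenProcess bypass the donor's DACL.
    $self = [IntPtr]::Zero
    if (-not [Win32.Token]::OpenProcessToken([Win32.Token]::GetCurrentProcess(),
            ($TOKEN_ADJUST_PRIVILEGES -bor $TOKEN_QUERY), [ref]$self)) { throw "OpenProcessToken(self): $(Get-LastWin32Error)" }
    Enable-TokenPrivilege $self 'SeDebugPrivilege'
    # 2. Borrow the primary token of a process running as SYSTEM.
    $donorPid = (Get-Process -Name $DonorProcess | Select-Object -First 1).Id
    $proc = [Win32.Token]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $donorPid)
    if ($proc -eq [IntPtr]::Zero) { throw "OpenProcess($DonorProcess): $(Get-LastWin32Error)" }
    $src = [IntPtr]::Zero
    if (-not [Win32.Token]::OpenProcessToken($proc, ($TOKEN_DUPLICATE -bor $TOKEN_QUERY), [ref]$src)) {
        throw "OpenProcessToken($DonorProcess): $(Get-LastWin32Error)"
    }
    # 3. Make an impersonation-type copy (SecurityImpersonation = 2, TokenImpersonation = 2).
    $dup = [IntPtr]::Zero
    if (-not [Win32.Token]::DuplicateTokenEx($src, $TOKEN_ALL_ACCESS, [IntPtr]::Zero, 2, 2, [ref]$dup)) {
        throw "DuplicateTokenEx: $(Get-LastWin32Error)"
    }
    # 4. Enable the privilege on the copy; enabling an already-enabled one is a no-op.
    Enable-TokenPrivilege $dup $Privilege
    # 5. Impersonate on this thread only, do the work, always revert and clean up.
    if (-not [Win32.Token]::ImpersonateLoggedOnUser($dup)) { throw "ImpersonateLoggedOnUser: $(Get-LastWin32Error)" }
    try {
        $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        & $Work $who
    } finally {
        [void][Win32.Token]::RevertToSelf()
        foreach ($h in $dup, $src, $proc, $self) { [void][Win32.Token]::CloseHandle($h) }
    }
}

Invoke-AsSystem -Privilege 'SeTcbPrivilege' -Work {
    param($who)
    "Thread now runs as $who"   # NT AUTHORITY\SYSTEM
    # Place the Zw/NtPlugPlayControl call (or any work that needs SeTcbPrivilege) here.
    # A child process started from here still inherits this process's primary
    # token, not the impersonation token; that is what CreateProcessAsUser is for.
}
```

Two caveats a practitioner should keep in mind. Impersonation is per thread: only the thread that called ImpersonateLoggedOnUser sees the SYSTEM identity, so the privileged call has to happen on that same thread, and RevertToSelf belongs in a finally block so an exception cannot leave the thread running as SYSTEM. Second, on the unanswered CreateProcessAsUser question from the thread: the CreateProcessAsUser documentation says the caller must typically hold SeIncreaseQuotaPrivilege and may need SeAssignPrimaryTokenPrivilege when the token is not one the caller could otherwise assign; an administrator's own token does not carry SeAssignPrimaryTokenPrivilege but SYSTEM's does, which is the usual reason code impersonates the SYSTEM token first and only then calls CreateProcessAsUser.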

