在服务中用管理员权限创建一个可弹出UI的进程
2014-01-20 15:23
399 查看
在服务中用管理员权限创建一个可弹出UI的进程
do
{
// if (!OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hThisToken ))
// {
// PrintfDbgStr(TEXT("OpenProcessToken error !error code:%d\n"),GetLastError());
// bSuccess = FALSE;
// break;
// }
// if(!SetPrivilege(hThisToken,SE_TCB_NAME,TRUE))
// {
// PrintfDbgStr(TEXT("SetPrivilege error !error code:%d\n"),GetLastError());
// bSuccess = FALSE;
// break;
// }
DWORD dwSessionId = WTSGetActiveConsoleSessionId();
if(!WTSQueryUserToken(dwSessionId,&hToken))
{
PrintfDbgStr(TEXT("WTSQueryUserToken error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si,sizeof(STARTUPINFO));
ZeroMemory(&pi,sizeof(PROCESS_INFORMATION));
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = _T("WinSta0\\Default");
si.wShowWindow = TRUE;
si.dwFlags = STARTF_USESHOWWINDOW;
LPVOID pEnv = NULL;
DWORD dwCreationFlag = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE;
if(!CreateProcessAsUser(hToken,NULL,pBuf,NULL,NULL,FALSE,dwCreationFlag,pEnv,NULL,&si,&pi))
{
PrintfDbgStr(TEXT("CreateProcessAsUser error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
}while(0);
这种方法创建的进程不是管理员权限的,因为是调用了用户的令牌创建的进程。不过,确实能顺利弹出UI。
[cpp]
view plaincopyprint?
HANDLE hToken = NULL;
HANDLE hTokenDup = NULL;
do
{
if(OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hToken))
{
if(DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS,NULL, SecurityIdentification, TokenPrimary, &hTokenDup))
{
DWORD dwSessionId = WTSGetActiveConsoleSessionId();
if(!SetTokenInformation(hTokenDup,TokenSessionId,&dwSessionId,sizeof(DWORD)))
{
PrintfDbgStr(TEXT("SetTokenInformation error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si,sizeof(STARTUPINFO));
ZeroMemory(&pi,sizeof(PROCESS_INFORMATION));
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = _T("WinSta0\\Default");
si.wShowWindow = SW_SHOW;
si.dwFlags = STARTF_USESHOWWINDOW /*|STARTF_USESTDHANDLES*/;
LPVOID pEnv = NULL;
DWORD dwCreationFlag = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT;
if(!CreateEnvironmentBlock(&pEnv,hTokenDup,FALSE))
{
PrintfDbgStr(TEXT("CreateEnvironmentBlock error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
if(!CreateProcessAsUser(hTokenDup,NULL,pBuf,NULL,NULL,FALSE,dwCreationFlag,pEnv,NULL,&si,&pi))
{
PrintfDbgStr(TEXT("CreateProcessAsUser error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
if(pEnv)
{
DestroyEnvironmentBlock(pEnv);
}
}
else
{
PrintfDbgStr(TEXT("DuplicateTokenEx error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
}
else
{
PrintfDbgStr(TEXT("cannot get administror!error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
}while(0);
if(hTokenDup != NULL && hTokenDup != INVALID_HANDLE_VALUE)
CloseHandle(hTokenDup);
if(hToken != NULL && hToken != INVALID_HANDLE_VALUE)
CloseHandle(hToken);
在服务中用管理员权限创建一个可弹出UI的进程
do
{
// if (!OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hThisToken ))
// {
// PrintfDbgStr(TEXT("OpenProcessToken error !error code:%d\n"),GetLastError());
// bSuccess = FALSE;
// break;
// }
// if(!SetPrivilege(hThisToken,SE_TCB_NAME,TRUE))
// {
// PrintfDbgStr(TEXT("SetPrivilege error !error code:%d\n"),GetLastError());
// bSuccess = FALSE;
// break;
// }
DWORD dwSessionId = WTSGetActiveConsoleSessionId();
if(!WTSQueryUserToken(dwSessionId,&hToken))
{
PrintfDbgStr(TEXT("WTSQueryUserToken error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si,sizeof(STARTUPINFO));
ZeroMemory(&pi,sizeof(PROCESS_INFORMATION));
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = _T("WinSta0\\Default");
si.wShowWindow = TRUE;
si.dwFlags = STARTF_USESHOWWINDOW;
LPVOID pEnv = NULL;
DWORD dwCreationFlag = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE;
if(!CreateProcessAsUser(hToken,NULL,pBuf,NULL,NULL,FALSE,dwCreationFlag,pEnv,NULL,&si,&pi))
{
PrintfDbgStr(TEXT("CreateProcessAsUser error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
}while(0);
do
{
// if (!OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hThisToken ))
// {
// PrintfDbgStr(TEXT("OpenProcessToken error !error code:%d\n"),GetLastError());
// bSuccess = FALSE;
// break;
// }
// if(!SetPrivilege(hThisToken,SE_TCB_NAME,TRUE))
// {
// PrintfDbgStr(TEXT("SetPrivilege error !error code:%d\n"),GetLastError());
// bSuccess = FALSE;
// break;
// }
DWORD dwSessionId = WTSGetActiveConsoleSessionId();
if(!WTSQueryUserToken(dwSessionId,&hToken))
{
PrintfDbgStr(TEXT("WTSQueryUserToken error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si,sizeof(STARTUPINFO));
ZeroMemory(&pi,sizeof(PROCESS_INFORMATION));
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = _T("WinSta0\\Default");
si.wShowWindow = TRUE;
si.dwFlags = STARTF_USESHOWWINDOW;
LPVOID pEnv = NULL;
DWORD dwCreationFlag = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE;
if(!CreateProcessAsUser(hToken,NULL,pBuf,NULL,NULL,FALSE,dwCreationFlag,pEnv,NULL,&si,&pi))
{
PrintfDbgStr(TEXT("CreateProcessAsUser error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
}while(0);这种方法创建的进程不是管理员权限的,因为是调用了用户的令牌创建的进程。不过,确实能顺利弹出UI。
[cpp]
view plaincopyprint?
HANDLE hToken = NULL;
HANDLE hTokenDup = NULL;
do
{
if(OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hToken))
{
if(DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS,NULL, SecurityIdentification, TokenPrimary, &hTokenDup))
{
DWORD dwSessionId = WTSGetActiveConsoleSessionId();
if(!SetTokenInformation(hTokenDup,TokenSessionId,&dwSessionId,sizeof(DWORD)))
{
PrintfDbgStr(TEXT("SetTokenInformation error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si,sizeof(STARTUPINFO));
ZeroMemory(&pi,sizeof(PROCESS_INFORMATION));
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = _T("WinSta0\\Default");
si.wShowWindow = SW_SHOW;
si.dwFlags = STARTF_USESHOWWINDOW /*|STARTF_USESTDHANDLES*/;
LPVOID pEnv = NULL;
DWORD dwCreationFlag = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT;
if(!CreateEnvironmentBlock(&pEnv,hTokenDup,FALSE))
{
PrintfDbgStr(TEXT("CreateEnvironmentBlock error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
if(!CreateProcessAsUser(hTokenDup,NULL,pBuf,NULL,NULL,FALSE,dwCreationFlag,pEnv,NULL,&si,&pi))
{
PrintfDbgStr(TEXT("CreateProcessAsUser error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
if(pEnv)
{
DestroyEnvironmentBlock(pEnv);
}
}
else
{
PrintfDbgStr(TEXT("DuplicateTokenEx error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
}
else
{
PrintfDbgStr(TEXT("cannot get administror!error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
}while(0);
if(hTokenDup != NULL && hTokenDup != INVALID_HANDLE_VALUE)
CloseHandle(hTokenDup);
if(hToken != NULL && hToken != INVALID_HANDLE_VALUE)
CloseHandle(hToken);
HANDLE hToken = NULL;
HANDLE hTokenDup = NULL;
do
{
if(OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hToken))
{
if(DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS,NULL, SecurityIdentification, TokenPrimary, &hTokenDup))
{
DWORD dwSessionId = WTSGetActiveConsoleSessionId();
if(!SetTokenInformation(hTokenDup,TokenSessionId,&dwSessionId,sizeof(DWORD)))
{
PrintfDbgStr(TEXT("SetTokenInformation error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si,sizeof(STARTUPINFO));
ZeroMemory(&pi,sizeof(PROCESS_INFORMATION));
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = _T("WinSta0\\Default");
si.wShowWindow = SW_SHOW;
si.dwFlags = STARTF_USESHOWWINDOW /*|STARTF_USESTDHANDLES*/;
LPVOID pEnv = NULL;
DWORD dwCreationFlag = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT;
if(!CreateEnvironmentBlock(&pEnv,hTokenDup,FALSE))
{
PrintfDbgStr(TEXT("CreateEnvironmentBlock error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
if(!CreateProcessAsUser(hTokenDup,NULL,pBuf,NULL,NULL,FALSE,dwCreationFlag,pEnv,NULL,&si,&pi))
{
PrintfDbgStr(TEXT("CreateProcessAsUser error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
if(pEnv)
{
DestroyEnvironmentBlock(pEnv);
}
}
else
{
PrintfDbgStr(TEXT("DuplicateTokenEx error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
}
else
{
PrintfDbgStr(TEXT("cannot get administror!error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
}while(0);
if(hTokenDup != NULL && hTokenDup != INVALID_HANDLE_VALUE)
CloseHandle(hTokenDup);
if(hToken != NULL && hToken != INVALID_HANDLE_VALUE)
CloseHandle(hToken);这里就能用管理员权限打开一个进程并,弹出UI了,注意dwCreationFlag和si的参数设定,我是经过多次试验得出的,错了的话,可能就弹不出来了哦。这种方法是打开用户的令牌但是把服务的所有权限都给这个令牌,所以用户令牌就有足够的权限用管理员打开进程了。
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- 在服务中用管理员权限创建一个可弹出UI的进程
- 在服务中用管理员权限创建一个可弹出UI的进程 (转载)
- 在服务中用管理员权限创建一个进程
- 服务程序中创建带管理员权限的UI进程问题总结
- VC 判断进程是否是以管理员权限运行,并且判断是否是用户进程而非服务进程
- 如何在Mac OS X上创建一个Service服务进程
- 创建一个非超级管理员用户,并增加 sudo 权限
- 如何利用Win32服务进程去创建一个GUI用户进程?
- 一个进程是否以管理员权限运行
- 服务进程创建一个带窗口的进程,过UAC
- 服务进程创建一个带窗口的进程
- 如何为一个服务进程创建监控,即使出core也能自动重启
- [Win32] 服务程序开发(3)Session 0隔离(下)创建SYSTEM权限可交互进程
- 不是管理员权限的进程启动一个具备管理员权限的EXE
- 用sc create----创建一个服务
- mysql5.7 创建一个超级管理员
- 在服务里面弹出一个窗口到用户的桌面上[转]
- [转载]创建高权限进程
- 关于MMC不能打开文件C:\Program Files\Microsoft SQL Server\80\Tools\Binn\SQL Server Enterprise Manager.MSC可能是由于文件不存在,不是一个MMC控制台,或者用后来的MMC版本创建。也可能你没有访问此文件的足够权限
- 创建一个免费的Android推送通知服务帐户