在服务中用管理员权限创建一个可弹出UI的进程
2014-01-20 15:23
399 查看
在服务中用管理员权限创建一个可弹出UI的进程
do
{
// if (!OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hThisToken ))
// {
// PrintfDbgStr(TEXT("OpenProcessToken error !error code:%d\n"),GetLastError());
// bSuccess = FALSE;
// break;
// }
// if(!SetPrivilege(hThisToken,SE_TCB_NAME,TRUE))
// {
// PrintfDbgStr(TEXT("SetPrivilege error !error code:%d\n"),GetLastError());
// bSuccess = FALSE;
// break;
// }
DWORD dwSessionId = WTSGetActiveConsoleSessionId();
if(!WTSQueryUserToken(dwSessionId,&hToken))
{
PrintfDbgStr(TEXT("WTSQueryUserToken error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si,sizeof(STARTUPINFO));
ZeroMemory(&pi,sizeof(PROCESS_INFORMATION));
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = _T("WinSta0\\Default");
si.wShowWindow = TRUE;
si.dwFlags = STARTF_USESHOWWINDOW;
LPVOID pEnv = NULL;
DWORD dwCreationFlag = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE;
if(!CreateProcessAsUser(hToken,NULL,pBuf,NULL,NULL,FALSE,dwCreationFlag,pEnv,NULL,&si,&pi))
{
PrintfDbgStr(TEXT("CreateProcessAsUser error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
}while(0);
这种方法创建的进程不是管理员权限的,因为是调用了用户的令牌创建的进程。不过,确实能顺利弹出UI。
[cpp]
view plaincopyprint?
HANDLE hToken = NULL;
HANDLE hTokenDup = NULL;
do
{
if(OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hToken))
{
if(DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS,NULL, SecurityIdentification, TokenPrimary, &hTokenDup))
{
DWORD dwSessionId = WTSGetActiveConsoleSessionId();
if(!SetTokenInformation(hTokenDup,TokenSessionId,&dwSessionId,sizeof(DWORD)))
{
PrintfDbgStr(TEXT("SetTokenInformation error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si,sizeof(STARTUPINFO));
ZeroMemory(&pi,sizeof(PROCESS_INFORMATION));
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = _T("WinSta0\\Default");
si.wShowWindow = SW_SHOW;
si.dwFlags = STARTF_USESHOWWINDOW /*|STARTF_USESTDHANDLES*/;
LPVOID pEnv = NULL;
DWORD dwCreationFlag = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT;
if(!CreateEnvironmentBlock(&pEnv,hTokenDup,FALSE))
{
PrintfDbgStr(TEXT("CreateEnvironmentBlock error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
if(!CreateProcessAsUser(hTokenDup,NULL,pBuf,NULL,NULL,FALSE,dwCreationFlag,pEnv,NULL,&si,&pi))
{
PrintfDbgStr(TEXT("CreateProcessAsUser error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
if(pEnv)
{
DestroyEnvironmentBlock(pEnv);
}
}
else
{
PrintfDbgStr(TEXT("DuplicateTokenEx error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
}
else
{
PrintfDbgStr(TEXT("cannot get administror!error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
}while(0);
if(hTokenDup != NULL && hTokenDup != INVALID_HANDLE_VALUE)
CloseHandle(hTokenDup);
if(hToken != NULL && hToken != INVALID_HANDLE_VALUE)
CloseHandle(hToken);
在服务中用管理员权限创建一个可弹出UI的进程
do
{
// if (!OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hThisToken ))
// {
// PrintfDbgStr(TEXT("OpenProcessToken error !error code:%d\n"),GetLastError());
// bSuccess = FALSE;
// break;
// }
// if(!SetPrivilege(hThisToken,SE_TCB_NAME,TRUE))
// {
// PrintfDbgStr(TEXT("SetPrivilege error !error code:%d\n"),GetLastError());
// bSuccess = FALSE;
// break;
// }
DWORD dwSessionId = WTSGetActiveConsoleSessionId();
if(!WTSQueryUserToken(dwSessionId,&hToken))
{
PrintfDbgStr(TEXT("WTSQueryUserToken error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si,sizeof(STARTUPINFO));
ZeroMemory(&pi,sizeof(PROCESS_INFORMATION));
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = _T("WinSta0\\Default");
si.wShowWindow = TRUE;
si.dwFlags = STARTF_USESHOWWINDOW;
LPVOID pEnv = NULL;
DWORD dwCreationFlag = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE;
if(!CreateProcessAsUser(hToken,NULL,pBuf,NULL,NULL,FALSE,dwCreationFlag,pEnv,NULL,&si,&pi))
{
PrintfDbgStr(TEXT("CreateProcessAsUser error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
}while(0);
do { // if (!OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hThisToken )) // { // PrintfDbgStr(TEXT("OpenProcessToken error !error code:%d\n"),GetLastError()); // bSuccess = FALSE; // break; // } // if(!SetPrivilege(hThisToken,SE_TCB_NAME,TRUE)) // { // PrintfDbgStr(TEXT("SetPrivilege error !error code:%d\n"),GetLastError()); // bSuccess = FALSE; // break; // } DWORD dwSessionId = WTSGetActiveConsoleSessionId(); if(!WTSQueryUserToken(dwSessionId,&hToken)) { PrintfDbgStr(TEXT("WTSQueryUserToken error !error code:%d\n"),GetLastError()); bSuccess = FALSE; break; } STARTUPINFO si; PROCESS_INFORMATION pi; ZeroMemory(&si,sizeof(STARTUPINFO)); ZeroMemory(&pi,sizeof(PROCESS_INFORMATION)); si.cb = sizeof(STARTUPINFO); si.lpDesktop = _T("WinSta0\\Default"); si.wShowWindow = TRUE; si.dwFlags = STARTF_USESHOWWINDOW; LPVOID pEnv = NULL; DWORD dwCreationFlag = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE; if(!CreateProcessAsUser(hToken,NULL,pBuf,NULL,NULL,FALSE,dwCreationFlag,pEnv,NULL,&si,&pi)) { PrintfDbgStr(TEXT("CreateProcessAsUser error !error code:%d\n"),GetLastError()); bSuccess = FALSE; break; } }while(0);
这种方法创建的进程不是管理员权限的,因为是调用了用户的令牌创建的进程。不过,确实能顺利弹出UI。
[cpp]
view plaincopyprint?
HANDLE hToken = NULL;
HANDLE hTokenDup = NULL;
do
{
if(OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hToken))
{
if(DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS,NULL, SecurityIdentification, TokenPrimary, &hTokenDup))
{
DWORD dwSessionId = WTSGetActiveConsoleSessionId();
if(!SetTokenInformation(hTokenDup,TokenSessionId,&dwSessionId,sizeof(DWORD)))
{
PrintfDbgStr(TEXT("SetTokenInformation error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si,sizeof(STARTUPINFO));
ZeroMemory(&pi,sizeof(PROCESS_INFORMATION));
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = _T("WinSta0\\Default");
si.wShowWindow = SW_SHOW;
si.dwFlags = STARTF_USESHOWWINDOW /*|STARTF_USESTDHANDLES*/;
LPVOID pEnv = NULL;
DWORD dwCreationFlag = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT;
if(!CreateEnvironmentBlock(&pEnv,hTokenDup,FALSE))
{
PrintfDbgStr(TEXT("CreateEnvironmentBlock error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
if(!CreateProcessAsUser(hTokenDup,NULL,pBuf,NULL,NULL,FALSE,dwCreationFlag,pEnv,NULL,&si,&pi))
{
PrintfDbgStr(TEXT("CreateProcessAsUser error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
if(pEnv)
{
DestroyEnvironmentBlock(pEnv);
}
}
else
{
PrintfDbgStr(TEXT("DuplicateTokenEx error !error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
}
else
{
PrintfDbgStr(TEXT("cannot get administror!error code:%d\n"),GetLastError());
bSuccess = FALSE;
break;
}
}while(0);
if(hTokenDup != NULL && hTokenDup != INVALID_HANDLE_VALUE)
CloseHandle(hTokenDup);
if(hToken != NULL && hToken != INVALID_HANDLE_VALUE)
CloseHandle(hToken);
HANDLE hToken = NULL; HANDLE hTokenDup = NULL; do { if(OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hToken)) { if(DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS,NULL, SecurityIdentification, TokenPrimary, &hTokenDup)) { DWORD dwSessionId = WTSGetActiveConsoleSessionId(); if(!SetTokenInformation(hTokenDup,TokenSessionId,&dwSessionId,sizeof(DWORD))) { PrintfDbgStr(TEXT("SetTokenInformation error !error code:%d\n"),GetLastError()); bSuccess = FALSE; break; } STARTUPINFO si; PROCESS_INFORMATION pi; ZeroMemory(&si,sizeof(STARTUPINFO)); ZeroMemory(&pi,sizeof(PROCESS_INFORMATION)); si.cb = sizeof(STARTUPINFO); si.lpDesktop = _T("WinSta0\\Default"); si.wShowWindow = SW_SHOW; si.dwFlags = STARTF_USESHOWWINDOW /*|STARTF_USESTDHANDLES*/; LPVOID pEnv = NULL; DWORD dwCreationFlag = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT; if(!CreateEnvironmentBlock(&pEnv,hTokenDup,FALSE)) { PrintfDbgStr(TEXT("CreateEnvironmentBlock error !error code:%d\n"),GetLastError()); bSuccess = FALSE; break; } if(!CreateProcessAsUser(hTokenDup,NULL,pBuf,NULL,NULL,FALSE,dwCreationFlag,pEnv,NULL,&si,&pi)) { PrintfDbgStr(TEXT("CreateProcessAsUser error !error code:%d\n"),GetLastError()); bSuccess = FALSE; break; } if(pEnv) { DestroyEnvironmentBlock(pEnv); } } else { PrintfDbgStr(TEXT("DuplicateTokenEx error !error code:%d\n"),GetLastError()); bSuccess = FALSE; break; } } else { PrintfDbgStr(TEXT("cannot get administror!error code:%d\n"),GetLastError()); bSuccess = FALSE; break; } }while(0); if(hTokenDup != NULL && hTokenDup != INVALID_HANDLE_VALUE) CloseHandle(hTokenDup); if(hToken != NULL && hToken != INVALID_HANDLE_VALUE) CloseHandle(hToken);这里就能用管理员权限打开一个进程并,弹出UI了,注意dwCreationFlag和si的参数设定,我是经过多次试验得出的,错了的话,可能就弹不出来了哦。这种方法是打开用户的令牌但是把服务的所有权限都给这个令牌,所以用户令牌就有足够的权限用管理员打开进程了。
相关文章推荐
- 在服务中用管理员权限创建一个可弹出UI的进程
- 在服务中用管理员权限创建一个可弹出UI的进程 (转载)
- 在服务中用管理员权限创建一个进程
- 服务程序中创建带管理员权限的UI进程问题总结
- VC 判断进程是否是以管理员权限运行,并且判断是否是用户进程而非服务进程
- 如何在Mac OS X上创建一个Service服务进程
- 创建一个非超级管理员用户,并增加 sudo 权限
- 如何利用Win32服务进程去创建一个GUI用户进程?
- 一个进程是否以管理员权限运行
- 服务进程创建一个带窗口的进程,过UAC
- 服务进程创建一个带窗口的进程
- 如何为一个服务进程创建监控,即使出core也能自动重启
- [Win32] 服务程序开发(3)Session 0隔离(下)创建SYSTEM权限可交互进程
- 不是管理员权限的进程启动一个具备管理员权限的EXE
- 用sc create----创建一个服务
- mysql5.7 创建一个超级管理员
- 在服务里面弹出一个窗口到用户的桌面上[转]
- [转载]创建高权限进程
- 关于MMC不能打开文件C:\Program Files\Microsoft SQL Server\80\Tools\Binn\SQL Server Enterprise Manager.MSC可能是由于文件不存在,不是一个MMC控制台,或者用后来的MMC版本创建。也可能你没有访问此文件的足够权限
- 创建一个免费的Android推送通知服务帐户