我正在使用IShellDispatch2.ShellExecute在提升权限的流程下以标准用户身份运行流程,如Raymond Chen's article中所述。与ShellExecuteEx不同,此方法不返回有关进程的任何信息。
我需要知道启动过程何时完成,并且可能需要其退出代码。有没有办法获取此过程的处理方式(除了拍摄快照以外的其他方式)?
答案 0 :(得分:0)
您不能这样做,因为该外壳程序没有公开ShellExecuteEx方法,即使这样做,返回的进程句柄在您的进程中也无效。
我能想到的最简单的解决方案是创建一个小助手应用程序,该应用程序充当外壳程序和要启动的实际应用程序之间的中间人。当子进程退出时,此中间人应用程序可以调用ShellExecuteEx并将消息发送回您的真实应用程序。
答案 1 :(得分:0)
您可以使用CreateProcessAsUserW来启动进程,而无需提升用户令牌。但是这里存在一些问题-如果 hToken 是调用者主令牌的受限版本,则需要SE_INCREASE_QUOTA_NAME和SE_ASSIGNPRIMARYTOKEN_NAME特权才能调用此api。
秒如何获取用户令牌?您可以为此使用WTSQueryUserToken,但要调用此api,您需要具有SE_TCB_NAME特权
因此您需要拥有/获得3个特权SE_ASSIGNPRIMARYTOKEN_NAME,SE_TCB_NAME和SE_INCREASE_QUOTA_NAME。通常,LocalSystem进程拥有它。如果我们有SE_DEBUG_PRIVILEGE,我们可以打开其中的一部分。
所以通常我们需要下一步:
SessionId(需要致电WTSQueryUserToken)SE_DEBUG_PRIVILEGE(已升高
令牌通常具有此特权)WTSQueryUserToken CreateProcessAsUserW -----代码:---------------
inline ULONG BOOL_TO_ERROR(BOOL f)
{
return f ? NOERROR : GetLastError();
}
// use in _alloca(guz) because _alloca(0) work incorrect
// return 0 pointer instead allocates a zero-length item
volatile UCHAR guz;
ULONG takePrivileges(HANDLE hToken, ::PTOKEN_PRIVILEGES ptp, ULONG cb, BOOL& bContinue)
{
if (ULONG PrivilegeCount = ptp->PrivilegeCount)
{
int n = 3;
BOOL fAdjust = FALSE;
::PLUID_AND_ATTRIBUTES Privileges = ptp->Privileges;
do
{
switch (Privileges->Luid.LowPart)
{
case SE_ASSIGNPRIMARYTOKEN_PRIVILEGE:
case SE_INCREASE_QUOTA_PRIVILEGE:
case SE_TCB_PRIVILEGE:
if (!(Privileges->Attributes & SE_PRIVILEGE_ENABLED))
{
Privileges->Attributes |= SE_PRIVILEGE_ENABLED;
fAdjust = TRUE;
}
if (!--n)
{
bContinue = FALSE;
ULONG dwError = BOOL_TO_ERROR(DuplicateTokenEx(hToken,
TOKEN_ADJUST_PRIVILEGES|TOKEN_IMPERSONATE,
0, ::SecurityImpersonation, ::TokenImpersonation,
&hToken));
if (dwError == NOERROR)
{
if (fAdjust)
{
AdjustTokenPrivileges(hToken, FALSE, ptp, cb, NULL, NULL);
dwError = GetLastError();
}
if (dwError == NOERROR)
{
dwError = BOOL_TO_ERROR(SetThreadToken(0, hToken));
}
CloseHandle(hToken);
}
return dwError;
}
}
} while (Privileges++, --PrivilegeCount);
}
return ERROR_NOT_FOUND;
}
ULONG GetPrivileges()
{
ULONG dwError;
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot != INVALID_HANDLE_VALUE)
{
dwError = ERROR_NOT_FOUND;
PROCESSENTRY32W pe = { sizeof(pe) };
if (Process32FirstW(hSnapshot, &pe))
{
ULONG cb = 0, rcb = 0x100;
PVOID stack = alloca(guz);
union {
PVOID buf;
::PTOKEN_PRIVILEGES ptp;
};
BOOL bContinue = TRUE;
do
{
if (HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pe.th32ProcessID))
{
HANDLE hToken;
if (OpenProcessToken(hProcess, TOKEN_QUERY|TOKEN_DUPLICATE, &hToken))
{
do
{
if (cb < rcb)
{
cb = RtlPointerToOffset(buf = alloca(rcb - cb), stack);
}
if (GetTokenInformation(hToken, ::TokenPrivileges, buf, cb, &rcb))
{
dwError = takePrivileges(hToken, ptp, rcb, bContinue);
break;
}
} while (GetLastError() == ERROR_INSUFFICIENT_BUFFER);
CloseHandle(hToken);
}
CloseHandle(hProcess);
}
} while (bContinue && Process32NextW(hSnapshot, &pe));
}
CloseHandle(hSnapshot);
}
else
{
dwError = GetLastError();
}
return dwError;
}
ULONG RunNotElevated(PCWSTR lpApplicationName, PWSTR lpCommandLine, PCWSTR lpCurrentDirectory)
{
HANDLE hToken, hDupToken = 0;
ULONG SessionId;
ULONG dwError = BOOL_TO_ERROR(ProcessIdToSessionId(GetCurrentProcessId(), &SessionId));
if (NOERROR == dwError &&
(NOERROR == (dwError = BOOL_TO_ERROR(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY|TOKEN_DUPLICATE, &hToken)))))
{
dwError = BOOL_TO_ERROR(DuplicateTokenEx(hToken,
TOKEN_IMPERSONATE|TOKEN_ADJUST_PRIVILEGES, 0,
::SecurityImpersonation, ::TokenImpersonation, &hDupToken));
CloseHandle(hToken);
if (dwError == NOERROR)
{
// get SE_DEBUG_PRIVILEGE
static ::TOKEN_PRIVILEGES tp = { 1, { { {SE_DEBUG_PRIVILEGE }, SE_PRIVILEGE_ENABLED } } };
AdjustTokenPrivileges(hDupToken, FALSE, &tp, 0, 0, 0);
if ((dwError = GetLastError()) == NOERROR)
{
dwError = BOOL_TO_ERROR(SetThreadToken(0, hDupToken));
}
CloseHandle(hDupToken);
if (dwError == NOERROR)
{
if (NOERROR == (dwError = GetPrivileges()))
{
STARTUPINFOW si = { sizeof(si) };
PROCESS_INFORMATION pi;
PVOID lpEnvironment;
if (WTSQueryUserToken(SessionId, &hToken))
{
dwError = BOOL_TO_ERROR(CreateEnvironmentBlock(&lpEnvironment, hToken, FALSE));
if (dwError == NOERROR)
{
dwError = BOOL_TO_ERROR(CreateProcessAsUserW(
hToken, lpApplicationName, lpCommandLine,
NULL, NULL, FALSE, CREATE_UNICODE_ENVIRONMENT,
lpEnvironment, lpCurrentDirectory, &si, &pi));
DestroyEnvironmentBlock(lpEnvironment);
}
CloseHandle(hToken);
if (dwError == NOERROR)
{
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
}
}
SetThreadToken(0, 0);
}
}
}
return dwError;
}
void test_r()
{
WCHAR cmd[MAX_PATH];
if (GetEnvironmentVariable(L"comspec", cmd, RTL_NUMBER_OF(cmd)))
{
RunNotElevated1(cmd, L"cmd /k whoami /all",0);
}
}