Hello,

I have a Windows service application that is running as NT AUTHORITY\SYSTEM. I'd like to serve some type of client requests using a less privileged account. Windows XP (and later) has the NT AUTHORITY\LOCAL SERVICE account which would be perfect for my purposes. Is there any way to obtain a token handle to that account to be used in CreateProcessAsUser?

(I've tried to call LogonUser several ways to create the token, the best I achieved was that it had failed with ERROR_ACCESS_DENIED instead of ERROR_LOGON_FAILURE.)

Thank you,
Gabor

> Hello,
>
> I have a Windows service application that is running as NT
> AUTHORITY\SYSTEM.
> I'd like to serve some type of client requests using a less privileged
> account. Windows XP (and later) has the NT AUTHORITY\LOCAL SERVICE account
> which would be perfect for my purposes. Is there any way to obtain a token
> handle to that account to be used in CreateProcessAsUser?
>
> (I've tried to call LogonUser several ways to create the token, the best I
> achieved was that it had failed with ERROR_ACCESS_DENIED instead of
> ERROR_LOGON_FAILURE.)

Have a look at this:

http://download.microsoft.com/download/0/6/7/0678184e-905e-4783-9511-d4dca1f492b4/cmdasuser.exe

It's an old utility by Keith Brown (well-known Windows security guru), complete with source (the whole thing's a self-compressed zip file). It's now obsolete since Microsoft introduced the "RunAs.exe" utility but you can see how it works. In particular, by passing it the command line argument "localsystem", it will start a command prompt running under the System account. You should now be able to leverage this to figure out how to do the same thing under the localservice account. Note that there may be an easier way (since this code is old now) but the basic security model hasn't really changed in all these years. I therefore doubt if another way exists but you may want to exhaust that avenue first. Also make sure there are no hiccups under Vista given its security changes. Good luck.

Thanks for the tip.

Actually, I have thought of creating a temporary service to call CreateProcess (cmdasuser does exactly this when requesting localsystem user).
I'm curious if there is a more compact way...

"Larry Smith" wrote:

> > Hello,
> >
> > I have a Windows service application that is running as NT
> > AUTHORITY\SYSTEM.
> > I'd like to serve some type of client requests using a less privileged
> > account. Windows XP (and later) has the NT AUTHORITY\LOCAL SERVICE account
> > which would be perfect for my purposes. Is there any way to obtain a token
> > handle to that account to be used in CreateProcessAsUser?
> >
> > (I've tried to call LogonUser several ways to create the token, the best I
> > achieved was that it had failed with ERROR_ACCESS_DENIED instead of
> > ERROR_LOGON_FAILURE.)
>
> Have a look at this:
>
> http://download.microsoft.com/download/0/6/7/0678184e-905e-4783-9511-d4dca1f492b4/cmdasuser.exe
>
> It's an old utility by Keith Brown (well-known Windows security guru),
> complete with source (the whole thing's a self-compressed zip file). It's
> now obsolete since Microsoft introduced the "RunAs.exe" utility but you can
> see how it works. In particular, by passing it the command line argument
> "localsystem", it will start a command prompt running under the System
> account. You should now be able to leverage this to figure out how to do the
> same thing under the localservice account. Note that there may be an easier
> way (since this code is old now) but the basic security model hasn't really
> changed in all these years. I therefore doubt if another way exists but you
> may want to exhaust that avenue first. Also make sure there are no hiccups
> under Vista given its security changes. Good luck.

> Thanks for the tip.
>
> Actually, I have thought of creating a temporary service to call
> CreateProcess (cmdasuser does exactly this when requesting localsystem
> user).
> I'm curious if there is a more compact way...

Anything's possible but I've never come across one. There's no password for this account so it seems doubtful that "LogonUser()" can be applied. At least it makes no mention of this while "CreateService()" specifically does. It also seems highly doubtful that "LogonUser()" was ever intended for these special accounts (System, LocalService and NetworkService). I'm not sure why though. In most respects they're really no different than any other account (i.e., their tokens are the same as all other tokens). It would also be a lot easier to work with them rather than relying on a service as you're now finding out. You may want to try contacting Keith Brown himself or opening an incident with MSFT. If there's an easier way I'd like to know as well (but I'd be surprised).

On Jul 29, 6:48 am, "Larry Smith" wrote:

> > Thanks for the tip.
> >
> > Actually, I have thought of creating a temporary service to call
> > CreateProcess (cmdasuser does exactly this when requesting localsystem
> > user).
> > I'm curious if there is a more compact way...
>
> Anything's possible but I've never come across one. There's no password for
> this account so it seems doubtful that "LogonUser()" can be applied. At
> least it makes no mention of this while "CreateService()" specifically does.
> It also seems highly doubtful that "LogonUser()" was ever intended for these
> special accounts (System, LocalService and NetworkService). I'm not sure why
> though. In most respects they're really no different than any other account
> (i.e., their tokens are the same as all other tokens). It would also be a
> lot easier to work with them rather than relying on a service as you're now
> finding out. You may want to try contacting Keith Brown himself or opening
> an incident with MSFT. If there's an easier way I'd like to know as well
> (but I'd be surprised).

Another possibility is to dumb down the LocalSystem token using CreateRestrictedToken. See http://msdn.microsoft.com/en-us/library/aa379316(VS.85).aspx for more info.

Dave
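
The CreateRestrictedToken route mentioned in the last reply, as an added example that is not part of the original thread or of cmdasuser. The function name `run_restricted`, the use of `DISABLE_MAX_PRIVILEGE` and the choice to make BUILTIN\Administrators deny-only are assumptions about how far to cut the token down; the `#else` branch only lets the file compile off Windows.

```c
/* Added example (not from the thread). Targets Windows XP or later. */
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>

/* Start cmdline (a writable buffer) under a cut-down copy of the caller's
   own token, e.g. the SYSTEM token of a service.
   Returns 0 on success, otherwise the GetLastError() value. */
unsigned long run_restricted(wchar_t *cmdline)
{
    HANDLE self = NULL, low = NULL;
    BYTE admins[SECURITY_MAX_SID_SIZE];
    DWORD len = sizeof admins, err = 0;
    SID_AND_ATTRIBUTES deny;
    STARTUPINFOW si = { sizeof si };
    PROCESS_INFORMATION pi = { 0 };

    if (!OpenProcessToken(GetCurrentProcess(),
            TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ASSIGN_PRIMARY, &self))
        return GetLastError();
    /* BUILTIN\Administrators becomes a deny-only group in the new token. */
    if (!CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admins, &len)) {
        err = GetLastError();
        goto done;
    }
    deny.Sid = admins;
    deny.Attributes = 0;
    /* DISABLE_MAX_PRIVILEGE drops every privilege except SeChangeNotifyPrivilege. */
    if (!CreateRestrictedToken(self, DISABLE_MAX_PRIVILEGE, 1, &deny,
                               0, NULL, 0, NULL, &low)) {
        err = GetLastError();
        goto done;
    }
    if (!CreateProcessAsUserW(low, NULL, cmdline, NULL, NULL, FALSE,
                              CREATE_NO_WINDOW, NULL, NULL, &si, &pi)) {
        err = GetLastError();
        goto done;
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
done:
    if (low) CloseHandle(low);
    if (self) CloseHandle(self);
    return err;
}
#else
/* Non-Windows build: no token API; report ERROR_CALL_NOT_IMPLEMENTED (120). */
unsigned long run_restricted(wchar_t *cmdline) { (void)cmdline; return 120UL; }
#endif
```

The child process still has SYSTEM as its user SID, so objects whose ACLs grant access to SYSTEM stay reachable; this shrinks the token but is not equivalent to running as NT AUTHORITY\LOCAL SERVICE.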