System Account...

Hi:

How can I run my application in the security context of the System account without using a Service?

Thanks.

> How can I run my application in the security context of the System account without using a Service?

Impossible. You must have a service which will launch it.

Max

Hello,

This can be done as follows.

Get a handle to some process, say WINLOGON.EXE, which runs in the SYSTEM account, using the OpenProcess call. To get the handle to this process you will need to enable the Debug privilege.

Hook the NtCreateProcess call in NTDLL.DLL. This call takes 8 parameters, of which the 4th parameter is the handle to the parent process (the user-mode CreateProcess call by default passes the current process handle for this parameter). The hooking can be done either by patching the code or by patching the import tables.

After this, you launch the application you want to run in the SYSTEM context. The CreateProcess call will make a call to NtCreateProcess. Your hook will get control; here you modify the fourth parameter, set it to the handle you obtained in the previous steps (the handle to the WINLOGON.EXE process), and chain on the call to the original NtCreateProcess function.

By doing this, the application you launched will run in the SYSTEM security context and will inherit all the process properties of the WINLOGON.EXE process.

-Prasad

— “J. A.” wrote:
> Hi:
>
> How can I run my application in the security context
> of the System account without using a Service?
>
> Thanks.
>

=====
Prasad S. Dabak
Director of Engineering, Windows NT/2000 Division
Cybermedia Software Private Limited
http://www.cybermedia.co.in
Co-author of the book “Undocumented Windows NT”
ISBN 0764545698

Hello,

Alternatively, it should be possible to achieve this by using the OpenProcess and OpenProcessToken calls to get a handle to the security token of WINLOGON.EXE, converting it into a primary token using the DuplicateTokenEx call, and then using the CreateProcessAsUser call to launch the process.

-Prasad


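Both of Prasad's answers leave the same trace on a running machine: a process whose token says NT AUTHORITY\SYSTEM but whose creator was an ordinary user's program. The PowerShell below is an added example for administrators reviewing a box, not code from the thread or from either poster. It takes one snapshot of the process list through the Win32_Process CIM class, reads each process owner's SID with the class's GetOwnerSid method (compared against the well-known SID S-1-5-18 so it works on localized Windows), and reports every SYSTEM-owned process whose parent is not itself SYSTEM-owned. The function names are mine; it assumes an elevated prompt, since owner lookups on other users' processes fail otherwise and are reported as unknown.

```powershell
# Added example (not from the ntdev thread): report SYSTEM-owned processes
# whose parent process runs under a different account. Run elevated.

$LocalSystemSid = 'S-1-5-18'   # well-known SID of NT AUTHORITY\SYSTEM, locale-independent
$KernelProcessId = 4           # the 'System' process; GetOwnerSid fails on it, treat it as SYSTEM

function Get-ProcessOwnerSid {
    # Returns the owner SID string of a Win32_Process instance, or $null when it
    # cannot be read (access denied, or the process exited between the two calls).
    param([Parameter(Mandatory)] $Process)
    $r = Invoke-CimMethod -InputObject $Process -MethodName GetOwnerSid -ErrorAction SilentlyContinue
    if ($null -eq $r -or $r.ReturnValue -ne 0 -or [string]::IsNullOrEmpty($r.Sid)) { return $null }
    return $r.Sid
}

function Find-SystemChildrenOfUserParents {
    # One snapshot; owner lookups are done once per PID and cached.
    $procs = @(Get-CimInstance -ClassName Win32_Process)
    $byPid = @{}
    $ownerSid = @{}
    foreach ($p in $procs) {
        $byPid[[uint32]$p.ProcessId] = $p
        $ownerSid[[uint32]$p.ProcessId] = if ([uint32]$p.ProcessId -eq $KernelProcessId) { $LocalSystemSid } else { Get-ProcessOwnerSid -Process $p }
    }

    foreach ($p in $procs) {
        # Only SYSTEM-owned processes are of interest here.
        if ($ownerSid[[uint32]$p.ProcessId] -ne $LocalSystemSid) { continue }

        $parent = $byPid[[uint32]$p.ParentProcessId]
        $reason = $null
        $parentName = '<none>'
        if ($null -eq $parent) {
            # The creator has already exited; nothing to compare against, report for review.
            $reason = 'parent exited'
        }
        elseif ($parent.CreationDate -gt $p.CreationDate) {
            # PID recycled: a parent younger than its child cannot be the real creator.
            $parentName = $parent.Name
            $reason = 'parent PID reused'
        }
        else {
            $parentName = $parent.Name
            $parentSid = $ownerSid[[uint32]$parent.ProcessId]
            if ($null -eq $parentSid) { $reason = 'parent owner unknown (not elevated?)' }
            elseif ($parentSid -ne $LocalSystemSid) { $reason = "parent runs as $parentSid" }
        }
        if ($null -eq $reason) { continue }   # SYSTEM child of a SYSTEM parent: the normal case

        [pscustomobject]@{
            ProcessId       = $p.ProcessId
            Name            = $p.Name
            ParentProcessId = $p.ParentProcessId
            ParentName      = $parentName
            Reason          = $reason
        }
    }
}

Find-SystemChildrenOfUserParents | Sort-Object Reason, Name | Format-Table -AutoSize
```

Two caveats on reading the output. On a quiet machine the "parent runs as ..." rows should be empty, because service processes and scheduled tasks are started by SYSTEM-owned parents (services.exe, svchost.exe); a SYSTEM process hanging off an interactive user's process is exactly what the token-duplication variant (OpenProcessToken, DuplicateTokenEx, CreateProcessAsUser) produces. The hooking variant, by contrast, deliberately records WINLOGON.EXE as the parent, so this after-the-fact check cannot flag it; for that case only creation-time auditing that records which process actually issued the call (Sysmon event ID 1, or Security event 4688 with its Creator Process fields) gives the defender anything to compare.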