Creating a process as a different user

This is not exactly a device driver question, but I figure all the
system-level folks here can probably help…

Within a user-mode process, I need to be able to launch another process
as another user. I think I can do that with LogonUser() and
CreateProcessAsUser(), or one of the related calls. The problem is that
for all of those functions, I need to supply the password as clear
text. This means I need to either prompt the user interactively to
enter the password as needed, or I need to obtain the password in
advance, encrypt it, store it on disk, and decrypt it as needed. User
interaction is not acceptable for my current work. And I would like to
avoid dealing with encryption and the security implications of storing
the password myself if at all possible. My process that is trying to
launch the other process is already running as the system account. So
I’m wondering, given my somewhat privileged status, is it possible to
create a process as a different user, particularly a less privileged
user, without specifying the password? I know that on UNIX, you can
always go from root to other users without the password. I’m wondering
if it is possible to do the same thing in Windows.

To give some background, I’m working on an NT4 style printer port
monitor, and it needs to launch an application after every print job for
further processing. The monitor is attached to the spoolsv.exe process,
which the XP task manager says is run as the user “SYSTEM”. The
application needs to be launched as a different user because it needs to
access a particular printer that is only set up for that user. I also
want to make sure HKEY_CURRENT_USER gets set correctly. Plus, I think
it is a bad idea to just launch stuff under the system account.

Thanks in advance for any insights!

If you call LogonUser() you’re going to need lots of scary privileges
(such as TCB) which from a security PoV I wouldn’t recommend.

Suppose you want to launch processes as the user FRED. This is the way I
did it (on NT4.0)…

Write a service and run it as FRED. (This means that the SCM takes care of
passwords for you…) The service offers a named pipe which you can connect
to and send it command lines. This command line can be used as a parameter
to CreateProcess().

If you need the process to be interactive you will need to add FRED to the
ACL on the Window Station WinSta0 and on the Desktop Default (assuming that
you’re on that desktop…). That code will have to run as you. When you call
CreateProcess() you can specify the desktop to run the process on as
“WinSta0\Default”.

Hope this helps (and makes sense)

Richie

On Tuesday, May 14, 2002 3:27 AM, Faris Y. Yau [SMTP:xxxxx@stg.com] wrote:

This is not exactly a device driver question, but I figure all the
system-level folks here can probably help…

Within a user-mode process, I need to be able to launch another process
as another user.
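One way to build the service Richie describes, as an added example that is not code from the thread: a Windows PowerShell 5.1 script intended to be hosted under the FRED account by the SCM (through a service wrapper or a scheduled task; this hosting is assumed), listening on a named pipe whose DACL admits only LocalSystem (the account spoolsv.exe runs as) and FRED. The worker path C:\PostPrint\PostProcess.exe, the job directory C:\PostPrint\Jobs and the pipe name PostPrintJobs are hypothetical. The point the post leaves implicit is that this pipe is a remote-control channel into FRED's account, so it must not accept an arbitrary command line: the script takes a single job file name, confines it to the job directory and always runs the same fixed executable.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 (.NET Framework)
# hosted under the FRED account by the SCM, and hypothetical paths: the worker
# C:\PostPrint\PostProcess.exe and job files under C:\PostPrint\Jobs. The pipe
# name PostPrintJobs is made up for the example.
$PipeName = 'PostPrintJobs'
$Worker   = 'C:\PostPrint\PostProcess.exe'
$JobDir   = 'C:\PostPrint\Jobs\'

function Test-JobArgument {
    # The pipe is a command channel into FRED's account, so never accept a free-form
    # command line. Accept one token: a plain file name that resolves inside $JobDir.
    param([string]$Request)
    if ($Request -notmatch '^[A-Za-z0-9_.-]{1,64}$') { return $null }
    $full = [IO.Path]::GetFullPath((Join-Path $JobDir $Request))
    if (-not $full.StartsWith($JobDir, [StringComparison]::OrdinalIgnoreCase)) { return $null }
    if (-not (Test-Path -LiteralPath $full -PathType Leaf)) { return $null }
    return $full
}

function New-PipeSecurity {
    # DACL: LocalSystem (spoolsv.exe) may open the pipe for read/write; FRED keeps
    # full control so the server can recreate it. Nobody else can queue work for FRED.
    $sec = [System.IO.Pipes.PipeSecurity]::new()
    $system = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
    $owner = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    # SYNCHRONIZE is included because GENERIC_READ/GENERIC_WRITE on CreateFile ask for it.
    $clientRights = [System.IO.Pipes.PipeAccessRights]'ReadWrite, Synchronize'
    $sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new(
        $system, $clientRights, [System.Security.AccessControl.AccessControlType]::Allow))
    $sec.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new(
        $owner, [System.IO.Pipes.PipeAccessRights]::FullControl,
        [System.Security.AccessControl.AccessControlType]::Allow))
    return $sec
}

while ($true) {
    # One instance, byte mode; the DACL is applied at creation, before any client connects.
    $pipe = [System.IO.Pipes.NamedPipeServerStream]::new(
        $PipeName, [System.IO.Pipes.PipeDirection]::InOut, 1,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::None, 4096, 4096, (New-PipeSecurity))
    try {
        $pipe.WaitForConnection()
        $reader = [System.IO.StreamReader]::new($pipe)
        $writer = [System.IO.StreamWriter]::new($pipe)
        $writer.AutoFlush = $true
        $jobFile = Test-JobArgument -Request $reader.ReadLine()
        if ($null -eq $jobFile) {
            $writer.WriteLine('ERR rejected')
            continue
        }
        # CreateProcess from FRED's own process: the child gets FRED's token, profile
        # and HKEY_CURRENT_USER without LogonUser or any extra privilege.
        $proc = Start-Process -FilePath $Worker -ArgumentList ('"{0}"' -f $jobFile) -PassThru -WindowStyle Hidden
        $writer.WriteLine("OK pid=$($proc.Id)")
    } catch {
        Write-Warning "pipe request failed: $_"
    } finally {
        $pipe.Dispose()
    }
}
```

The port monitor, running inside spoolsv.exe as SYSTEM, connects to \\.\pipe\PostPrintJobs, writes one line with the job file name and reads the reply. The worker runs non-interactively, which also sidesteps the WinSta0 and Default desktop ACL work the post describes for interactive children. On PowerShell 7 (.NET Core) the eight-argument NamedPipeServerStream constructor is absent; NamedPipeServerStreamAcl.Create takes the PipeSecurity instead.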

If you want to perform unauthenticated process creation, you need ‘create
a token’ and I think ‘replace a process level token’, maybe some others,
and you use NtCreateToken(), which AFAIK isn’t documented. Once you have
the token, you can use it with CreateProcessAsUser().

These let you create user tokens without having to bother with the whole
tedious “logging on” process, so you can masquerade as any user without
bothering to authenticate.

This carries with it some risk – if the spawned process has, for
instance, a common open or save dialogue box, one can trivially use it to
spawn further processes as this user. I don’t know if one can restrict
the capabilities of the token to not permit subsequent tasks to be
spawned, or something along those lines, but it would seem desirable.

On Mon, 13 May 2002, Faris Y. Yau wrote:

This is not exactly a device driver question, but I figure all the
system-level folks here can probably help…

Within a user-mode process, I need to be able to launch another process
as another user.




Peter xxxxx@inkvine.fluff.org
http://www.inkvine.fluff.org/~peter/

logic kicks ass:
(1) Horses have an even number of legs.
(2) They have two legs in back and fore legs in front.
(3) This makes a total of six legs, which certainly is an odd number of
legs for a horse.
(4) But the only number that is both odd and even is infinity.
(5) Therefore, horses must have an infinite number of legs.
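Peter's open question, whether the spawned process can be kept from spawning further processes, has a documented answer that needs no undocumented calls and no special privilege: put the child in a job object whose JOBOBJECT_BASIC_LIMIT_INFORMATION sets ActiveProcessLimit to 1, after which any CreateProcess from inside the job fails. The following is an added example, not code from the thread, for Windows PowerShell 5.1 on 64-bit Windows using P/Invoke through Add-Type; the worker path and its argument are hypothetical.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 on 64-bit
# Windows; C:\PostPrint\PostProcess.exe and its argument are hypothetical.
Add-Type -Namespace Win32 -Name Job -MemberDefinition @'
    [StructLayout(LayoutKind.Sequential)]
    public struct JOBOBJECT_BASIC_LIMIT_INFORMATION {
        public long    PerProcessUserTimeLimit;
        public long    PerJobUserTimeLimit;
        public uint    LimitFlags;
        public UIntPtr MinimumWorkingSetSize;
        public UIntPtr MaximumWorkingSetSize;
        public uint    ActiveProcessLimit;
        public UIntPtr Affinity;
        public uint    PriorityClass;
        public uint    SchedulingClass;
    }
    public const int  JobObjectBasicLimitInformation = 2;
    public const uint JOB_OBJECT_LIMIT_ACTIVE_PROCESS = 0x00000008;

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateJobObject(IntPtr lpJobAttributes, string lpName);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool SetInformationJobObject(IntPtr hJob, int infoClass,
        ref JOBOBJECT_BASIC_LIMIT_INFORMATION info, int cbInfo);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool AssignProcessToJobObject(IntPtr hJob, IntPtr hProcess);
'@

function Get-LastWin32Message {
    $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    return ([ComponentModel.Win32Exception]$code).Message + " (error $code)"
}

function Start-ProcessInSingleProcessJob {
    param([Parameter(Mandatory)][string]$FilePath, [string]$ArgumentList)

    $job = [Win32.Job]::CreateJobObject([IntPtr]::Zero, $null)
    if ($job -eq [IntPtr]::Zero) { throw "CreateJobObject: $(Get-LastWin32Message)" }

    # One active process per job and no JOB_OBJECT_LIMIT_BREAKAWAY_OK: a CreateProcess
    # issued by the child (for example from a common open/save dialog) is refused.
    $limits = New-Object -TypeName 'Win32.Job+JOBOBJECT_BASIC_LIMIT_INFORMATION'
    $limits.LimitFlags         = [Win32.Job]::JOB_OBJECT_LIMIT_ACTIVE_PROCESS
    $limits.ActiveProcessLimit = 1
    $size = [Runtime.InteropServices.Marshal]::SizeOf($limits)
    if (-not [Win32.Job]::SetInformationJobObject($job,
            [Win32.Job]::JobObjectBasicLimitInformation, [ref]$limits, $size)) {
        throw "SetInformationJobObject: $(Get-LastWin32Message)"
    }

    $startArgs = @{ FilePath = $FilePath; PassThru = $true; WindowStyle = 'Hidden' }
    if ($ArgumentList) { $startArgs.ArgumentList = $ArgumentList }
    $proc = Start-Process @startArgs
    # Process.Handle is opened with enough access (PROCESS_SET_QUOTA, PROCESS_TERMINATE)
    # for the assignment. If it fails, do not leave an unrestricted child behind.
    if (-not [Win32.Job]::AssignProcessToJobObject($job, $proc.Handle)) {
        $msg = Get-LastWin32Message
        $proc.Kill()
        throw "AssignProcessToJobObject: $msg"
    }
    # The job object lives as long as the child is inside it, so the limit stays in
    # force even if the caller drops $job.
    return [pscustomobject]@{ Process = $proc; JobHandle = $job }
}

$r = Start-ProcessInSingleProcessJob -FilePath 'C:\PostPrint\PostProcess.exe' `
        -ArgumentList '"C:\PostPrint\Jobs\00042.spl"'
"started pid $($r.Process.Id) inside a one-process job"
```

Two caveats. Start-Process cannot create the child suspended, so there is a short window between creation and AssignProcessToJobObject; a C implementation would pass CREATE_SUSPENDED to CreateProcess or CreateProcessAsUser, assign the new process to the job, then call ResumeThread. On Windows 7 and earlier the assignment also fails if the calling process is itself already in a job without JOB_OBJECT_LIMIT_BREAKAWAY_OK, because nested jobs only arrived with Windows 8. The same job can additionally carry JOBOBJECT_BASIC_UI_RESTRICTIONS (clipboard, desktop switching, ExitWindows) if the worker has a UI.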

I will say using SYSTEM privilege will be best for each user. And if you
have current user specific things then you can say GetCurrentUser.
But on Windows there is no support to run a process as another user without
knowing his password.
Or set the program to run for a particular user.

> I’m wondering, given my somewhat privileged status, is it possible to
> create a process as a different user, particularly a less privileged
> user, without specifying the password?

Undocumented NtCreateToken call is the only solution, if solution at all.

The thing is that LSA maintains its structure for each logon ID, which is
destroyed at logoff and queried in LsaCallAuthenticationPackage used for
things like the SMB redirector. Your NtCreateToken will not create this
structure, thus LSA can crash.

Max

At 04.27 14/05/2002, you wrote:

I know that on UNIX, you can always go from root to other users without
the password. I’m wondering if it is possible to do the same thing in Windows.

You can, I think, by writing a subauthentication package. See the Cygwin
project; IIRC they implemented what you need (setuid(), the “su” utility,
etc.). The Platform SDK also has two sample subauths
(WinBase\Security\WinNT\SubAuth and WinBase\Security\Win2000\KerbSubAuth,
respectively for MSV1_0 and Kerberos) you might want to check out.