On Jan 8, 2008 12:09 PM, Christoph Lindemann
wrote:
> You could try dumping the thread token, to see who/if the thread is
> currently impersonating.
>
> You might need to load the registry hive of the user manually before you
> can access it.
Thanks again, Christoph,
Turns out it was already done for me. HKCU is good to go.
However, I’m running in a different session. (session id 0)
I tried the following to spawn a process on the current user’s desktop:
// at one point I ran amok with access masks (TOKEN_QUERY sufficient?)
#include <windows.h>

HANDLE hToken;
if (OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_DUPLICATE
    | TOKEN_ASSIGN_PRIMARY | TOKEN_IMPERSONATE, FALSE, &hToken))
{
    HANDLE hDupToken;
    // the thread token is an impersonation token; a primary token is
    // needed to start a process from it
    if (DuplicateTokenEx(hToken, TOKEN_QUERY | TOKEN_DUPLICATE |
        TOKEN_ASSIGN_PRIMARY | TOKEN_IMPERSONATE, NULL, SecurityImpersonation,
        TokenPrimary, &hDupToken))
    {
        STARTUPINFOW si = { sizeof(si) };   // lpStartupInfo must not be NULL; lpDesktop left unset
        PROCESS_INFORMATION pi;
        // CreateProcessWithTokenW takes wide strings, so L"" rather than _T("")
        if (CreateProcessWithTokenW(hDupToken, LOGON_WITH_PROFILE,
            L"C:\\svn\\source\\test.exe", NULL, 0, NULL, NULL, &si, &pi))
        {
            CloseHandle(pi.hProcess);
            CloseHandle(pi.hThread);
        }
        CloseHandle(hDupToken);
    }
    CloseHandle(hToken);
}
CreateProcessWithTokenW returns a big fat error 5 (Access denied). Do
I need to supply the window station name in the STARTUPINFO struct
(that I currently do not use)? Or did I miss a step in setting up the
token?
(ShellExecute on the same executable works, except it pops up in session 0)
--
Rune