服务进程创建一个带窗口的进程,过UAC

转载 2013年08月26日 01:08:47
主要代码如下:
DWORD FindSessionPid(LPSTR lpProcessName, DWORD dwSessionId)
{
DWORD res = 0;

PROCESSENTRY32 procEntry;

HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnap == INVALID_HANDLE_VALUE)
{
   return res ;
}

procEntry.dwSize = sizeof(PROCESSENTRY32);

if (!Process32First(hSnap, &procEntry))
{
   goto _end;
}

do
{
   if (_stricmp(procEntry.szExeFile, lpProcessName) == 0)
   {
    DWORD winlogonSessId = 0;
    if (ProcessIdToSessionId(procEntry.th32ProcessID, &winlogonSessId) && winlogonSessId == dwSessionId)
    {
     res = procEntry.th32ProcessID;
     break;
    }
   }

} while (Process32Next(hSnap, &procEntry));

_end:
CloseHandle(hSnap);
return res;
}

BOOL LaunchAppIntoDifferentSession(LPSTR lpCmdLine)
{
PROCESS_INFORMATION pi;
STARTUPINFO si;
BOOL bResult = FALSE;
DWORD dwSessionId = 0, winlogonPid = 0;
HANDLE hUserToken, hUserTokenDup, hPToken, hProcess;
DWORD dwCreationFlags;

// Log the client on to the local computer.

typedef DWORD (WINAPI *__pfnWTSGetActiveConsoleSessionId)();
typedef BOOL (WINAPI *__pfnWTSQueryUserToken)( ULONG SessionId, PHANDLE phToken );

__pfnWTSGetActiveConsoleSessionId pfnWTSGetActiveConsoleSessionId =
   (__pfnWTSGetActiveConsoleSessionId)GetProcAddress(LoadLibraryA("kernel32.dll"), "WTSGetActiveConsoleSessionId");

__pfnWTSQueryUserToken pfnWTSQueryUserToken =
   (__pfnWTSQueryUserToken)GetProcAddress(LoadLibraryA("Wtsapi32.dll"), "WTSQueryUserToken");

if(pfnWTSGetActiveConsoleSessionId == NULL)
{
   WriteLog("Not found api: WTSGetActiveConsoleSessionId\n");
   return 0;
}
if(pfnWTSQueryUserToken == NULL)
{
   WriteLog("Not found api: WTSQueryUserToken\n");
   return 0;
}

dwSessionId = pfnWTSGetActiveConsoleSessionId();

winlogonPid = FindSessionPid("explorer.exe", dwSessionId);

if(winlogonPid == 0)
{
   winlogonPid = FindSessionPid("winlogon.exe", dwSessionId);
}

if(winlogonPid == 0)
{
   WriteLog("Can't Find Explorer\n");
   return 0;
}

////////////////////////////////////////////////////////////////////////

dwCreationFlags = NORMAL_PRIORITY_CLASS|CREATE_NEW_CONSOLE;
ZeroMemory(&si, sizeof(STARTUPINFO));
si.cb= sizeof(STARTUPINFO);
si.lpDesktop = "winsta0\\default";
ZeroMemory(&pi, sizeof(pi));

TOKEN_PRIVILEGES tp;
LUID luid;
LPVOID TokenInformation;
DWORD RetLen = 0;

if( !pfnWTSQueryUserToken(dwSessionId, &hUserToken) )
{
   hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, winlogonPid);

   if(!OpenProcessToken(hProcess, TOKEN_ALL_ACCESS_P, &hPToken))
   {
    char pTemp[121];
    sprintf(pTemp, "Process token open Error: %u\n", GetLastError());
    WriteLog(pTemp);
   }

   if(hPToken == NULL)
   {
    WriteLog("Process tokenError: \n");
   }
}
else
{
   hPToken = hUserToken;
}

if(GetTokenInformation(hPToken, TokenLinkedToken, &TokenInformation, 4, &RetLen))
{
   hUserTokenDup = TokenInformation;
}
else
{
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
    {
     char pTemp[121];
     sprintf(pTemp, "Lookup Privilege value Error: %u\n", GetLastError());
     WriteLog(pTemp);
    }

   if(!DuplicateTokenEx(hPToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hUserTokenDup))
   {
    char pTemp[121];
    sprintf(pTemp, "DuplicateTokenEx Error: %u\n", GetLastError());
    WriteLog(pTemp);
   }
}

LPVOID pEnv = NULL;

if(CreateEnvironmentBlock(&pEnv, hUserTokenDup, TRUE))
{
   dwCreationFlags |= CREATE_UNICODE_ENVIRONMENT;
}
else
{
   WriteLog("CreateEnvironmentBlock Failed\n");
   pEnv = NULL;
}

// Launch the process in the client's logon session.

bResult = CreateProcessAsUser(
   hUserTokenDup,            // client's access token
   NULL,       // file to execute
   lpCmdLine,         // command line     
   NULL,              // pointer to process SECURITY_ATTRIBUTES
   NULL,              // pointer to thread SECURITY_ATTRIBUTES
   FALSE,             // handles are not inheritable
   dwCreationFlags,   // creation flags
   pEnv,              // pointer to new environment block
   NULL,              // name of current directory
   &si,               // pointer to STARTUPINFO structure
   &pi                // receives information about new process
   );
// End impersonation of client.

//GetLastError Shud be 0

int iResultOfCreateProcessAsUser = GetLastError();

if(bResult == FALSE && iResultOfCreateProcessAsUser != 0)
{
   char pTemp[121];
   sprintf(pTemp, "CreateProcessAsUser Error: %u\n", GetLastError());
   WriteLog(pTemp);
}

if(pi.hProcess)
{
   CloseHandle(pi.hProcess);
}
if(pi.hThread)
{
   CloseHandle(pi.hThread);
}

//Perform All the Close Handles task

if(hProcess)
{
   CloseHandle(hProcess);
}
if(hUserToken)
{
   CloseHandle(hUserToken);
}
if(hUserTokenDup)
{
   CloseHandle(hUserTokenDup);
}
if(hPToken)
{
   CloseHandle(hPToken);
}
if(pEnv)
{
   DestroyEnvironmentBlock(pEnv);
}

return bResult;
}

调用方式:

LaunchAppIntoDifferentSession("c:\\windows\\notepad.exe");

前提是有个服务进程已经启动,然后服务进程会以管理员模式(不需要用户点UAC的框)启动一个新的可以创建窗口的进程。

安装这个服务需要点UAC的框,所以不是什么不可公开的思路。好处就一点:每次自启动的进程,不需要再让用户点UAC框了

相关文章推荐

Windows多个session下不同用户使用Global命名空间的Mutex

Windows系统中可以同时登陆多个用户,各个用户在不同的session中。对于windows 7来说,可以通过切换用户的方式,实现多个用户的同时登陆。对于windows 2012等服务器操作系统来说...
  • tzxx
  • tzxx
  • 2015年05月09日 16:42
  • 1447

在服务中用管理员权限创建一个可弹出UI的进程

do { // if (!OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hThisToken )) // ...

根据窗口title杀死一个进程

  • 2013年07月29日 08:49
  • 77KB
  • 下载

2.1 Windows核心编程-进程UAC下以管理员权限运行

从NT6.0开始,微软为了提高安全防护增加了非常多的新机制,其中对普通用户层开发人员影响最大的就是”用户账户控制系统(User Account Control , UAC)”如果想让自己的程序默认以指...
  • bxsec
  • bxsec
  • 2017年07月27日 16:13
  • 701

C++Windows下如何让窗口进程只运行一个实例

为了方便我们新建一个名为MFCTest的MFC对话框项目然后打开找到CMFCTestApp::InitInstance()函数添加单实例检测代码: BOOL CMFCTestApp::InitIns...
内容举报
返回顶部
收藏助手
不良信息举报
您举报文章:服务进程创建一个带窗口的进程,过UAC
举报原因:
原因补充:

(最多只允许输入30个字)