23 May
Posted by: Christian Wimmer in: JEDI Windows Security Code Lib
This simple example shows how you can change the target session of a new process.
var
  NewToken,
  UserToken : TJwSecurityToken;
  S : TStartupInfo;
  P : TProcessInformation;
begin
  UserToken := TJwSecurityToken.CreateWTSQueryUserTokenEx(nil, 1); //for example: here SessionID = 1
  TJwAutoPointer.Wrap(UserToken); //automatic destroy
  NewToken := TJwSecurityToken.CreateDuplicateExistingToken(UserToken.TokenHandle, MAXIMUM_ALLOWED);
  TJwAutoPointer.Wrap(NewToken);
  //needs TCB privilege -> Service
  JwEnablePrivilege(SE_TCB_NAME, pst_Enable);
  NewToken.TokenSessionId := 2; //e.g. set to session 2 - of course it must exist
  ZeroMemory(@S, SizeOf(S));
  S.cb := SizeOf(S);
  //exemplary, but working CPAU call - adapt to your needs
  if CreateProcessAsUser(NewToken.TokenHandle, 'C:\Windows\system32\cmd.exe', nil, nil, nil, False, 0, nil, nil, S, P) then
  begin
    //we do not need the process and thread handles, so release them
    CloseHandle(P.hThread);
    CloseHandle(P.hProcess);
  end;
end;
All the source does is obtain a user's token by calling CreateWTSQueryUserTokenEx and then duplicate it, which makes it possible to change the token's session ID. The session ID is changed by setting the property TokenSessionId, which is only possible with the TCB privilege (the process must hold it, but it need not be enabled).
You can do the CreateProcess part a little better if you read this: "CreateProcess in full glory".
Did you know?
1. You can test this example in your own Delphi environment without writing a service first.
2. It is not possible to change the session ID of a running process.
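The same steps wrapped in a function with cleanup and error reporting, as an added example that is not part of the original post or of JWSCL. StartInSession is a hypothetical helper name; it assumes the JWSCL units JwsclTypes and JwsclToken and that the caller runs as a service holding SeTcbPrivilege. Unlike the snippet above it names the interactive desktop explicitly, which GUI applications need when they are started in another session.

```delphi
uses
  Windows, SysUtils, JwsclTypes, JwsclToken;

// Hypothetical helper (not a JWSCL API): start CommandLine in TargetSessionId
// using the token of the user logged on in SourceSessionId.
function StartInSession(SourceSessionId, TargetSessionId: DWORD;
  const CommandLine: string): Boolean;
var
  UserToken, NewToken: TJwSecurityToken;
  S: TStartupInfo;
  P: TProcessInformation;
  Cmd: string;
begin
  // 1. Token of the user in SourceSessionId; raises an exception on failure
  UserToken := TJwSecurityToken.CreateWTSQueryUserTokenEx(nil, SourceSessionId);
  try
    // 2. A duplicate we own, so its session ID may be rewritten
    NewToken := TJwSecurityToken.CreateDuplicateExistingToken(
      UserToken.TokenHandle, MAXIMUM_ALLOWED);
    try
      // 3. SeTcbPrivilege must be present in our token (service context)
      JwEnablePrivilege(SE_TCB_NAME, pst_Enable);
      NewToken.TokenSessionId := TargetSessionId;

      // 4. Name the interactive desktop; without it GUI apps may fail to show
      ZeroMemory(@S, SizeOf(S));
      S.cb := SizeOf(S);
      S.lpDesktop := 'winsta0\default';
      Cmd := CommandLine; // CreateProcess* may write into the buffer
      Result := CreateProcessAsUser(NewToken.TokenHandle, nil, PChar(Cmd),
        nil, nil, False, 0, nil, nil, S, P);
      if not Result then
        RaiseLastOSError; // e.g. the target session does not exist

      // We do not keep the handles, so release them right away
      CloseHandle(P.hThread);
      CloseHandle(P.hProcess);
    finally
      NewToken.Free;
    end;
  finally
    UserToken.Free;
  end;
end;
```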
2 Responses
Remko
24|May|2008
Don't forget that if the new Session Id is a session belonging to another user you need to assure permissions on the desktop (by default even administrators do not have permissions on another user's winstation and desktop). This is only an issue for GUI apps, console (cmd.exe) doesn't need desktop permissions.
Christian Wimmer
08|Sep|2008
If you want to run an application on the Winlogon Desktop (whatsoever session) your token must be a SYSTEM token, or the Winlogon Desktop DACL must grant access to the user token. However changing the DACL of this secure desktop is not recommended!
If you want to use the service’s token instead of CreateWTSQueryUserTokenEx you can just use CreateTokenByProcess to duplicate the current process token (and retrieve a new token instance). A duplicated token allows the change of its session ID.
var
  NewToken : TJwSecurityToken;
begin
  //true duplicates the token
  NewToken := TJwSecurityToken.CreateTokenByProcess(0, TOKEN_ALL_ACCESS, true);
end;