How to call LogonUser() to get a non-restricted full token inside a Windows Service with UAC enabled?


Question

I am running a Windows service on Windows Server 2012 and it needs to impersonate a domain admin user (who is also added to the local Administrators group on the machine).

UAC is enabled on the system, and calling LogonUser with the credentials and a LogonType of LOGON32_LOGON_INTERACTIVE seems to return a restricted token instead of a full token.

This is causing the administrative task I'm trying to do to fail.

What is the right way to call LogonUser in this situation so that a full token is returned instead of a restricted token?

PS: I came across a related question here, "How can I get elevated permissions (UAC) via impersonation under a non-interactive login?", but it does not show the exact calls that need to be made to get the full token.

Answer

You can get an unfiltered token from LogonUser() by using the LOGON32_LOGON_BATCH option instead of the LOGON32_LOGON_INTERACTIVE option.

There is some sample code in this answer which shows the use of LOGON32_LOGON_BATCH and the LogonUser() function to obtain an administrative token.

Addendum:

If you have SeTcbPrivilege, you have another option: you can use LOGON32_LOGON_INTERACTIVE when calling LogonUser() and then use the TokenLinkedToken option in GetTokenInformation() to obtain a handle to the elevated token that is linked to the filtered token.

SeTcbPrivilege is also known as "Act as part of the operating system" and is usually only available when you are running in the local system context.

If you do not have SeTcbPrivilege, you can still call GetTokenInformation() to fetch a copy of the linked token, but in this case you get an impersonation token at SecurityIdentification level, so it is of no use if you want to create a new process. (Credit to RbMm for pointing this out.)
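The following PowerShell script is an added example, not code from the question, the answer, or the linked answer. It calls LogonUser() through P/Invoke with both logon types and inspects the resulting token, so you can observe the behaviour the answer and its addendum describe: an interactive logon of an admin account returns a UAC-filtered (Limited) token whose linked token is the Full one, a batch logon returns an unfiltered token, and the linked token fetched via TokenLinkedToken is a primary token only when the caller holds SeTcbPrivilege (otherwise an Identification-level impersonation token). The class name TokenProbe and the function names are my own; the account is assumed to be a member of Administrators and to hold the "Log on as a batch job" right, which LOGON32_LOGON_BATCH requires.

```powershell
# Added example (not from the original post). Probe LogonUser() tokens under UAC.
$typeDef = @'
using System;
using System.Runtime.InteropServices;

public static class TokenProbe
{
    public const int LOGON32_LOGON_INTERACTIVE = 2;
    public const int LOGON32_LOGON_BATCH       = 4;
    public const int LOGON32_PROVIDER_DEFAULT  = 0;

    // TOKEN_INFORMATION_CLASS members used below
    public const int TokenType               = 8;
    public const int TokenImpersonationLevel = 9;
    public const int TokenElevationType      = 18;
    public const int TokenLinkedToken        = 19;
    public const int TokenElevation          = 20;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int infoClass,
        IntPtr info, int infoLength, out int returnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);

    // Unmanaged buffer of the requested size filled by GetTokenInformation; caller frees it.
    static IntPtr Query(IntPtr token, int infoClass, int size)
    {
        IntPtr buf = Marshal.AllocHGlobal(size);
        int ret;
        if (!GetTokenInformation(token, infoClass, buf, size, out ret))
        {
            int err = Marshal.GetLastWin32Error();
            Marshal.FreeHGlobal(buf);
            throw new Exception("GetTokenInformation(" + infoClass + ") failed, Win32 error " + err);
        }
        return buf;
    }

    // DWORD-sized classes: TokenType, TokenImpersonationLevel, TokenElevationType, TokenElevation
    public static int QueryDword(IntPtr token, int infoClass)
    {
        IntPtr buf = Query(token, infoClass, 4);
        try { return Marshal.ReadInt32(buf); } finally { Marshal.FreeHGlobal(buf); }
    }

    // TOKEN_LINKED_TOKEN is a single HANDLE; the caller must CloseHandle() it.
    public static IntPtr QueryLinkedToken(IntPtr token)
    {
        IntPtr buf = Query(token, TokenLinkedToken, IntPtr.Size);
        try { return Marshal.ReadIntPtr(buf); } finally { Marshal.FreeHGlobal(buf); }
    }
}
'@
Add-Type -TypeDefinition $typeDef

# Summarise the properties that matter for UAC: primary vs impersonation,
# elevation type (Default / Full / Limited), and whether it is elevated.
function Get-TokenDescription([IntPtr]$Token) {
    $type     = [TokenProbe]::QueryDword($Token, [TokenProbe]::TokenType)           # 1 primary, 2 impersonation
    $elevType = [TokenProbe]::QueryDword($Token, [TokenProbe]::TokenElevationType)  # 1 Default, 2 Full, 3 Limited
    $desc = [ordered]@{
        TokenType     = @{1='Primary'; 2='Impersonation'}[$type]
        ElevationType = @{1='Default'; 2='Full'; 3='Limited'}[$elevType]
        IsElevated    = [bool][TokenProbe]::QueryDword($Token, [TokenProbe]::TokenElevation)
    }
    # TokenImpersonationLevel can only be queried on impersonation tokens.
    if ($type -eq 2) {
        $level = [TokenProbe]::QueryDword($Token, [TokenProbe]::TokenImpersonationLevel)
        $desc.ImpersonationLevel = @{0='Anonymous'; 1='Identification'; 2='Impersonation'; 3='Delegation'}[$level]
    }
    $desc
}

function Get-LogonTokenInfo {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][ValidateSet('Interactive','Batch')][string]$LogonType
    )
    $nc     = $Credential.GetNetworkCredential()
    $domain = if ($nc.Domain) { $nc.Domain } else { $null }   # $null lets LogonUser parse a UPN
    $lt     = if ($LogonType -eq 'Batch') { [TokenProbe]::LOGON32_LOGON_BATCH } else { [TokenProbe]::LOGON32_LOGON_INTERACTIVE }

    $tok = [IntPtr]::Zero
    if (-not [TokenProbe]::LogonUser($nc.UserName, $domain, $nc.Password, $lt,
                                     [TokenProbe]::LOGON32_PROVIDER_DEFAULT, [ref]$tok)) {
        throw (New-Object ComponentModel.Win32Exception([Runtime.InteropServices.Marshal]::GetLastWin32Error()))
    }
    try {
        $desc = Get-TokenDescription $tok
        $desc['LogonType'] = $LogonType
        $desc['Linked']    = $null
        # Only a UAC-filtered (Limited) token has a linked full token; querying
        # TokenLinkedToken on an unfiltered token fails.
        if ($desc.ElevationType -eq 'Limited') {
            $linked = [TokenProbe]::QueryLinkedToken($tok)
            try { $desc['Linked'] = [pscustomobject](Get-TokenDescription $linked) }
            finally { [void][TokenProbe]::CloseHandle($linked) }
        }
        [pscustomobject]$desc
    } finally {
        [void][TokenProbe]::CloseHandle($tok)
    }
}

# Usage:
#   $cred = Get-Credential     # the domain admin account from the question
#   Get-LogonTokenInfo -Credential $cred -LogonType Interactive
#   Get-LogonTokenInfo -Credential $cred -LogonType Batch
```

Run it once from an elevated admin console and once as LocalSystem (for instance under `psexec -s -i powershell.exe`, or from the service itself). In the Interactive case the outer token reports ElevationType Limited and the Linked token reports Full; as an ordinary elevated admin that linked token is an Impersonation token at Identification level, exactly the object the addendum says cannot be used to create a process, whereas as LocalSystem (which holds SeTcbPrivilege) it comes back as a Primary token. In the Batch case the token is returned unfiltered (ElevationType Default, IsElevated True) and no linked token exists, which is why the answer recommends LOGON32_LOGON_BATCH as the simpler route; if LogonUser fails with Win32 error 1385 (ERROR_LOGON_TYPE_NOT_GRANTED), grant the account the "Log on as a batch job" right.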

