How to call LogonUser() to get a non-restricted full token inside a Windows Service with UAC enabled?


Problem description

I am running a WindowsService on Windows Server 2012 and it needs to impersonate a domain admin user (who is also added to the local administrators group on the machine).

UAC is enabled on the system, and calling LogonUser using the credentials with a LogonType of LOGON32_LOGON_INTERACTIVE seems to return a restricted token instead of a full token.

This is causing the administrative task I'm trying to do to fail.

What is the right way to call LogonUser in this situation so that a full token is returned instead of a restricted token?

PS: I came across a related question here, "How can I get elevated permissions (UAC) via impersonation under a non-interactive login?", but it does not show the exact calls that need to be made to get the full token.

Recommended answer

You can get an unfiltered token from LogonUser() by using the LOGON32_LOGON_BATCH option instead of the LOGON32_LOGON_INTERACTIVE option.

There is some sample code in this answer which shows the use of LOGON32_LOGON_BATCH and the LogonUser() function to obtain an administrative token.

Addendum:

If you have SeTcbPrivilege, you have another option: you can use LOGON32_LOGON_INTERACTIVE when calling LogonUser() and then use the TokenLinkedToken option in GetTokenInformation() to obtain a handle to the elevated token that is linked to the filtered token.

SeTcbPrivilege is also known as "Act as part of the operating system" and is usually only available when you are running in local system context.

If you do not have SeTcbPrivilege, you can still call GetTokenInformation() to fetch a copy of the linked token, but in this case you get an impersonation token at SecurityIdentification level so it is of no use if you are wanting to create a new process. (Credit to RbMm for pointing this out.)
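Both paths from the answer, the LOGON32_LOGON_BATCH logon and the TokenLinkedToken lookup after an interactive logon, as an added example that is not code from the original question or answer. It assumes .NET on Windows with the P/Invoke declarations shown; the credentials are supplied by the caller, and the two checks (TokenElevation for the batch token, TokenType for the linked token) let the service verify which kind of token it actually received before trying to use it.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
// Added example (not the original post's code); assumes .NET on Windows, credentials supplied by the caller.
static class FullTokenLogon
{
    const int LOGON32_LOGON_INTERACTIVE = 2, LOGON32_LOGON_BATCH = 4, LOGON32_PROVIDER_DEFAULT = 0;
    // TOKEN_INFORMATION_CLASS values used below, plus TOKEN_TYPE.TokenPrimary
    const int TokenType = 8, TokenLinkedToken = 19, TokenElevation = 20, TokenPrimary = 1;
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password, int logonType, int provider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, out int info, int length, out int returned);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, out IntPtr info, int length, out int returned);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
    // Reads a DWORD-sized token attribute (TokenElevation -> TokenIsElevated, TokenType).
    static int QueryInt(IntPtr token, int infoClass)
    {
        int value, returned;
        if (!GetTokenInformation(token, infoClass, out value, sizeof(int), out returned)) throw new Win32Exception();
        return value;
    }
    // Path from the answer: a batch logon is not UAC-filtered, so for a member of Administrators
    // the primary token it returns reports TokenIsElevated != 0.
    public static IntPtr LogonBatch(string user, string domain, string password, out bool elevated)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_BATCH, LOGON32_PROVIDER_DEFAULT, out token)) throw new Win32Exception();
        elevated = QueryInt(token, TokenElevation) != 0;
        return token;
    }
    // Path from the addendum: an interactive logon yields the filtered token and TokenLinkedToken
    // hands back the full one. Only a caller holding SeTcbPrivilege gets a primary token; otherwise
    // it is an identification-level impersonation token, which CreateProcessAsUser cannot use.
    public static IntPtr LinkedFromInteractive(string user, string domain, string password, out bool usableForProcess)
    {
        IntPtr filtered, linked;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out filtered)) throw new Win32Exception();
        int returned;
        bool ok = GetTokenInformation(filtered, TokenLinkedToken, out linked, IntPtr.Size, out returned);
        CloseHandle(filtered);
        if (!ok) throw new Win32Exception();
        usableForProcess = QueryInt(linked, TokenType) == TokenPrimary;
        return linked;
    }
}
```

The batch path only succeeds if the account holds the "Log on as a batch job" right on that machine, so LogonUser() failing with an access-denied error there points at local security policy rather than at the credentials.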

