How to call LogonUser() to get a non-restricted full token inside a Windows Service with UAC enabled?

by

You can get an unfiltered token from LogonUser() by using the LOGON32_LOGON_BATCH option instead of the LOGON32_LOGON_INTERACTIVE option.

There is some sample code in this answer which shows the use of LOGON32_LOGON_BATCH and the LogonUser() function to obtain an administrative token.

Addendum:

If you have SeTcbPrivilege, you have another option: you can use LOGON32_LOGON_INTERACTIVE when calling LogonUser() and then use the TokenLinkedToken option in GetTokenInformation() to obtain a handle to the elevated token that is linked to the filtered token.

SeTcbPrivilege is also known as “Act as part of the operating system” and is usually only available when you are running in local system context.

If you do not have SeTcbPrivilege, you can still call GetTokenInformation() to fetch a copy of the linked token, but in this case you get an impersonation token at SecurityIdentification level so it is of no use if you are wanting to create a new process. (Credit to RbMm for pointing this out.)

More Related Contents:

  1. Privileges/owner issue when writing in C:\ProgramData\
  2. Win32: How to validate credentials against Active Directory?
  3. DLLImport of the origin function in the DLL
  4. How can I auto-elevate my batch file, so that it requests from UAC administrator rights if required?
  5. How to detect true Windows version?
  6. Is an atomic file rename (with overwrite) possible on Windows?
  7. Show touch keyboard (TabTip.exe) in Windows 10 Anniversary edition
  8. Where can I find my .emacs file for Emacs running on Windows?
  9. How to run a program automatically as admin on Windows 7 at startup?
  10. Good or evil – SetParent() win32 API between different processes
  11. What exactly are DLL files, and how do they work?
  12. Windows Visual Themes: Gallery of Parts and States?
  13. Which Font is the default for MFC Dialog Controls?
  14. Power off an USB device in software on Windows
  15. What is the smallest possible Windows (PE) executable?
  16. Programmatically change screen resolution?
  17. How do you programmatically resize and move windows with the Windows API?
  18. Win32 API analog of sending/catching SIGTERM
  19. How do I prevent DLL injection
  20. How can I invalidate the file system cache?
  21. How can I tell if a window has focus? (Win32 API)
  22. How to identify Windows 10 background store processes that have non-displayed windows that are programmatically visible and minimizable?
  23. Windows CDROM Eject
  24. How do I create a manifest file to launch application with admin privileges?
  25. How to change default sound playback device programmatically?
  26. How do I add a manifest to an executable using mt.exe?
  27. How can I stop my installer from triggering Windows 10’s “This app has been blocked for your protection” error?
  28. How can I detect Windows 8.1 in a Desktop application
  29. Do high-integrity tokens *have* to have the Administrators group enabled?
  30. What are these strange environment variables?

Leave a Comment