Re: Token Privileges
From: Yu Chen [MS] (yuchen_at_online.microsoft.com)
Date: 07/23/04
- Previous message: Yu Chen [MS]: "Re: CreateProcessWithLogonW on Server 2003"
- In reply to: Jordi Gou: "Re: Token Privileges"
Date: Thu, 22 Jul 2004 15:43:46 -0700
> How can I log off and log on? Could you show me the code to do this?
As I said I don't know any way to automate this in code. You have to manually
log off (CTRL-ALT-DEL, select "log-off") and log on as the same user, in
order to get a fresh primary token.
> However, I have a problem with windows 2000. I log in with unprivileged user
> and I use the sample lsaprivs that we can find on SDK platform samples and
> it produces error 5 "access denied" on OpenPolicy method. If I log in as an
> administrator the program does well.
This is expected. To run lsaprivs you need to be an administrator. Think
about it: it would be a huge security flaw if a non-administrator can grant
himself any privileges he wants.
> I need to execute this program to give SE_TCB_NAME privilege to execute
> LogonUser and become administrator user. So, how can I become an
> administrator on W2K if I can't use LogonUser because I can't get
> SE_TCB_NAME privilege?
Let me make sure I understand your scenario correctly:
Your application (say setup.exe) is run under a normal non-admin user, say
"UserA". The application setup.exe needs to call LogonUser and
CreateProcessAsUser so that it can launch another exe (say setup2.exe) as
the administrator. In order to call LogonUser and CreateProcessAsUser,
however, the UserA account needs to have certain privileges. Setup.exe
can't do this when it's run under UserA - for the same reason as stated
above - only an administrator can grant privileges to a user.
May I ask where you get the administrator's password to call
LogonUser(administrator, password)? Do you ask the user to input it? In that
case, why not just ask the user to manually log on as administrator and run
setup2.exe? Or you can use CreateProcessWithLogonW(administrator, password,
setup2.exe), it will work for W2k and above.
-- Yu Chen [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
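
The CreateProcessWithLogonW route suggested in the message above, as an added example that is not part of the original post: a PowerShell script that calls the API through P/Invoke from a non-admin session (the caller needs no SE_TCB_NAME), prompts for the password instead of embedding it, and zeroes the password buffer afterwards. The account name `Administrator`, the path `C:\Install\setup2.exe` and the `SecLogon` helper class are assumptions made for illustration.

```powershell
# Added example. SecLogon is a hypothetical helper class, not an SDK sample.
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
public static class SecLogon {
    [StructLayout(LayoutKind.Sequential)]
    struct STARTUPINFO {
        public int cb; public IntPtr lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessWithLogonW(string user, string domain, IntPtr password,
        int logonFlags, string app, IntPtr cmdLine, int creationFlags, IntPtr env, IntPtr cwd,
        ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);

    // Starts 'app' under the given account and returns the new process id.
    public static int Run(string user, string domain, IntPtr password, string app) {
        const int LOGON_WITH_PROFILE = 1;
        STARTUPINFO si = new STARTUPINFO();
        si.cb = Marshal.SizeOf(typeof(STARTUPINFO));
        PROCESS_INFORMATION pi;
        if (!CreateProcessWithLogonW(user, domain, password, LOGON_WITH_PROFILE, app,
                IntPtr.Zero, 0, IntPtr.Zero, IntPtr.Zero, ref si, out pi))
            throw new Win32Exception();   // wraps GetLastError, e.g. 1326 = logon failure
        CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
        return pi.dwProcessId;
    }
}
'@

$user   = 'Administrator'            # assumption: local administrator account
$app    = 'C:\Install\setup2.exe'    # assumption: hypothetical location of setup2.exe
$secure = Read-Host "Password for $user" -AsSecureString   # typed by the user, never stored
$pw = [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($secure)
try {
    $procId = [SecLogon]::Run($user, $env:COMPUTERNAME, $pw, $app)
    "Started $app as $user, PID $procId"
} finally {
    # Overwrite and free the plaintext copy of the password
    [Runtime.InteropServices.Marshal]::ZeroFreeGlobalAllocUnicode($pw)
}
```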