Re: Refreshing User Access Token Without Logging Off
From: Umer Mian (mianNOSPAM_at_kkl.com)
Date: 12/22/03
- In reply to: Kirk Ferdmann: "Re: Refreshing User Access Token Without Logging Off"
Date: Mon, 22 Dec 2003 16:28:11 -0500
> What kind of issues? I hope you are not referring to the fact that they
> require the password, because it's a good thing.
The issue with runas is that it activates the HKCU hive of the elevated
privileges user (i.e. it doesn't keep the HKCU hive of the currently logged
in user). This is a problem when using runas to elevate privileges for
software installation because now the installer will put user registry
entries in the wrong place. 'Su.exe' from the resource kit is supposed to
get around this with the '-e' switch:
"-e disables environment preparation. The parent environment is inherited.
This option prevents preparation of the user environment for the new
process, instead causing the environment to be inherited from SU."
However, I haven't gotten this to work quite right.
Being able to refresh the user access token would allow you to give a user
Administrator privileges and still keep the user's environment. However, as you
said, this is probably not possible because it violates the security model.
Thanks for your help.
--Umer
"Kirk Ferdmann" <kirk_ferdmann@nospam.hotmail.com> wrote in message
news:i5-dnQ17UovqKH6iRVn-ug@comcast.com...
> "Umer Mian" <mianNOSPAM@kkl.com> wrote in message
> news:ue0l$knxDHA.2076@TK2MSFTNGP10.phx.gbl...
> > I want to be able to add a user to the Administrators group and have the
> > change take effect without having the user logoff. I know that the user
> > access token gets created upon login, but I've also heard that there's a
> > way to have it re-created using an API call. I've done a lot of searching,
> > but haven't found anything so far.
>
> Theoretically you could use the undocumented NtCreateToken to forge a token
> and launch a new process with it. But obviously it will not have any effect on
> already running processes. Also I would highly recommend staying away from
> this solution as it has so many issues under the surface. Many people
> reported trying this road and yet I haven't seen even one successful
> implementation.
>
> > Does anyone know which API call you need to make to refresh the user
> > access token?
>
> I believe there is none as it contradicts the model.
>
> > Has anyone written a tool or script to do this? The reason you'd want
> > to do this is because it would allow you to elevate a user's privileges
> > without having the user logoff. I know that runas and 'su.exe' (from the
> > resource kit) are the standard privilege-escalation tools, BUT there are
> > issues with both.
>
> What kind of issues? I hope you are not referring to the fact that they
> require the password, because it's a good thing.
>
> -Kirk
>
>
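
The behaviour discussed in this thread (group membership is copied into the access token at logon and not refreshed afterwards) can be observed with the check below. This is an added example, not code from any poster in the thread. It assumes Windows PowerShell 5.1 or later for the Microsoft.PowerShell.LocalAccounts cmdlets, and it only looks at direct membership of the local Administrators group, not membership through nested domain groups.

```powershell
# Added example: compare the Administrators membership frozen in this
# process's access token with the membership stored on the machine right now.
$adminsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Group SIDs captured in the token when the logon session was created.
# WindowsIdentity.Groups leaves out deny-only groups, so a non-elevated
# UAC token also reports False here.
$tokenGroupSids = @($identity.Groups | ForEach-Object { $_.Value })
$inToken = $tokenGroupSids -contains $adminsSid.Value

# Direct members of the local Administrators group as of this moment.
$memberSids = @(Get-LocalGroupMember -SID $adminsSid | ForEach-Object { $_.SID.Value })
$inGroupNow = $memberSids -contains $identity.User.Value

# A mismatch means the group was changed after this logon session started;
# the running token will not pick up the change.
[pscustomobject]@{
    User           = $identity.Name
    InGroupNow     = $inGroupNow
    InCurrentToken = $inToken
    Mismatch       = ($inGroupNow -ne $inToken)
}
```

Run it in the user's existing session right after changing the group membership: `InGroupNow` changes immediately, while `InCurrentToken` keeps its old value until a new logon session is created.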