How does psexec run with elevated privileges

Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic

   Hi,

How does psexec run with elevated privileges (-h option)? Does it hack the Windows? Which Win API is used to work around the UAC mechanism.

Pawel

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic
dzonka Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 22 February 2012 Status: Offline Points: 5	Post Options Post Reply Quote dzonka Report Post Thanks(0) Quote Reply Topic: How does psexec run with elevated privileges Posted: 22 February 2012 at 12:07pm
	Hi, How does psexec run with elevated privileges (-h option)? Does it hack the Windows? Which Win API is used to work around the UAC mechanism. Pawel

MagicAndre1981 Members Profile Send Private Message Find Members Posts Add to Buddy List Senior Member Joined: 08 January 2007 Location: Germany Status: Offline Points: 709	Post Options Post Reply Quote MagicAndre1981 Report Post Thanks(0) Quote Reply Posted: 22 February 2012 at 12:19pm
	it starts a service which runs the software but it doesn't workaround the UAC. Run it from filtered token (normal cmd.exe) and you get an access denied error. Edited by MagicAndre1981 - 22 February 2012 at 12:21pm

dzonka Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 22 February 2012 Status: Offline Points: 5	Post Options Post Reply Quote dzonka Report Post Thanks(0) Quote Reply Posted: 22 February 2012 at 12:24pm
	I think it is not enough to start a process with elevated privileges. It UAC is enabled the process will run with restricted privileges after impersonalization.

dzonka Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 22 February 2012 Status: Offline Points: 5	Post Options Post Reply Quote dzonka Report Post Thanks(0) Quote Reply Posted: 22 February 2012 at 12:28pm
	-h If the target system is Vista or higher, has the process run with the account's elevated token, if available. So the process can run as Administrator

MagicAndre1981 Members Profile Send Private Message Find Members Posts Add to Buddy List Senior Member Joined: 08 January 2007 Location: Germany Status: Offline Points: 709	Post Options Post Reply Quote MagicAndre1981 Report Post Thanks(0) Quote Reply Posted: 22 February 2012 at 12:54pm
	elevated means running with full token and not the restricted/filtered token.

dzonka Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 22 February 2012 Status: Offline Points: 5	Post Options Post Reply Quote dzonka Report Post Thanks(0) Quote Reply Posted: 22 February 2012 at 1:08pm
	I understand that. The issue is: Before -h switch was introduced, psexec remote processes run with filtered token on machines where UAC was enabled. That was even though the process was created by a service. The -h switch changes this behavior. If the switch is enabled, the remote process is created by the same service although somehow the token is full. The question is what changes in the source code was introduced to support -h switch.

MagicAndre1981 Members Profile Send Private Message Find Members Posts Add to Buddy List Senior Member Joined: 08 January 2007 Location: Germany Status: Offline Points: 709	Post Options Post Reply Quote MagicAndre1981 Report Post Thanks(0) Quote Reply Posted: 22 February 2012 at 1:33pm
	I have no idea. I've only used the -h option once and so I don't know when it was added. Wait what wj32 can tell you about it.

wj32 Members Profile Send Private Message Find Members Posts Visit Members Homepage Add to Buddy List Senior Member Joined: 16 January 2009 Location: Australia Status: Offline Points: 971	Post Options Post Reply Quote wj32 Report Post Thanks(1) Quote Reply Posted: 22 February 2012 at 8:20pm
	You can call GetTokenInformation with TokenLinkedToken to get the elevated version of the token.
	MCTS: Windows Internals Process Hacker, a free and open source process viewer.