Erl*_* D. 36 c# windows administrator
我正在为应用程序创建一个自动更新程序.应用程序由用户启动,无需管理员权限即可运行.autoupdater以管理员权限启动,并在下载新文件之前终止应用程序.
当我想在autoupdater完成后启动更新的应用程序时出现问题.如果我使用常规的System.Diagnostics.Process.Start(文件),应用程序也会以管理员权限启动,并且必须在当前用户上运行才能按预期工作.
那么,我如何使autoupdater以当前用户而不是管理员的身份启动应用程序?
我尝试过使用以下内容:
var pSI = new ProcessStartInfo() {
UseShellExecute = false,
UserName = Environment.UserName,
FileName = file
};
System.Diagnostics.Process.Start(pSI);
但是这会引发错误"无效的用户名或密码".我已检查用户名是否正确,我知道密码可能无效,因为我没有包含它.但是,要求用户输入他/她的密码不是一个选项,因为自动启动应用程序的全部原因是为了使用户更容易.
有什么建议?
Dav*_*nan 12
您想要实现的目标不能轻易完成,也不受支持.但是,可以使用少量的黑客攻击.Aaron Margosis撰写了一篇描述一种技术的文章.
要引用相关部分,您需要执行以下步骤:
- 在当前令牌中启用SeIncreaseQuotaPrivilege
- 获取表示桌面shell的HWND(GetShellWindow)
- 获取与该窗口关联的进程的进程ID(PID)(GetWindowThreadProcessId)
- 打开那个进程(OpenProcess)
- 从该进程获取访问令牌(OpenProcessToken)
- 使用该令牌创建主令牌(DuplicateTokenEx)
- 使用该主令牌启动新进程(CreateProcessWithTokenW)
本文包含一些演示C++源代码的下载链接,从中可以很容易地转换为C#.
use*_*201 11
Aaron Margosis 文章的 C#代码:
private static void RunAsDesktopUser(string fileName)
{
if (string.IsNullOrWhiteSpace(fileName))
throw new ArgumentException("Value cannot be null or whitespace.", nameof(fileName));
// To start process as shell user you will need to carry out these steps:
// 1. Enable the SeIncreaseQuotaPrivilege in your current token
// 2. Get an HWND representing the desktop shell (GetShellWindow)
// 3. Get the Process ID(PID) of the process associated with that window(GetWindowThreadProcessId)
// 4. Open that process(OpenProcess)
// 5. Get the access token from that process (OpenProcessToken)
// 6. Make a primary token with that token(DuplicateTokenEx)
// 7. Start the new process with that primary token(CreateProcessWithTokenW)
var hProcessToken = IntPtr.Zero;
// Enable SeIncreaseQuotaPrivilege in this process. (This won't work if current process is not elevated.)
try
{
var process = GetCurrentProcess();
if (!OpenProcessToken(process, 0x0020, ref hProcessToken))
return;
var tkp = new TOKEN_PRIVILEGES
{
PrivilegeCount = 1,
Privileges = new LUID_AND_ATTRIBUTES[1]
};
if (!LookupPrivilegeValue(null, "SeIncreaseQuotaPrivilege", ref tkp.Privileges[0].Luid))
return;
tkp.Privileges[0].Attributes = 0x00000002;
if (!AdjustTokenPrivileges(hProcessToken, false, ref tkp, 0, IntPtr.Zero, IntPtr.Zero))
return;
}
finally
{
CloseHandle(hProcessToken);
}
// Get an HWND representing the desktop shell.
// CAVEATS: This will fail if the shell is not running (crashed or terminated), or the default shell has been
// replaced with a custom shell. This also won't return what you probably want if Explorer has been terminated and
// restarted elevated.
var hwnd = GetShellWindow();
if (hwnd == IntPtr.Zero)
return;
var hShellProcess = IntPtr.Zero;
var hShellProcessToken = IntPtr.Zero;
var hPrimaryToken = IntPtr.Zero;
try
{
// Get the PID of the desktop shell process.
uint dwPID;
if (GetWindowThreadProcessId(hwnd, out dwPID) == 0)
return;
// Open the desktop shell process in order to query it (get the token)
hShellProcess = OpenProcess(ProcessAccessFlags.QueryInformation, false, dwPID);
if (hShellProcess == IntPtr.Zero)
return;
// Get the process token of the desktop shell.
if (!OpenProcessToken(hShellProcess, 0x0002, ref hShellProcessToken))
return;
var dwTokenRights = 395U;
// Duplicate the shell's process token to get a primary token.
// Based on experimentation, this is the minimal set of rights required for CreateProcessWithTokenW (contrary to current documentation).
if (!DuplicateTokenEx(hShellProcessToken, dwTokenRights, IntPtr.Zero, SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, TOKEN_TYPE.TokenPrimary, out hPrimaryToken))
return;
// Start the target process with the new token.
var si = new STARTUPINFO();
var pi = new PROCESS_INFORMATION();
if (!CreateProcessWithTokenW(hPrimaryToken, 0, fileName, "", 0, IntPtr.Zero, Path.GetDirectoryName(fileName), ref si, out pi))
return;
}
finally
{
CloseHandle(hShellProcessToken);
CloseHandle(hPrimaryToken);
CloseHandle(hShellProcess);
}
}
#region Interop
private struct TOKEN_PRIVILEGES
{
public UInt32 PrivilegeCount;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 1)]
public LUID_AND_ATTRIBUTES[] Privileges;
}
[StructLayout(LayoutKind.Sequential, Pack = 4)]
private struct LUID_AND_ATTRIBUTES
{
public LUID Luid;
public UInt32 Attributes;
}
[StructLayout(LayoutKind.Sequential)]
private struct LUID
{
public uint LowPart;
public int HighPart;
}
[Flags]
private enum ProcessAccessFlags : uint
{
All = 0x001F0FFF,
Terminate = 0x00000001,
CreateThread = 0x00000002,
VirtualMemoryOperation = 0x00000008,
VirtualMemoryRead = 0x00000010,
VirtualMemoryWrite = 0x00000020,
DuplicateHandle = 0x00000040,
CreateProcess = 0x000000080,
SetQuota = 0x00000100,
SetInformation = 0x00000200,
QueryInformation = 0x00000400,
QueryLimitedInformation = 0x00001000,
Synchronize = 0x00100000
}
private enum SECURITY_IMPERSONATION_LEVEL
{
SecurityAnonymous,
SecurityIdentification,
SecurityImpersonation,
SecurityDelegation
}
private enum TOKEN_TYPE
{
TokenPrimary = 1,
TokenImpersonation
}
[StructLayout(LayoutKind.Sequential)]
private struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public int dwProcessId;
public int dwThreadId;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
private struct STARTUPINFO
{
public Int32 cb;
public string lpReserved;
public string lpDesktop;
public string lpTitle;
public Int32 dwX;
public Int32 dwY;
public Int32 dwXSize;
public Int32 dwYSize;
public Int32 dwXCountChars;
public Int32 dwYCountChars;
public Int32 dwFillAttribute;
public Int32 dwFlags;
public Int16 wShowWindow;
public Int16 cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
[DllImport("kernel32.dll", ExactSpelling = true)]
private static extern IntPtr GetCurrentProcess();
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
private static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
[DllImport("advapi32.dll", SetLastError = true)]
private static extern bool LookupPrivilegeValue(string host, string name, ref LUID pluid);
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
private static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TOKEN_PRIVILEGES newst, int len, IntPtr prev, IntPtr relen);
[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool CloseHandle(IntPtr hObject);
[DllImport("user32.dll")]
private static extern IntPtr GetShellWindow();
[DllImport("user32.dll", SetLastError = true)]
private static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern IntPtr OpenProcess(ProcessAccessFlags processAccess, bool bInheritHandle, uint processId);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess, IntPtr lpTokenAttributes, SECURITY_IMPERSONATION_LEVEL impersonationLevel, TOKEN_TYPE tokenType, out IntPtr phNewToken);
[DllImport("advapi32", SetLastError = true, CharSet = CharSet.Unicode)]
private static extern bool CreateProcessWithTokenW(IntPtr hToken, int dwLogonFlags, string lpApplicationName, string lpCommandLine, int dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
#endregion
这是我多年前看到的一个非常古老的问题,现在又重新审视了。因为它是第一个谷歌搜索结果......我会在这里发布我的答案。
我找到的所有解决方案都极其复杂和荒谬。多年来,我偶然发现了一个我在任何地方都没有看到记录的解决方案,直到现在才真正分享。
代码非常简单......本质上,我们正在编写一个批处理文件,其中包含您要运行的进程的可执行文件的名称/路径,以及您想要的任何参数。然后我们生成一个带有批处理文件路径的 explorer.exe 进程......
File.WriteAllText(@"C:\test.bat", @"C:\test.exe -randomArgs");
var proc = new Process
{
StartInfo = new ProcessStartInfo
{
FileName = "explorer.exe",
Arguments = @"C:\test.bat",
UseShellExecute = true,
Verb = "runas",
WindowStyle = ProcessWindowStyle.Hidden
}
};
proc.Start();
我们生成的资源管理器进程会立即被操作系统杀死,但是!运行的 root explorer.exe 进程运行批处理文件!您可以为 explorer.exe 提供可执行文件的名称,它会做同样的事情,但是该方法不支持参数。
据我所知,这是一个错误或未记录的功能。但是我无法想象它是如何被恶意使用的,因为它允许降低权限......这适用于 Windows 7/8/8.1/10。
假设你是信令应用干净地关闭,而不是终止它,如果你依然能够释放你的更新程序之前做出更改应用程序,一个简单的解决办法是让应用程序在退出前启动临时过程.您可以在临时位置为临时进程创建可执行文件.更新完成后,发出临时过程信号以重新启动应用程序并退出.这样,一切都自然发生,你不必乱七八糟.
另一种选择是在杀死它之前使用OpenProcess,OpenProcessToken和DuplicateToken获取应用程序安全令牌的副本.然后,您可以使用CreateProcessAsUser在原始上下文中重新启动应用程序.
即使更新程序在不同的帐户和/或与应用程序的不同会话中运行,这两种方法也应该有效.
在我的应用程序中,我最初使用了user3122201的解决方案,效果非常好。但是,我希望提升的应用程序使用匿名管道与低权限应用程序进行通信。为了实现这一目标,我需要一个允许继承管道句柄的解决方案。
我想出了下面的解决方案,它允许句柄继承。
请注意此解决方案与 user3122201 的解决方案之间的另一个小区别:下面的方法作为同一用户的进程运行,但访问权限受到限制,而 user3122201 的方法作为桌面用户的进程运行。
public static class ProcessHelper
{
/// Runs a process as a non-elevated version of the current user.
public static Process? RunAsRestrictedUser(string fileName, string? args = null)
{
if (string.IsNullOrWhiteSpace(fileName))
throw new ArgumentException("Value cannot be null or whitespace.", nameof(fileName));
if (!GetRestrictedSessionUserToken(out var hRestrictedToken))
{
return null;
}
try
{
var si = new STARTUPINFO();
var pi = new PROCESS_INFORMATION();
var cmd = new StringBuilder();
cmd.Append('"').Append(fileName).Append('"');
if (!string.IsNullOrWhiteSpace(args))
{
cmd.Append(' ').Append(args);
}
if (!CreateProcessAsUser(
hRestrictedToken,
null,
cmd,
IntPtr.Zero,
IntPtr.Zero,
true, // inherit handle
0,
IntPtr.Zero,
Path.GetDirectoryName(fileName),
ref si,
out pi))
{
return null;
}
return Process.GetProcessById(pi.dwProcessId);
}
finally
{
CloseHandle(hRestrictedToken);
}
}
// based on /sf/answers/1127708851/
private static bool GetRestrictedSessionUserToken(out IntPtr token)
{
token = IntPtr.Zero;
if (!SaferCreateLevel(SaferScope.User, SaferLevel.NormalUser, SaferOpenFlags.Open, out var hLevel, IntPtr.Zero))
{
return false;
}
IntPtr hRestrictedToken = IntPtr.Zero;
TOKEN_MANDATORY_LABEL tml = default;
tml.Label.Sid = IntPtr.Zero;
IntPtr tmlPtr = IntPtr.Zero;
try
{
if (!SaferComputeTokenFromLevel(hLevel, IntPtr.Zero, out hRestrictedToken, 0, IntPtr.Zero))
{
return false;
}
// Set the token to medium integrity.
tml.Label.Attributes = SE_GROUP_INTEGRITY;
tml.Label.Sid = IntPtr.Zero;
if (!ConvertStringSidToSid("S-1-16-8192", out tml.Label.Sid))
{
return false;
}
tmlPtr = Marshal.AllocHGlobal(Marshal.SizeOf(tml));
Marshal.StructureToPtr(tml, tmlPtr, false);
if (!SetTokenInformation(hRestrictedToken,
TOKEN_INFORMATION_CLASS.TokenIntegrityLevel,
tmlPtr, (uint)Marshal.SizeOf(tml)))
{
return false;
}
token = hRestrictedToken;
hRestrictedToken = IntPtr.Zero; // make sure finally() doesn't close the handle
}
finally
{
SaferCloseLevel(hLevel);
SafeCloseHandle(hRestrictedToken);
if (tml.Label.Sid != IntPtr.Zero)
{
LocalFree(tml.Label.Sid);
}
if (tmlPtr != IntPtr.Zero)
{
Marshal.FreeHGlobal(tmlPtr);
}
}
return true;
}
[StructLayout(LayoutKind.Sequential)]
private struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public int dwProcessId;
public int dwThreadId;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
private struct STARTUPINFO
{
public Int32 cb;
public string lpReserved;
public string lpDesktop;
public string lpTitle;
public Int32 dwX;
public Int32 dwY;
public Int32 dwXSize;
public Int32 dwYSize;
public Int32 dwXCountChars;
public Int32 dwYCountChars;
public Int32 dwFillAttribute;
public Int32 dwFlags;
public Int16 wShowWindow;
public Int16 cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
[StructLayout(LayoutKind.Sequential)]
private struct SID_AND_ATTRIBUTES
{
public IntPtr Sid;
public uint Attributes;
}
[StructLayout(LayoutKind.Sequential)]
private struct TOKEN_MANDATORY_LABEL
{
public SID_AND_ATTRIBUTES Label;
}
public enum SaferLevel : uint
{
Disallowed = 0,
Untrusted = 0x1000,
Constrained = 0x10000,
NormalUser = 0x20000,
FullyTrusted = 0x40000
}
public enum SaferScope : uint
{
Machine = 1,
User = 2
}
[Flags]
public enum SaferOpenFlags : uint
{
Open = 1
}
[DllImport("advapi32", SetLastError = true, CallingConvention = CallingConvention.StdCall)]
private static extern bool SaferCreateLevel(SaferScope scope, SaferLevel level, SaferOpenFlags openFlags, out IntPtr pLevelHandle, IntPtr lpReserved);
[DllImport("advapi32", SetLastError = true, CallingConvention = CallingConvention.StdCall)]
private static extern bool SaferComputeTokenFromLevel(IntPtr LevelHandle, IntPtr InAccessToken, out IntPtr OutAccessToken, int dwFlags, IntPtr lpReserved);
[DllImport("advapi32", SetLastError = true)]
private static extern bool SaferCloseLevel(IntPtr hLevelHandle);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
private static extern bool ConvertStringSidToSid(string StringSid, out IntPtr ptrSid);
[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool CloseHandle(IntPtr hObject);
private static bool SafeCloseHandle(IntPtr hObject)
{
return (hObject == IntPtr.Zero) ? true : CloseHandle(hObject);
}
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr LocalFree(IntPtr hMem);
enum TOKEN_INFORMATION_CLASS
{
/// <summary>
/// The buffer receives a TOKEN_USER structure that contains the user account of the token.
/// </summary>
TokenUser = 1,
/// <summary>
/// The buffer receives a TOKEN_GROUPS structure that contains the group accounts associated with the token.
/// </summary>
TokenGroups,
/// <summary>
/// The buffer receives a TOKEN_PRIVILEGES structure that contains the privileges of the token.
/// </summary>
TokenPrivileges,
/// <summary>
/// The buffer receives a TOKEN_OWNER structure that contains the default owner security identifier (SID) for newly created objects.
/// </summary>
TokenOwner,
/// <summary>
/// The buffer receives a TOKEN_PRIMARY_GROUP structure that contains the default primary group SID for newly created objects.
/// </summary>
TokenPrimaryGroup,
/// <summary>
/// The buffer receives a TOKEN_DEFAULT_DACL structure that contains the default DACL for newly created objects.
/// </summary>
TokenDefaultDacl,
/// <summary>
/// The buffer receives a TOKEN_SOURCE structure that contains the source of the token. TOKEN_QUERY_SOURCE access is needed to retrieve this information.
/// </summary>
TokenSource,
/// <summary>
/// The buffer receives a TOKEN_TYPE value that indicates whether the token is a primary or impersonation token.
/// </summary>
TokenType,
/// <summary>
/// The buffer receives a SECURITY_IMPERSONATION_LEVEL value that indicates the impersonation level of the token. If the access token is not an impersonation token, the function fails.
/// </summary>
TokenImpersonationLevel,
/// <summary>
/// The buffer receives a TOKEN_STATISTICS structure that contains various token statistics.
/// </summary>
TokenStatistics,
/// <summary>
/// The buffer receives a TOKEN_GROUPS structure that contains the list of restricting SIDs in a restricted token.
/// </summary>
TokenRestrictedSids,
/// <summary>
/// The buffer receives a DWORD value that indicates the Terminal Services session identifier that is associated with the token.
/// </summary>
TokenSessionId,
/// <summary>
/// The buffer receives a TOKEN_GROUPS_AND_PRIVILEGES structure that contains the user SID, the group accounts, the restricted SIDs, and the authentication ID associated with the token.
/// </summary>
TokenGroupsAndPrivileges,
/// <summary>
/// Reserved.
/// </summary>
TokenSessionReference,
/// <summary>
/// The buffer receives a DWORD value that is nonzero if the token includes the SANDBOX_INERT flag.
/// </summary>
TokenSandBoxInert,
/// <summary>
/// Reserved.
/// </summary>
TokenAuditPolicy,
/// <summary>
/// The buffer receives a TOKEN_ORIGIN value.
/// </summary>
TokenOrigin,
/// <summary>
/// The buffer receives a TOKEN_ELEVATION_TYPE value that specifies the elevation level of the token.
/// </summary>
TokenElevationType,
/// <summary>
/// The buffer receives a TOKEN_LINKED_TOKEN structure that contains a handle to another token that is linked to this token.
/// </summary>
TokenLinkedToken,
/// <summary>
/// The buffer receives a TOKEN_ELEVATION structure that specifies whether the token is elevated.
/// </summary>
TokenElevation,
/// <summary>
/// The buffer receives a DWORD value that is nonzero if the token has ever been filtered.
/// </summary>
TokenHasRestrictions,
/// <summary>
/// The buffer receives a TOKEN_ACCESS_INFORMATION structure that specifies security information contained in the token.
/// </summary>
TokenAccessInformation,
/// <summary>
/// The buffer receives a DWORD value that is nonzero if virtualization is allowed for the token.
/// </summary>
TokenVirtualizationAllowed,
/// <summary>
/// The buffer receives a DWORD value that is nonzero if virtualization is enabled for the token.
/// </summary>
TokenVirtualizationEnabled,
/// <summary>
/// The buffer receives a TOKEN_MANDATORY_LABEL structure that specifies the token's integrity level.
/// </summary>
TokenIntegrityLevel,
/// <summary>
/// The buffer receives a DWORD value that is nonzero if the token has the UIAccess flag set.
/// </summary>
TokenUIAccess,
/// <summary>
/// The buffer receives a TOKEN_MANDATORY_POLICY structure that specifies the token's mandatory integrity policy.
/// </summary>
TokenMandatoryPolicy,
/// <summary>
/// The buffer receives the token's logon security identifier (SID).
/// </summary>
TokenLogonSid,
/// <summary>
/// The maximum value for this enumeration
/// </summary>
MaxTokenInfoClass
}
[DllImport("advapi32.dll", SetLastError = true)]
static extern Boolean SetTokenInformation(
IntPtr TokenHandle,
TOKEN_INFORMATION_CLASS TokenInformationClass,
IntPtr TokenInformation,
UInt32 TokenInformationLength);
const uint SE_GROUP_INTEGRITY = 0x00000020;
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
static extern bool CreateProcessAsUser(
IntPtr hToken,
string? lpApplicationName,
StringBuilder? lpCommandLine,
IntPtr lpProcessAttributes,
IntPtr lpThreadAttributes,
bool bInheritHandles,
uint dwCreationFlags,
IntPtr lpEnvironment,
string? lpCurrentDirectory,
ref STARTUPINFO lpStartupInfo,
out PROCESS_INFORMATION lpProcessInformation);
}