Unable to run as an impersonated non-admin user - Access is denied

Published 2024-09-24 08:24:16, 411 characters, 7 views, 0 comments

I do impersonation of a non-admin user account in an app that is running as an admin user (using LogonUser(), DuplicateToken() and WindowsIdentity.Impersonate() functions). Since this user account is temporary, I also need to load a user profile (using LoadUserProfile() native function). All methods execute successfully (no last error is set) and the current identity is the impersonated non-admin user as expected. However, when I try to run a new process with System.Diagnostics.Process.Start(), I get an error:

Access is denied.

When I try to manually execute the same scenario with runas /profile /user:mynonadmin user, everything works fine.

What am I missing here?

Comments (2)

旧夏天 2024-10-01 08:24:16

Ran into this a while back.

The impersonated user did not have access to the CWD which was set on the Process object. Create a ProcessStartInfo object and set the working directory to a location the impersonated user has access to.
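One way to put this answer's advice into practice, as an added example (not code from the question or either answer): verify while impersonating that the account can actually read the intended working directory, then start the child through ProcessStartInfo's UserName/Password path, which calls CreateProcessWithLogonW and loads the profile itself; a plain Process.Start() under impersonation goes through CreateProcess, which hands the child the parent's token rather than the impersonation token. The class name, the account and the directory are placeholders supplied by the caller.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

// Added example, not code from the question or the answers.
static class LowPrivLauncher
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);
    const int LOGON32_LOGON_INTERACTIVE = 2, LOGON32_PROVIDER_DEFAULT = 0;
    // File I/O on an impersonating thread is checked against the thread token, so
    // listing the directory while impersonating shows whether the target account
    // can read it (the CWD problem from the answer) before any process is started.
    public static bool UserCanRead(SafeAccessTokenHandle token, string directory)
    {
        return WindowsIdentity.RunImpersonated(token, () =>
        {
            try { Directory.GetFiles(directory); return true; }
            catch (UnauthorizedAccessException) { return false; }
        });
    }
    // Starts exe as domain\user with the profile loaded and a readable working
    // directory. The UserName/Password path uses CreateProcessWithLogonW, so the
    // child really runs as that account. Read the password from a secret store.
    public static Process StartAs(string domain, string user, string password,
        string exe, string args, string workingDirectory)
    {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out SafeAccessTokenHandle token))
            throw new Win32Exception();   // picks up the last Win32 error
        using (token)
            if (!UserCanRead(token, workingDirectory))
                throw new UnauthorizedAccessException(
                    $"{domain}\\{user} cannot read {workingDirectory}");
        var psi = new ProcessStartInfo(exe, args)
        {
            UseShellExecute = false,   // mandatory when UserName is set
            Domain = domain, UserName = user, PasswordInClearText = password,
            LoadUserProfile = true,    // temporary accounts have no profile yet
            WorkingDirectory = workingDirectory,
        };
        return Process.Start(psi);
    }
}
```

If UserCanRead returns false, fix the directory's ACL or point WorkingDirectory at the account's own profile directory instead of launching and reading "Access is denied" after the fact.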

终遇你 2024-10-01 08:24:16

I had a very similar situation with a service project. Here is some over-simplified pseudo code to give you an idea of what I was doing:

IntPtr hToken;
uint ConsoleSessionID = WTSGetActiveConsoleSessionId();
WTSQueryUserToken(ConsoleSessionID, out hToken);          // token of the logged-on console user
IsUserInAdminGroup(hToken);                               // author's own helper
SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES();
DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, ref sa, SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, TOKEN_TYPE.TokenPrimary, out IntPtr DuplicateToken);
WindowsIdentity.RunImpersonated(new SafeAccessTokenHandle(DuplicateToken), () =>
{
    Process p = new Process();
    p.StartInfo.FileName = ...;
    p.StartInfo.Arguments = ...;
    p.StartInfo.WorkingDirectory = ...;   // WorkingDirectory is a StartInfo property, not a Process property
    p.StartInfo.UseShellExecute = true;
    p.StartInfo.Verb = "runas"; // Elevated!
    p.Start();
});

This worked ABSOLUTELY FINE when logging into Windows using the local Administrator account.

However, if I created a "Test_User" account that was a member of the administrators group, I was getting ACCESS DENIED or a 0xc0000142 exception from Process.Start().

Allow service to interact with desktop

After checking "Allow service to interact with desktop", whether I used the actual local Administrator account or any other account that is a member of the local administrators group, my service can now start an elevated application in the context of the logged-on user.

Of course I went back and updated my code for installing the service, to ensure the SERVICE_INTERACTIVE_PROCESS flag was set, so this option was set programmatically.

Hope this helps someone...
