CreateProecssAsUser elevated privilege?

Question

I'm getting an error with my CreateProcessAsUser function. It says "The requested operation requires elevation. " I thought i had given it the highest privilege i could. Anyone help? thanks

My code is as follows:

            activeSessionId = WTSGetActiveConsoleSessionId();//get the currently logged on user's active session id
            hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );//take snapshot of all processes in The system

            pe32.dwSize = sizeof(PROCESSENTRY32);
            Process32First(hProcessSnap, &pe32)

            do//iterate through all processes
            {   
                if(_wcsicmp(pe32.szExeFile, L"winlogon.exe") == 0)//narrow down to process called "winlogon.exe"
                {
                    if (ProcessIdToSessionId(pe32.th32ProcessID, &peSessionID)
                    && peSessionID == activeSessionId)//compare the sessionID of each winlog process to the active console session id
                    {
                        winlogonPID = pe32.th32ProcessID;
                        break;
                    }
                }
            }while( Process32Next( hProcessSnap, &pe32 ) );

            dwCreationFlags = (NORMAL_PRIORITY_CLASS|CREATE_NEW_CONSOLE);

            hProcess = OpenProcess(PROCESS_ALL_ACCESS,false,winlogonPID);//return handle to winlogon process

            OpenProcessToken(hProcess,TOKEN_ALL_ACCESS,&hPToken)//opens the access token
            LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&luid)//get the locally unique identifier(luid)


            //creates a new access token and duplicates winlogon token of the active user
            DuplicateTokenEx(hPToken,MAXIMUM_ALLOWED,NULL,SecurityIdentification,TokenPrimary,&hUserTokenDup)

            }

            SetTokenInformation(hUserTokenDup,TokenSessionId,(void*)&activeSessionId,sizeof(DWORD))//sets info for duplicated token

            //adjust the privileges of the duplicated token
            tp.PrivilegeCount = 1;
            tp.Privileges[0].Luid = luid;
            tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

            AdjustTokenPrivileges(hUserTokenDup, FALSE, &tp, sizeof(TOKEN_PRIVILEGES),(PTOKEN_PRIVILEGES)NULL,NULL)


            pEnv = NULL;
            if(CreateEnvironmentBlock(&pEnv,hUserTokenDup,TRUE))//retrieve environment variables for the user
            {
                dwCreationFlags|=CREATE_UNICODE_ENVIRONMENT;
            }
            else pEnv = NULL;

            ZeroMemory( &si, sizeof(si) );//set parameters to 0
            si.cb = sizeof(si);//the size of si
            si.lpDesktop = L"WinSta0\\Default";//window station and desktop of interactive user
            ZeroMemory( &pi, sizeof(pi) );//set parameters to 0

            //launch the process in active logged in user's session
            CreateProcessAsUser
                (
                hUserTokenDup,  
                NULL,
                Path,
                NULL,
                NULL,
                FALSE,
                dwCreationFlags,
                pEnv,
                NULL,
                &si,
                &pi
                )
              )


              //Destroy the Environment block
                      (DestroyEnvironmentBlock(pEnv)


              CloseHandle(hProcess)
              CloseHandle(hUserToken)
              CloseHandle(hUserTokenDup)
              CloseHandle(hPToken)

        }

Answer 1

What user account is your calling code running under? Does that account have permissions to run processes as other users?

My code that uses CreateProcessAsUser() runs in a service under the SYSTEM account. The following approach works fine for me, without having to enumerate processes at all:

// error handling omitted for brevity...

DWORD dwSessionId = WTSGetActiveConsoleSessionId();
HANDLE hProcessToken = NULL;
HANDLE hUserToken = NULL;

TOKEN_PRIVILEGES TokenPriv, OldTokenPriv;
DWORD OldSize = 0;
OpenProcess(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hProcessToken);
LookupPrivilegeValue(NULL, SE_TCB_NAME, &TokenPriv.Privileges[0].Luid);
TokenPriv.PrivilegeCount = 1;
TokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hProcessToken, FALSE, &TokenPriv, sizeof(TokenPriv), &OldTokenPriv, &OldSize);

HANDLE hToken = NULL;
WTSQueryUserToken(dwSessionId, &hToken);
DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hUserToken);
CloseHandle(hToken);

LPVOID pEnv = NULL;
CreateEnvironmentBlock(&pEnv, hUserToken, FALSE);

STARTUPINFO si = {0};
si.cb = sizeof(si);
si.lpDesktop = TEXT("WinSta0\\Default");
//...

PROCESS_INFORMATION pi = {0};

//launch the process in active logged in user's session
CreateProcessAsUser(
    hUserToken,  
    NULL,
    Path,
    NULL,
    NULL,
    FALSE,
    NORMAL_PRIORITY_CLASS | CREATE_UNICODE_ENVIRONMENT | ...,
    pEnv,
    NULL,
    &si,
    &pi
);

CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
DestroyEnvironmentBlock(pEnv);
CloseHandle(hUserToken);

AdjustTokenPrivileges(hProcessToken, FALSE, &OldTokenPriv, sizeof(OldTokenPriv), NULL, NULL);
CloseHandle(hProcessToken);