
MSDNによると、SE_INCREASE_QUOTA_NAME と SE_ASSIGNPRIMARYTOKEN_NAME を追加する必要があります。しかし、設定した権限に関係なく、CreateProcessAsUserW からエラー 1314 が発生し続けます。

念のため、グループ ポリシー コンソールで、権限が実際に追加されたことを確認しました。

// Excerpt of a larger function (its signature and the declarations of
// strSessionUserName, strSid, luid, tp, hToken, si and pi are outside this
// snippet). Sequence: open the LSA policy, grant three privileges to the
// account strSid via LsaAddAccountRights, enable the same privileges on
// hToken with AdjustTokenPrivileges, then call CreateProcessAsUserW(hToken).
// Uses nullptr and std::wstring::data(), so this is C++ rather than C.
LSA_OBJECT_ATTRIBUTES ObjectAttributes;
WCHAR* SystemName = &strSessionUserName[0];
USHORT SystemNameLength;
LSA_UNICODE_STRING lusSystemName;
NTSTATUS ntsResult;
LSA_HANDLE lsahPolicyHandle;

// Object attributes are reserved, so initialize to zeros.
ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));

// Initialize an LSA_UNICODE_STRING to the server name.
// NOTE(review): lusSystemName is built here but never used — LsaOpenPolicy
// below is passed nullptr as the system name, i.e. the local machine.
SystemNameLength = (USHORT)wcslen(SystemName);
lusSystemName.Buffer = SystemName;
lusSystemName.Length = SystemNameLength * sizeof(WCHAR);
lusSystemName.MaximumLength = (SystemNameLength + 1) * sizeof(WCHAR);

// Get a handle to the Policy object.
// NOTE(review): ntsResult is assigned but never checked, so a failed open
// leaves lsahPolicyHandle uninitialized for the LsaAddAccountRights calls
// below. LSA calls return NTSTATUS; LsaNtStatusToWinError converts it.
// 0x000f0fff is POLICY_ALL_ACCESS — prefer the named constant, or the
// minimum needed (POLICY_LOOKUP_NAMES | POLICY_CREATE_ACCOUNT for
// LsaAddAccountRights, per the API documentation).
ntsResult = LsaOpenPolicy(
    nullptr,    // Name of the target system (nullptr = local system).
    &ObjectAttributes, // Object attributes (reserved, zeroed above).
    0x000f0fff, // Desired access permissions.
    &lsahPolicyHandle  // Receives the policy handle.
    );

// SID of the account that will receive the rights; ConvertStringSidToSid
// allocates it with LocalAlloc, so the caller owns it (LocalFree).
// NOTE(review): within this excerpt nothing calls LocalFree(pSid) or
// LsaClose(lsahPolicyHandle), and every early return below skips both.
PSID pSid;
if (false == ConvertStringSidToSid(strSid.data(), &pSid))
    return false;

// --- Privilege 1: SeIncreaseQuotaPrivilege (SE_INCREASE_QUOTA_NAME) ---
// NOTE(review): a string literal bound to a non-const WCHAR* is a deprecated
// conversion in C++ (ill-formed since C++11); LSA_UNICODE_STRING::Buffer is
// non-const, so a const_cast at the assignment would make the intent explicit.
WCHAR* pQuotaName = L"SeIncreaseQuotaPrivilege";
LSA_UNICODE_STRING Privilege[1];
size_t stQuotaLength = wcslen(pQuotaName);
Privilege[0].Buffer = pQuotaName;
Privilege[0].Length = (USHORT)(stQuotaLength*sizeof(WCHAR));
// NOTE(review): here the cast binds to (stQuotaLength + 1) only; the product
// is size_t and is narrowed to USHORT implicitly — harmless for these short
// names, but inconsistent with the Length line above.
Privilege[0].MaximumLength = (USHORT)(stQuotaLength + 1)*sizeof(WCHAR);
// NOTE(review): return value not checked. This grants the right to the
// account in LSA policy; presumably an already-issued token (hToken) does
// not pick the new privilege up until the account logs on again — verify
// the order in which hToken is obtained relative to this call.
ntsResult = LsaAddAccountRights(lsahPolicyHandle, pSid, Privilege, 1);

if (!LookupPrivilegeValue(
    NULL,            // lookup privilege on local system
    L"SeIncreaseQuotaPrivilege",   // privilege to lookup
    &luid))        // receives LUID of privilege
{
    printf("LookupPrivilegeValue error: %u\n", GetLastError());
    return FALSE;
}

// Enable the privilege on hToken.
// NOTE(review): AdjustTokenPrivileges returns nonzero even when the token
// does not hold the privilege; in that case GetLastError() is
// ERROR_NOT_ALL_ASSIGNED and must be checked explicitly, otherwise this
// path silently "succeeds" and the later 1314 is the first visible failure.
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(
    hToken,
    FALSE,
    &tp,
    sizeof(TOKEN_PRIVILEGES),
    (PTOKEN_PRIVILEGES)NULL,  // no previous-state buffer requested
    (PDWORD)NULL))
{
    printf("AdjustTokenPrivileges error: %u\n", GetLastError());
    return FALSE;
}


// --- Privilege 2: SeAssignPrimaryTokenPrivilege (SE_ASSIGNPRIMARYTOKEN_NAME) ---
// Same three-step pattern as above; the same unchecked-result and
// ERROR_NOT_ALL_ASSIGNED remarks apply.
WCHAR* pAssignToken = L"SeAssignPrimaryTokenPrivilege";
size_t stAssignToken = wcslen(pAssignToken);
Privilege[0].Buffer = pAssignToken;
Privilege[0].Length = (USHORT)(stAssignToken*sizeof(WCHAR));
Privilege[0].MaximumLength = (USHORT)(stAssignToken + 1)*sizeof(WCHAR);
ntsResult = LsaAddAccountRights(lsahPolicyHandle, pSid, Privilege, 1);

if (!LookupPrivilegeValue(
    NULL,            // lookup privilege on local system
    L"SeAssignPrimaryTokenPrivilege",   // privilege to lookup
    &luid))        // receives LUID of privilege
{
    printf("LookupPrivilegeValue error: %u\n", GetLastError());
    return FALSE;
}

tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(
    hToken,
    FALSE,
    &tp,
    sizeof(TOKEN_PRIVILEGES),
    (PTOKEN_PRIVILEGES)NULL,
    (PDWORD)NULL))
{
    printf("AdjustTokenPrivileges error: %u\n", GetLastError());
    return FALSE;
}


// --- Privilege 3: SeTcbPrivilege (SE_TCB_NAME) ---
// NOTE(review): SeTcbPrivilege is not among the two privileges the
// question's MSDN citation names for CreateProcessAsUser; granting it to an
// account is a very broad change, so confirm it is actually needed.
WCHAR* pTcbName = L"SeTcbPrivilege";
size_t stTcbName = wcslen(pTcbName);
Privilege[0].Buffer = pTcbName;
Privilege[0].Length = (USHORT)(stTcbName*sizeof(WCHAR));
Privilege[0].MaximumLength = (USHORT)(stTcbName + 1)*sizeof(WCHAR);
ntsResult = LsaAddAccountRights(lsahPolicyHandle, pSid, Privilege, 1);

if (!LookupPrivilegeValue(
    NULL,            // lookup privilege on local system
    L"SeTcbPrivilege",   // privilege to lookup
    &luid))        // receives LUID of privilege
{
    printf("LookupPrivilegeValue error: %u\n", GetLastError());
    return FALSE;
}

tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(
    hToken,
    FALSE,
    &tp,
    sizeof(TOKEN_PRIVILEGES),
    (PTOKEN_PRIVILEGES)NULL,
    (PDWORD)NULL))
{
    printf("AdjustTokenPrivileges error: %u\n", GetLastError());
    return FALSE;
}
// NOTE(review): only si.cb is set here; whether the rest of si was zeroed
// is outside this excerpt — confirm, since CreateProcess reads other fields.
si.cb = sizeof(STARTUPINFO);

// NOTE(review): the privileges above were enabled on hToken, which is the
// same token handed to CreateProcessAsUserW as the new process's primary
// token. The requirement the question cites from MSDN (SE_INCREASE_QUOTA_NAME
// and SE_ASSIGNPRIMARYTOKEN_NAME) is on the token of the *calling* process,
// not on the token being assigned; 1314 is ERROR_PRIVILEGE_NOT_HELD, which
// is consistent with the caller's own token lacking them. Verify by
// opening the current process token (OpenProcessToken) and enabling the
// privileges there. Also note that no cleanup of pSid / lsahPolicyHandle /
// the pi handles is visible on the failure path.
if (FALSE == CreateProcessAsUserW(hToken, nullptr, L"notepad.exe", nullptr, nullptr, false, CREATE_SUSPENDED | CREATE_BREAKAWAY_FROM_JOB, nullptr, nullptr, &si, &pi))
{
    return false;
}

次のフラグを使用して、ターゲット ユーザーからトークンを取得します。

TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_ASSIGN_PRIMARY


CreateProcessWithToken / CreateProcessWithLogonの使用には問題があります。CreateProcessWithToken が新しいジョブを開始すると、ターゲット プロセスの初期化が台無しになり、CreateProcessWithLogon には実行時に不明なパスワードが必要になるためです。

