Jump to content
  • Advertisement
Sign in to follow this  
Nemesis2k2

Permission Woes: Getting access to the Winlogon desktop without system privileges

This topic is 4613 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts

Ok, long story short. I'm writing an app which gives a lot of options to control the launching of an application, including impersonating a user, and in this case, specifying the window station and desktop to launch the process under. All this is working. The problem is, I would like an administrator to be able to specify the Winlogon desktop as the target, and launch an application under it. I'm running into a few permission issues however. In order to launch an application under a given desktop, the account the process is launched under must have certain privileges enabled. The Winlogon desktop, being a more secure and restrictive desktop than the default interactive desktop, doesn't have many of the required privileges enabled by default, even for administrators. In order to grant a user access to a secured object, we have to obtain a handle to the object in question and modify the DACL for the object, granting the necessary rights to the user in question. In this case, it's not the modification of the DACL that's the problem, it's obtaining the handle in the first place. By default, administrators are granted the necessary rights to enumerate the Winlogon desktop, as well as read and modify its DACL. For most securable objects, that would be enough to obtain a handle and modify its permissions. In order to obtain a handle to an existing desktop, we call the OpenDesktop function. Here's the catch: As detailed in the MSDN documentation, in order to obtain a handle with READ_CONTROL, WRITE_DAC, or WRITE_OWNER privileges, all of which are privileges administrators have for the winlogon desktop, we also need to request the DESKTOP_READOBJECTS and DESKTOP_WRITEOBJECTS privileges, which administrators do not have by default. Now, administrators can work around this by spawning a command console from a service to obtain system credentials, however I'm wondering if there is any way to modify the DACL for the winlogon desktop using the default permissions granted to administrators. If not, why do administrators have read and write permissions to the winlogon DACL, if they can't ever obtain a handle with these privileges enabled?

Share this post


Link to post
Share on other sites
Advertisement
You should probably post this on one of MS's *.security newsgroups. You may get lucky and find someone here that both writes games and deals in depth with windows security, but your chances are much better on a security newsgroup :)

Robert

Share this post


Link to post
Share on other sites
Yeah, I realise it was a longshot asking this here. If I don't get a response, and I don't find a solution myself within the next couple of days, I'll hunt around and find a better place to pose this question. Cheers for the newsgroups suggestion. I looked on the MSDN forums and was less than impressed with the choices.

Share this post


Link to post
Share on other sites
Sign in to follow this  

  • Advertisement
×

Important Information

By using GameDev.net, you agree to our community Guidelines, Terms of Use, and Privacy Policy.

We are the game development community.

Whether you are an indie, hobbyist, AAA developer, or just trying to learn, GameDev.net is the place for you to learn, share, and connect with the games industry. Learn more About Us or sign up!

Sign me up!