Quote from
Remko:
Sure: Suppose your poweruser is called Joe.
Let your service find the LogonSid for Joe. Use LsaLogonUser to start your process (e.g. Delphi) (e.g. with the supplied credentials). Include in the PTOKEN_GROUPS both the (local) admin SID and Joe's LogonSid. The process has full access to Joe's desktop without the need to set ACLs because you "are" Joe. Because the process also has Admin's SID you also have his privileges. If wanted, replace admin by a special user with debug privileges.
It is not good to add Joe to the administrator groups. We have to create programs without such power.
It also does not work to add the group debug users because the privilege is not added. I tested it.
I successfully created a new token with debug privilege (using NTCreateToken), but this needs the user's LUID (which can be created by CreateLogonSession) - however I can find the user's LUID by LsaGetLogonSessionData.
Delphi source code:
function GetUserNameLUID(const username : WideString) : TLuid;
var
  res,
  i,
  lsCount : Cardinal;
  lsLUIDS,
  pCurLUID : PLuid;
  pLogonSessionData : PSECURITY_LOGON_SESSION_DATA;
begin
  // A zero LUID is returned when no matching logon session is found
  result.LowPart := 0;
  result.HighPart := 0;
  lsCount := 0;
  lsLUIDS := nil;
  // Stop if the enumeration fails or returns no buffer
  if (LsaEnumerateLogonSessions(@lsCount, lsLUIDS) <> 0) or (lsLUIDS = nil) then
    exit;
  try
    // Walk the returned LUID list with a typed pointer
    pCurLUID := lsLUIDS;
    // lsCount is a Cardinal: lsCount-1 would wrap around if it were 0
    if lsCount > 0 then
      for i := 0 to lsCount-1 do
      begin
        res := LsaGetLogonSessionData(pCurLUID, pLogonSessionData);
        if (res = 0) then
        begin
          // Match on user name and on the NTLM authentication package
          if (CompareText(pLogonSessionData.UserName.Buffer, userName) = 0) and
             (CompareText(pLogonSessionData.AuthenticationPackage.Buffer, 'NTLM') = 0) then
          begin
            result := pLogonSessionData.LogonId;
            LsaFreeReturnBuffer(pLogonSessionData);
            // lsLUIDS is freed exactly once, in the finally block below
            exit;
          end;
          LsaFreeReturnBuffer(pLogonSessionData);
        end;
        Inc(pCurLUID);
      end;
  finally
    LsaFreeReturnBuffer(lsLUIDS);
  end;
end;
By the way:
Did you see my post "Security Library"? I would appreciate it if you could make a comment (I also need reinforcement).