2024. 4. 9. 11:15

How to open Control Panel Items in the separate explorer.exe

If you want to open 'This PC\All Control Panel Items\Programs and Features'
First you need to convert each items to GUID

  • This PC -> 20d04fe0-3aea-1069-a2d8-08002b30309d
  • All Control Panel Items -> 21ec2020-3aea-1069-a2dd-08002b30309d
  • Programs and Features -> 7b81be6a-ce2b-4676-a29e-eb907a5126c5

Then launch exporer.exe with /separate paramter

For example:

C:\Windows\explorer.exe /separate, ::{20d04fe0-3aea-1069-a2d8-08002b30309d}\::{21ec2020-3aea-1069-a2dd-08002b30309d}\::{7b81be6a-ce2b-4676-a29e-eb907a5126c5}

Then the above process will be terminated and the below process shows up with ' Programs and Features'

C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

If you want to launch explorer.exe as your descendant process, there is a way

  1. Run: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    • This process is your descendant process and it is invisible.
  2. Run: C:\Windows\explorer.exe /separate, ::{20d04fe0-3aea-1069-a2d8-08002b30309d}\::{21ec2020-3aea-1069-a2dd-08002b30309d}\::{7b81be6a-ce2b-4676-a29e-eb907a5126c5}
    • This process will be terminated and 'Programs and Features' will be showed in the previous explorer.exe.
    • But if there is one more explorer.exe /factory, there is no gurantee which one shows 'Programs and Features'.

 

2023. 5. 10. 11:59

How to prevent a services from being stopped by administrative users.

It is almost impossible to prevent administrators from stopping services.
But there are some ways to make it difficult for them.

  1. Ignoring the stop notification

SetServiceStatus

 

SetServiceStatus function (winsvc.h) - Win32 apps

Updates the service control manager's status information for the calling service.

learn.microsoft.com

If you call this function without 'SERVICE_ACCEPT_STOP' in dwControlsAccepted member in SERVICE_STAUS structure, the service ignores the stop notification.

  1. Chaning the access control on the service
// Get an acl of the service

  ATL::CDacl dacl;
  bool result = ATL::AtlGetDacl(L"serviceName", SE_SERVICE, &dacl);


// Traverse all access masks

  for (UINT index = 0; index < count; ++index) {
    CSid aceSid;
    ACCESS_MASK mask = 0;
    BYTE type = 0;
    BYTE flags = 0;
    GUID objectType;
    GUID inheritedObjectType;
    dacl.GetAclEntry(index, &aceSid, &mask, &type, &flags, &objectType, &inheritedObjectType);

}

// Change & Set acess mask

// Remove old ace
dacl.RemoveAce(speciifcIndex);
// Remove permissions(SERVICE_CHANGE_CONFIG & SERVICE_STOP)
specificMask &= ~SERVICE_CHANGE_CONFIG; 
specificMask &= ~SERVICE_STOP;
// Add new ace
 result = dacl.AddAllowedAce(specificSid, specificMask, specificFlags);
2022. 9. 2. 18:45

NtCreateToken

NtCreateToken

Return Codes

  • STATUS_SUCCESS - Indicates the operation was successful.
  • STATUS_INVALID_OWNER - Indicates the ID provided to be assigned
            as the default owner of the token does not have an attribute
            indicating it may be assigned as an owner.
  • STATUS_INVALID_PRIMARY_GROUP - Indicates the group ID provided
            via the PrimaryGroup parameter was not among those assigned
            to the token in the Groups parameter.
  • STATUS_BAD_IMPERSONATION_LEVEL - Indicates no impersonation level
            was provided when attempting to create a token of type
            TokenImpersonation.

createprocess-windows