1. Using PsExec
http://technet.microsoft.com/ko-kr/sysinternals/bb897553.aspx
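PsExec -d   (-d only tells PsExec not to wait for the launched process to exit; the switch that runs the program with a limited-user token is -l)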
2. Using CreateRestrictedToken and CreateProcessAsUser
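// Launch notepad.exe under a restricted copy of the current process token.
// This is a fragment of a function returning void: every failure path returns
// early, and every handle opened here is closed before control leaves.
//
// NOTE(review): DISABLE_MAX_PRIVILEGE strips privileges only (everything except
// SeChangeNotifyPrivilege). No SIDs are passed as deny-only below, so group
// membership such as Administrators stays enabled in the new token, and the
// integrity level is presumably unchanged -- inspect the child's token before
// treating it as "non-elevated".
HANDLE hProcessToken = NULL;
if (!::OpenProcessToken(GetCurrentProcess(),
                        TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_DUPLICATE |
                            TOKEN_ASSIGN_PRIMARY | TOKEN_ADJUST_SESSIONID |
                            TOKEN_READ | TOKEN_WRITE,
                        &hProcessToken))
{
    return;
}

HANDLE hRestrictedToken = NULL;
const BOOL tokenCreated = ::CreateRestrictedToken(hProcessToken,
                                                  DISABLE_MAX_PRIVILEGE,
                                                  0, NULL,   // no SIDs made deny-only
                                                  0, NULL,   // no extra privileges to delete
                                                  0, NULL,   // no restricting SIDs
                                                  &hRestrictedToken);
// The source token is needed only to derive the restricted one.
CloseHandle(hProcessToken);
if (!tokenCreated)
{
    return;
}

// Create startup info. The desktop name lives in a writable buffer because
// STARTUPINFOW::lpDesktop is a non-const pointer.
WCHAR desktopName[] = L"winsta0\\default";
STARTUPINFOW si = {0};
PROCESS_INFORMATION pi = {0};
si.cb = sizeof(si);
si.lpDesktop = desktopName;

// Start the new restricted process. The image is named by full path, so no
// search-path lookup takes place. bInheritHandles is FALSE so that inheritable
// handles held by this (elevated) process are not passed to the child.
const BOOL started = ::CreateProcessAsUserW(hRestrictedToken,
                                            L"c:\\windows\\notepad.exe",
                                            NULL, NULL, NULL,
                                            FALSE,
                                            NORMAL_PRIORITY_CLASS,
                                            NULL, NULL,
                                            &si, &pi);
CloseHandle(hRestrictedToken);
if (!started)
{
    return;
}

// The child keeps running; only our references to it are released.
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);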
3. Using SaferCreateLevel and CreateProcessAsUser
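// Relaunch the current executable under a token computed from the Safer
// "normal user" level. This is a fragment of a function returning bool:
// true when the child process was started, false on any failure.
//
// NOTE(review): the Safer token presumably keeps the caller's integrity level
// on Windows Vista and later -- verify with a token viewer, and lower
// TokenIntegrityLevel via SetTokenInformation if medium integrity is required.
SAFER_LEVEL_HANDLE hLevel = NULL;
if (!SaferCreateLevel(SAFER_SCOPEID_MACHINE, SAFER_LEVELID_NORMALUSER,
                      SAFER_LEVEL_OPEN, &hLevel, NULL))
{
    return false;
}

HANDLE hRestrictedToken = NULL;
const BOOL tokenComputed =
    SaferComputeTokenFromLevel(hLevel, NULL, &hRestrictedToken, 0, NULL);
// The level handle is no longer needed once the token has been computed.
SaferCloseLevel(hLevel);
if (!tokenComputed)
{
    return false;
}

// Create startup info. The desktop name lives in a writable buffer because
// STARTUPINFOW::lpDesktop is a non-const pointer.
WCHAR desktopName[] = L"winsta0\\default";
STARTUPINFOW si = {0};
PROCESS_INFORMATION pi = {0};
si.cb = sizeof(si);
si.lpDesktop = desktopName;

// Get the current executable's name. A return of 0 means failure; a return
// equal to the buffer size passed in means the path was truncated, and a
// truncated path must not be handed to CreateProcessAsUser.
WCHAR exePath[MAX_PATH + 1] = {0};
const DWORD pathLength = GetModuleFileNameW(NULL, exePath, MAX_PATH);
if (pathLength == 0 || pathLength >= MAX_PATH)
{
    CloseHandle(hRestrictedToken);
    return false;
}

// Start the new restricted process. bInheritHandles is FALSE so that
// inheritable handles held by this (elevated) process are not passed on.
const BOOL started = CreateProcessAsUserW(hRestrictedToken, exePath,
                                          NULL, NULL, NULL,
                                          FALSE,
                                          NORMAL_PRIORITY_CLASS,
                                          NULL, NULL,
                                          &si, &pi);
CloseHandle(hRestrictedToken);
if (!started)
{
    return false;
}

// The child keeps running; only our references to it are released.
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return true;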