JSI Tip 1853. Start a process in the security context of any user.

The Windows NT 4.0 Server Resource Kit, Supplement 4, contains SU.

SU provides the ability to start a process running as an arbitrary user. The utility is named after the SU utility of the UNIX family of operating systems.

The new process runs in the security context of the specified user, providing that the specified username, domain, and password are correct. To start a process as an arbitrary user, you must have the password for the corresponding user.

The new process starts with an environment block representing the per-user environment variables that Windows NT maintains. This behavior can be disabled.

When the new process starts, the Registry hive representing the target user is available to the process. This portion of the Registry is accessed through the HKEY_CURRENT_USER Registry key. This behavior can also be disabled.

The logon type equates to the logon right required by the target user (who was granted the privileges). Furthermore, the logon type dictates how the access token representing the target user is populated. The security ID (SID) with type SE_GROUP_LOGON_ID in the access token for the new process represents the type of logon, Batch, Interactive, or Service. Logon rights can be granted through User Manager as described above.

In this release of SU, the caller no longer needs the following privileges:

SeTcbPrivilege

"Act as part of the operating system"

SeIncreateQuotaPrivilege

"Increase Quotas"

SeAssignPrimaryTokenPrivilege

"Replace a process level token"

SeRestorePrivilege

"Restore files and directories"

This privilege is required only for preparation of user Registry hive.

The above privileges are no longer required when using SU. In order to support this, the user

must install a new service based component used by SU. The service component is encapsulated in

the executable suss.exe, and this is installed by issuing the following command line at a Windows NT

command prompt (cmd.exe):

suss.exe -install

You need to be an administrator in order to install the service in this manner. Once the service

is installed, and user may use SU without having the four privileges mentioned above. If you are

upgrading over an previous installation of SU, we recommend that you revoke the above mentioned

privileges from any users/groups they were granted to previously. This can be accomplished by

using User Manager (usrmgr.exe or musrmgr.exe).


Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish