Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Graphical user interface problems #16

Open
candogg opened this issue Dec 10, 2024 · 4 comments
Open

Graphical user interface problems #16

candogg opened this issue Dec 10, 2024 · 4 comments

Comments

@candogg
Copy link

candogg commented Dec 10, 2024
edited
Loading

When a user interface occurs with --bypass-uac, its like an old version of windows like 98. Is there any solution?

Thanks.
@antonioCoco
Copy link
Owner

Hello,

I need more info to troubleshoot, because i'm aware of some issues with UI programs and it might be related to some missing permissions in the Window Station\Desktop, but i want to make sure your scenario is reproducible.

What windows version are you testing? What is the user account and its permission the one who runs the RunasCs.exe process?
What permissions and groups have "testaccount" instead? Is UAC enabled ? Is the EnableLUA regkey enabled?

Also please attach a screenshot of a malfunctioning user interface.

@candogg
Copy link
Author

candogg commented Dec 13, 2024
edited
Loading

I am using some functionality of RunasCs project. Always running bypass uac. Just testing.

Environment: Windows 10
Scenario: A windows service communicates with a user interacted application and adds user to administrators group temporarily then removes after uac bypass. EnableUA regkey enabled.

Project is working there is no problem about functionality. Just visual styles of windows are problem. Windows are opening like Windows 98. What am i doing wrong?

image

My simplified methods are below;

public bool RunAsElevated(string domain, string userName, string password, string applicationPath)
{
    var logonType = 2;
    var logonFlags = 1;
    var startupInfo = new STARTUPINFO();
    startupInfo.cb = Marshal.SizeOf(startupInfo);
    startupInfo.lpReserved = null;
    var processInfo = new ProcessInformation();
    stationDaclObj = new WindowStationDACL();

    startupInfo.lpDesktop = stationDaclObj.AddAclToActiveWindowStation(domain, userName, logonType);

    try
    {
        RunasCreateProcessWithLogonW(userName, domain, password, logonType, (uint)logonFlags, applicationPath, ref startupInfo, ref processInfo);

        return true;
    }
    catch (Exception)
    {
        return false;
    }
}

private void RunasCreateProcessWithLogonW(string username, string domainName, string password, int logonType, uint logonFlags, string applicationPath, ref STARTUPINFO startupInfo, ref ProcessInformation processInfo)
{
    var logonTypeBypassUac = logonType == SharedConstants.LOGON32_LOGON_NETWORK || logonType == SharedConstants.LOGON32_LOGON_BATCH || logonType == SharedConstants.LOGON32_LOGON_SERVICE || logonType == SharedConstants.LOGON32_LOGON_NETWORK_CLEARTEXT
        ? logonType
        : SharedConstants.LOGON32_LOGON_NETWORK_CLEARTEXT;

    if (!CreateProcessWithLogonWUacBypass(logonTypeBypassUac, logonFlags, username, domainName, password, @"C:\windows\system32\cmd.exe", $"\"{applicationPath}\"", ref startupInfo, out processInfo))
    {
        throw new RunasCsException("CreateProcessWithLogonWUacBypass", true);
    }
}

`private bool CreateProcessWithLogonWUacBypass(int logonType, uint logonFlags, string username, string domainName, string password, string processPath, string commandLine, ref STARTUPINFO startupInfo, out ProcessInformation processInfo)
{
var hToken = IntPtr.Zero;
var profileInfo = new PROFILEINFO();
profileInfo.dwSize = Marshal.SizeOf(profileInfo);
profileInfo.lpUserName = username;

var result = Win32.LoadUserProfile(hToken, ref profileInfo);

if (!Win32.LogonUser(username, domainName, password, logonType, SharedConstants.LOGON32_PROVIDER_DEFAULT, ref hToken))
{
    throw new RunasCsException("CreateProcessWithLogonWUacBypass: LogonUser", true);
}

AccessToken.SetTokenIntegrityLevel(hToken, AccessToken.GetTokenIntegrityLevel(WindowsIdentity.GetCurrent().Token));

Win32.SetSecurityInfo((IntPtr)SharedConstants.GetCurrentProcess, SE_OBJECT_TYPE.SE_KERNEL_OBJECT, SharedConstants.DACL_SECURITY_INFORMATION, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);

using (var impersonatedUser = WindowsIdentity.Impersonate(hToken))
{
    result = Win32.CreateProcessWithLogonW(username, domainName, password, logonFlags | SharedConstants.LOGON_NETCREDENTIALS_ONLY, processPath, $"/c {commandLine}", SharedConstants.CREATE_NO_WINDOW, IntPtr.Zero, null, ref startupInfo, out processInfo);
}

Win32.CloseHandle(hToken);
return result;

}`

@candogg
Copy link
Author

candogg commented Dec 30, 2024

Hello, @antonioCoco did you find any solution about this question? Thanks.

@antonioCoco
Copy link
Owner

@candogg there are no solutions neither i was able to reproduce the issue.

I will keep this issue open and will try to work on it in the next release, but please consider that there are no plans for a new release right now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@antonioCoco @candogg