CreateProcessAsUser not from service

I want to run the application under the credentials of a different account (not elevated) while that user is already logged in. Specifically, I want my app installer (which runs under any administrator account) to start processes in every user desktop session. These processes interact with the service's windows and display on the desktop to interact with the user.

Usually, from a service running as LocalSystem, the approach is WTSQueryUserToken. However, WTSQueryUserToken will not work outside of the LocalSystem account (with the SE_TCB_NAME privilege), which makes this approach unsuccessful.

If the user was not already logged in, I could simply register the app to run under HKLM\...\Run so that any user who logs in gets a copy of the app at logon. But that does not cover a user who is already logged in (at least until they log out and log in again).

I see two possible answers:

  • You cannot do this. Unfortunately.

  • You can get the token from somewhere else (maybe list the explorer.exe processes and pull the access token out of each), call DuplicateTokenEx, then go to CreateProcessAsUser. I tried this approach and consistently got "access denied" when trying OpenProcessToken on a process running in a different user session, even with debug privilege enabled and the process opened with PROCESS_ALL_ACCESS.


What do you think?

If the answer is #1 ("you can't do that"), then what is the recommended way to spawn unelevated processes to mediate between the service and the user? Is it better to use this service to run these processes in every session via CreateProcessAsUser? Or is it best to have unelevated processes run separately (e.g. via HKLM\...\Run or HKCU\...\Run)?
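As an added example that is not part of the original question: a PowerShell diagnostic that checks whether the calling context actually holds SeTcbPrivilege (the SE_TCB_NAME requirement of WTSQueryUserToken described above) and lists the interactive sessions using explorer.exe as the per-session marker. The function names and the use of `whoami /priv` for the privilege check are my choices, not anything from the question.

```powershell
# Added diagnostic, not code from the question: decide which launch route is
# viable from the current security context before trying WTSQueryUserToken.

function Test-TcbPrivilege {
    # WTSQueryUserToken requires SeTcbPrivilege on the caller's token. It is
    # normally present only on LocalSystem, which is why the call fails from
    # an ordinary administrator account even when elevated.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $tcb = $privs | Where-Object { $_.'Privilege Name' -eq 'SeTcbPrivilege' }
    return ($null -ne $tcb)
}

function Test-LocalSystem {
    # S-1-5-18 is the well-known SID of the LocalSystem account.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    return ($sid -eq 'S-1-5-18')
}

function Get-InteractiveSession {
    # One explorer.exe per logged-in desktop session. -IncludeUserName needs an
    # elevated caller because it queries each process's token.
    Get-Process -Name explorer -IncludeUserName -ErrorAction SilentlyContinue |
        Select-Object -Property SessionId, UserName, Id |
        Sort-Object -Property SessionId -Unique
}

$sessions = @(Get-InteractiveSession)
Write-Output ("Running as LocalSystem: {0}" -f (Test-LocalSystem))
Write-Output ("SeTcbPrivilege on token: {0}" -f (Test-TcbPrivilege))

if (Test-TcbPrivilege) {
    Write-Output "WTSQueryUserToken + CreateProcessAsUser is viable from this context."
} else {
    Write-Output "No SeTcbPrivilege: WTSQueryUserToken will fail here. Use a LocalSystem service for cross-session launches, or a per-user Run entry for future logons."
}

Write-Output ("Interactive sessions with a logged-in desktop: {0}" -f $sessions.Count)
$sessions | Format-Table -AutoSize
```

Run it once from an elevated admin prompt and once as LocalSystem (e.g. from the service itself) to see the two outcomes the question describes.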


