Skip to content

Commit

Permalink
Run host UI without linked token (elevation).
Browse files Browse the repository at this point in the history
  • Loading branch information
@dchapyshev
dchapyshev committed Nov 14, 2023
1 parent aaae7c7 commit 6cd1431
Showing 1 changed file with 1 addition and 53 deletions.
54 changes: 1 addition & 53 deletions source/host/user_session_manager.cc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,9 +59,7 @@ const wchar_t kDefaultDesktopName[] = L"winsta0\\default";
//--------------------------------------------------------------------------------------------------
bool createLoggedOnUserToken(DWORD session_id, base::win::ScopedHandle* token_out)
{
base::win::ScopedHandle user_token;

if (!WTSQueryUserToken(session_id, user_token.recieve()))
if (!WTSQueryUserToken(session_id, token_out->recieve()))
{
DWORD error_code = GetLastError();
if (error_code == ERROR_NO_TOKEN)
Expand All @@ -74,56 +72,6 @@ bool createLoggedOnUserToken(DWORD session_id, base::win::ScopedHandle* token_ou
return false;
}

TOKEN_ELEVATION_TYPE elevation_type;
DWORD returned_length;

if (!GetTokenInformation(user_token,
TokenElevationType,
&elevation_type,
sizeof(elevation_type),
&returned_length))
{
PLOG(LS_ERROR) << "GetTokenInformation failed";
return false;
}

switch (elevation_type)
{
// The token is a limited token.
case TokenElevationTypeLimited:
{
TOKEN_LINKED_TOKEN linked_token_info;

// Get the unfiltered token for a silent UAC bypass.
if (!GetTokenInformation(user_token,
TokenLinkedToken,
&linked_token_info,
sizeof(linked_token_info),
&returned_length))
{
PLOG(LS_ERROR) << "GetTokenInformation failed";
return false;
}

// Attach linked token.
token_out->reset(linked_token_info.LinkedToken);
}
break;

case TokenElevationTypeDefault: // The token does not have a linked token.
case TokenElevationTypeFull: // The token is an elevated token.
default:
token_out->reset(user_token.release());
break;
}

DWORD ui_access = 1;
if (!SetTokenInformation(token_out->get(), TokenUIAccess, &ui_access, sizeof(ui_access)))
{
PLOG(LS_ERROR) << "SetTokenInformation failed";
return false;
}

return true;
}

Expand Down

0 comments on commit 6cd1431

Please sign in to comment.