Re: OT (Sorta): DLL Registration under Restricted User Mode

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance


"MikeD" <nobody@xxxxxxxxxxx> wrote in message
news:OKehrHrnFHA.1948@xxxxxxxxxxxxxxxxxxxxxxx
>
> "Bryan Dickerson" <txprphan@xxxxxxxxxxxx> wrote in message
> news:eQNsVuqnFHA.632@xxxxxxxxxxxxxxxxxxxxxxx
> > This is sorta OT, but how can I get DLLs to Register in Restricted User
> > mode?
>
>
> To the best of my knowledge, you can't. A Restricted User does not have
> write permissions for the parts of the Registy necessary for registering
> ActiveX components (requires write permission for both HKEY_CLASSES_ROOT
and
> HKEY_LOCAL_MACHINE).
>
> With that said, from the Restricted User login, you could run regsvr32.exe
> (or any other program) in the context of a different login that has admin
> rights. Here's a function to start a process under a different user
> account:
>
> -----BEGIN CODE
> Private Type PROCESS_INFORMATION
> hProcess As Long
> hThread As Long
> dwProcessId As Long
> dwThreadId As Long
> End Type
>
> Private Type STARTUPINFO
> cb As Long
> lpReserved As Long
> lpDesktop As Long
> lpTitle As Long
> dwX As Long
> dwY As Long
> dwXSize As Long
> dwYSize As Long
> dwXCountChars As Long
> dwYCountChars As Long
> dwFillAttribute As Long
> dwFlags As Long
> wShowWindow As Integer
> cbReserved2 As Integer
> lpReserved2 As Byte
> hStdInput As Long
> hStdOutput As Long
> hStdError As Long
> End Type
>
> Private Declare Function CreateProcessWithLogonW Lib "Advapi32" (ByVal
> lpUsername As Long, ByVal lpDomain As Long, ByVal lpPassword As Long,
ByVal
> dwLogonFlags As Long, ByVal lpApplicationName As Long, ByVal lpCommandLine
> As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal
> lpCurrentDirectory As Long, lpStartupInfo As STARTUPINFO, lpProcessInfo As
> PROCESS_INFORMATION) As Long
>
> Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As
Long)
> As Long
>
> Private Const INFINITE As Long = -1&
> Private Const STATUS_WAIT_0 As Long = &H0
> Private Const WAIT_OBJECT_0 As Long = STATUS_WAIT_0
>
> Private Const LOGON_WITH_PROFILE As Long = &H1&
> Private Const LOGON_NETCREDENTIALS_ONLY As Long = &H2&
> Private Const CREATE_DEFAULT_ERROR_MODE As Long = &H4000000
> Private Const CREATE_NEW_CONSOLE As Long = &H10&
> Private Const CREATE_NEW_PROCESS_GROUP As Long = &H200&
> Private Const CREATE_SEPARATE_WOW_VDM As Long = &H800&
> Private Const CREATE_SUSPENDED As Long = &H4&
> Private Const CREATE_UNICODE_ENVIRONMENT As Long = &H400&
> Private Const ABOVE_NORMAL_PRIORITY_CLASS As Long = &H8000&
> Private Const BELOW_NORMAL_PRIORITY_CLASS As Long = &H4000&
> Private Const HIGH_PRIORITY_CLASS As Long = &H80&
> Private Const IDLE_PRIORITY_CLASS As Long = &H40&
> Private Const NORMAL_PRIORITY_CLASS As Long = &H20&
> Private Const REALTIME_PRIORITY_CLASS As Long = &H100&
>
> Public Function RunAsUser(sLoginName As string, sPassword As String) As
> Boolean
>
> Dim lpUsername As String
> Dim lpDomain As String
> Dim lpPassword As String
> Dim lpApplicationName As String
> Dim lpCommandLine As String
> Dim lpCurrentDirectory As String
> Dim StartInfo As STARTUPINFO
> Dim ProcessInfo As PROCESS_INFORMATION
>
> lpUsername = sLoginName
> lpDomain = "YourDomainName"
> lpPassword = sPassword
> lpApplicationName = <pathtofile>\program.exe"
> lpCommandLine = vbNullString 'use the same as lpApplicationName
> lpCurrentDirectory = vbNullString 'use standard directory
>
> If IsWin2K Then
> StartInfo.cb = LenB(StartInfo) 'initialize structure
> StartInfo.dwFlags = 0&
>
> CreateProcessWithLogonW StrPtr(lpUsername), StrPtr(lpDomain),
> StrPtr(lpPassword), _
> 0&, StrPtr(lpApplicationName), StrPtr(lpCommandLine), _
> CREATE_DEFAULT_ERROR_MODE Or CREATE_NEW_CONSOLE Or
> CREATE_NEW_PROCESS_GROUP, _
> ByVal 0&, StrPtr(lpCurrentDirectory), StartInfo, ProcessInfo
>
> CloseHandle ProcessInfo.hThread 'close the handle to the main
thread
> since we don't use it
> CloseHandle ProcessInfo.hProcess 'close the handle to the process
> since we don't use it
> 'note that closing the handles of the main thread and the process
do
> not terminate the process
>
> If ProcessInfo.hProcess > 0 Then
> RunAsUser = True
> End If
> Else
> If Shell(lpApplicationName) Then
> RunAsUser = True
> End If
> End If
> End Function
> -----END CODE
>
> Note that I made some on-the-fly changes from the actual function I use.
> It's possible I missed something or screwed something up, but that's the
> gist of it. If I missed any function, structure, or constant
declarations,
> let me know. You'll need to write your own IsWin2K function (mine returns
> True for Win2K and greater, so the above will work correctly with WinXP
and
> Windows Server 2003).
>
> --
> Mike
> Microsoft MVP Visual Basic
>

You also could just use "runas /user:<user> regsvr32 <dll>".

As a sidenote, one of the first things one does after having gained access
to a box is to go looking for executables that call
CreateProcessWithLogonW() and I know kids that can rattle off its offset
like their girlfriend's phone number. From there you back track - 90% of the
time you find the password or location of the password hardcoded.

If there is a reason to restrict a user then restrict them - don't say "now
don't touch" then put the key under the flower pot. <g>

-ralph


.

Quantcast