Re: Can't copy/rename file using CreateProcessWithLogonW, ImpersonateLoggedOnUser and LogonUser

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: "Mark Yudkin" <myudkinATcompuserveDOTcom@xxxxxxxxx>
Date: Tue, 7 Jun 2005 07:56:02 +0200

"TC" <aatcbbtccctc@xxxxxxxxx> wrote in message
news:1117956640.888740.129410@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> Sam Hobbs wrote:
>> If the programs you have written are executed without Administrator
>> priviliges then it makes sense that they can't get Administrator
>> priviliges.
>> Use of CreateProcessWithLogonW to grant higher privileges should not work
>> either. If any of that did work, it would be a huge violation of the
>> purpose
>> of security.
>
>
> Nonsense.
>
> I can't speak for the APIs in question, as I have never used them.
>
> But there is absolutely nothing wrong, in principle, with a program
> acquiring higher priviliges, at runtime, if it can provide the
> creditials of a suitable higher-priviliged user.

Actually, there is a restriction that contradicts your "in principle". The
user trying to acquire the higher privileges needs the "Impersonate a user
after logon / impersonate a client after logon" privilege (W2K SP4, XP SP2,
W2K3). Without that, all attempts will be rejected. By default, only
administrators have this privilege. That is, a user can only increase his
privileges if he has the privilege to do so, in addition to having and/or
knowing the credentials.

>
> HTH,
> TC
>

.

Follow-Ups:
- Re: Can't copy/rename file using CreateProcessWithLogonW, ImpersonateLoggedOnUser and LogonUser
  - From: TC

References:
- Can't copy/rename file using CreateProcessWithLogonW, ImpersonateLoggedOnUser and LogonUser
  - From: Ray Greene
- Re: Can't copy/rename file using CreateProcessWithLogonW, ImpersonateLoggedOnUser and LogonUser
  - From: Sam Hobbs
- Re: Can't copy/rename file using CreateProcessWithLogonW, ImpersonateLoggedOnUser and LogonUser
  - From: TC

Prev by Date: Re: Can't copy/rename file using CreateProcessWithLogonW, ImpersonateLoggedOnUser and LogonUser
Next by Date: Re: Camcorder and VB6 application
Previous by thread: Re: Can't copy/rename file using CreateProcessWithLogonW, ImpersonateLoggedOnUser and LogonUser
Next by thread: Re: Can't copy/rename file using CreateProcessWithLogonW, ImpersonateLoggedOnUser and LogonUser
Index(es):
- Date
- Thread

Relevant Pages

Re: Cant copy/rename file using CreateProcessWithLogonW, ImpersonateLoggedOnUser and LogonUser
... >>If the programs you have written are executed without Administrator ... >>priviliges then it makes sense that they can't get Administrator ... When I run Runas, I must enter the password for my Administrator account. ... CreateProcessWithLogonW but you will need to know the password and store the ...
(microsoft.public.vb.winapi)
Re: Error messages on non-administrator log on
... Oursouls wrote: ... > All of the others that log on to my PC do not have administrator ... > have enough priviliges for a program and should contact the ... Most modern office type programs should work just fine in a non admin ...
(microsoft.public.windowsxp.security_admin)
Re: Cant copy/rename file using CreateProcessWithLogonW, ImpersonateLoggedOnUser and LogonUser
... >> If the programs you have written are executed without Administrator ... >> priviliges then it makes sense that they can't get Administrator ... >> Use of CreateProcessWithLogonW to grant higher privileges should not work ... You don't have to say "Nonsense". ...
(microsoft.public.vb.winapi)
write privileges for the NULL directory
... I'm trying to download an update from HR Block's Tax Cut ... priviliges for the NULL directory." ... I'm the administrator and neither I ...
(microsoft.public.windowsxp.newusers)
Re: Cant copy/rename file using CreateProcessWithLogonW, ImpersonateLoggedOnUser and LogonUser
... Sam Hobbs wrote: ... > priviliges then it makes sense that they can't get Administrator priviliges. ... > Use of CreateProcessWithLogonW to grant higher privileges should not work ...
(microsoft.public.vb.winapi)