Question
I'm trying to create a Medium or Low integrity process from an elevated process. I know there are other questions like this but they mostly focus on the workarounds like using Explorer or the Task Scheduler and I want to stick with CreateRestrictedToken()+CreateProcessAsUser().
I assume it must be possible to do this somehow since I believe UAC does it when you log in but I have not been able to get everything in the token to look like the normal UAC Medium IL token.
You can get 80% there by creating the token with CreateRestrictedToken(hThisProcessToken, LUA_TOKEN, ...) and then setting TokenOwner, TokenDefaultDacl and TokenIntegrityLevel before calling CreateProcessAsUser().
The remaining issues are TokenVirtualizationAllowed, TokenVirtualizationEnabled, TokenElevation, TokenElevationType and TokenMandatoryPolicy where SetTokenInformation() fails with ERROR_PRIVILEGE_NOT_HELD or ERROR_INVALID_PARAMETER.
If I run as SYSTEM @ SECURITY_MANDATORY_SYSTEM_RID with all privileges enabled as opposed to an Administrator @ SECURITY_MANDATORY_HIGH_RID then I'm able to set TokenMandatoryPolicy and TokenVirtualization* but setting TokenElevation* still fails! (Only tested on Windows 8 so far)
Not having the correct TokenElevation* values in the token is a big issue because Internet Explorer fails to start in Protected Mode because it thinks the token is elevated.
The documentation for SetTokenInformation() does not say which TOKEN_INFORMATION_CLASS items it is possible to set and which privileges, if any, are required and I don't understand why you would not be allowed to set these to lower security values that match the actual integrity level (TokenIntegrityLevel) of the token.
Using the Safer API to create a SAFER_LEVELID_NORMALUSER token does not fix any of these issues and also creates a token that is more restricted than the normal Medium IL token.
I found somebody with a similar issue from the early Vista/Longhorn days, has nothing changed since then?
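The token-building sequence the question describes (CreateRestrictedToken with LUA_TOKEN, then TokenOwner and TokenIntegrityLevel via SetTokenInformation, then CreateProcessAsUser), written out as an added C# P/Invoke example. This is not code from the question, from Microsoft, or from any answer; it assumes it is run from an already elevated process on the same desktop, uses the winnt.h values of the TOKEN_INFORMATION_CLASS enum and the S-1-16-<RID> mandatory label SIDs, and leaves the TokenDefaultDacl step the question mentions out. It also reads TokenElevation and TokenElevationType back from the new token so you can see for yourself what the question reports about those two fields.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example, not code from the question. Lowers a copy of the current
// (elevated) token to Medium IL and starts a child with it.
static class MediumIlLauncher
{
    const uint TOKEN_ALL_ACCESS = 0xF01FF, LUA_TOKEN = 0x4;
    const uint SE_GROUP_INTEGRITY = 0x20, CREATE_UNICODE_ENVIRONMENT = 0x400;
    // TOKEN_INFORMATION_CLASS values from winnt.h
    const int TokenUser = 1, TokenOwner = 4, TokenElevationType = 18, TokenElevation = 20, TokenIntegrityLevel = 25;
    // Mandatory label SIDs are S-1-16-<RID>: Medium = 0x2000, Low = 0x1000
    const string MediumIlSid = "S-1-16-8192", LowIlSid = "S-1-16-4096";

    [StructLayout(LayoutKind.Sequential)] struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_MANDATORY_LABEL { public SID_AND_ATTRIBUTES Label; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_OWNER { public IntPtr Owner; }
    [StructLayout(LayoutKind.Sequential)] struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll")] static extern IntPtr LocalFree(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CreateRestrictedToken(IntPtr existing, uint flags, uint disableSidCount, IntPtr sidsToDisable,
        uint deletePrivCount, IntPtr privsToDelete, uint restrictedSidCount, IntPtr sidsToRestrict, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool ConvertStringSidToSid(string sid, out IntPtr psid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool SetTokenInformation(IntPtr token, int cls, ref TOKEN_MANDATORY_LABEL info, int len);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool SetTokenInformation(IntPtr token, int cls, ref TOKEN_OWNER info, int len);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr info, int len, out int needed);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessAsUser(IntPtr token, string app, string cmdLine, IntPtr pa, IntPtr ta, bool inherit,
        uint flags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);

    static void Check(bool ok, string api) { if (!ok) throw new Win32Exception(Marshal.GetLastWin32Error(), api + " failed"); }

    // Reads a DWORD-sized token class such as TokenElevation or TokenElevationType.
    static uint QueryDword(IntPtr token, int cls)
    {
        IntPtr buf = Marshal.AllocHGlobal(4);
        try { Check(GetTokenInformation(token, cls, buf, 4, out _), "GetTokenInformation"); return (uint)Marshal.ReadInt32(buf); }
        finally { Marshal.FreeHGlobal(buf); }
    }

    // LUA_TOKEN applies the same filtering UAC uses (admin groups become deny-only, most
    // privileges are removed). The owner is then reset to the token's user SID, because the
    // question notes TokenOwner has to be set on the filtered token, and the label is lowered.
    static IntPtr CreateLoweredToken(string labelSid)
    {
        Check(OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, out IntPtr src), "OpenProcessToken");
        Check(CreateRestrictedToken(src, LUA_TOKEN, 0, IntPtr.Zero, 0, IntPtr.Zero, 0, IntPtr.Zero, out IntPtr tok), "CreateRestrictedToken");
        CloseHandle(src);

        GetTokenInformation(tok, TokenUser, IntPtr.Zero, 0, out int need);   // size probe
        IntPtr userBuf = Marshal.AllocHGlobal(need);
        Check(GetTokenInformation(tok, TokenUser, userBuf, need, out need), "GetTokenInformation(TokenUser)");
        var owner = new TOKEN_OWNER { Owner = Marshal.PtrToStructure<SID_AND_ATTRIBUTES>(userBuf).Sid };
        Check(SetTokenInformation(tok, TokenOwner, ref owner, Marshal.SizeOf<TOKEN_OWNER>()), "SetTokenInformation(TokenOwner)");
        Marshal.FreeHGlobal(userBuf);   // the SID has been copied into the token by the call above

        Check(ConvertStringSidToSid(labelSid, out IntPtr label), "ConvertStringSidToSid");
        var tml = new TOKEN_MANDATORY_LABEL { Label = new SID_AND_ATTRIBUTES { Sid = label, Attributes = SE_GROUP_INTEGRITY } };
        Check(SetTokenInformation(tok, TokenIntegrityLevel, ref tml, Marshal.SizeOf<TOKEN_MANDATORY_LABEL>()), "SetTokenInformation(TokenIntegrityLevel)");
        LocalFree(label);
        return tok;
    }

    static void Main(string[] args)
    {
        string cmd = args.Length > 0 ? args[0] : @"C:\Windows\System32\cmd.exe";   // assumed default child
        IntPtr tok = CreateLoweredToken(MediumIlSid);

        // TokenElevation is 1 when the token is marked elevated; TokenElevationType is the
        // TOKEN_ELEVATION_TYPE enum (1 Default, 2 Full, 3 Limited). The question reports
        // that neither can be corrected with SetTokenInformation after the steps above.
        Console.WriteLine("TokenElevation={0} TokenElevationType={1}",
            QueryDword(tok, TokenElevation), QueryDword(tok, TokenElevationType));

        var si = new STARTUPINFO { cb = Marshal.SizeOf<STARTUPINFO>() };
        Check(CreateProcessAsUser(tok, null, cmd, IntPtr.Zero, IntPtr.Zero, false, CREATE_UNICODE_ENVIRONMENT,
            IntPtr.Zero, null, ref si, out PROCESS_INFORMATION pi), "CreateProcessAsUser");
        Console.WriteLine("Started PID {0} with label {1}", pi.dwProcessId, MediumIlSid);
        CloseHandle(pi.hThread); CloseHandle(pi.hProcess); CloseHandle(tok);
    }
}
```

Pass LowIlSid instead of MediumIlSid to get a Low IL child. CreateProcessAsUser accepts the token here without SeAssignPrimaryTokenPrivilege because it is a restricted copy of the caller's own token; a child started this way gets the lowered label (check it with Process Explorer or `whoami /groups`), but the elevation fields it inherits are exactly what the question is asking about.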
Source: https://stackoverflow.com/questions/36752182/create-a-low-medium-process-from-a-elevated-process-with-createrestrictedtokenl