Styris
/
trusted-uninstaller-cli
1
0
Fork 0
Code Issues 1 Pull Requests 0 Projects 1 Releases 10 Wiki Activity
CLI tool for running Playbooks
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
17 Commits
1 Branch
55 MiB
Tree: 63739db83a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '63739db83a'
${ noResults }
trusted-uninstaller-cli/TrustedUninstaller.Shared/ProcessPrivilege.cs

505 lines
25 KiB
Raw Normal View History

Update to v0.7.3
6 months ago
Update to v0.7.4
6 months ago
Update to v0.7.3
6 months ago
Update to v0.7.4
6 months ago
Update to v0.7.3
6 months ago
 
  1. using System;
  2. using System.Collections.Generic;
  3. using System.ComponentModel;
  4. using System.Diagnostics;
  5. using System.IO;
  6. using System.Linq;
  7. using System.Reflection;
  8. using System.Runtime.ConstrainedExecution;
  9. using System.Runtime.InteropServices;
  10. using System.Security;
  11. using System.Text;
  12. using System.Threading;
  13. using System.Threading.Tasks;
  14. using Microsoft.Win32.SafeHandles;
  15. using TrustedUninstaller.Shared.Actions;
  16. 

  17. namespace TrustedUninstaller.Shared
  18. {
  19.     public class ProcessPrivilege
  20.     {
  21.         private static Win32.TokensEx.SafeTokenHandle userToken = new Win32.TokensEx.SafeTokenHandle(IntPtr.Zero);
  22.         private static Win32.TokensEx.SafeTokenHandle elevatedUserToken = new Win32.TokensEx.SafeTokenHandle(IntPtr.Zero);
  23.         private static Win32.TokensEx.SafeTokenHandle systemToken = new Win32.TokensEx.SafeTokenHandle(IntPtr.Zero);
  24.         private static Win32.TokensEx.SafeTokenHandle impsersonatedSystemToken = new Win32.TokensEx.SafeTokenHandle(IntPtr.Zero);
  25.         private static Win32.TokensEx.SafeTokenHandle lsassToken = new Win32.TokensEx.SafeTokenHandle(IntPtr.Zero);
  26. 

  27.         internal static void ResetTokens()
  28.         {
  29.             elevatedUserToken = new Win32.TokensEx.SafeTokenHandle(IntPtr.Zero);
  30.             lsassToken = new Win32.TokensEx.SafeTokenHandle(IntPtr.Zero);
  31.             systemToken = new Win32.TokensEx.SafeTokenHandle(IntPtr.Zero);
  32.             impsersonatedSystemToken = new Win32.TokensEx.SafeTokenHandle(IntPtr.Zero);
  33.             userToken = new Win32.TokensEx.SafeTokenHandle(IntPtr.Zero);
  34.         }
  35.         
  36.         public static void StartPrivilegedTask(AugmentedProcess.Process process, Privilege privilege)
  37.         {
  38.             var tcs = StartThread(process, privilege);
  39.             tcs.Task.Wait();
  40.             for (int i = 0; tcs.Task.Result != null && i <= 3; i++)
  41.             {
  42.                 ErrorLogger.WriteToErrorLog("Error launching privileged process: " + tcs.Task.Result.Message, tcs.Task.Result.StackTrace, "PrivilegedProcess Warning",
  43.                     Path.GetFileName(process.StartInfo.FileName));
  44.                 ResetTokens();
  45.                 Thread.Sleep(500 * i);
  46.                 tcs = StartThread(process, privilege);
  47.                 tcs.Task.Wait();
  48.             }
  49. 

  50.             if (tcs.Task.Result != null)
  51.                 throw new SecurityException("Error launching privileged process.", tcs.Task.Result);
  52.         }
  53. 

  54.         private static TaskCompletionSource<Exception> StartThread(AugmentedProcess.Process process, Privilege privilege)
  55.         {
  56.             var tcs = new TaskCompletionSource<Exception>();
  57.             var thread = new Thread(() =>
  58.             {
  59.                 try
  60.                 {
  61.                     switch (privilege)
  62.                     {
  63.                         case (Privilege.System):
  64.                             GetSystemToken();
  65.                             process.Start(AugmentedProcess.Process.CreateType.RawToken, ref systemToken);
  66.                             break;
  67.                         case (Privilege.CurrentUser):
  68.                             GetUserToken(true);
  69.                             process.Start(AugmentedProcess.Process.CreateType.UserToken, ref userToken);
  70.                             break;
  71.                         case (Privilege.CurrentUserElevated):
  72.                             GetElevatedUserToken();
  73.                             process.Start(AugmentedProcess.Process.CreateType.RawToken, ref elevatedUserToken);
  74.                             break;
  75.                         default:
  76.                             throw new ArgumentException("Unexpected.");
  77.                     }
  78.                 }
  79.                 catch (Exception e)
  80.                 {
  81.                     tcs.SetResult(e);
  82.                     return;
  83.                 }
  84. 

  85.                 tcs.SetResult(null);
  86.             });
  87.             thread.Start();
  88.             return tcs;
  89.         }
  90. 

  91.         private static uint GetUserSession()
  92.         {
  93.             var sessionId = Win32.WTS.WTSGetActiveConsoleSessionId();
  94.             if (sessionId != 0xFFFFFFFF) return sessionId;
  95.             IntPtr pSessionInfo = IntPtr.Zero;
  96.             Int32 count = 0;
  97.             if (Win32.WTS.WTSEnumerateSessions((IntPtr)null, 0, 1, ref pSessionInfo, ref count) == 0)
  98.                 throw new Win32Exception(Marshal.GetLastWin32Error(), "Error enumerating user sessions.");
  99.             Int32 dataSize = Marshal.SizeOf(typeof(Win32.WTS.WTS_SESSION_INFO));
  100.             Int64 current = (Int64)pSessionInfo;
  101.             for (int i = 0; i < count; i++)
  102.             {
  103.                 Win32.WTS.WTS_SESSION_INFO si =
  104.                     (Win32.WTS.WTS_SESSION_INFO)Marshal.PtrToStructure((System.IntPtr)current,
  105.                         typeof(Win32.WTS.WTS_SESSION_INFO));
  106.                 current += dataSize;
  107.                 if (si.State == Win32.WTS.WTS_CONNECTSTATE_CLASS.WTSActive)
  108.                 {
  109.                     sessionId = (uint)si.SessionID;
  110.                     break;
  111.                 }
  112.             }
  113.             Win32.WTS.WTSFreeMemory(pSessionInfo);
  114.             return sessionId;
  115.         }
  116. 

  117.         private static void GetUserToken(bool getPrivileges)
  118.         {
  119.             if (getPrivileges)
  120.             {
  121.                 GetSystemToken();
  122.                 var result = Win32.Tokens.ImpersonateLoggedOnUser(systemToken);
  123.                 if (!result)
  124.                     throw new Win32Exception(Marshal.GetLastWin32Error(), "Error impersonating system process token.");
  125.                 
  126.                 Win32.TokensEx.AdjustCurrentPrivilege(Win32.Tokens.SE_ASSIGNPRIMARYTOKEN_NAME);
  127.                 Win32.TokensEx.AdjustCurrentPrivilege(Win32.Tokens.SE_INCREASE_QUOTA_NAME);
  128.             }
  129.             
  130.             if (userToken.DangerousGetHandle() != IntPtr.Zero)
  131.                 return;
  132.             
  133.             var sessionId = GetUserSession();
  134. 

  135.             if (Win32.WTS.WTSQueryUserToken(sessionId, out Win32.TokensEx.SafeTokenHandle wtsToken))
  136.             {
  137.                 if (!Win32.Tokens.DuplicateTokenEx(wtsToken, Win32.Tokens.TokenAccessFlags.TOKEN_ALL_ACCESS,
  138.                         IntPtr.Zero,
  139.                         Win32.Tokens.SECURITY_IMPERSONATION_LEVEL.SecurityIdentification,
  140.                         Win32.Tokens.TOKEN_TYPE.TokenPrimary, out userToken))
  141.                 {
  142.                     throw new Win32Exception(Marshal.GetLastWin32Error(),
  143.                         "Failed to duplicate process token for lsass.");
  144.                 }
  145.                 return;
  146.             }
  147.             throw new Win32Exception(Marshal.GetLastWin32Error(), "Error fetching active user session token.");
  148.         }
  149. 

  150.         private static void GetElevatedUserToken()
  151.         {
  152.             GetSystemToken();
  153.             var result = Win32.Tokens.ImpersonateLoggedOnUser(systemToken);
  154. 

  155.             if (!result)
  156.                 throw new Win32Exception(Marshal.GetLastWin32Error(), "Error impersonating system process token.");
  157.             
  158.             if (lsassToken.DangerousGetHandle() == IntPtr.Zero)
  159.             {
  160.                 var processHandle = Win32.Process.OpenProcess(Win32.Process.ProcessAccessFlags.QueryLimitedInformation, false, Process.GetProcessesByName("lsass").First().Id);
  161.                 if (!Win32.Tokens.OpenProcessToken(processHandle,
  162.                         Win32.Tokens.TokenAccessFlags.TOKEN_DUPLICATE |
  163.                         Win32.Tokens.TokenAccessFlags.TOKEN_ASSIGN_PRIMARY |
  164.                         Win32.Tokens.TokenAccessFlags.TOKEN_QUERY | Win32.Tokens.TokenAccessFlags.TOKEN_IMPERSONATE,
  165.                         out var tokenHandle))
  166.                 {
  167.                     Win32.CloseHandle(processHandle);
  168.                     throw new Win32Exception(Marshal.GetLastWin32Error(), "Failed to open process token for lsass.");
  169.                 }
  170. 

  171.                 if (!Win32.Tokens.DuplicateTokenEx(tokenHandle, Win32.Tokens.TokenAccessFlags.TOKEN_ALL_ACCESS,
  172.                         IntPtr.Zero,
  173.                         Win32.Tokens.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
  174.                         Win32.Tokens.TOKEN_TYPE.TokenImpersonation, out lsassToken))
  175.                 {
  176.                     Win32.CloseHandle(processHandle);
  177.                     throw new Win32Exception(Marshal.GetLastWin32Error(),
  178.                         "Failed to duplicate process token for lsass.");
  179.                 }
  180. 

  181.                 Win32.CloseHandle(processHandle);
  182.             }
  183. 

  184.             
  185.             result = Win32.Tokens.ImpersonateLoggedOnUser(lsassToken);
  186.             if (!result)
  187.                 throw new Win32Exception(Marshal.GetLastWin32Error(), "Error impersonating lsass process token.");
  188.             
  189.             
  190.             Win32.TokensEx.AdjustCurrentPrivilege(Win32.Tokens.SE_ASSIGNPRIMARYTOKEN_NAME);
  191.             Win32.TokensEx.AdjustCurrentPrivilege(Win32.Tokens.SE_INCREASE_QUOTA_NAME);
  192.             
  193.             
  194.             if (elevatedUserToken.DangerousGetHandle() != IntPtr.Zero)
  195.                 return;
  196.             
  197.             
  198.             var privileges = new[]
  199.             {
  200.                 Win32.Tokens.SE_INCREASE_QUOTA_NAME,
  201.                 Win32.Tokens.SE_MACHINE_ACCOUNT_NAME, Win32.Tokens.SE_SECURITY_NAME,
  202.                 Win32.Tokens.SE_TAKE_OWNERSHIP_NAME, Win32.Tokens.SE_LOAD_DRIVER_NAME,
  203.                 Win32.Tokens.SE_SYSTEM_PROFILE_NAME, Win32.Tokens.SE_SYSTEMTIME_NAME,
  204.                 Win32.Tokens.SE_PROFILE_SINGLE_PROCESS_NAME, Win32.Tokens.SE_INCREASE_BASE_PRIORITY_NAME,
  205.                 Win32.Tokens.SE_CREATE_PERMANENT_NAME,
  206.                 Win32.Tokens.SE_BACKUP_NAME, Win32.Tokens.SE_RESTORE_NAME, Win32.Tokens.SE_SHUTDOWN_NAME,
  207.                 Win32.Tokens.SE_DEBUG_NAME, Win32.Tokens.SE_AUDIT_NAME, Win32.Tokens.SE_SYSTEM_ENVIRONMENT_NAME,
  208.                 Win32.Tokens.SE_CHANGE_NOTIFY_NAME,
  209.                 Win32.Tokens.SE_UNDOCK_NAME, Win32.Tokens.SE_SYNC_AGENT_NAME,
  210.                 Win32.Tokens.SE_ENABLE_DELEGATION_NAME, Win32.Tokens.SE_MANAGE_VOLUME_NAME,
  211.                 Win32.Tokens.SE_IMPERSONATE_NAME, Win32.Tokens.SE_CREATE_GLOBAL_NAME,
  212.                 Win32.Tokens.SE_TRUSTED_CREDMAN_ACCESS_NAME, Win32.Tokens.SE_RELABEL_NAME,
  213.                 Win32.Tokens.SE_TIME_ZONE_NAME,
  214.                 Win32.Tokens.SE_CREATE_SYMBOLIC_LINK_NAME, Win32.Tokens.SE_DELEGATE_SESSION_USER_IMPERSONATE_NAME
  215.             };
  216.             var authId = Win32.Tokens.SYSTEM_LUID;
  217.             
  218.             GetUserToken(false);
  219. 

  220.             Win32.Tokens.DuplicateTokenEx(userToken,
  221.                 Win32.Tokens.TokenAccessFlags.TOKEN_ALL_ACCESS, IntPtr.Zero,
  222.                 Win32.Tokens.SECURITY_IMPERSONATION_LEVEL.SecurityIdentification, Win32.Tokens.TOKEN_TYPE.TokenPrimary,
  223.                 out Win32.TokensEx.SafeTokenHandle dupedUserToken);
  224.  
  225.             Win32.SID.AllocateAndInitializeSid(
  226.                 ref Win32.SID.SECURITY_MANDATORY_LABEL_AUTHORITY,
  227.                 1,
  228.                 (int)Win32.SID.SECURITY_MANDATORY_LABEL.High,
  229.                 0,
  230.                 0,
  231.                 0,
  232.                 0,
  233.                 0,
  234.                 0,
  235.                 0,
  236.                 out IntPtr integritySid);
  237.             
  238.             var tokenMandatoryLabel = new Win32.Tokens.TOKEN_MANDATORY_LABEL() {
  239.                 Label = default(Win32.SID.SID_AND_ATTRIBUTES)
  240.             };
  241. 

  242.             tokenMandatoryLabel.Label.Attributes = (uint)Win32.Tokens.SE_GROUP_ATTRIBUTES.SE_GROUP_INTEGRITY;
  243.             tokenMandatoryLabel.Label.Sid        = integritySid;
  244. 

  245.             var integritySize = Marshal.SizeOf(tokenMandatoryLabel);
  246.             var tokenInfo = Marshal.AllocHGlobal(integritySize);
  247. 

  248.             Marshal.StructureToPtr(tokenMandatoryLabel, tokenInfo, false);
  249.             
  250.             Win32.Tokens.SetTokenInformation(
  251.                 dupedUserToken,
  252.                 Win32.Tokens.TOKEN_INFORMATION_CLASS.TokenIntegrityLevel,
  253.                 tokenInfo,
  254.                 integritySize + Win32.SID.GetLengthSid(integritySid));
  255.             
  256.             
  257.             var pTokenUser = Win32.TokensEx.GetInfoFromToken(dupedUserToken, Win32.Tokens.TOKEN_INFORMATION_CLASS.TokenUser);
  258.             var pTokenOwner =
  259.                 Win32.TokensEx.GetInfoFromToken(dupedUserToken, Win32.Tokens.TOKEN_INFORMATION_CLASS.TokenOwner);
  260.             var pTokenPrivileges =
  261.                 Win32.TokensEx.GetInfoFromToken(dupedUserToken, Win32.Tokens.TOKEN_INFORMATION_CLASS.TokenPrivileges);
  262.             var pTokenGroups =
  263.                 Win32.TokensEx.GetInfoFromToken(dupedUserToken, Win32.Tokens.TOKEN_INFORMATION_CLASS.TokenGroups);
  264.             var pTokenPrimaryGroup =
  265.                 Win32.TokensEx.GetInfoFromToken(dupedUserToken, Win32.Tokens.TOKEN_INFORMATION_CLASS.TokenPrimaryGroup);
  266.             var pTokenDefaultDacl =
  267.                 Win32.TokensEx.GetInfoFromToken(dupedUserToken, Win32.Tokens.TOKEN_INFORMATION_CLASS.TokenDefaultDacl);
  268.             var pTokenSource =
  269.                 Win32.TokensEx.GetInfoFromToken(dupedUserToken, Win32.Tokens.TOKEN_INFORMATION_CLASS.TokenSource);
  270.             
  271.             var tokenUser =
  272.                 (Win32.Tokens.TOKEN_USER)Marshal.PtrToStructure(pTokenUser, typeof(Win32.Tokens.TOKEN_USER));
  273.             if (!Win32.TokensEx.CreateTokenPrivileges(privileges, out var tokenPrivileges))
  274.                 tokenPrivileges =
  275.                     (Win32.Tokens.TOKEN_PRIVILEGES)Marshal.PtrToStructure(pTokenPrivileges,
  276.                         typeof(Win32.Tokens.TOKEN_PRIVILEGES));
  277.             var tokenGroups = (Win32.Tokens.TOKEN_GROUPS)Marshal.PtrToStructure(
  278.                 pTokenGroups, typeof(Win32.Tokens.TOKEN_GROUPS));
  279.             var tokenOwner =
  280.                 (Win32.Tokens.TOKEN_OWNER)Marshal.PtrToStructure(pTokenOwner, typeof(Win32.Tokens.TOKEN_OWNER));
  281.             var tokenPrimaryGroup =
  282.                 (Win32.Tokens.TOKEN_PRIMARY_GROUP)Marshal.PtrToStructure(pTokenPrimaryGroup,
  283.                     typeof(Win32.Tokens.TOKEN_PRIMARY_GROUP));
  284.             var tokenDefaultDacl = (Win32.Tokens.TOKEN_DEFAULT_DACL)Marshal.PtrToStructure(
  285.                 pTokenDefaultDacl, typeof(Win32.Tokens.TOKEN_DEFAULT_DACL));
  286.             var tokenSource = (Win32.Tokens.TOKEN_SOURCE)Marshal.PtrToStructure(
  287.                 pTokenSource, typeof(Win32.Tokens.TOKEN_SOURCE));
  288.             /*
  289.             for (var idx = 0; idx < tokenPrivileges.PrivilegeCount - 1; idx++)
  290.             {
  291.                 if ((tokenPrivileges.Privileges[idx].Attributes &
  292.                      (uint)Win32.Tokens.SE_PRIVILEGE_ATTRIBUTES.SE_PRIVILEGE_ENABLED) != 0)
  293.                 {
  294.                 }
  295. 

  296.                 if ((tokenPrivileges.Privileges[idx].Attributes &
  297.                      (uint)Win32.Tokens.SE_PRIVILEGE_ATTRIBUTES.SE_PRIVILEGE_ENABLED_BY_DEFAULT) != 0)
  298.                 {
  299.                 }
  300.             }
  301.             */
  302.             
  303.             IntPtr adminsSid = IntPtr.Zero;
  304.             IntPtr localAndAdminSid = IntPtr.Zero;
  305. 

  306.             bool adminsFound = false;
  307.             bool localAndAdminFound = false;
  308. 

  309.             for (var idx = 0; idx < tokenGroups.GroupCount - 1; idx++)
  310.             {
  311.                 Win32.SID.ConvertSidToStringSid(tokenGroups.Groups[idx].Sid, out string strSid);
  312.                 if (string.Compare(strSid, Win32.SID.DOMAIN_ALIAS_RID_ADMINS, StringComparison.OrdinalIgnoreCase) == 0)
  313.                 {
  314.                     adminsFound = true;
  315.                     tokenGroups.Groups[idx].Attributes = (uint)Win32.Tokens.SE_GROUP_ATTRIBUTES.SE_GROUP_ENABLED |
  316.                                                          (uint)Win32.Tokens.SE_GROUP_ATTRIBUTES
  317.                                                              .SE_GROUP_ENABLED_BY_DEFAULT | (uint)Win32.Tokens.SE_GROUP_ATTRIBUTES.SE_GROUP_MANDATORY | (uint)Win32.Tokens.SE_GROUP_ATTRIBUTES.SE_GROUP_OWNER;
  318.                 } else if (string.Compare(strSid, Win32.SID.DOMAIN_ALIAS_RID_LOCAL_AND_ADMIN_GROUP, StringComparison.OrdinalIgnoreCase) == 0)
  319.                 {
  320.                     localAndAdminFound = true;
  321.                     tokenGroups.Groups[idx].Attributes = (uint)Win32.Tokens.SE_GROUP_ATTRIBUTES.SE_GROUP_ENABLED |
  322.                                                          (uint)Win32.Tokens.SE_GROUP_ATTRIBUTES
  323.                                                              .SE_GROUP_ENABLED_BY_DEFAULT | (uint)Win32.Tokens.SE_GROUP_ATTRIBUTES.SE_GROUP_MANDATORY;
  324.                 }
  325.             }
  326.             
  327.             if (!adminsFound)
  328.             {
  329.                 Win32.SID.ConvertStringSidToSid(Win32.SID.DOMAIN_ALIAS_RID_ADMINS, out adminsSid);
  330.                 tokenGroups.Groups[tokenGroups.GroupCount].Sid = adminsSid;
  331.                 tokenGroups.Groups[tokenGroups.GroupCount].Attributes =
  332.                     (uint)Win32.Tokens.SE_GROUP_ATTRIBUTES.SE_GROUP_ENABLED |
  333.                     (uint)Win32.Tokens.SE_GROUP_ATTRIBUTES.SE_GROUP_ENABLED_BY_DEFAULT;
  334.                 tokenGroups.GroupCount++;
  335.             }
  336.             if (!localAndAdminFound)
  337.             {
  338.                 Win32.SID.ConvertStringSidToSid(Win32.SID.DOMAIN_ALIAS_RID_LOCAL_AND_ADMIN_GROUP, out localAndAdminSid);
  339.                 tokenGroups.Groups[tokenGroups.GroupCount].Sid = localAndAdminSid;
  340.                 tokenGroups.Groups[tokenGroups.GroupCount].Attributes =
  341.                     (uint)Win32.Tokens.SE_GROUP_ATTRIBUTES.SE_GROUP_ENABLED |
  342.                     (uint)Win32.Tokens.SE_GROUP_ATTRIBUTES.SE_GROUP_ENABLED_BY_DEFAULT;
  343.                 tokenGroups.GroupCount++;
  344.             }
  345.             
  346.             var expirationTime = new Win32.LARGE_INTEGER() { QuadPart = -1L };
  347.             var sqos = new Win32.Tokens.SECURITY_QUALITY_OF_SERVICE(
  348.                 Win32.Tokens.SECURITY_IMPERSONATION_LEVEL.SecurityIdentification, Win32.Tokens.SECURITY_STATIC_TRACKING,
  349.                 0);
  350.             var oa = new Win32.Tokens.OBJECT_ATTRIBUTES(string.Empty, 0) { };
  351.             var pSqos = Marshal.AllocHGlobal(Marshal.SizeOf(sqos));
  352.             Marshal.StructureToPtr(sqos, pSqos, true);
  353.             oa.SecurityQualityOfService = pSqos;
  354.             
  355.             var status = Win32.Tokens.ZwCreateToken(out elevatedUserToken,
  356.                 Win32.Tokens.TokenAccessFlags.TOKEN_ALL_ACCESS, ref oa,  Win32.Tokens.TOKEN_TYPE.TokenPrimary,
  357.                 ref authId, ref expirationTime, ref tokenUser, ref tokenGroups, ref tokenPrivileges, ref tokenOwner,
  358.                 ref tokenPrimaryGroup, ref tokenDefaultDacl, ref tokenSource);
  359.             
  360.             Win32.LocalFree(pTokenUser);
  361.             Win32.LocalFree(pTokenOwner);
  362.             Win32.LocalFree(pTokenGroups);
  363.             Win32.LocalFree(pTokenDefaultDacl);
  364.             Win32.LocalFree(pTokenPrivileges);
  365.             Win32.LocalFree(pTokenPrimaryGroup);
  366. 

  367.             if (adminsSid != IntPtr.Zero)
  368.                 Win32.SID.FreeSid(adminsSid);
  369.             if (localAndAdminSid != IntPtr.Zero)
  370.                 Win32.SID.FreeSid(localAndAdminSid);
  371.             if (integritySid != IntPtr.Zero)
  372.                 Win32.SID.FreeSid(integritySid);
  373.             
  374.             if (status != 0)
  375.                 throw new Win32Exception(Marshal.GetLastWin32Error(), "Error creating elevated user token: " + status);
  376.         }
  377. 

  378.         public static void GetSystemToken()
  379.         {
  380.             if (systemToken.DangerousGetHandle() != IntPtr.Zero)
  381.                 return;
  382.             
  383.             try
  384.             {
  385.                 var processHandle = Win32.Process.OpenProcess(Win32.Process.ProcessAccessFlags.QueryLimitedInformation, false, Process.GetProcessesByName("winlogon").First().Id);
  386.                 if (!Win32.Tokens.OpenProcessToken(processHandle,
  387.                         Win32.Tokens.TokenAccessFlags.TOKEN_DUPLICATE | Win32.Tokens.TokenAccessFlags.TOKEN_ASSIGN_PRIMARY |
  388.                         Win32.Tokens.TokenAccessFlags.TOKEN_QUERY | Win32.Tokens.TokenAccessFlags.TOKEN_IMPERSONATE,
  389.                         out var tokenHandle))
  390.                 {
  391.                     Win32.CloseHandle(processHandle);
  392.                     throw new Win32Exception(Marshal.GetLastWin32Error(), "Failed to open process token for winlogon.");
  393.                 }
  394. 

  395.                 if (!Win32.Tokens.DuplicateTokenEx(tokenHandle, Win32.Tokens.TokenAccessFlags.TOKEN_ALL_ACCESS, IntPtr.Zero,
  396.                         Win32.Tokens.SECURITY_IMPERSONATION_LEVEL.SecurityIdentification,
  397.                         Win32.Tokens.TOKEN_TYPE.TokenPrimary, out systemToken))
  398.                 {
  399.                     Win32.CloseHandle(processHandle);
  400.                     throw new Win32Exception(Marshal.GetLastWin32Error(),
  401.                         "Failed to duplicate process token for winlogon.");
  402.                 }
  403. 

  404.                 Win32.CloseHandle(processHandle);
  405.             }
  406.             catch (Exception e)
  407.             {
  408.                 var sessionId = GetUserSession();
  409.                 int dwLsassPID = -1;
  410.                 int dwWinLogonPID = -1;
  411.                 Win32.WTS.WTS_PROCESS_INFO[] pProcesses;
  412.                 IntPtr pProcessInfo = IntPtr.Zero;
  413.                 int dwProcessCount = 0;
  414.                 if (Win32.WTS.WTSEnumerateProcesses((IntPtr)null, 0, 1, ref pProcessInfo, ref dwProcessCount))
  415.                 {
  416.                     IntPtr pMemory = pProcessInfo;
  417.                     pProcesses = new Win32.WTS.WTS_PROCESS_INFO[dwProcessCount];
  418.                     for (int i = 0; i < dwProcessCount; i++)
  419.                     {
  420.                         pProcesses[i] =
  421.                             (Win32.WTS.WTS_PROCESS_INFO)Marshal.PtrToStructure(pProcessInfo,
  422.                                 typeof(Win32.WTS.WTS_PROCESS_INFO));
  423.                         pProcessInfo = (IntPtr)((long)pProcessInfo + Marshal.SizeOf(pProcesses[i]));
  424.                         var processName = Marshal.PtrToStringAnsi(pProcesses[i].ProcessName);
  425.                         Win32.SID.ConvertSidToStringSid(pProcesses[i].UserSid, out string sid);
  426.                         string strSid;
  427.                         if (processName == null || pProcesses[i].UserSid == default || sid != "S-1-5-18") continue;
  428.                         if ((-1 == dwLsassPID) && (0 == pProcesses[i].SessionID) && (processName == "lsass.exe"))
  429.                         {
  430.                             dwLsassPID = pProcesses[i].ProcessID;
  431.                             continue;
  432.                         }
  433. 

  434.                         if ((-1 == dwWinLogonPID) && (sessionId == pProcesses[i].SessionID) &&
  435.                             (processName == "winlogon.exe"))
  436.                         {
  437.                             dwWinLogonPID = pProcesses[i].ProcessID;
  438.                             continue;
  439.                         }
  440.                     }
  441. 

  442.                     Win32.WTS.WTSFreeMemory(pMemory);
  443.                 }
  444. 

  445.                 IntPtr systemProcessHandle = IntPtr.Zero;
  446.                 try
  447.                 {
  448.                     systemProcessHandle = Process.GetProcessById(dwLsassPID).Handle;
  449.                 }
  450.                 catch
  451.                 {
  452.                     systemProcessHandle = Process.GetProcessById(dwWinLogonPID).Handle;
  453.                 }
  454. 

  455.                 if (!Win32.Tokens.OpenProcessToken(systemProcessHandle, Win32.Tokens.TokenAccessFlags.TOKEN_DUPLICATE,
  456.                         out Win32.TokensEx.SafeTokenHandle token))
  457.                 {
  458.                     Win32.CloseHandle(systemProcessHandle);
  459.                     throw new Win32Exception(Marshal.GetLastWin32Error(), "Failed to open process token.");
  460.                 }
  461. 

  462.                 if (!Win32.Tokens.DuplicateTokenEx(token, Win32.Tokens.TokenAccessFlags.MAXIMUM_ALLOWED, IntPtr.Zero,
  463.                         Win32.Tokens.SECURITY_IMPERSONATION_LEVEL.SecurityIdentification,
  464.                         Win32.Tokens.TOKEN_TYPE.TokenPrimary, out systemToken))
  465.                 {
  466.                     Win32.CloseHandle(systemProcessHandle);
  467.                     throw new Win32Exception(Marshal.GetLastWin32Error(), "Failed to duplicate process token.");
  468.                 }
  469. 

  470.                 Win32.CloseHandle(systemProcessHandle);
  471.             }
  472.         }
  473.         
  474.         public static Win32.TokensEx.SafeTokenHandle GetCurrentProcessToken()
  475.         {
  476.             if (!Win32.Tokens.OpenProcessToken(Win32.Process.GetCurrentProcess(),
  477.                     Win32.Tokens.TokenAccessFlags.TOKEN_READ, out Win32.TokensEx.SafeTokenHandle token))
  478.                 throw new Win32Exception(Marshal.GetLastWin32Error(), "Error opening token for current process.");
  479.             return token;
  480.         }
  481. 

  482.         private static Win32.TokensEx.SafeTokenHandle GetProcessTokenByName(string name, bool impersonation)
  483.         {
  484.             var processHandle = Process.GetProcessesByName(name).First().Handle;
  485.             if (!Win32.Tokens.OpenProcessToken(processHandle,
  486.                     Win32.Tokens.TokenAccessFlags.TOKEN_DUPLICATE | Win32.Tokens.TokenAccessFlags.TOKEN_ASSIGN_PRIMARY |
  487.                     Win32.Tokens.TokenAccessFlags.TOKEN_QUERY | Win32.Tokens.TokenAccessFlags.TOKEN_IMPERSONATE,
  488.                     out var tokenHandle))
  489.             {
  490.                 Win32.CloseHandle(processHandle);
  491.                 throw new Win32Exception(Marshal.GetLastWin32Error(), "Failed to open process token for " + name + ".");
  492.             }
  493. 

  494.             if (!Win32.Tokens.DuplicateTokenEx(tokenHandle, Win32.Tokens.TokenAccessFlags.TOKEN_ALL_ACCESS, IntPtr.Zero,
  495.                     impersonation ? Win32.Tokens.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation : Win32.Tokens.SECURITY_IMPERSONATION_LEVEL.SecurityIdentification,
  496.                     impersonation ? Win32.Tokens.TOKEN_TYPE.TokenImpersonation : Win32.Tokens.TOKEN_TYPE.TokenPrimary, out Win32.TokensEx.SafeTokenHandle handle))
  497.             {
  498.                 Win32.CloseHandle(processHandle);
  499.                 throw new Win32Exception(Marshal.GetLastWin32Error(),
  500.                     "Failed to duplicate process token for " + name + ".");
  501.             }
  502. 

  503.             Win32.CloseHandle(processHandle);
  504.             return handle;
  505.         }    }
  506. }