Starting Processes on Microsoft Windows in a Completely Brand New Way

I recently came up with a completely brand new way to start processes on Microsoft Windows that's never been done before. Specifically, starting a child process of a non-elevated user as a completely different user. For those who want to understand and learn new things, here's an in-depth video on how it all works:

The video covers the complex topic of Microsoft Windows security objects, moves into looking at security objects with the CubicleSoft GetTokenInformation tool, trash talks Microsoft a few times, gets into a very brief demo of some major enhancements of the CubicleSoft CreateProcess command-line tool, and finally covers how the new enhancements to the CreateProcess command-line tool work under the hood.

In the video though, I only briefly demo the CreateProcess tool. That may be a slight disservice to the work that was done. So in this post, I want to cover some of the really cool things that were hand-waved over.

First off, did you know that an Administrator user is NOT the most powerful user account in Microsoft Windows? Yup. It's true. Most people don't know that NT AUTHORITY\SYSTEM is a far more powerful account. However, even that account is NOT the most powerful user account in the system! Microsoft Windows, by design, prevents most security tokens from having every privilege available. For example, very few processes get SeCreateTokenPrivilege. However, NT AUTHORITY\SYSTEM is sufficiently powerful to do almost anything.

What makes the method described in the video for starting processes unique and original is that the started processes are child processes of the original process regardless of elevation level. Elevation was introduced in Windows Vista along with UAC elevation prompts, the boxes that ask whether an Administrator wants to start a program. Basically, even if you are logged in as an Administrator, your account runs as a slightly less privileged user on the system (a non-elevated security token). Elevation is the process whereby the user tells Windows they want to start a program with an Administrator's fully privileged security token. The resulting newly created process runs within a different security context in the same session. However, the bog-standard elevation method has several problems with it that are covered in the video.

Elevation, though, is nothing new or special. What is new and special is the ability to start child processes as completely different users with completely different security tokens in the same session (and console) as the original process even if that process is not elevated. Here's the example usage from the CreateProcess repository:

C:\>whoami
my-pc\john-doh

C:\>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

C:\>set MYVAR=123

C:\>createprocess /w /systemtoken /mergeenv C:\Windows\System32\cmd.exe
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\>whoami
nt authority\system

C:\>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeAssignPrimaryTokenPrivilege             Replace a process level token                                      Enabled
SeLockMemoryPrivilege                     Lock pages in memory                                               Enabled
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeTcbPrivilege                            Act as part of the operating system                                Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeDebugPrivilege                          Debug programs                                                     Enabled
...  [It's a fairly lengthy list of powerful privileges]
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

C:\>set MYVAR
MYVAR=123

A command prompt goes from a non-elevated user to NT AUTHORITY\SYSTEM! That's pretty wild. The same procedure can also elevate to Administrator with /elevatedtoken instead of /systemtoken.

If you've ever been annoyed with having to right-click to start a Command Prompt/PowerShell window and then "Run as Administrator" to get an Administrator prompt, well now you don't have to. With a simple command-line script + the CreateProcess tool, this can effectively be 'sudo' for Windows. Plus, using /mergeenv passes a merged environment of the parent process to the target process, which preserves things like the current drive and directory you are in.

Overall, this is a huge deal. This has never been done before and enables some rather powerful functionality in Windows and it's accomplished without any bypasses/hacks/exploits. That is, it's baked into the Windows core. The procedure is just so complex that no one's bothered to implement it until now. Of course, with great power comes greater responsibility to wield that power appropriately.
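Since the child process above runs under a different token than its non-elevated parent in the same session, that is also what the behaviour looks like in the Security log. The following PowerShell is an added example for auditing it, not code from the CubicleSoft post or its tools: it assumes "Audit Process Creation" (event 4688) and command-line logging are enabled, relies on 4688's Target Subject fields being filled only when the new process received a different token, and treats machine-account creators (names ending in $, which is how services running as SYSTEM appear) as expected.

```powershell
# Added example (not part of the CubicleSoft post): find 4688 process-creation
# events where the child's token user differs from the creating user, which is
# the pattern the post describes (non-elevated user -> SYSTEM/other user child).

function ConvertFrom-ProcessCreationEvent {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        # EventData fields are only reachable through the XML rendering of the event
        $xml = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # TargetUserName is '-' when the child simply inherited the creator's token
        $target = $null
        if ($data['TargetUserName'] -and $data['TargetUserName'] -ne '-') {
            $target = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        }

        [pscustomobject]@{
            Time        = $Event.TimeCreated
            Creator     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            CreatorLogon = $data['SubjectLogonId']
            Target      = $target
            TargetLogon = $data['TargetLogonId']
            Elevation   = $data['TokenElevationType']  # %%1936 full, %%1937 elevated, %%1938 limited
            Parent      = $data['ParentProcessName']
            NewProcess  = $data['NewProcessName']
            CommandLine = $data['CommandLine']
        }
    }
}

function Find-TokenSwitchingChildren {
    param(
        [datetime] $Since = (Get-Date).AddDays(-1),
        # Assumption to tune per environment: creators whose name ends in '$' are
        # machine accounts (services as SYSTEM), which legitimately hand out other tokens.
        [string] $ExpectedCreatorPattern = '\$$'
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ConvertFrom-ProcessCreationEvent |
        Where-Object {
            $_.Target -and                              # a different token was used
            $_.Target -ne $_.Creator -and
            $_.Creator -notmatch $ExpectedCreatorPattern
        }
}

# Usage (from an elevated PowerShell; reading the Security log needs admin rights):
# Find-TokenSwitchingChildren -Since (Get-Date).AddHours(-2) |
#     Format-Table Time, Creator, Target, Parent, NewProcess, CommandLine -AutoSize
```

A hit whose Creator is an ordinary interactive user and whose Target is NT AUTHORITY\SYSTEM, with the same session's console parent, is exactly the transcript shown earlier in this post viewed from the log side.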