Environment: Windows NT 4.0 (and upwards), VC6
This is a complete console utility to start a command as a specified user on Windows NT. It uses the LogonUser Windows API to programmatically log on to NT as a specified user with a given password. If this succeeds, CreateProcessAsUser is used to spawn the specified process as that user.
The main problem with LogonUser is that it requires the caller to hold a fairly high-level privilege, “Act as part of the operating system”, to function. This is a powerful privilege which should not be freely given – the local administrators may often not have it. As a workaround, the utility first checks whether the user has the required privilege and, if not, the following occurs:
- The utility installs itself temporarily as a service running under the system account.
- The new service is started, and the parameters (required user, process) are passed to the service via shared memory.
- The service then attempts to log on as the specified user and start the process. Results are returned to the utility via shared memory.
- The utility then stops the service, uninstalls it and displays the results.
This works because the system account has high-level privileges and the local Administrators group usually has permission to install services. For usage instructions, run the executable with no parameters.
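As an added illustration of the first step (the privilege check that decides between calling LogonUser directly and falling back to the temporary service), here is example code that is not part of the utility's own source. The "Act as part of the operating system" privilege is SeTcbPrivilege; the Win32 token query compiles only on Windows, and the `LogonPath` enum and `Privilege` struct are names chosen for this example.

```cpp
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#endif

// One entry of the caller's token privilege list, in a portable form.
struct Privilege {
    std::string name;   // e.g. "SeTcbPrivilege"
    bool enabled;       // SE_PRIVILEGE_ENABLED was set in the attributes
};

// Which route the utility should take to LogonUser. "Act as part of the
// operating system" is SeTcbPrivilege; a token that merely holds it disabled
// can still enable it with AdjustTokenPrivileges, so holding is what counts.
enum LogonPath { DIRECT, DIRECT_AFTER_ENABLE, VIA_SERVICE };

LogonPath chooseLogonPath(const std::vector<Privilege>& privs) {
    for (std::vector<Privilege>::size_type i = 0; i < privs.size(); ++i) {
        if (privs[i].name == "SeTcbPrivilege")
            return privs[i].enabled ? DIRECT : DIRECT_AFTER_ENABLE;
    }
    return VIA_SERVICE;   // no SeTcb: install the temporary SYSTEM service
}

#ifdef _WIN32
// Fills the portable list from the current process token (Windows only).
std::vector<Privilege> queryTokenPrivileges() {
    std::vector<Privilege> out;
    HANDLE tok = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return out;
    DWORD need = 0;
    GetTokenInformation(tok, TokenPrivileges, NULL, 0, &need);   // size query
    std::vector<BYTE> buf(need ? need : 1);
    if (GetTokenInformation(tok, TokenPrivileges, &buf[0], need, &need)) {
        TOKEN_PRIVILEGES* tp = reinterpret_cast<TOKEN_PRIVILEGES*>(&buf[0]);
        for (DWORD i = 0; i < tp->PrivilegeCount; ++i) {
            char name[128];
            DWORD len = sizeof(name);
            if (!LookupPrivilegeNameA(NULL, &tp->Privileges[i].Luid, name, &len)) continue;
            Privilege p;
            p.name = name;
            p.enabled = (tp->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED) != 0;
            out.push_back(p);
        }
    }
    CloseHandle(tok);
    return out;
}
#endif
```

On Windows, `chooseLogonPath(queryTokenPrivileges())` gives the decision for the running process; the privilege lists below are constructed samples.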
The source code also demonstrates the following topics:
- Windows security APIs (including lightweight template classes for dealing with SIDs, ACEs, ACLs, security descriptors, privileges and access tokens).
- Installing/configuring services programmatically using the service control manager.
- Writing an NT service (including a service template class which can implement a simple service in less than 20 lines of code).
- Using memory-mapped files for sharing memory (including a template class for automatic management of memory-mapped files and other lightweight kernel objects).