Running in the system account

[sapero]

This is the second version of the additional verb "Run as System" for .exe files. It does not use the task scheduler, but directly is executing given application using a system token.

Run it once without parameters to register additional verb in the registry.
Run it with executable path as a parameter, to start the application with the highest privileges, or just click "Run as System" in the shell context menu for any .exe file.
System permissions are usefull if you need (for example) to open the System Volume Information diectory without changing directory permissions (and zip the oldest restore points), or when you need to view or modify some registry keys like \CurrentControlSet\Enum\Root.

Code Select Expand

#include "shlwapi.inc"
#include "Sddl.inc"
#include "Aclapi.inc"
#include "tchar.inc"


sub main()
{
HANDLE hToken;
HANDLE hProcess = 0;
PROCESS_INFORMATION pi;
STARTUPINFO si;

TCHAR *pszArgs = PathGetArgs(GetCommandLine());
if (*pszArgs == ' ') pszArgs += sizeof(TCHAR);
if (*pszArgs != 0)
{
// open the "System" process
hProcess = OpenProcess(MAXIMUM_ALLOWED, FALSE, 4);
}
else
{
Register();
}

if (hProcess)
{
if (ModifyTokenAccess(hProcess))
{
if (OpenProcessToken(hProcess, MAXIMUM_ALLOWED, &hToken))
{
if (ImpersonateLoggedOnUser(hToken))
{
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
if (CreateProcessAsUser(hToken, NULL, pszArgs, 0, 0, 0, 0, 0, 0, &si, &pi))
{
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
}
RevertToSelf();
}
CloseHandle(hToken);
}
}
CloseHandle(hProcess);
}
}

#ifdef UNICODE
#define SZ_EVERYONE_SID L"S-1-1-0"
#define SZ_EXE          L".exe"
#define SZ_KEYNAME      L"\\shell\\Run as System\\command"
#define SZ_SUCCESSMSG   L"Installation completed"
#define SZ_FAILMSG      L"Installation failed"
#define SZ_CMDARGS      L" \"%1\" %*"
#else
#define SZ_EVERYONE_SID "S-1-1-0"
#define SZ_EXE          ".exe"
#define SZ_KEYNAME      "\\shell\\Run as System\\command"
#define SZ_SUCCESSMSG   "Installation completed"
#define SZ_FAILMSG      "Installation failed"
#define SZ_CMDARGS      " \"%1\" %*"
#endif

sub ModifyTokenAccess(HANDLE hProcess),BOOL
{
ACL *pAcl;
ACL *pAclMod;
EXPLICIT_ACCESS ea;
HANDLE hToken;

BOOL success = FALSE;

if (OpenProcessToken(hProcess, READ_CONTROL | WRITE_DAC, &hToken))
{
if (!GetSecurityInfo(hToken, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, &pAcl, 0, 0))
{
ZeroMemory(&ea, sizeof(ea));
ea.grfAccessPermissions = TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY;
ea.grfAccessMode        = GRANT_ACCESS; // fEnable
ea.Trustee.TrusteeForm  = TRUSTEE_IS_SID;

if (ConvertStringSidToSid(SZ_EVERYONE_SID, &ea.Trustee.ptstrName))
{
if (!SetEntriesInAcl(1, &ea, pAcl, &pAclMod))
{
success = !SetSecurityInfo(hToken, SE_KERNEL_OBJECT,
DACL_SECURITY_INFORMATION, 0, 0, pAclMod, 0);
}
LocalFree(ea.Trustee.ptstrName);
}
}
CloseHandle(hToken);
}
return success;
}

sub Register()
{
TCHAR tszRegExe[64];
DWORD type, cb= 64*sizeof(TCHAR);
BOOL success = FALSE;

// query registry path for .exe
if (!SHGetValue(HKEY_CLASSES_ROOT, SZ_EXE, NULL, &type, tszRegExe, &cb))
{
// append path for verbs
_tcscat(tszRegExe, SZ_KEYNAME);

// query path to this programm
TCHAR tszMainPath[MAX_PATH + 10];
GetModuleFileName(0, tszMainPath, MAX_PATH);

//  add quotes if the path contains spaces
PathQuoteSpaces(tszMainPath);

// append "%1" %*
_tcscat(tszMainPath, SZ_CMDARGS);

// add new verb - Run as System
success = !SHSetValue(HKEY_CLASSES_ROOT, tszRegExe,
NULL, REG_SZ, tszMainPath, _tcslen(tszMainPath)*sizeof(TCHAR));
}
_MessageBox(0, IIFP(success, SZ_SUCCESSMSG, SZ_FAILMSG), L"", MB_ICONINFORMATION);
}