RunasCs icon indicating copy to clipboard operation
RunasCs copied to clipboard
verified publisher icon antonioCoco

Graphical user interface problems

Open candogg opened this issue 1 year ago • 4 comments

When a user interface occurs with --bypass-uac, its like an old version of windows like 98. Is there any solution?

Thanks.

candogg avatar Dec 10 '24 11:12 candogg

Hello,

I need more info to troubleshoot, because i'm aware of some issues with UI programs and it might be related to some missing permissions in the Window Station\Desktop, but i want to make sure your scenario is reproducible.

What windows version are you testing? What is the user account and its permission the one who runs the RunasCs.exe process? What permissions and groups have "testaccount" instead? Is UAC enabled ? Is the EnableLUA regkey enabled?

Also please attach a screenshot of a malfunctioning user interface.

antonioCoco avatar Dec 13 '24 01:12 antonioCoco

I am using some functionality of RunasCs project. Always running bypass uac. Just testing.

Environment: Windows 10 Scenario: A windows service communicates with a user interacted application and adds user to administrators group temporarily then removes after uac bypass. EnableUA regkey enabled.

Project is working there is no problem about functionality. Just visual styles of windows are problem. Windows are opening like Windows 98. What am i doing wrong?

image

My simplified methods are below;

public bool RunAsElevated(string domain, string userName, string password, string applicationPath)
{
    var logonType = 2;
    var logonFlags = 1;
    var startupInfo = new STARTUPINFO();
    startupInfo.cb = Marshal.SizeOf(startupInfo);
    startupInfo.lpReserved = null;
    var processInfo = new ProcessInformation();
    stationDaclObj = new WindowStationDACL();

    startupInfo.lpDesktop = stationDaclObj.AddAclToActiveWindowStation(domain, userName, logonType);

    try
    {
        RunasCreateProcessWithLogonW(userName, domain, password, logonType, (uint)logonFlags, applicationPath, ref startupInfo, ref processInfo);

        return true;
    }
    catch (Exception)
    {
        return false;
    }
}

private void RunasCreateProcessWithLogonW(string username, string domainName, string password, int logonType, uint logonFlags, string applicationPath, ref STARTUPINFO startupInfo, ref ProcessInformation processInfo)
{
    var logonTypeBypassUac = logonType == SharedConstants.LOGON32_LOGON_NETWORK || logonType == SharedConstants.LOGON32_LOGON_BATCH || logonType == SharedConstants.LOGON32_LOGON_SERVICE || logonType == SharedConstants.LOGON32_LOGON_NETWORK_CLEARTEXT
        ? logonType
        : SharedConstants.LOGON32_LOGON_NETWORK_CLEARTEXT;

    if (!CreateProcessWithLogonWUacBypass(logonTypeBypassUac, logonFlags, username, domainName, password, @"C:\windows\system32\cmd.exe", $"\"{applicationPath}\"", ref startupInfo, out processInfo))
    {
        throw new RunasCsException("CreateProcessWithLogonWUacBypass", true);
    }
}

`private bool CreateProcessWithLogonWUacBypass(int logonType, uint logonFlags, string username, string domainName, string password, string processPath, string commandLine, ref STARTUPINFO startupInfo, out ProcessInformation processInfo) { var hToken = IntPtr.Zero; var profileInfo = new PROFILEINFO(); profileInfo.dwSize = Marshal.SizeOf(profileInfo); profileInfo.lpUserName = username;

var result = Win32.LoadUserProfile(hToken, ref profileInfo);

if (!Win32.LogonUser(username, domainName, password, logonType, SharedConstants.LOGON32_PROVIDER_DEFAULT, ref hToken))
{
    throw new RunasCsException("CreateProcessWithLogonWUacBypass: LogonUser", true);
}

AccessToken.SetTokenIntegrityLevel(hToken, AccessToken.GetTokenIntegrityLevel(WindowsIdentity.GetCurrent().Token));

Win32.SetSecurityInfo((IntPtr)SharedConstants.GetCurrentProcess, SE_OBJECT_TYPE.SE_KERNEL_OBJECT, SharedConstants.DACL_SECURITY_INFORMATION, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);

using (var impersonatedUser = WindowsIdentity.Impersonate(hToken))
{
    result = Win32.CreateProcessWithLogonW(username, domainName, password, logonFlags | SharedConstants.LOGON_NETCREDENTIALS_ONLY, processPath, $"/c {commandLine}", SharedConstants.CREATE_NO_WINDOW, IntPtr.Zero, null, ref startupInfo, out processInfo);
}

Win32.CloseHandle(hToken);
return result;

}`

candogg avatar Dec 13 '24 05:12 candogg

Hello, @antonioCoco did you find any solution about this question? Thanks.

candogg avatar Dec 30 '24 08:12 candogg

@candogg there are no solutions neither i was able to reproduce the issue.

I will keep this issue open and will try to work on it in the next release, but please consider that there are no plans for a new release right now.

antonioCoco avatar Jan 05 '25 18:01 antonioCoco