Friday, 25 September 2015


I still find things around UAC confusing sometimes, so I'll put up some notes here. This paragraph in Wikipedia explains pretty clearly what UAC means:

When logging in as a user in the Administrators group, two separate tokens are assigned. The first token contains all privileges typically awarded to an administrator, and the second is a restricted token similar to what a standard user would receive. User applications, including the Windows Shell, then start with the restricted token, resulting in a reduced-privilege environment - even under an Administrator account. When an application requests higher privileges or when a user clicks a "Run as administrator" option, UAC will prompt standard users to enter the credentials of an Administrator account and prompt Administrators for confirmation and, if consent is given, continue or start the process using an unrestricted token.

The restricted Access Token is also called a "filtered" token. We say that an application is running elevated when it is running with the unrestricted (full) token. As far as I know, a running process cannot be elevated; elevation is something that can only happen when the process is started (just as you cannot switch the user under which a process runs). So when a process is started it gets assigned an Access Token for a given user (and if that user is an Administrator it can be the restricted or the unrestricted one). Of course a process can use impersonation, but that is something at the thread level (impersonation token). One important point that I tend to forget is that if you are an Admin you can force a process to be started with the elevated token (rather than wait to see if Windows offers you that with its UAC prompt) by launching it with Run As Administrator.

What does this restricted token really mean? Well, Access Tokens contain information about the identity and the privileges of a user, since Windows security works at two levels. On one side you have ACLs for securable resources (files, folders, registry keys); your permissions on these resources are determined by your user and groups, so in this sense a restricted and an unrestricted token for the same user behave just the same. On the other side we have privileges to perform certain actions (for example creating Global Objects or using impersonation), and it is these that the filtered token lacks. Thanks to this pretty good article I learnt about the whoami /priv /user command, which you can use to see the permissions associated with your current token.

Checking if a process is running elevated is pretty simple: you just have to enable the Elevated column in Task Manager. There you can check that if you run a process elevated (for example cmd) and from it you start a new process (for example notepad), the child process will also run elevated.
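Beyond the Task Manager column, the same distinction can be checked from inside a process. The following PowerShell script is an added example, not code from the original post; it assumes an English-locale whoami, whose group listing it parses, and reports the three tells of a filtered token: the Administrators role check fails, the token owner is the user rather than BUILTIN\Administrators, and the integrity label is Medium instead of High.

```powershell
# Added example (not the original post's code): inspect the token of the current
# PowerShell process to tell a restricted (filtered) admin token from a full (elevated) one.
# Assumes an English-locale whoami, whose output is parsed for the integrity label
# and the attributes on the Administrators group.
function Get-TokenElevationInfo {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # With the filtered token the Administrators SID is still in the group list but
    # marked "use for deny only", so this role check returns $false until you run elevated.
    $isElevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Second check: the full admin token's default owner is BUILTIN\Administrators
    # (S-1-5-32-544); the filtered token's owner is the user's own SID.
    $ownerIsAdmins = $identity.Owner.IsWellKnown(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid)

    # Third check, from whoami /groups: the integrity label (Medium vs High) and the
    # attributes on the Administrators group ("Group used for deny only" when filtered).
    $groups    = whoami /groups
    $labelRow  = $groups | Where-Object { $_ -match 'Mandatory Level' }
    $integrity = ($labelRow -replace '\s{2,}.*$', '')
    $adminRow  = $groups | Where-Object { $_ -match '^BUILTIN\\Administrators' }
    $adminAttr = 'not a member'
    if ($adminRow -and ($adminRow -match 'S-1-5-32-544\s*(.*)$')) {
        $adminAttr = $Matches[1].Trim()
    }

    [PSCustomObject]@{
        User                    = $identity.Name
        IsElevated              = $isElevated
        OwnerIsAdministrators   = $ownerIsAdmins
        IntegrityLevel          = $integrity
        AdministratorsGroupAttr = $adminAttr
    }
}

Get-TokenElevationInfo | Format-List
```

Run it once from a normal PowerShell window and once from one started with Run As Administrator to see the two tokens side by side; a child process started from the elevated window reports the same values as its parent.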

And how do UAC and impersonation play together? Let's say you are running a process as a normal user and you make one of its threads impersonate an Administrator, using a token that you have obtained via the LogonUser API function. Will the thread get an elevated or a restricted impersonation token?

I have not tested it myself, but from this StackOverflow discussion it seems like if you are in an interactive session you will get a restricted token, but if you are in a non-interactive session you will get an elevated token.

By the way, reading over this post about Impersonation that I wrote some time ago has been quite useful to refresh some concepts.
