Many blogs document how to create a process in Session 0, that is, how to call CreateProcessAsUser from a service. What the calling service process needs, however, is two privileges: SE_INCREASE_QUOTA_NAME (SeIncreaseQuotaPrivilege) and SE_ASSIGNPRIMARYTOKEN_NAME (SeAssignPrimaryTokenPrivilege). If the service logs on as LocalSystem it holds both by default, but an account you create yourself does not have SeAssignPrimaryTokenPrivilege.
A user's rights can be inspected in gpedit.msc under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment, or by exporting the local policy with secedit.exe.
The right can be assigned by hand through that tool, but a program running under the service's logon account cannot set it directly. What it can do is export the local policy with secedit.exe, edit it, and import it again. The exported file includes the following part:
    [Privilege Rights]
    SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551,*S-1-5-32-581
    SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
    SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
    SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
    SeCreatePagefilePrivilege = *S-1-5-32-544
    SeDebugPrivilege = *S-1-5-32-544
    SeRemoteShutdownPrivilege = *S-1-5-32-544
    SeAuditPrivilege = *S-1-5-19,*S-1-5-20
    SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
    SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
    SeLoadDriverPrivilege = *S-1-5-32-544
    SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
    SeServiceLogonRight = *S-1-5-20,*S-1-5-80-0,*S-1-5-83-0
    SeInteractiveLogonRight = __vmware__,Guest,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551,*S-1-5-32-581
    SeSecurityPrivilege = *S-1-5-32-544
    SeSystemEnvironmentPrivilege = *S-1-5-32-544
    SeProfileSingleProcessPrivilege = *S-1-5-32-544
    SeSystemProfilePrivilege = *S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
    SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
    SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
    SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
    SeTakeOwnershipPrivilege = *S-1-5-32-544
    SeDenyNetworkLogonRight = Guest
    SeDenyInteractiveLogonRight = Guest
    SeUndockPrivilege = *S-1-5-32-544,*S-1-5-32-545
    SeManageVolumePrivilege = *S-1-5-32-544
    SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
    SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
    SeIncreaseWorkingSetPrivilege = *S-1-5-32-545
    SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-545
    SeCreateSymbolicLinkPrivilege = *S-1-5-32-544,*S-1-5-83-0
Add the account's SID to the SeAssignPrimaryTokenPrivilege field and the account gains the SE_ASSIGNPRIMARYTOKEN_NAME privilege. The SID can be obtained with the LookupAccountName function.
To summarize the procedure:
First step: in the service, call LookupAccountName with the logon account name to get the account's SID;
Second step: export the local policy with secedit.exe and add the SID from the first step to the SeAssignPrimaryTokenPrivilege field;
Third step: import the new configuration file into the system with secedit.exe;
Fourth step: restart the computer;
Fifth step: in the service process, create the child process with CreateProcessAsUser.
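The first three steps above, carried out as one PowerShell script, added here as an example and not code from the original post. It resolves the account to its SID (the .NET equivalent of LookupAccountName), exports the USER_RIGHTS area with secedit.exe, adds the SID to the SeAssignPrimaryTokenPrivilege line of [Privilege Rights], re-applies the template, and re-exports to verify. The account name '.\svc_session0', the script file name, and the scratch paths are assumptions.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not code from the original post.
  Usage (hypothetical file name):  .\Grant-AssignPrimaryToken.ps1 -AccountName '.\svc_session0'
  Grants SeAssignPrimaryTokenPrivilege to a service account through secedit.exe export/import.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$AccountName,                                    # e.g. '.\svc_session0' (assumed)
    [string]$Privilege   = 'SeAssignPrimaryTokenPrivilege'
)
$ErrorActionPreference = 'Stop'

function Find-LineIndex([string[]]$Lines, [string]$Pattern) {
    # Index of the first line matching $Pattern, or -1.
    for ($i = 0; $i -lt $Lines.Count; $i++) { if ($Lines[$i] -match $Pattern) { return $i } }
    return -1
}

# Scratch directory for the template, the secedit database and its log.
$work = Join-Path $env:TEMP ('secpol-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work | Out-Null
$cfg = Join-Path $work 'secpol.cfg'
$db  = Join-Path $work 'secpol.sdb'
$log = Join-Path $work 'secedit.log'

# Step 1: account name -> SID (same result as LookupAccountName in C).
$account = New-Object System.Security.Principal.NTAccount($AccountName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$entry   = "*$sid"                                           # secedit writes SIDs as *S-1-5-...

# Step 2: export only the user-rights area and keep an untouched copy for rollback.
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed ($LASTEXITCODE)" }
Copy-Item $cfg "$cfg.bak"

$lines = @(Get-Content $cfg)
$idx = Find-LineIndex $lines "^\s*$Privilege\s*="
if ($idx -ge 0) {
    # Privilege already listed: append the SID unless the account already holds it.
    $holders = @((($lines[$idx] -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($holders -contains $entry) { Write-Host "$AccountName already holds $Privilege"; return }
    $lines[$idx] = "$Privilege = " + (($holders + $entry) -join ',')
} else {
    # secedit omits rights that nobody holds, so create the line under [Privilege Rights].
    $hdr = Find-LineIndex $lines '^\[Privilege Rights\]'
    if ($hdr -lt 0) { throw 'export contains no [Privilege Rights] section' }
    $tail  = if ($hdr + 1 -lt $lines.Count) { $lines[($hdr + 1)..($lines.Count - 1)] } else { @() }
    $lines = @($lines[0..$hdr]) + @("$Privilege = $entry") + @($tail)
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode       # secedit templates are UTF-16

# Step 3: apply the edited template; restricting /areas keeps every other setting untouched.
& secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS /log $log /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed ($LASTEXITCODE); see $log" }

# Verify by re-exporting: the SID must now appear on the privilege's line.
$check = Join-Path $work 'verify.cfg'
& secedit.exe /export /cfg $check /areas USER_RIGHTS /quiet | Out-Null
$pattern = "^\s*$Privilege\s*=.*" + [regex]::Escape($entry)
if (-not (Get-Content $check | Where-Object { $_ -match $pattern })) {
    throw "verification failed: $entry missing from $Privilege; original template kept at $cfg.bak"
}
Write-Host "$AccountName ($sid) now holds $Privilege; restart the service so it logs on with a fresh token."
```

The right only lands in tokens created by later logons, which is why the post reboots (restarting the service is enough). Afterwards `whoami /priv` in a process running as the account lists SeAssignPrimaryTokenPrivilege. Because this privilege lets its holder start processes under other users' tokens, grant it to the dedicated service account only, and note that the change is recorded as a user-right assignment in the Security event log (Event ID 4704), which is the event a defender would watch for.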
Issues and workarounds for creating processes in Session 0 on the Windows platform