First, thanks for sharing this project! It's one of only a few available Windows "run as" implementations online.
JetBrains.runAs.exe seem to work fine for command-line applications. However, GUI application process are started but doesn't seem to appear on screen if using a different account than the currently logged-on user.
Example to reproduce JetBrains.runAs.exe -u:<username> -p:<password> C:\Windows\regedit.exe:
I suspect that the reason for this problem is that the logged on user doesn't have access to the window station and desktop. These permissions need to be explicitly granted for the logon SID (SE_GROUP_LOGON_ID) of the logged in user as described in Starting an Interactive Client Process in C++
Is there any interest for extending this project to also support GUI applications? If so, then I might be willing to help out.
Suggested implementation
The GrantWindowStationDesktopAccess function below can be used to grant the logged on user access to the current window station and desktop:
/** Add a DACL entry to the window station or desktop security descriptor. */
void AddWindowDaclRight(HANDLE ws, EXPLICIT_ACCESS_W& ea) {
PSID owner = nullptr;
PSID group = nullptr;
ACL* dacl = nullptr;
ACL* sacl = nullptr;
PSECURITY_DESCRIPTOR sd = nullptr;
DWORD ret = GetSecurityInfo(ws, SE_WINDOW_OBJECT, DACL_SECURITY_INFORMATION, &owner, &group, &dacl, &sacl, &sd);
assert(ret == ERROR_SUCCESS);
ACL* newDacl = nullptr;
ret = SetEntriesInAclW(1, &ea, /*oldAcl*/dacl, &newDacl);
assert(ret == ERROR_SUCCESS);
ret = SetSecurityInfo(ws, SE_WINDOW_OBJECT, DACL_SECURITY_INFORMATION, owner, group, newDacl, sacl);
assert(ret == ERROR_SUCCESS);
LocalFree(newDacl);
LocalFree(sd);
}
/** Grant "logonSid" access to the current window station and desktop. */
void GrantWindowStationDesktopAccess(PSID logonSid) {
{
// https://learn.microsoft.com/en-us/windows/win32/winstation/window-station-security-and-access-rights
HWINSTA ws = OpenWindowStationW(L"winsta0", /*inherit*/false, READ_CONTROL | WRITE_DAC);
assert(ws);
{
// Grant GENERIC_ALL to "logonSid" which grants:
// STANDARD_RIGHTS_REQUIRED WINSTA_ACCESSCLIPBOARD WINSTA_ACCESSGLOBALATOMS WINSTA_CREATEDESKTOP WINSTA_ENUMDESKTOPS
// WINSTA_ENUMERATE WINSTA_EXITWINDOWS WINSTA_READATTRIBUTES WINSTA_READSCREEN WINSTA_WRITEATTRIBUTES
EXPLICIT_ACCESS_W ea{
.grfAccessPermissions = GENERIC_ALL,
.grfAccessMode = GRANT_ACCESS,
.grfInheritance = false,
};
ea.Trustee = {
.pMultipleTrustee = NULL,
.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE,
.TrusteeForm = TRUSTEE_IS_SID,
.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP,
.ptstrName = (wchar_t*)logonSid,
};
AddWindowDaclRight(ws, ea);
}
CloseWindowStation(ws);
}
{
// https://learn.microsoft.com/en-us/windows/win32/winstation/desktop-security-and-access-rights
HDESK desk = OpenDesktopW(L"default", 0, /*inherit*/false, READ_CONTROL | WRITE_DAC);
assert(desk);
{
// Grant GENERIC_ALL to "logonSid" which grants:
// DESKTOP_CREATEMENU DESKTOP_CREATEWINDOW DESKTOP_ENUMERATE DESKTOP_HOOKCONTROL DESKTOP_JOURNALPLAYBACK
// DESKTOP_JOURNALRECORD DESKTOP_READOBJECTS DESKTOP_SWITCHDESKTOP DESKTOP_WRITEOBJECTS STANDARD_RIGHTS_REQUIRED
EXPLICIT_ACCESS_W ea{
.grfAccessPermissions = GENERIC_ALL,
.grfAccessMode = GRANT_ACCESS,
.grfInheritance = false,
};
ea.Trustee = {
.pMultipleTrustee = NULL,
.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE,
.TrusteeForm = TRUSTEE_IS_SID,
.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP,
.ptstrName = (wchar_t*)logonSid,
};
AddWindowDaclRight(desk, ea);
}
CloseDesktop(desk);
}
}
Microsoft Getting the Logon SID in C++ documents how to get the "logon sid" from the user token.
First, thanks for sharing this project! It's one of only a few available Windows "run as" implementations online.
JetBrains.runAs.exeseem to work fine for command-line applications. However, GUI application process are started but doesn't seem to appear on screen if using a different account than the currently logged-on user.Example to reproduce
JetBrains.runAs.exe -u:<username> -p:<password> C:\Windows\regedit.exe:I suspect that the reason for this problem is that the logged on user doesn't have access to the window station and desktop. These permissions need to be explicitly granted for the logon SID (
SE_GROUP_LOGON_ID) of the logged in user as described in Starting an Interactive Client Process in C++Is there any interest for extending this project to also support GUI applications? If so, then I might be willing to help out.
Suggested implementation
The
GrantWindowStationDesktopAccessfunction below can be used to grant the logged on user access to the current window station and desktop:Microsoft Getting the Logon SID in C++ documents how to get the "logon sid" from the user token.