CreateProcessAsUser Error 1314

  • Question

  • Hi,
    I have this service running under a non-administrative user which will call CreateProcessAsUser to create another process. This new process needs to be created with an elevated token.

    In the service I have code like this to call CreateProcessAsUser. As you can see I have hard-coded the username and password for now. But that is ok.

    public static void CreateMyProcess() {

        const int LOGON32_PROVIDER_DEFAULT = 0;
        const int LOGON32_LOGON_BATCH = 4;

        string domainName = "."; // local computer
        string userName = "adminuser"; //administrative user
        string password = "password";

        IntPtr tokenHandle = IntPtr.Zero;

        // LogonUser hands the new token back through its last parameter (out, not ref).
        bool returnValue = LogonUser(
               userName,
               domainName,
               password,
               LOGON32_LOGON_BATCH,
               LOGON32_PROVIDER_DEFAULT,
               out tokenHandle);

        // Check each call before reading the error code: GetLastWin32Error is only
        // meaningful right after a failed call made through a DllImport with SetLastError = true.
        if (!returnValue)
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error(), "LogonUser failed");

        PROCESS_INFORMATION pi = new PROCESS_INFORMATION();

        SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES();
        sa.Length = Marshal.SizeOf(sa);

        STARTUPINFO si = new STARTUPINFO();
        si.cb = Marshal.SizeOf(si);
        si.lpDesktop = String.Empty;

        try {
            returnValue = CreateProcessAsUser(
                           tokenHandle,
                           @"c:\windows\system32\calc.exe",
                           String.Empty,
                           ref sa, ref sa,
                           false, 0, IntPtr.Zero,
                           @"C:\", ref si, ref pi
                     );

            if (!returnValue) {
                // 1314 is ERROR_PRIVILEGE_NOT_HELD ("A required privilege is not held by the client").
                int errCode = Marshal.GetLastWin32Error();
                throw new System.ComponentModel.Win32Exception(errCode, "CreateProcessAsUser failed");
            }

            // The process and thread handles are owned by the caller; close them.
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
        }
        finally {
            // The logon token must be closed too (kernel32 CloseHandle, declared with the other P/Invokes).
            CloseHandle(tokenHandle);
        }

    }
    


    However, after the call to CreateProcessAsUser I get the error 1314 : "A required privilege is not held by client". I read in the same forum from other users that 1314 means SeTCBPrivilege. Any idea how this issue can be resolved? How do I give the SeTCBPrivilege to the nonAdminUser?

    Note that, if the Service is run as an Administrative user, the call succeeds.

    Thanks
    Santhosh

    Thursday, November 19, 2009 7:37 AM

All replies

  • Hi – I think my information can help you:

    I have looked at your code here, and I have re-modified it to fit your needs.
    I hope you like this and, I hope it works well for you.

    I’ve used the SecureString class, which you can find in the System.Security namespace; this gives higher protection for secure password storage.


    Check the code-snippet below:



    /// <summary>
    /// Executes a program under a non-administrator account
    /// by P/Invoking some Windows built-in APIs.
    /// </summary>
    /// <param name="domain"></param>
    /// <param name="username"> A username must be provided.</param>
    /// <param name="password"> A password must be entered if one exists on the account.</param>
    /// <param name="programPath"></param>
    /// <param name="currentDirectory"></param>
    public static void CreateMyProcess(string domain, string username, string password, string programPath,
        string currentDirectory)
    {
        // SecureString keeps the copied password encrypted in memory.
        SecureString pass = new SecureString();
        for (int i = 0; i < password.Length; i++) {
            pass.AppendChar(password[i]);
        }
        pass.MakeReadOnly();

        // Drop the plain-text reference. (Managed strings are immutable, so the
        // original copy stays in memory until the GC collects it.)
        password = "";

        IntPtr tokenHandle = IntPtr.Zero;

        // SecureString.ToString() returns the type name, not the password, so the
        // contents are marshalled to an unmanaged Unicode buffer instead. This
        // requires LogonUser to be declared with an IntPtr lpszPassword parameter.
        IntPtr passwordPtr = Marshal.SecureStringToGlobalAllocUnicode(pass);
        bool returnValue;
        try {
            returnValue = LogonUser(username, domain, passwordPtr, (int)LOGON_TYPE.LOGON32_LOGON_BATCH,
                  (int)LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, out tokenHandle);
        }
        finally {
            // Zero and free the unmanaged copy of the password.
            Marshal.ZeroFreeGlobalAllocUnicode(passwordPtr);
        }
        if (!returnValue)
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error(), "LogonUser failed");

        PROCESS_INFORMATION pi = new PROCESS_INFORMATION();

        SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES();
        sa.nLength = Marshal.SizeOf(sa);

        STARTUPINFO si = new STARTUPINFO();
        si.cb = Marshal.SizeOf(si);
        si.lpDesktop = String.Empty;

        try {
            returnValue = CreateProcessAsUser(
                           tokenHandle,
                           programPath,
                           String.Empty,
                           ref sa, ref sa,
                           false, 0, IntPtr.Zero,
                           currentDirectory, ref si, out pi);

            if (!returnValue) {
                // Read the error code immediately after the failed call;
                // 1314 is ERROR_PRIVILEGE_NOT_HELD.
                int errCode = Marshal.GetLastWin32Error();
                throw new System.ComponentModel.Win32Exception(errCode, "CreateProcessAsUser failed");
            }

            // Close the returned process and thread handles (kernel32 CloseHandle P/Invoke).
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
        }
        finally {
            CloseHandle(tokenHandle);
        }
    }


    The above code is very dynamic compared with the one you posted.

    The P/Invoke methods:
    CreateProcessAsUser()
    LogonUser()

    You'll need these defined types:

    SECURITY_ATTRIBUTES

    PROCESS_INFORMATION

    STARTUPINFO

    LOGON_TYPE

    LOGON_PROVIDER

    CREATE_PROCESS_FLAGS



    For an investigation of the 1314 error, please check the Microsoft Support links below:
    http://support.microsoft.com/kb/285879
    http://support.microsoft.com/kb/248391

    I hope this information was helpful…

    Have a nice day…

    Best regards,
    Fisnik  


    Coder24.com
    Sunday, January 3, 2010 6:00 PM
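Both the question's snippet and the reply above leave out the P/Invoke declarations and only read GetLastWin32Error after the last call, so a failure in LogonUser and a 1314 from CreateProcessAsUser look the same. The example below is added for this page and is not code from Santhosh or Fisnik; the names NativeMethods, Launcher and StartAsUser are my own. It declares the imports, checks every call, and, when CreateProcessAsUser fails with ERROR_PRIVILEGE_NOT_HELD, falls back to CreateProcessWithLogonW. That fallback is the one the CreateProcessAsUser documentation itself recommends for error 1314: CreateProcessAsUser typically needs SeIncreaseQuotaPrivilege and may need SeAssignPrimaryTokenPrivilege in the calling process, whereas CreateProcessWithLogonW needs no special privilege in the caller (the target account must be allowed to log on interactively and the Secondary Logon service must be running).

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example, not from the thread. Class and method names are my own.
static class NativeMethods
{
    public const int LOGON32_LOGON_BATCH = 4;         // needs "Log on as a batch job" for the account
    public const int LOGON32_PROVIDER_DEFAULT = 0;
    public const int LOGON_WITH_PROFILE = 1;          // CreateProcessWithLogonW dwLogonFlags
    public const int ERROR_PRIVILEGE_NOT_HELD = 1314; // the error from the question

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb;
        public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess, hThread;
        public int dwProcessId, dwThreadId;
    }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessAsUser(IntPtr token, string applicationName, string commandLine,
        IntPtr processAttributes, IntPtr threadAttributes, bool inheritHandles, int creationFlags,
        IntPtr environment, string currentDirectory, ref STARTUPINFO startupInfo,
        out PROCESS_INFORMATION processInformation);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessWithLogonW(string user, string domain, string password,
        int logonFlags, string applicationName, string commandLine, int creationFlags,
        IntPtr environment, string currentDirectory, ref STARTUPINFO startupInfo,
        out PROCESS_INFORMATION processInformation);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}

static class Launcher
{
    // Returns the PID of the new process. Throws Win32Exception carrying the real error
    // code, so 1314 surfaces as "A required privilege is not held by the client" and is
    // never confused with a LogonUser failure.
    public static int StartAsUser(string domain, string user, string password, string exePath, string workDir)
    {
        var si = new NativeMethods.STARTUPINFO();
        si.cb = Marshal.SizeOf(si);
        NativeMethods.PROCESS_INFORMATION pi;

        IntPtr token;
        if (!NativeMethods.LogonUser(user, domain, password, NativeMethods.LOGON32_LOGON_BATCH,
                                     NativeMethods.LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error(), "LogonUser failed");

        try
        {
            if (NativeMethods.CreateProcessAsUser(token, exePath, null, IntPtr.Zero, IntPtr.Zero, false, 0,
                                                  IntPtr.Zero, workDir, ref si, out pi))
                return FinishAndGetPid(pi);

            int err = Marshal.GetLastWin32Error(); // read before any other API call
            if (err != NativeMethods.ERROR_PRIVILEGE_NOT_HELD)
                throw new Win32Exception(err, "CreateProcessAsUser failed");
        }
        finally
        {
            NativeMethods.CloseHandle(token);
        }

        // The caller lacks SeAssignPrimaryTokenPrivilege / SeIncreaseQuotaPrivilege. Use the
        // privilege-free path: CreateProcessWithLogonW performs the logon itself through the
        // Secondary Logon service, so the token from LogonUser is not needed at all.
        if (!NativeMethods.CreateProcessWithLogonW(user, domain, password, NativeMethods.LOGON_WITH_PROFILE,
                                                   exePath, null, 0, IntPtr.Zero, workDir, ref si, out pi))
            throw new Win32Exception(Marshal.GetLastWin32Error(), "CreateProcessWithLogonW failed");
        return FinishAndGetPid(pi);
    }

    static int FinishAndGetPid(NativeMethods.PROCESS_INFORMATION pi)
    {
        NativeMethods.CloseHandle(pi.hThread);
        NativeMethods.CloseHandle(pi.hProcess);
        return pi.dwProcessId;
    }
}
```

Two caveats when trying this from a service: CreateProcessWithLogonW cannot be called from a process running as LocalSystem, because it relies on the logon SID in the caller's token and that account has none (the non-admin service account in the question is fine). And on Windows Vista and later a service runs in session 0, so a GUI program such as calc.exe started this way is created but never appears on the interactive user's desktop; test with a console program that writes to a log instead.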
  • It would be a security violation if a non-administrator could acquire that right and impersonate other users. You must get an administrator to assign that right "act as part of the operating system" to the non-admin user.


    Phil Wilson
    Sunday, January 3, 2010 7:39 PM
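Phil's reply is the administrator-side fix, and it is worth being precise about which right to assign. "Act as part of the operating system" (SeTcbPrivilege) lets its holder build tokens with arbitrary group membership, so granting it to a service account is treated as giving that account full control of the machine. The rights the CreateProcessAsUser documentation actually lists are narrower: "Adjust memory quotas for a process" (SeIncreaseQuotaPrivilege) and "Replace a process level token" (SeAssignPrimaryTokenPrivilege). The example below is added for this page, not code from the thread (the class name LsaRights and the method Grant are my own); it grants those two rights to an account through the LSA policy API and reads back every right the account then holds, which is the check to run before restarting the service. It must itself run elevated.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example for this page, not code from the thread; the class name is my own.
// Grants user rights through the LSA policy API. Run from an elevated process.
static class LsaRights
{
    [StructLayout(LayoutKind.Sequential)]
    struct LSA_UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; } // lengths in bytes

    [StructLayout(LayoutKind.Sequential)]
    struct LSA_OBJECT_ATTRIBUTES
    {
        public int Length;
        public IntPtr RootDirectory, ObjectName;
        public uint Attributes;
        public IntPtr SecurityDescriptor, SecurityQualityOfService;
    }

    const uint POLICY_CREATE_ACCOUNT = 0x0010, POLICY_LOOKUP_NAMES = 0x0800;

    [DllImport("advapi32.dll")] static extern uint LsaOpenPolicy(IntPtr systemName,
        ref LSA_OBJECT_ATTRIBUTES attributes, uint desiredAccess, out IntPtr policyHandle);
    [DllImport("advapi32.dll")] static extern uint LsaAddAccountRights(IntPtr policyHandle,
        IntPtr accountSid, LSA_UNICODE_STRING[] userRights, uint countOfRights);
    [DllImport("advapi32.dll")] static extern uint LsaEnumerateAccountRights(IntPtr policyHandle,
        IntPtr accountSid, out IntPtr userRights, out uint countOfRights);
    [DllImport("advapi32.dll")] static extern uint LsaFreeMemory(IntPtr buffer);
    [DllImport("advapi32.dll")] static extern uint LsaClose(IntPtr policyHandle);
    [DllImport("advapi32.dll")] static extern int LsaNtStatusToWinError(uint status);

    // LSA functions return an NTSTATUS, not a Win32 error; convert before reporting.
    static void Check(uint status, string call)
    {
        if (status != 0) throw new Win32Exception(LsaNtStatusToWinError(status), call + " failed");
    }

    // Grants the named privileges to accountName ("DOMAIN\user", or "user" for a local
    // account) and returns every right the account holds afterwards. Granting a right
    // the account already has is not an error.
    public static string[] Grant(string accountName, params string[] privileges)
    {
        // Resolve the account to a SID and copy it into unmanaged memory for LSA.
        var sid = (SecurityIdentifier)new NTAccount(accountName).Translate(typeof(SecurityIdentifier));
        byte[] sidBytes = new byte[sid.BinaryLength];
        sid.GetBinaryForm(sidBytes, 0);
        IntPtr sidPtr = Marshal.AllocHGlobal(sidBytes.Length);
        Marshal.Copy(sidBytes, 0, sidPtr, sidBytes.Length);

        var rights = new LSA_UNICODE_STRING[privileges.Length];
        for (int i = 0; i < privileges.Length; i++)
        {
            rights[i].Buffer = Marshal.StringToHGlobalUni(privileges[i]);
            rights[i].Length = (ushort)(privileges[i].Length * 2);
            rights[i].MaximumLength = (ushort)((privileges[i].Length + 1) * 2);
        }

        var attrs = new LSA_OBJECT_ATTRIBUTES { Length = Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES)) };
        IntPtr policy;
        Check(LsaOpenPolicy(IntPtr.Zero, ref attrs, POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES, out policy),
              "LsaOpenPolicy");
        try
        {
            Check(LsaAddAccountRights(policy, sidPtr, rights, (uint)rights.Length), "LsaAddAccountRights");

            // Read back what the account now holds.
            IntPtr list; uint count;
            Check(LsaEnumerateAccountRights(policy, sidPtr, out list, out count), "LsaEnumerateAccountRights");
            var held = new string[count];
            int size = Marshal.SizeOf(typeof(LSA_UNICODE_STRING));
            for (int i = 0; i < count; i++)
            {
                var s = (LSA_UNICODE_STRING)Marshal.PtrToStructure(list + i * size, typeof(LSA_UNICODE_STRING));
                held[i] = Marshal.PtrToStringUni(s.Buffer, s.Length / 2);
            }
            LsaFreeMemory(list);
            return held;
        }
        finally
        {
            LsaClose(policy);
            foreach (var r in rights) Marshal.FreeHGlobal(r.Buffer);
            Marshal.FreeHGlobal(sidPtr);
        }
    }

    static void Main(string[] args)
    {
        // Usage: LsaRights.exe <service account>; prints the rights held after the grant.
        foreach (var r in Grant(args[0], "SeAssignPrimaryTokenPrivilege", "SeIncreaseQuotaPrivilege"))
            Console.WriteLine(r);
    }
}
```

User rights are placed in the token at logon, so the service has to be restarted before the change is visible to it. The same assignment can be made interactively in Local Security Policy (secpol.msc, User Rights Assignment) or with secedit. Note also that the built-in NETWORK SERVICE and LOCAL SERVICE accounts already hold both of these privileges, which is one reason to prefer them over a custom non-admin account for a service that has to call CreateProcessAsUser.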
  • Hi Santhosh:

    Is this thread solved or NOT?
    Please tell me!

    Have a nice day...

    Best regards,
    Fisnik

    Coder24.com
    Monday, January 11, 2010 9:02 AM