User Account Control and Split Tokens.


QUICK QUESTION - I am a member of the local administrators group on a Windows Vista Machine. How can I check whether a process launched under my context is running under UAC or running elevated?

QUICK ANSWER -

  1. Launch the debugger in elevated mode.
  2. Attach to the process and fix up symbols.
  3. Dump the process token and check whether the group SID S-1-5-32-544 (BUILTIN\Administrators) carries the DenyOnly attribute.
  4. If it does, the process is running under UAC with a filtered token. Otherwise it is running elevated.

0:001> !token -n
Thread is not impersonating. Using process token...
TS Session ID: 0x2
User: S-1-5-21-397955417-626881126-188441444-3417686 (User: DOMAIN\mithuns)
Groups:
00 S-1-5-21-397955417-626881126-188441444-513 (Group: DOMAIN\Domain Users)
Attributes - Mandatory Default Enabled
01 S-1-1-0 (Well Known Group: localhost\Everyone)
Attributes - Mandatory Default Enabled
02 S-1-5-21-2509036279-1584907351-1836241972-1001 (Alias: MITHUNS7\Debugger Users)
Attributes - Mandatory Default Enabled
03 S-1-5-32-544 (Alias: BUILTIN\Administrators)
Attributes - DenyOnly
04 S-1-5-32-545 (Alias: BUILTIN\Users)
Attributes - Mandatory Default Enabled


QUICK QUESTION – When people talk about UAC, I often hear the term “split token”. What exactly is it?

QUICK ANSWER - When a process runs under UAC, some privileges are completely stripped out of the process token rather than merely disabled, which also means that you cannot call AdjustTokenPrivileges() to enable them. Compare the two tokens below -


Token for elevated process

Privs:
00 0x000000005 SeIncreaseQuotaPrivilege Attributes -
01 0x000000008 SeSecurityPrivilege Attributes -
02 0x000000009 SeTakeOwnershipPrivilege Attributes -
03 0x00000000a SeLoadDriverPrivilege Attributes -
04 0x00000000b SeSystemProfilePrivilege Attributes -
05 0x00000000c SeSystemtimePrivilege Attributes -
06 0x00000000d SeProfileSingleProcessPrivilege Attributes -
07 0x00000000e SeIncreaseBasePriorityPrivilege Attributes -
08 0x00000000f SeCreatePagefilePrivilege Attributes -
09 0x000000011 SeBackupPrivilege Attributes -
10 0x000000012 SeRestorePrivilege Attributes -
11 0x000000013 SeShutdownPrivilege Attributes -
12 0x000000014 SeDebugPrivilege Attributes -
13 0x000000016 SeSystemEnvironmentPrivilege Attributes -
14 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
15 0x000000018 SeRemoteShutdownPrivilege Attributes -
16 0x000000019 SeUndockPrivilege Attributes -
17 0x00000001c SeManageVolumePrivilege Attributes -
18 0x00000001d SeImpersonatePrivilege Attributes - Enabled Default
19 0x00000001e SeCreateGlobalPrivilege Attributes - Enabled Default
20 0x000000021 SeIncreaseWorkingSetPrivilege Attributes -
21 0x000000022 SeTimeZonePrivilege Attributes -
22 0x000000023 SeCreateSymbolicLinkPrivilege Attributes -

"SPLIT" token for process under UAC

Privs:
00 0x000000013 SeShutdownPrivilege Attributes -
01 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
02 0x000000019 SeUndockPrivilege Attributes -
03 0x000000021 SeIncreaseWorkingSetPrivilege Attributes -
04 0x000000022 SeTimeZonePrivilege Attributes -

Every privilege that appears in the elevated token but not in the split token above has been stripped out entirely (note that SeDebugPrivilege is absent too, hence the need to launch the debugger elevated).
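As an added example (not code from the original post), the same two checks can be made from PowerShell on the current process without attaching a debugger: the raw token groups and privileges are read with whoami.exe, and the BUILTIN\Administrators SID is cross-checked against .NET's WindowsIdentity, which silently drops deny-only group SIDs. It assumes whoami.exe with /fo csv support (Vista and later), PowerShell 3 or later, and, for the attribute-string match only, English output.

```powershell
# Added example, not code from the original post. Reports whether the current
# PowerShell process runs under a UAC-filtered ("split") token, using the two
# markers the post describes: BUILTIN\Administrators marked deny-only, and the
# admin-only privileges being absent (not just disabled) from the token.
function Get-UacTokenState {
    # Raw group list with attributes; the same data as the Groups: section of !token.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admin  = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

    # Raw privilege list. A privilege UAC stripped does not appear at all, so
    # there is nothing for AdjustTokenPrivileges() to enable.
    $privNames = whoami /priv /fo csv | ConvertFrom-Csv |
        ForEach-Object { $_.'Privilege Name' }

    # Privileges present in the post's elevated token but absent from its split token.
    $elevatedOnly = @(
        'SeIncreaseQuotaPrivilege', 'SeSecurityPrivilege', 'SeTakeOwnershipPrivilege'
        'SeLoadDriverPrivilege', 'SeSystemProfilePrivilege', 'SeSystemtimePrivilege'
        'SeProfileSingleProcessPrivilege', 'SeIncreaseBasePriorityPrivilege'
        'SeCreatePagefilePrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege'
        'SeDebugPrivilege', 'SeSystemEnvironmentPrivilege', 'SeRemoteShutdownPrivilege'
        'SeManageVolumePrivilege', 'SeImpersonatePrivilege', 'SeCreateGlobalPrivilege'
        'SeCreateSymbolicLinkPrivilege'
    )
    $stripped = $elevatedOnly | Where-Object { $privNames -notcontains $_ }

    # Cross-check independent of localized text: WindowsIdentity.Groups omits
    # deny-only SIDs, so under a filtered token the Administrators SID shows up
    # in the raw whoami output but is missing from the .NET collection.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $adminVisibleToDotNet = [bool]($id.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })

    # 'deny' matches the English "Group used for deny only" attribute string.
    $denyOnly   = [bool]($admin -and $admin.Attributes -match 'deny')
    $adminAttrs = if ($admin) { $admin.Attributes } else { '<not in token>' }

    [PSCustomObject]@{
        User                  = $id.Name
        AdminGroupAttributes  = $adminAttrs
        AdminDenyOnly         = $denyOnly
        AdminVisibleToDotNet  = $adminVisibleToDotNet
        HasSeDebugPrivilege   = [bool]($privNames -contains 'SeDebugPrivilege')
        StrippedPrivileges    = @($stripped)
        RunningUnderUacFilter = $denyOnly -or ([bool]$admin -and -not $adminVisibleToDotNet)
    }
}

Get-UacTokenState | Format-List
```

Run it once from a normal prompt and once from a "Run as administrator" prompt; the first reports AdminDenyOnly true and SeDebugPrivilege missing, the second the reverse.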

Related Post - https://blogs.msdn.com/greggm/archive/2006/03/30/565303.aspx