Refreshing User Access Token Without Logging Off

Umer Mian

I want to be able to add a user to the Administrators group and have the
change take effect without having the user log off. I know that the user
access token gets created upon login, but I've also heard that there's a way
to have it re-created using an API call. I've done a lot of searching, but
haven't found anything so far.

Does anyone know which API call you need to make to refresh the user access
token? Has anyone written a tool or script to do this? The reason you'd want
to do this is because it would allow you to elevate a user's privileges
without having the user log off. I know that runas and 'su.exe' (from the
resource kit) are the standard privilege-escalation tools, BUT there are
issues with both.

Let me know if anyone knows how to do this. Thanks in advance.

--Umer

PS:
If responding via email, remove NOSPAM from the email address.
 
Kirk Ferdmann

Umer Mian said:
> I want to be able to add a user to the Administrators group and have the
> change take effect without having the user log off. I know that the user
> access token gets created upon login, but I've also heard that there's a way
> to have it re-created using an API call. I've done a lot of searching, but
> haven't found anything so far.

Theoretically you could use the undocumented NtCreateToken to forge a token and
launch a new process with it. But obviously it will not have any effect on
already running processes. Also I would highly recommend staying away from
this solution as it has so many issues under the surface. Many people
reported trying this road and yet I haven't seen even one successful
implementation.

> Does anyone know which API call you need to make to refresh the user access
> token?

I believe there is none as it contradicts the model.

> Has anyone written a tool or script to do this? The reason you'd want
> to do this is because it would allow you to elevate a user's privileges
> without having the user log off. I know that runas and 'su.exe' (from the
> resource kit) are the standard privilege-escalation tools, BUT there are
> issues with both.

What kind of issues? I hope you are not referring to the fact that they
require the password, because it's a good thing.

-Kirk
 
Umer Mian

> What kind of issues? I hope you are not referring to the fact that they
> require the password, because it's a good thing.

The issue with runas is that it activates the HKCU hive of the elevated
privileges user (i.e. it doesn't keep the HKCU hive of the currently logged
in user). This is a problem when using runas to elevate privileges for
software installation because now the installer will put user registry
entries in the wrong place. 'Su.exe' from the resource kit is supposed to
get around this with the '-e' switch:

"-e disables environment preparation. The parent environment is inherited.
This option prevents preparation of the user environment for the new
process, instead causing the environment to be inherited from SU."

However, I haven't gotten this to work quite right.

Being able to refresh the user access token would allow you to give a user
Administrator privileges and still keep the user's environment. However, as you
said, this is probably not possible because it violates the security model.

Thanks for your help.

--Umer
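
The conclusion the thread reaches, that the access token is a snapshot taken at logon and is not refreshed when group membership changes, can be observed directly. The PowerShell below is an added example, not part of the original thread: it assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember), the function name Get-AdminTokenDrift is hypothetical, and only direct members of the local group are compared (nested domain groups are not expanded).

```powershell
# Added example (not from the thread). Compares two views of the same fact:
#   1. the Administrators SID as stored in this process's access token, and
#   2. the local Administrators group membership as it stands right now.
# A mismatch shows that the token was not rebuilt when the group changed.
function Get-AdminTokenDrift {   # hypothetical helper name
    # Well-known SID of BUILTIN\Administrators
    $adminSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal $identity

    # Token view: IsInRole is evaluated against the SIDs held in the token.
    $inToken = $principal.IsInRole($adminSid)

    # Account-database view: direct members of the group at this moment.
    $inGroupNow = [bool](Get-LocalGroupMember -SID $adminSid |
        Where-Object { $_.SID.Value -eq $identity.User.Value })

    $state = if ($inGroupNow -and -not $inToken) {
        # On systems with UAC, a filtered (non-elevated) token also lands here.
        'In group but not in token: membership takes effect at the next logon'
    } elseif ($inToken -and -not $inGroupNow) {
        'In token but not in group: this session keeps the SID until logoff'
    } elseif ($inToken) {
        'Token and group agree: administrator'
    } else {
        'Token and group agree: not an administrator'
    }

    [pscustomobject]@{
        User          = $identity.Name
        AdminInToken  = $inToken
        AdminInGroup  = $inGroupNow
        State         = $state
    }
}

Get-AdminTokenDrift | Format-List
```

The second state is the one to watch for operationally: removing an account from Administrators does not revoke the privilege from sessions that are already logged on.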
 
