
Commit 306f50f

committed
try fix start ti process on Windows11 22623.1250
1 parent d7b3f38 commit 306f50f


3 files changed

+47
-27
lines changed


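--- a/lib/exec/elevator.cc
+++ b/lib/exec/elevator.cc
@@ -100,11 +100,11 @@ inline auto IsSystemProcessName(std::wstring_view name) {
 }
 
 constexpr DWORD INVALID_PROCESS_ID = 0xFFFFFFFF;
-DWORD LookupSystemProcess() {
+bool SearchSystemProcess(std::vector<DWORD> &pss) {
 PWTS_PROCESS_INFOW pi{nullptr};
 DWORD count{0};
 if (::WTSEnumerateProcessesW(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pi, &count) != TRUE) {
-return INVALID_PROCESS_ID;
+return false;
 }
 auto closer = bela::finally([&] {
 if (pi != nullptr) {
@@ -115,10 +115,10 @@ DWORD LookupSystemProcess() {
 for (auto it = pi; it != end; it++) {
 if (it->SessionId == 0 && IsSystemProcessName(it->pProcessName) &&
 IsWellKnownSid(it->pUserSid, WinLocalSystemSid) == TRUE) {
-return it->ProcessId;
+pss.emplace_back(it->ProcessId);
 }
 }
-return INVALID_PROCESS_ID;
+return !pss.empty();
 }
 
 // Get Current Process SessionID and Enable SeDebugPrivilege
@@ -214,24 +214,24 @@ bool privileges_view_enabled(HANDLE hToken, const privilege_entries *pv) {
 return true;
 }
 
-bool Elavator::impersonation_system_token(bela::error_code &ec) {
+bool Elavator::impersonation_system_token(DWORD systemProcessId, bela::error_code &ec) {
 HANDLE hExistingToken = INVALID_HANDLE_VALUE;
 auto hProcess = ::OpenProcess(MAXIMUM_ALLOWED, FALSE, systemProcessId);
 if (hProcess == INVALID_HANDLE_VALUE) {
 ec = bela::make_system_error_code(
-bela::StringCat(L"Elavator::impersonation_system_token<OpenProcess> ", systemProcessId, L" "));
+bela::StringCat(L"impersonation_system_token<OpenProcess> ", systemProcessId, L" "));
 return false;
 }
 auto hpdeleter = bela::finally([&] { CloseHandle(hProcess); });
 if (OpenProcessToken(hProcess, MAXIMUM_ALLOWED, &hExistingToken) != TRUE) {
 ec = bela::make_system_error_code(
-bela::StringCat(L"Elavator::impersonation_system_token<OpenProcessToken> ", systemProcessId, L" "));
+bela::StringCat(L"impersonation_system_token<OpenProcessToken> ", systemProcessId, L" "));
 return false;
 }
 auto htdeleter = bela::finally([&] { CloseHandle(hExistingToken); });
 if (DuplicateTokenEx(hExistingToken, MAXIMUM_ALLOWED, nullptr, SecurityImpersonation, TokenImpersonation, &hToken) !=
 TRUE) {
-ec = bela::make_system_error_code(L"Elavator::impersonation_system_token<DuplicateTokenEx> ");
+ec = bela::make_system_error_code(L"impersonation_system_token<DuplicateTokenEx> ");
 return false;
 }
 return true;
@@ -242,20 +242,31 @@ bool Elavator::ImpersonationSystemPrivilege(const privilege_entries *pv, bela::e
 if (!EnableSeDebugPrivilege(currentSessionId, ec)) {
 return false;
 }
-if (systemProcessId = LookupSystemProcess(); systemProcessId == INVALID_PROCESS_ID) {
-ec = bela::make_error_code(1, L"Elevator::ImpersonationSystemPrivilege unable lookup system process pid");
+if (!SearchSystemProcess(systemProcesses)) {
+ec = bela::make_error_code(1, L"ImpersonationSystemPrivilege search system process error");
 return false;
 }
-if (!impersonation_system_token(ec)) {
+
+auto impersonation_system_token_all = [&]() -> bool {
+for (auto pid : systemProcesses) {
+if (impersonation_system_token(pid, ec)) {
+return true;
+}
+}
+return false;
+};
+
+if (!impersonation_system_token_all()) {
 return false;
 }
+
 if (!privileges_view_enabled(hToken, pv)) {
-ec = bela::make_error_code(1, L"Elevator::ImpersonationSystemPrivilege unable enable privileges: ",
+ec = bela::make_error_code(1, L"ImpersonationSystemPrivilegeunable enable privileges: ",
 pv == nullptr ? L"all" : pv->format());
 return false;
 }
 if (SetThreadToken(nullptr, hToken) != TRUE) {
-ec = bela::make_error_code(1, L"Elevator::ImpersonationSystemPrivilege<SetThreadToken> ");
+ec = bela::make_error_code(1, L"ImpersonationSystemPrivilege<SetThreadToken> ");
 return false;
 }
 return true;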
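Review bot: In `impersonation_system_token` the failure check after `::OpenProcess` compares against `INVALID_HANDLE_VALUE`, but OpenProcess signals failure with a null handle, so a process that cannot be opened is never caught at that branch. With the new per-PID retry loop this matters more: the call falls through to `OpenProcessToken` on a null handle, `hpdeleter` then calls `CloseHandle` on it, and `ec` describes the wrong step instead of the real OpenProcess error. The check should read `if (hProcess == nullptr) {`. Separately, the new message `L"ImpersonationSystemPrivilegeunable enable privileges: "` lost the space before `unable`. Both `impersonation_system_token` and `ImpersonationSystemPrivilege` extend beyond the visible hunks.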

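--- a/lib/exec/execinternal.hpp
+++ b/lib/exec/execinternal.hpp
@@ -44,18 +44,17 @@ class Elavator {
 Elavator(const Elavator &) = delete;
 Elavator &operator=(const Elavator &) = delete;
 ~Elavator() { FreeToken(hToken); }
-// System Process PID
-DWORD SystemPID() const { return systemProcessId; }
 // Session ID
 DWORD SessionID() const { return currentSessionId; }
+const auto &SystemProcesses() const { return systemProcesses; }
 bool ImpersonationSystemPrivilege(const privilege_entries *pv, bela::error_code &ec);
 
 private:
-bool impersonation_system_token(bela::error_code &ec);
+bool impersonation_system_token(DWORD systemProcessId, bela::error_code &ec);
 HANDLE hToken{nullptr};
 DWORD currentSessionId{0};
-// system process id
-DWORD systemProcessId{0};
+// system process list
+std::vector<DWORD> systemProcesses;
 };
 bool execute_basic(command &cmd, bela::error_code &ec);
 bool execute_with_ti(command &cmd, bela::error_code &ec);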
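Review bot: The new accessor `SystemProcesses()` is the only public getter here without a comment, and its `const auto &` return type hides what callers receive. I would spell it out as `const std::vector<DWORD> &SystemProcesses() const { return systemProcesses; }` with a comment such as `// PIDs of candidate SYSTEM processes; filled by ImpersonationSystemPrivilege`. The header now names `std::vector` directly, so it should include `<vector>` itself unless an include outside this hunk already provides it. The class body starts above the hunk.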

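--- a/lib/exec/system.cc
+++ b/lib/exec/system.cc
@@ -122,16 +122,26 @@ bool execute_with_system(command &cmd, bela::error_code &ec) {
 FreeToken(hToken);
 FreeToken(hPrimary);
 });
-if ((hProcess = OpenProcess(MAXIMUM_ALLOWED, FALSE, eo.SystemPID())) == nullptr) {
-ec = bela::make_system_error_code(L"execute_with_system<OpenProcess> ");
-return false;
-}
-if (OpenProcessToken(hProcess, MAXIMUM_ALLOWED, &hToken) != TRUE) {
-ec = bela::make_system_error_code(L"execute_with_system<OpenProcessToken> ");
+
+auto impersonation_system_token_all = [&]() -> bool {
+for (auto pid : eo.SystemProcesses()) {
+if ((hProcess = OpenProcess(MAXIMUM_ALLOWED, FALSE, pid)) == nullptr) {
+ec = bela::make_system_error_code(L"execute_with_system<OpenProcess> ");
+continue;
+}
+if (OpenProcessToken(hProcess, MAXIMUM_ALLOWED, &hToken) != TRUE) {
+ec = bela::make_system_error_code(L"execute_with_system<OpenProcessToken> ");
+continue;
+}
+if (DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, nullptr, SecurityImpersonation, TokenPrimary, &hPrimary) != TRUE) {
+ec = bela::make_system_error_code(L"execute_with_system<DuplicateTokenEx> ");
+continue;
+}
+return true;
+}
 return false;
-}
-if (DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, nullptr, SecurityImpersonation, TokenPrimary, &hPrimary) != TRUE) {
-ec = bela::make_system_error_code(L"execute_with_system<DuplicateTokenEx> ");
+};
+if (!impersonation_system_token_all()) {
 return false;
 }
 auto session = eo.SessionID();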
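Review bot: The retry loop in `impersonation_system_token_all` leaks handles when an attempt fails part-way: the `continue` in the `OpenProcessToken` branch leaves `hProcess` open, the `continue` in the `DuplicateTokenEx` branch leaves both `hProcess` and `hToken` open, and the next iteration overwrites them. The cleanup registered just above the hunk runs only once, so it can release only the last values. Release them ahead of each `continue`, e.g. `CloseHandle(hProcess); hProcess = nullptr;`, and likewise for `hToken` in the `DuplicateTokenEx` branch. Since the loop exists to skip processes that refuse access, it may also be worth replacing `MAXIMUM_ALLOWED` on `OpenProcess` with only the right `OpenProcessToken` needs (`PROCESS_QUERY_LIMITED_INFORMATION`, per the API documentation; confirm against the targeted builds). `execute_with_system` begins and ends outside the hunk.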
