In my local system service I may start a UI process that should run with the credentials of the logged-on Windows user, but at times, when there's no logged-on user, it should be able to start on the Winlogon or "secure desktop" as well.
Thus, I'm using the following construct to prep the user token for it:
//The following snippet is run from the local system service (dwSessionId was left undeclared in the original; the console session is assumed here)
#include <windows.h>
HANDLE hSelfToken = NULL;
HANDLE hToken2 = NULL;
DWORD dwSessionId = ::WTSGetActiveConsoleSessionId();
if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, &hSelfToken))
    return ::GetLastError();
//Remove most privileges (all but SeChangeNotifyPrivilege) & create restricted token
if (!::CreateRestrictedToken(hSelfToken,
        DISABLE_MAX_PRIVILEGE | LUA_TOKEN,
        0, NULL,    //SidsToDisable: none, so the user and group SIDs stay enabled
        0, NULL,    //PrivilegesToDelete: none, DISABLE_MAX_PRIVILEGE already covers it
        0, NULL,    //SidsToRestrict: none
        &hToken2))
    return ::GetLastError();
::CloseHandle(hSelfToken);
//Set user session ID for the token where the process will run (the calling service needs SeTcbPrivilege)
if (!::SetTokenInformation(hToken2, TokenSessionId, &dwSessionId, sizeof(dwSessionId)))
    return ::GetLastError();
//The 'hToken2' is later used to call CreateProcessAsUser() to start a user UI process
This works great, except that despite having pretty much no privileges and no elevation, my UI process that is started with this method still receives too many of the system service's "rights." For instance, it can create a file in the C:\ root folder, or open the HKLM registry key for writing.
So I'm curious, what else shall I do to lower the child process' privileges?
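The behaviour described above follows from how a DACL check treats the token rather than from its privileges; the added model below (not Win32 code, and not from the question) reproduces that check for the SYSTEM-derived token with and without a restricting SID, next to an ordinary interactive user's token such as WTSQueryUserToken returns. The SIDs and the root DACL in it are constructed approximations of the Windows defaults.

```cpp
// Added model of the Windows DACL access check (not Win32 code and not from the
// question): enough of AccessCheck() to show why the token above still writes
// to C:\ and HKLM, and what a restricting SID changes.
#include <string>
#include <vector>
enum { READ = 1, WRITE = 2, FULL = READ | WRITE };
struct Sid { std::string sid; bool denyOnly; };   // denyOnly = SE_GROUP_USE_FOR_DENY_ONLY
struct Ace { bool allow; std::string sid; unsigned mask; };
// sids = user SID then groups; restricting = SidsToRestrict (empty: not a
// restricted token); privileges are listed only to show a DACL check ignores them.
struct Token { std::vector<Sid> sids; std::vector<std::string> restricting, privileges; };
// One walk over the DACL: ACEs in order, a matching deny ACE wins immediately,
// allow ACEs accumulate until every requested bit is granted.
static bool daclPass(const std::vector<Ace>& dacl, unsigned wanted,
                     const std::vector<Sid>& sids) {
    unsigned granted = 0;
    for (const Ace& ace : dacl) {
        for (const Sid& s : sids) {
            if (s.sid != ace.sid) continue;
            if (!ace.allow && (ace.mask & wanted)) return false;  // deny-only SIDs match deny ACEs
            if (ace.allow && !s.denyOnly) granted |= ace.mask;     // but can never grant
        }
        if ((granted & wanted) == wanted) return true;
    }
    return false;
}
// A restricted token is checked twice: enabled SIDs, then the restricting list.
bool accessCheck(const Token& t, const std::vector<Ace>& dacl, unsigned wanted) {
    if (!daclPass(dacl, wanted, t.sids)) return false;
    if (t.restricting.empty()) return true;
    std::vector<Sid> r;
    for (const std::string& s : t.restricting) r.push_back({s, false});
    return daclPass(dacl, wanted, r);
}
// Constructed approximation of the default DACL on C:\ (HKLM is similar).
const std::vector<Ace> kRootDacl = {{true, "S-1-5-18", FULL},       // NT AUTHORITY\SYSTEM
                                    {true, "S-1-5-32-544", FULL},   // BUILTIN\Administrators
                                    {true, "S-1-5-32-545", READ}};  // BUILTIN\Users
// SYSTEM's token after CreateRestrictedToken(DISABLE_MAX_PRIVILEGE | LUA_TOKEN):
// privileges gone, Administrators deny-only, but the user SID is still SYSTEM.
Token questionToken() {
    return {{{"S-1-5-18", false}, {"S-1-5-32-544", true}, {"S-1-5-32-545", false}},
            {}, {"SeChangeNotifyPrivilege"}};
}
// Same call with SidsToRestrict = {S-1-5-12, "RESTRICTED"}: the second pass holds
// only a SID this DACL never grants, so WRITE (and here even READ) is refused.
Token withRestrictingSid() { Token t = questionToken(); t.restricting = {"S-1-5-12"}; return t; }
// The interactive user's own token (constructed SID), as WTSQueryUserToken returns.
Token userToken() { return {{{"S-1-5-21-1000", false}, {"S-1-5-32-545", false}}, {}, {}}; }
```

The SYSTEM user SID alone satisfies the root DACL, so stripping privileges and marking Administrators deny-only changes nothing for that check; only a token whose SIDs (or restricting SIDs) the DACL does not grant is actually held back.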