1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "remoting/host/win/launch_process_with_token.h"
12 #include "base/logging.h"
13 #include "base/memory/scoped_ptr.h"
14 #include "base/rand_util.h"
15 #include "base/scoped_native_library.h"
16 #include "base/strings/string16.h"
17 #include "base/strings/stringprintf.h"
18 #include "base/strings/utf_string_conversions.h"
19 #include "base/win/scoped_handle.h"
20 #include "base/win/scoped_process_information.h"
21 #include "base/win/windows_version.h"
23 using base::win::ScopedHandle;
27 const char kCreateProcessDefaultPipeNameFormat[] =
28 "\\\\.\\Pipe\\TerminalServer\\SystemExecSrvr\\%d";
30 // Undocumented WINSTATIONINFOCLASS value causing
31 // winsta!WinStationQueryInformationW() to return the name of the pipe for
32 // requesting cross-session process creation.
33 const WINSTATIONINFOCLASS kCreateProcessPipeNameClass =
34 static_cast<WINSTATIONINFOCLASS>(0x21);
36 const int kPipeBusyWaitTimeoutMs = 2000;
37 const int kPipeConnectMaxAttempts = 3;
39 // Terminates the process and closes process and thread handles in
40 // |process_information| structure.
41 void CloseHandlesAndTerminateProcess(PROCESS_INFORMATION* process_information) {
42 if (process_information->hThread) {
43 CloseHandle(process_information->hThread);
44 process_information->hThread = NULL;
47 if (process_information->hProcess) {
48 TerminateProcess(process_information->hProcess, CONTROL_C_EXIT);
49 CloseHandle(process_information->hProcess);
50 process_information->hProcess = NULL;
54 // Connects to the executor server corresponding to |session_id|.
55 bool ConnectToExecutionServer(uint32 session_id,
56 base::win::ScopedHandle* pipe_out) {
57 base::string16 pipe_name;
59 // Use winsta!WinStationQueryInformationW() to determine the process creation
60 // pipe name for the session.
61 base::FilePath winsta_path(
62 base::GetNativeLibraryName(base::UTF8ToUTF16("winsta")));
63 base::ScopedNativeLibrary winsta(winsta_path);
64 if (winsta.is_valid()) {
65 PWINSTATIONQUERYINFORMATIONW win_station_query_information =
66 reinterpret_cast<PWINSTATIONQUERYINFORMATIONW>(
67 winsta.GetFunctionPointer("WinStationQueryInformationW"));
68 if (win_station_query_information) {
69 wchar_t name[MAX_PATH];
71 if (win_station_query_information(0,
73 kCreateProcessPipeNameClass,
77 pipe_name.assign(name);
82 // Use the default pipe name if we couldn't query its name.
83 if (pipe_name.empty()) {
84 pipe_name = base::UTF8ToUTF16(
85 base::StringPrintf(kCreateProcessDefaultPipeNameFormat, session_id));
88 // Try to connect to the named pipe.
89 base::win::ScopedHandle pipe;
90 for (int i = 0; i < kPipeConnectMaxAttempts; ++i) {
91 pipe.Set(CreateFile(pipe_name.c_str(),
92 GENERIC_READ | GENERIC_WRITE,
102 // Cannot continue retrying if error is something other than
104 if (GetLastError() != ERROR_PIPE_BUSY) {
108 // Cannot continue retrying if wait on pipe fails.
109 if (!WaitNamedPipe(pipe_name.c_str(), kPipeBusyWaitTimeoutMs)) {
114 if (!pipe.IsValid()) {
115 PLOG(ERROR) << "Failed to connect to '" << pipe_name << "'";
119 *pipe_out = pipe.Pass();
123 // Copies the process token making it a primary impersonation token.
124 // The returned handle will have |desired_access| rights.
125 bool CopyProcessToken(DWORD desired_access, ScopedHandle* token_out) {
127 if (!OpenProcessToken(GetCurrentProcess(),
128 TOKEN_DUPLICATE | desired_access,
130 PLOG(ERROR) << "Failed to open process token";
133 ScopedHandle process_token(temp_handle);
135 if (!DuplicateTokenEx(process_token.Get(),
138 SecurityImpersonation,
141 PLOG(ERROR) << "Failed to duplicate the process token";
145 token_out->Set(temp_handle);
149 // Creates a copy of the current process with SE_TCB_NAME privilege enabled.
150 bool CreatePrivilegedToken(ScopedHandle* token_out) {
151 ScopedHandle privileged_token;
152 DWORD desired_access = TOKEN_ADJUST_PRIVILEGES | TOKEN_IMPERSONATE |
153 TOKEN_DUPLICATE | TOKEN_QUERY;
154 if (!CopyProcessToken(desired_access, &privileged_token)) {
158 // Get the LUID for the SE_TCB_NAME privilege.
159 TOKEN_PRIVILEGES state;
160 state.PrivilegeCount = 1;
161 state.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
162 if (!LookupPrivilegeValue(NULL, SE_TCB_NAME, &state.Privileges[0].Luid)) {
163 PLOG(ERROR) << "Failed to lookup the LUID for the SE_TCB_NAME privilege";
167 // Enable the SE_TCB_NAME privilege.
168 if (!AdjustTokenPrivileges(privileged_token.Get(), FALSE, &state, 0, NULL,
170 PLOG(ERROR) << "Failed to enable SE_TCB_NAME privilege in a token";
174 *token_out = privileged_token.Pass();
178 // Fills the process and thread handles in the passed |process_information|
179 // structure and resume the process if the caller didn't want to suspend it.
180 bool ProcessCreateProcessResponse(DWORD creation_flags,
181 PROCESS_INFORMATION* process_information) {
182 // The execution server does not return handles to the created process and
184 if (!process_information->hProcess) {
185 // N.B. PROCESS_ALL_ACCESS is different in XP and Vista+ versions of
186 // the SDK. |desired_access| below is effectively PROCESS_ALL_ACCESS from
187 // the XP version of the SDK.
188 DWORD desired_access =
189 STANDARD_RIGHTS_REQUIRED |
192 PROCESS_CREATE_THREAD |
193 PROCESS_SET_SESSIONID |
194 PROCESS_VM_OPERATION |
198 PROCESS_CREATE_PROCESS |
200 PROCESS_SET_INFORMATION |
201 PROCESS_QUERY_INFORMATION |
202 PROCESS_SUSPEND_RESUME;
203 process_information->hProcess =
204 OpenProcess(desired_access,
206 process_information->dwProcessId);
207 if (!process_information->hProcess) {
208 PLOG(ERROR) << "Failed to open the process "
209 << process_information->dwProcessId;
214 if (!process_information->hThread) {
215 // N.B. THREAD_ALL_ACCESS is different in XP and Vista+ versions of
216 // the SDK. |desired_access| below is effectively THREAD_ALL_ACCESS from
217 // the XP version of the SDK.
218 DWORD desired_access =
219 STANDARD_RIGHTS_REQUIRED |
222 THREAD_SUSPEND_RESUME |
225 THREAD_QUERY_INFORMATION |
226 THREAD_SET_INFORMATION |
227 THREAD_SET_THREAD_TOKEN |
229 THREAD_DIRECT_IMPERSONATION;
230 process_information->hThread =
231 OpenThread(desired_access,
233 process_information->dwThreadId);
234 if (!process_information->hThread) {
235 PLOG(ERROR) << "Failed to open the thread "
236 << process_information->dwThreadId;
241 // Resume the thread if the caller didn't want to suspend the process.
242 if ((creation_flags & CREATE_SUSPENDED) == 0) {
243 if (!ResumeThread(process_information->hThread)) {
244 PLOG(ERROR) << "Failed to resume the thread "
245 << process_information->dwThreadId;
253 // Receives the response to a remote process create request.
254 bool ReceiveCreateProcessResponse(
256 PROCESS_INFORMATION* process_information_out) {
257 struct CreateProcessResponse {
261 PROCESS_INFORMATION process_information;
265 CreateProcessResponse response;
266 if (!ReadFile(pipe, &response, sizeof(response), &bytes, NULL)) {
267 PLOG(ERROR) << "Failed to receive CreateProcessAsUser response";
271 // The server sends the data in one chunk so if we didn't received a complete
272 // answer something bad happend and there is no point in retrying.
273 if (bytes != sizeof(response)) {
274 SetLastError(ERROR_RECEIVE_PARTIAL);
278 if (!response.success) {
279 SetLastError(response.last_error);
283 *process_information_out = response.process_information;
287 // Sends a remote process create request to the execution server.
288 bool SendCreateProcessRequest(
290 const base::FilePath::StringType& application_name,
291 const base::CommandLine::StringType& command_line,
292 DWORD creation_flags,
293 const base::char16* desktop_name) {
294 // |CreateProcessRequest| structure passes the same parameters to
295 // the execution server as CreateProcessAsUser() function does. Strings are
296 // stored as wide strings immediately after the structure. String pointers are
297 // represented as byte offsets to string data from the beginning of
299 struct CreateProcessRequest {
302 BOOL use_default_token;
304 LPWSTR application_name;
306 SECURITY_ATTRIBUTES process_attributes;
307 SECURITY_ATTRIBUTES thread_attributes;
308 BOOL inherit_handles;
309 DWORD creation_flags;
311 LPWSTR current_directory;
312 STARTUPINFOW startup_info;
313 PROCESS_INFORMATION process_information;
316 base::string16 desktop;
318 desktop = desktop_name;
320 // Allocate a large enough buffer to hold the CreateProcessRequest structure
321 // and three NULL-terminated string parameters.
322 size_t size = sizeof(CreateProcessRequest) + sizeof(wchar_t) *
323 (application_name.size() + command_line.size() + desktop.size() + 3);
324 scoped_ptr<char[]> buffer(new char[size]);
325 memset(buffer.get(), 0, size);
327 // Marshal the input parameters.
328 CreateProcessRequest* request =
329 reinterpret_cast<CreateProcessRequest*>(buffer.get());
330 request->size = size;
331 request->process_id = GetCurrentProcessId();
332 request->use_default_token = TRUE;
333 // Always pass CREATE_SUSPENDED to avoid a race between the created process
334 // exiting too soon and OpenProcess() call below.
335 request->creation_flags = creation_flags | CREATE_SUSPENDED;
336 request->startup_info.cb = sizeof(request->startup_info);
338 size_t buffer_offset = sizeof(CreateProcessRequest);
340 request->application_name = reinterpret_cast<LPWSTR>(buffer_offset);
341 std::copy(application_name.begin(),
342 application_name.end(),
343 reinterpret_cast<wchar_t*>(buffer.get() + buffer_offset));
344 buffer_offset += (application_name.size() + 1) * sizeof(wchar_t);
346 request->command_line = reinterpret_cast<LPWSTR>(buffer_offset);
347 std::copy(command_line.begin(),
349 reinterpret_cast<wchar_t*>(buffer.get() + buffer_offset));
350 buffer_offset += (command_line.size() + 1) * sizeof(wchar_t);
352 request->startup_info.lpDesktop =
353 reinterpret_cast<LPWSTR>(buffer_offset);
354 std::copy(desktop.begin(),
356 reinterpret_cast<wchar_t*>(buffer.get() + buffer_offset));
358 // Pass the request to create a process in the target session.
360 if (!WriteFile(pipe, buffer.get(), size, &bytes, NULL)) {
361 PLOG(ERROR) << "Failed to send CreateProcessAsUser request";
368 // Requests the execution server to create a process in the specified session
369 // using the default (i.e. Winlogon) token. This routine relies on undocumented
370 // OS functionality and will likely not work on anything but XP or W2K3.
371 bool CreateRemoteSessionProcess(
373 const base::FilePath::StringType& application_name,
374 const base::CommandLine::StringType& command_line,
375 DWORD creation_flags,
376 const base::char16* desktop_name,
377 PROCESS_INFORMATION* process_information_out) {
378 DCHECK_LT(base::win::GetVersion(), base::win::VERSION_VISTA);
380 base::win::ScopedHandle pipe;
381 if (!ConnectToExecutionServer(session_id, &pipe))
384 if (!SendCreateProcessRequest(pipe.Get(), application_name, command_line,
385 creation_flags, desktop_name)) {
389 PROCESS_INFORMATION process_information;
390 if (!ReceiveCreateProcessResponse(pipe.Get(), &process_information))
393 if (!ProcessCreateProcessResponse(creation_flags, &process_information)) {
394 CloseHandlesAndTerminateProcess(&process_information);
398 *process_information_out = process_information;
406 base::LazyInstance<base::Lock>::Leaky g_inherit_handles_lock =
407 LAZY_INSTANCE_INITIALIZER;
409 // Creates a copy of the current process token for the given |session_id| so
410 // it can be used to launch a process in that session.
411 bool CreateSessionToken(uint32 session_id, ScopedHandle* token_out) {
412 ScopedHandle session_token;
413 DWORD desired_access = TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID |
414 TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY;
415 if (!CopyProcessToken(desired_access, &session_token)) {
419 // Temporarily enable the SE_TCB_NAME privilege as it is required by
420 // SetTokenInformation(TokenSessionId).
421 ScopedHandle privileged_token;
422 if (!CreatePrivilegedToken(&privileged_token)) {
425 if (!ImpersonateLoggedOnUser(privileged_token.Get())) {
426 PLOG(ERROR) << "Failed to impersonate the privileged token";
430 // Change the session ID of the token.
431 DWORD new_session_id = session_id;
432 if (!SetTokenInformation(session_token.Get(),
435 sizeof(new_session_id))) {
436 PLOG(ERROR) << "Failed to change session ID of a token";
438 // Revert to the default token.
439 CHECK(RevertToSelf());
443 // Revert to the default token.
444 CHECK(RevertToSelf());
446 *token_out = session_token.Pass();
450 bool LaunchProcessWithToken(const base::FilePath& binary,
451 const base::CommandLine::StringType& command_line,
453 SECURITY_ATTRIBUTES* process_attributes,
454 SECURITY_ATTRIBUTES* thread_attributes,
455 bool inherit_handles,
456 DWORD creation_flags,
457 const base::char16* desktop_name,
458 ScopedHandle* process_out,
459 ScopedHandle* thread_out) {
460 base::FilePath::StringType application_name = binary.value();
462 STARTUPINFOW startup_info;
463 memset(&startup_info, 0, sizeof(startup_info));
464 startup_info.cb = sizeof(startup_info);
466 startup_info.lpDesktop = const_cast<base::char16*>(desktop_name);
468 PROCESS_INFORMATION temp_process_info = {};
469 BOOL result = CreateProcessAsUser(user_token,
470 application_name.c_str(),
471 const_cast<LPWSTR>(command_line.c_str()),
481 // CreateProcessAsUser will fail on XP and W2K3 with ERROR_PIPE_NOT_CONNECTED
482 // if the user hasn't logged to the target session yet. In such a case
483 // we try to talk to the execution server directly emulating what
484 // the undocumented and not-exported advapi32!CreateRemoteSessionProcessW()
485 // function does. The created process will run under Winlogon'a token instead
486 // of |user_token|. Since Winlogon runs as SYSTEM, this suits our needs.
488 GetLastError() == ERROR_PIPE_NOT_CONNECTED &&
489 base::win::GetVersion() < base::win::VERSION_VISTA) {
492 result = GetTokenInformation(user_token,
497 if (result && session_id != 0) {
498 result = CreateRemoteSessionProcess(session_id,
505 // Restore the error status returned by CreateProcessAsUser().
507 SetLastError(ERROR_PIPE_NOT_CONNECTED);
512 PLOG(ERROR) << "Failed to launch a process with a user token";
516 base::win::ScopedProcessInformation process_info(temp_process_info);
518 CHECK(process_info.IsValid());
519 process_out->Set(process_info.TakeProcessHandle());
520 thread_out->Set(process_info.TakeThreadHandle());
524 } // namespace remoting