/// <exception cref="System.IO.IOException"></exception>
internal static void ResolveSids0(string authorityServerName, NtlmPasswordAuthentication
auth, Sid[] sids)
{
DcerpcHandle handle = null;
LsaPolicyHandle policyHandle = null;
lock (SidCache)
{
try
{
handle = DcerpcHandle.GetHandle("ncacn_np:" + authorityServerName + "[\\PIPE\\lsarpc]"
, auth);
string server = authorityServerName;
int dot = server.IndexOf('.');
if (dot > 0 && char.IsDigit(server[0]) == false)
{
server = Runtime.Substring(server, 0, dot);
}
policyHandle = new LsaPolicyHandle(handle, "\\\\" + server, unchecked (0x00000800));
ResolveSids(handle, policyHandle, sids);
}
finally
{
if (handle != null)
{
if (policyHandle != null)
{
policyHandle.Close();
}
handle.Close();
}
}
}
}
public static extern NtStatus LsaEnumerateAccountRights
(
LsaPolicyHandle policyHandle,
IntPtr accountSid,
out IntPtr userRights,
out uint countOfRights
);
public static extern NtStatus LsaOpenPolicy
(
ref LsaUnicodeString systemName,
ref LsaObjectAttributes objectAttributes,
Kernel32.Kernel32.AccessMask.PolicySpecificRights accessMask,
out LsaPolicyHandle policyHandle
);
public static extern NtStatus LsaAddAccountRights
(
LsaPolicyHandle policyHandle,
IntPtr accountSid,
LsaUnicodeString[] userRights,
long countOfRights
);
public MsrpcLsarOpenPolicy2(string server, int access, LsaPolicyHandle policyHandle
) : base(server, new Lsarpc.LsarObjectAttributes(), access, policyHandle)
{
ObjectAttributes.Length = 24;
Lsarpc.LsarQosInfo qos = new Lsarpc.LsarQosInfo();
qos.Length = 12;
qos.ImpersonationLevel = 2;
qos.ContextMode = 1;
qos.EffectiveOnly = 0;
ObjectAttributes.SecurityQualityOfService = qos;
Ptype = 0;
Flags = DcerpcConstants.DcerpcFirstFrag | DcerpcConstants.DcerpcLastFrag;
}
public MsrpcLsarOpenPolicy2(string server, int access, LsaPolicyHandle policyHandle
) : base(server, new Lsarpc.LsarObjectAttributes(), access, policyHandle)
{
ObjectAttributes.Length = 24;
Lsarpc.LsarQosInfo qos = new Lsarpc.LsarQosInfo();
qos.Length = 12;
qos.ImpersonationLevel = 2;
qos.ContextMode = 1;
qos.EffectiveOnly = 0;
ObjectAttributes.SecurityQualityOfService = qos;
Ptype = 0;
Flags = DcerpcConstants.DcerpcFirstFrag | DcerpcConstants.DcerpcLastFrag;
}
/// <exception cref="System.IO.IOException"></exception>
internal static void ResolveSids(DcerpcHandle handle, LsaPolicyHandle policyHandle
, Sid[] sids)
{
MsrpcLookupSids rpc = new MsrpcLookupSids(policyHandle, sids);
handle.Sendrecv(rpc);
switch (rpc.Retval)
{
case 0:
case NtStatus.NtStatusNoneMapped:
case unchecked (0x00000107):
{
// NT_STATUS_SOME_NOT_MAPPED
break;
}
default:
{
throw new SmbException(rpc.Retval, false);
}
}
for (int si = 0; si < sids.Length; si++)
{
sids[si].Type = rpc.Names.Names[si].SidType;
sids[si].DomainName = null;
switch (sids[si].Type)
{
case SidTypeUser:
case SidTypeDomGrp:
case SidTypeDomain:
case SidTypeAlias:
case SidTypeWknGrp:
{
int sidIndex = rpc.Names.Names[si].SidIndex;
Rpc.Unicode_string ustr = rpc.Domains.Domains[sidIndex].Name;
sids[si].DomainName = (new UnicodeString(ustr, false)).ToString();
break;
}
}
sids[si].AcctName = (new UnicodeString(rpc.Names.Names[si].Name, false)).ToString
();
sids[si].OriginServer = null;
sids[si].OriginAuth = null;
}
}
/// <exception cref="System.IO.IOException"></exception>
public static Sid GetServerSid(string server,
NtlmPasswordAuthentication auth)
{
DcerpcHandle handle = null;
LsaPolicyHandle policyHandle = null;
Lsarpc.LsarDomainInfo info = new Lsarpc.LsarDomainInfo();
MsrpcQueryInformationPolicy rpc;
lock (SidCache)
{
try
{
handle = DcerpcHandle.GetHandle("ncacn_np:" + server + "[\\PIPE\\lsarpc]", auth);
// NetApp doesn't like the 'generic' access mask values
policyHandle = new LsaPolicyHandle(handle, null, unchecked (0x00000001));
rpc = new MsrpcQueryInformationPolicy(policyHandle,
Lsarpc.PolicyInfoAccountDomain,
info);
handle.Sendrecv(rpc);
if (rpc.Retval != 0)
{
throw new SmbException(rpc.Retval, false);
}
return(new Sid(info.Sid,
SidTypeDomain,
(new UnicodeString(info.Name, false)).ToString(),
null,
false));
}
finally
{
if (handle != null)
{
if (policyHandle != null)
{
policyHandle.Close();
}
handle.Close();
}
}
}
}
public RunWindow()
{
InitializeComponent();
this.SetTopMost();
textSessionID.Text = Program.CurrentSessionId.ToString();
comboType.SelectedItem = "Interactive";
if (Program.ElevationType == TokenElevationType.Limited)
{
buttonOK.SetShieldIcon(true);
}
List <string> users = new List <string>
{
"NT AUTHORITY\\SYSTEM",
"NT AUTHORITY\\LOCAL SERVICE",
"NT AUTHORITY\\NETWORK SERVICE"
};
try
{
using (LsaPolicyHandle phandle = new LsaPolicyHandle(LsaPolicyAccess.ViewLocalInformation))
{
foreach (Sid sid in phandle.Accounts)
{
if (sid.NameUse == SidNameUse.User)
{
users.Add(sid.GetFullName(true));
}
}
}
}
catch
{ }
users.Sort();
comboUsername.Items.AddRange(users.ToArray());
}
public RunWindow()
{
InitializeComponent();
this.SetTopMost();
textSessionID.Text = Program.CurrentSessionId.ToString();
comboType.SelectedItem = "Interactive";
if (Program.ElevationType == TokenElevationType.Limited)
buttonOK.SetShieldIcon(true);
List<string> users = new List<string>
{
"NT AUTHORITY\\SYSTEM",
"NT AUTHORITY\\LOCAL SERVICE",
"NT AUTHORITY\\NETWORK SERVICE"
};
try
{
using (LsaPolicyHandle phandle = new LsaPolicyHandle(LsaPolicyAccess.ViewLocalInformation))
{
foreach (Sid sid in phandle.Accounts)
{
if (sid.NameUse == SidNameUse.User)
users.Add(sid.GetFullName(true));
}
}
}
catch
{ }
users.Sort();
comboUsername.Items.AddRange(users.ToArray());
}
public LsaPolicy(LsaPolicyHandle handle)
{
_handle = handle;
}
private void ApplyConfiguration()
{
try
{
//Only set right it is not a build in account
if (!Equals(_tempServiceConfig.Credentials, ServiceCredentials.LocalSystem) &&
!Equals(_tempServiceConfig.Credentials, ServiceCredentials.LocalService) &&
!Equals(_tempServiceConfig.Credentials, ServiceCredentials.NetworkService) &&
!Equals(_tempServiceConfig.Credentials, ServiceCredentials.NoChange) &&
!ServiceCredentials.IsVirtualAccount(_tempServiceConfig.Credentials)) //Normally all NT SERVICE\\... service has that right, so no need to add it.
{
string username = _tempServiceConfig.Credentials.Username;
if (string.IsNullOrWhiteSpace(username))
{
username = TextBoxUsername.Text;
}
using (LsaPolicyHandle lsaWrapper = LsaPolicyHandle.OpenPolicyHandle())
{
bool hasRightToStartAsService = lsaWrapper.EnumeratePrivileges(username).Any(x => x.Buffer == "SeServiceLogonRight");
if (!hasRightToStartAsService)
{
MessageBoxResult result = MessageBox.Show(_resManager.GetString("logon_as_a_service", CultureInfo.CurrentUICulture), _resManager.GetString("question", CultureInfo.CurrentUICulture), MessageBoxButton.YesNo, MessageBoxImage.Question);
if (result != MessageBoxResult.Yes)
{
return;
}
//Give the account the right to start as service
lsaWrapper.AddPrivileges(username, "SeServiceLogonRight");
}
}
}
if (_createNewService)
{
using (ServiceControlManager scm = ServiceControlManager.Connect(Advapi32.ServiceControlManagerAccessRights.CreateService))
{
scm.CreateService(_tempServiceConfig);
////When no exception has been throwed show up a message (no longer)
//MessageBox.Show(
// _resManager.GetString("the_service_installation_was_successful", CultureInfo.CurrentUICulture),
// _resManager.GetString("success", CultureInfo.CurrentUICulture), MessageBoxButton.OK, MessageBoxImage.Information);
}
}
else
{
using (ServiceControlManager scm = ServiceControlManager.Connect(Advapi32.ServiceControlManagerAccessRights.Connect))
{
using (ServiceHandle serviceHandle = scm.OpenService(_tempServiceConfig.ServiceName, Advapi32.ServiceAccessRights.AllAccess))
{
serviceHandle.ChangeConfig(_tempServiceConfig);
}
}
}
//Save settings in registry after no error is occured
RegistryManagement.SaveInRegistry(_tempServiceConfig);
DialogResult = true;
Close();
}
catch (Exception ex)
{
MessageBox.Show(
_resManager.GetString("the_service_installation_was_unsuccessful",
CultureInfo.CurrentUICulture) + "\n" + ex.Message, "Error", MessageBoxButton.OK,
MessageBoxImage.Error);
}
}
private static void CheckAndSetCommonArguments(ref DmServiceDefinition serviceDefinition, CommonEditInstallOptions opts)
{
serviceDefinition.Description = opts.Description ?? serviceDefinition.Description;
serviceDefinition.Arguments = opts.Arguments ?? serviceDefinition.Arguments;
serviceDefinition.LoadOrderGroup = opts.LoadOrderGroup ?? serviceDefinition.LoadOrderGroup;
serviceDefinition.CanInteractWithDesktop = opts.CanInteractWithDesktop ?? serviceDefinition.CanInteractWithDesktop;
serviceDefinition.ProcessMaxRestarts = opts.MaxRestarts ?? serviceDefinition.ProcessMaxRestarts;
serviceDefinition.ProcessTimeoutTime = opts.ProcessTimeoutTime ?? serviceDefinition.ProcessTimeoutTime;
serviceDefinition.ProcessRestartDelay = opts.ProcessRestartDelay ?? serviceDefinition.ProcessRestartDelay;
serviceDefinition.CounterResetTime = opts.CounterResetTime ?? serviceDefinition.CounterResetTime;
serviceDefinition.IsConsoleApplication = opts.ConsoleApplication ?? serviceDefinition.IsConsoleApplication;
serviceDefinition.UseCtrlC = opts.UseCtrlC ?? serviceDefinition.UseCtrlC;
serviceDefinition.Credentials = new ServiceCredentials(opts.Username, opts?.Password?.ConvertStringToSecureString());
if (opts.StartType != null)
{
switch (opts.StartType)
{
case 0:
serviceDefinition.StartType = Advapi32.ServiceStartType.Disabled;
serviceDefinition.DelayedStart = false;
break;
case 1:
serviceDefinition.StartType = Advapi32.ServiceStartType.StartOnDemand;
serviceDefinition.DelayedStart = false;
break;
case 2:
serviceDefinition.StartType = Advapi32.ServiceStartType.AutoStart;
serviceDefinition.DelayedStart = false;
break;
case 4:
serviceDefinition.StartType = Advapi32.ServiceStartType.AutoStart;
serviceDefinition.DelayedStart = true;
break;
default:
throw new ArgumentException("The StartType can only be between 0-4 (0 = Disabled / 1 = Demand start / 2 = Auto start / 4 = Delayed auto start).");
}
}
if (opts.ProcessPriority != null)
{
switch (opts.ProcessPriority)
{
case -2:
serviceDefinition.ProcessPriority = ProcessPriorityClass.Idle;
break;
case -1:
serviceDefinition.ProcessPriority = ProcessPriorityClass.BelowNormal;
break;
case 0:
serviceDefinition.ProcessPriority = ProcessPriorityClass.Normal;
break;
case 1:
serviceDefinition.ProcessPriority = ProcessPriorityClass.AboveNormal;
break;
case 2:
serviceDefinition.ProcessPriority = ProcessPriorityClass.High;
break;
case 3:
serviceDefinition.ProcessPriority = ProcessPriorityClass.RealTime;
break;
default:
throw new ArgumentException("The ProcessPriority can only be between -2<->3 (-2 = Idle / -1 = Below normal / 0 = Normal / 1 = Above normal / 2 = High / 3 = Real time (not recommended to use)).");
}
}
if (serviceDefinition.CanInteractWithDesktop && !DaemonMasterUtils.IsSupportedWindows10VersionForIwd)
{
throw new ArgumentException("CanInteractWithDesktop is not supported in this windows version.");
}
if (serviceDefinition.CanInteractWithDesktop && (!string.IsNullOrWhiteSpace(serviceDefinition.Credentials.Username) || serviceDefinition.Credentials.Password != null))
{
throw new ArgumentException("CanInteractWithDesktop is not supported with custom user.");
}
if ((string.IsNullOrWhiteSpace(serviceDefinition.Credentials.Username) && serviceDefinition.Credentials.Password != null) || (!string.IsNullOrWhiteSpace(serviceDefinition.Credentials.Username) && serviceDefinition.Credentials == null))
{
throw new ArgumentException("Password/username parameter is missing!");
}
//Custom user
//Create new ServiceCredentials instance
if (!string.IsNullOrWhiteSpace(serviceDefinition.Credentials.Username) && serviceDefinition.Credentials.Password != null && !ServiceCredentials.IsVirtualAccount(serviceDefinition.Credentials))
{
//Check if he has the right to start as service
using (LsaPolicyHandle lsaWrapper = LsaPolicyHandle.OpenPolicyHandle())
{
bool hasRightToStartAsService = lsaWrapper.EnumeratePrivileges(serviceDefinition.Credentials.Username).Any(x => x == "SeServiceLogonRight");
if (!hasRightToStartAsService)
{
Console.WriteLine("The user doesn't have the right to start as service. Do you want to give him that right? [Yes/No]");
switch (Console.ReadLine())
{
case "yes":
case "Yes":
case "y":
case "Y":
//Give the account the right to start as service
lsaWrapper.AddPrivilege(serviceDefinition.Credentials.Username, "SeServiceLogonRight");
break;
default:
throw new ArgumentException("Cannot create the service without that right.");
}
}
}
}
}
public ILsaPolicy Open(LsaAccessPolicy accessPolicy)
{
return(new LsaPolicy(LsaPolicyHandle.Open(accessPolicy)));
}
public LsaPolicy(LsaPolicyHandle handle)
{
_handle = handle;
}
