
#1 joakim

Silver Member

  • Team Reboot
  • 912 posts
  • Location: Bergen

Posted 14 November 2012 - 11:18 PM


File Name: RunInSessionX
File Submitter: joakim
File Submitted: 15 Nov 2012
File Category: Tools

This is an example of how to run a program in any session from any session on nt6.x (Vista - Windows 8).

Normally it is a matter of duplicating a token of, for instance, winlogon.exe in order to start a process in your current session as LocalSystem. However, you will not be able to start a process into a different session even if you are LocalSystem when outside of session 0. The old workaround has been to temporarily install and start a Windows service and launch the application from there. Then you will get permission to launch across sessions. For instance, PsExec uses this trick.

Now, instead of using that workaround, my tool named RunInSession.exe will start a remote thread. It will inject binary code into the virtual address space of a given process running in session 0 and execute it there, thus inheriting whatever the host process had permission to. Technically this method is the same as DLL injection.

It is very similar to a previous application I made named Session0Cmd. It's just expanded upon.

Because you start a process inside session 0, you can't easily interact with it directly from your own session after the process has started. For that reason another application has been included, called RunInAnySession.exe. It takes some parameters in order to tweak how and what is executed from RunInSession.

Syntax is:

RunInAnySession HiddenFlag SessionId account command

  • HiddenFlag can be 0 or 1.
  • SessionId is the session ID to start the process in. A value of 0 does not indicate session 0, but means all sessions (i.e. also all currently logged-in terminal sessions + console logins).
  • Account can be "user" or "system".
  • Command is the program + parameters to launch.

Example to start calc in all sessions as the currently logged in user in that session:

RunInSession "%CD%\RunInAnySession 0 0 user calc"

Example to start cmd as LocalSystem inside session 2:

RunInSession "%CD%\RunInAnySession 0 2 system cmd"

Notice that RunInSession.exe is the loader for RunInAnySession.exe.

Also notice that it is possible to execute an application in any session (as the name should suggest) all at once. That means into any console and/or RDP session, either individually or collectively in one go. And you can choose the user account under which to run the program in a given session (either LocalSystem or the current user in the target session).

It has been tested on Windows 7 x64. It should work on any 32-bit/64-bit version of nt6.x (Vista and later).
