Why does PSEXEC -i -s work in Windows 7 as services can no longer interact with the desktop?

1

According to this MSDN article:

Important: Services cannot directly interact with a user as of Windows Vista. Therefore, the techniques mentioned in the section titled Using an Interactive Service should not be used in new code.

Why does psexec \\REMOTEPCNAME -i -s cmd still actually work properly and launch a command prompt in the NT AUTHORITY\SYSTEM context? Does SysInternals have Windows cheat codes?

slashp

Posted 2015-04-16T15:25:39.970

Reputation: 515

2 – Does SysInternals have Windows cheat codes? - Yes, it's Microsoft software. – Ramhound – 2015-04-16T15:35:48.913

Answers

1

The psexec service has sufficient privileges (SeTcbPrivilege) to obtain tokens for other sessions with WTSQueryUserToken (which it then gives to CreateProcessAsUser or something similar).

See also: http://www.remkoweijnen.nl/blog/2007/10/20/how-to-launch-a-process-in-a-terminal-session/

user1686

Posted 2015-04-16T15:25:39.970

Reputation: 283 655
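The call sequence user1686 describes, as an added example that is not part of the question, the answer, or PsExec itself. It wraps the three Win32 calls (WTSGetActiveConsoleSessionId, WTSQueryUserToken, CreateProcessAsUser) in a small C# class loaded with Add-Type; the class name SessionLauncher, the method LaunchOnConsole and the choice of the console session are my assumptions. It only succeeds when run in a context that holds SeTcbPrivilege (LocalSystem, i.e. from a service, which is what the PsExec service is); from an ordinary elevated prompt WTSQueryUserToken fails with error 1314, ERROR_PRIVILEGE_NOT_HELD, which is exactly the check that explains why "services cannot interact with the desktop" does not stop this.

```powershell
# Added example: launch a process on the interactive desktop of the console session
# using the session user's token. Assumed names: SessionLauncher, LaunchOnConsole.
$src = @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class SessionLauncher
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb;
        public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess, hThread;
        public int dwProcessId, dwThreadId;
    }

    [DllImport("kernel32.dll")]
    static extern uint WTSGetActiveConsoleSessionId();

    // Requires SeTcbPrivilege in the caller; returns the primary token of the
    // user logged on to that session.
    [DllImport("wtsapi32.dll", SetLastError = true)]
    static extern bool WTSQueryUserToken(uint sessionId, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessAsUser(IntPtr hToken, string lpApplicationName, string lpCommandLine,
        IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles,
        uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);

    const uint CREATE_NEW_CONSOLE = 0x00000010;

    // Returns the new process id, or throws a Win32Exception carrying GetLastError().
    public static int LaunchOnConsole(string commandLine)
    {
        uint session = WTSGetActiveConsoleSessionId();
        if (session == 0xFFFFFFFF)
            throw new InvalidOperationException("No console session is attached.");

        // The privileged step: without SeTcbPrivilege this fails with 1314.
        IntPtr token;
        if (!WTSQueryUserToken(session, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error(), "WTSQueryUserToken failed");

        try
        {
            var si = new STARTUPINFO();
            si.cb = Marshal.SizeOf(si);
            si.lpDesktop = @"winsta0\default";   // interactive desktop of the target session
            PROCESS_INFORMATION pi;
            if (!CreateProcessAsUser(token, null, commandLine, IntPtr.Zero, IntPtr.Zero, false,
                                     CREATE_NEW_CONSOLE, IntPtr.Zero, null, ref si, out pi))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "CreateProcessAsUser failed");
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
            return pi.dwProcessId;
        }
        finally
        {
            CloseHandle(token);
        }
    }
}
'@

Add-Type -TypeDefinition $src

try {
    $newPid = [SessionLauncher]::LaunchOnConsole('cmd.exe')
    "Started process $newPid in the console session."
} catch {
    # From a plain elevated prompt (no SeTcbPrivilege) this reports the 1314 failure.
    "Failed: $($_.Exception.GetBaseException().Message)"
}
```

Two notes on what this shows. First, the token WTSQueryUserToken returns belongs to the logged-on user, so the spawned process runs as that user, not as SYSTEM; a SYSTEM-context process on the same desktop (the -s case) is obtained by duplicating the service's own SYSTEM token and changing its session with SetTokenInformation(TokenSessionId), which again needs SeTcbPrivilege. Second, you can confirm whether a given context even holds the privilege with `whoami /priv` and look for SeTcbPrivilege; an elevated administrator shell normally does not have it, which is why the same code behaves differently inside a service than it does typed at a prompt.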