While playing with starting processes in the winlogon secure desktop and unlocking a machine without a password (remoteunlock.exe), I experimented with using ZwCreateToken through ztokenman.exe to start a process as a user without knowing their password.
Combined with psexec, this allows you to run something as a user that’s interactively logged on, while their workstation is locked and without knowing their password.
Start a process on the winlogon desktop, used when the machine is locked:
- psexec /s \\%computer% cmd /c c:\windows\temp\psexec /accepteula /x /d /s cmd
From this command prompt, run ztokenman.exe and:
- In the Process drop-down, select a process owned by the user (eg explorer.exe)
- Click DumpProcessToken
- In the 'Create a Process With the Current Token' text-box, type cmd.exe
- Click 'CreateProcessAsUser with Current Token'
The cmd.exe that opens should be running in the context of the workstation's interactive user. For example, if you run net use, you should see that user's connections.
This uses an undocumented API, ZwCreateToken, after calling OpenProcessToken to duplicate a token from an existing process.
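From the defender's side, the tell-tale artefact of the sequence above is a process running under an interactive user's account whose parent runs as SYSTEM and is not one of the Windows components that legitimately launch user processes (winlogon, services, userinit, and so on). The following is an added example, not code from the original post or from ztokenman: it parses a constructed, simplified process-creation record format (pid, image, user, parent pid; not a real Windows event log layout) and flags such parent/child account mismatches. The launcher allowlist is an illustrative assumption and would need tuning for a real environment.

```python
"""Heuristic detection of SYSTEM-to-user token-swap process launches.

Added example for the post above. The log format and the sample records
are constructed for illustration; the allowlist of legitimate launchers is
an assumption and is not exhaustive.
"""
from dataclasses import dataclass

SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM"}

# Parents that routinely create processes under another user's token.
# Assumption: illustrative allowlist, tune for your environment.
LEGIT_LAUNCHERS = {"winlogon.exe", "services.exe", "svchost.exe", "userinit.exe"}

# Constructed sample records: pid|image|user|parent_pid (not a real log format).
SAMPLE_LOG = """\
# pid|image|user|parent_pid  (constructed sample)
4|System|NT AUTHORITY\\SYSTEM|0
600|winlogon.exe|NT AUTHORITY\\SYSTEM|4
700|services.exe|NT AUTHORITY\\SYSTEM|600
1200|explorer.exe|CORP\\alice|600
2400|PSEXESVC.exe|NT AUTHORITY\\SYSTEM|700
2500|cmd.exe|NT AUTHORITY\\SYSTEM|2400
2600|ztokenman.exe|NT AUTHORITY\\SYSTEM|2500
2700|cmd.exe|CORP\\alice|2600
"""


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    user: str
    parent_pid: int


def parse_events(lines):
    """Parse pid|image|user|parent_pid records, skipping blanks and comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, image, user, ppid = line.split("|")
        events.append(ProcEvent(int(pid), image, user, int(ppid)))
    return events


def find_token_swaps(events):
    """Return (parent, child) pairs where a SYSTEM parent that is not a known
    launcher created a child running under a non-SYSTEM account."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.parent_pid)
        if parent is None:
            continue  # parent not in the window we have; cannot judge
        if (parent.user in SYSTEM_ACCOUNTS
                and child.user not in SYSTEM_ACCOUNTS
                and parent.image.lower() not in LEGIT_LAUNCHERS):
            hits.append((parent, child))
    return hits


def detect(log_text):
    """Convenience wrapper: flattened (parent image, parent user, child image,
    child user) tuples for each suspicious launch in log_text."""
    events = parse_events(log_text.splitlines())
    return [(p.image, p.user, c.image, c.user) for p, c in find_token_swaps(events)]


if __name__ == "__main__":
    for parent_image, parent_user, child_image, child_user in detect(SAMPLE_LOG):
        print(f"suspicious: {parent_image} ({parent_user}) -> "
              f"{child_image} ({child_user})")
```

In the sample, explorer.exe under CORP\alice is not flagged because its parent is winlogon.exe, while cmd.exe under CORP\alice spawned by a SYSTEM ztokenman.exe is. A real deployment would key the same check off process-creation auditing or an EDR's parent/child telemetry rather than a flat text file.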
Is this actually useful for anything? Probably not, but it’s interesting nonetheless. Note that remoteunlock.exe will actually provide access to the desktop for the interactive winlogon session, even if the machine is locked.
RunAsEx and ztokenman:
Unlocking XP/2003 without passwords