Solved

WMI - Executing external Programs

Posted on 2006-11-01
3
2,394 Views
Last Modified: 2012-05-05
hello, im using this function to execute external program, running as windows Administrator user
It runs successfuly using administrator user, I checked using Task Manager. But it runs hidden. The window is not shown

help!



        public string RunWMI(string domain, string userID, string pwd, string appString, string argString)
        {
            string rc = "";
            ConnectionOptions options = new ConnectionOptions();
            string serverName = System.Net.Dns.GetHostName();
            // because we are impersonating and running against the local machine
            // we do not validate
            //options.Username = domain + @"\" + userID;
            //options.Password = pwd;
            //Create a scope to work in
            ManagementScope WmiScope = new ManagementScope(@"\\" + serverName, options);
            WmiScope.Connect();
            ManagementClass processClass = new ManagementClass("Win32_Process");
            processClass.Scope = WmiScope;
            ManagementClass startup;
            startup = new ManagementClass("WIN32_ProcessStartup");
            startup.Scope = WmiScope;
            startup["ShowWindow"] = 3;
            startup["X"] = 10;
            startup["Y"] = 10;
            //Get an input parameters object for this method
            ManagementBaseObject inParams = processClass.GetMethodParameters("Create");
            //Fill in input parameter values
            inParams["CommandLine"] = appString + " " + argString; //' Or whatever application you want
            inParams["ProcessStartupInformation"] = startup;
            //Note: The return code of the method is provided in the "returnValue" property of the outParams object
            ManagementBaseObject outParams = processClass.InvokeMethod("Create",inParams, null);
            return rc;
        }
0
Comment
Question by:dynamicrevolutions
  • 2
3 Comments
 
LVL 8

Accepted Solution

by:
plq earned 500 total points
ID: 17856281
It will. You are launching under the SYSTEM account, which cannot interact with the desktop. It will always be a hidden process.

I don't see a way around that other than launching another EXE from your command line program.

WMI on your box >> Launches EXE1 on xyz Box which launches EXE2 on xyz box with different credentials and interact with desktop. Have a look at System.Diagnostics.Process.Start(sExe)

You could use the NT AT command to launch it instead, but thats very goofy compared to wmi

Or you could use the techniques used by sysinternals psexec to launch a process on another machine via services - again, very goofy and high impact

thanks
0
 
LVL 5

Author Comment

by:dynamicrevolutions
ID: 17856329
I tried launcing the service using SYSTEM account + Interact with desktop. its hidden
I also tried using Administrator account, and impersonating as Administrator to execute that process, even though that external process is runned under Administrator account, it is still hidden.

combination of WMI (Impersonation+Executing) + Psexec does the trick. thanks  a lot !
(I suspect WMI is not necessary, because of having psexec now)
0
 
LVL 8

Expert Comment

by:plq
ID: 17856353
OK. But be aware that psexec puts a service on the target machine which could be a vulnerability since it opens up another way to launch malware on a remote box
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In order to hide the "ugly" records selectors (triangles) in the rowheaders, here are some suggestions. Microsoft doesn't have a direct method/property to do it. You can only hide the rowheader column. First solution, the easy way The first sol…
The article shows the basic steps of integrating an HTML theme template into an ASP.NET MVC project
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question