dynamicrevolutions
asked on
WMI - Executing external Programs
Hello, I'm using this function to execute an external program, running as the Windows Administrator user.
It runs successfully using the administrator user; I checked using Task Manager. But it runs hidden. The window is not shown.
Help!
// Requires a reference to System.Management and: using System.Management;
public string RunWMI(string domain, string userID, string pwd, string appString, string argString)
{
    string rc = "";
    ConnectionOptions options = new ConnectionOptions();
    string serverName = System.Net.Dns.GetHostName();
    // because we are impersonating and running against the local machine
    // we do not validate
    //options.Username = domain + @"\" + userID;
    //options.Password = pwd;
    //Create a scope to work in
    ManagementScope WmiScope = new ManagementScope(@"\\" + serverName, options);
    WmiScope.Connect();
    ManagementClass processClass = new ManagementClass("Win32_Process");
    processClass.Scope = WmiScope;
    ManagementClass startup;
    startup = new ManagementClass("WIN32_ProcessStartup");
    startup.Scope = WmiScope;
    startup["ShowWindow"] = 3;
    startup["X"] = 10;
    startup["Y"] = 10;
    //Get an input parameters object for this method
    ManagementBaseObject inParams = processClass.GetMethodParameters("Create");
    //Fill in input parameter values
    inParams["CommandLine"] = appString + " " + argString; // Or whatever application you want
    inParams["ProcessStartupInformation"] = startup;
    //Note: The return code of the method is provided in the "returnValue" property of the outParams object
    ManagementBaseObject outParams = processClass.InvokeMethod("Create", inParams, null);
    // Hand the WMI return code back to the caller instead of an empty string
    rc = outParams["returnValue"].ToString();
    return rc;
}
OK. But be aware that psexec puts a service on the target machine, which could be a vulnerability since it opens up another way to launch malware on a remote box.
ASKER
I also tried using the Administrator account and impersonating Administrator to execute that process. Even though that external process is run under the Administrator account, it is still hidden.
The combination of WMI (Impersonation+Executing) + Psexec does the trick. Thanks a lot!
(I suspect WMI is not necessary, because of having psexec now)
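For anyone who has to monitor hosts where this WMI + PsExec approach is in use, the sketch below is an added example, not part of the original thread: it triages event records for the service PsExec installs (the point raised in the comment above) and for processes started through Win32_Process.Create. The sample records are constructed and simplified from System log event 7045 and Sysmon event 1, and the "binary in the Windows root" rule is an assumed heuristic for renamed PsExec services.

```python
import ntpath

# Constructed sample records (not from the thread), reduced to the fields used.
# 7045 = service installed (System log); 1 = Sysmon process creation.
EVENTS = [
    {"EventID": 7045, "Computer": "HOST-A", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "HOST-A", "ServiceName": "Print Helper",
     "ImagePath": r"C:\Program Files\Vendor\helper.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "HOST-B", "ServiceName": "updsvc",
     "ImagePath": r"%SystemRoot%\updsvc.exe", "AccountName": "LocalSystem"},
    {"EventID": 1, "Computer": "HOST-A", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "Computer": "HOST-A", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]
WINDOWS_ROOTS = ("%systemroot%", r"c:\windows")

def classify(event):
    """Return a finding label for one event, or None if it is not of interest."""
    if event["EventID"] == 7045:
        path = event["ImagePath"].strip('"').lower()
        folder, exe = ntpath.split(path)
        if event["ServiceName"].lower() == "psexesvc" or exe == "psexesvc.exe":
            return "psexec-default-service"
        # PsExec -r renames the service, but the binary is still copied via
        # ADMIN$ into the Windows directory itself (assumed heuristic).
        if folder in WINDOWS_ROOTS:
            return "service-binary-in-windows-root"
    elif event["EventID"] == 1:
        # Children of Win32_Process.Create run under the WMI provider host.
        if ntpath.basename(event["ParentImage"]).lower() == "wmiprvse.exe":
            return "wmi-spawned-process"
    return None

def triage(events):
    """Return (computer, label, detail) for every flagged event, in order."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            detail = ev.get("ImagePath") or ev.get("CommandLine")
            findings.append((ev["Computer"], label, detail))
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```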