Solved

WMI - Executing external Programs

Posted on 2006-11-01
3
2,390 Views
Last Modified: 2012-05-05
hello, im using this function to execute external program, running as windows Administrator user
It runs successfuly using administrator user, I checked using Task Manager. But it runs hidden. The window is not shown

help!



        public string RunWMI(string domain, string userID, string pwd, string appString, string argString)
        {
            string rc = "";
            ConnectionOptions options = new ConnectionOptions();
            string serverName = System.Net.Dns.GetHostName();
            // because we are impersonating and running against the local machine
            // we do not validate
            //options.Username = domain + @"\" + userID;
            //options.Password = pwd;
            //Create a scope to work in
            ManagementScope WmiScope = new ManagementScope(@"\\" + serverName, options);
            WmiScope.Connect();
            ManagementClass processClass = new ManagementClass("Win32_Process");
            processClass.Scope = WmiScope;
            ManagementClass startup;
            startup = new ManagementClass("WIN32_ProcessStartup");
            startup.Scope = WmiScope;
            startup["ShowWindow"] = 3;
            startup["X"] = 10;
            startup["Y"] = 10;
            //Get an input parameters object for this method
            ManagementBaseObject inParams = processClass.GetMethodParameters("Create");
            //Fill in input parameter values
            inParams["CommandLine"] = appString + " " + argString; //' Or whatever application you want
            inParams["ProcessStartupInformation"] = startup;
            //Note: The return code of the method is provided in the "returnValue" property of the outParams object
            ManagementBaseObject outParams = processClass.InvokeMethod("Create",inParams, null);
            return rc;
        }
0
Comment
Question by:dynamicrevolutions
  • 2
3 Comments
 
LVL 8

Accepted Solution

by:
plq earned 500 total points
ID: 17856281
It will. You are launching under the SYSTEM account, which cannot interact with the desktop. It will always be a hidden process.

I don't see a way around that other than launching another EXE from your command line program.

WMI on your box >> Launches EXE1 on xyz Box which launches EXE2 on xyz box with different credentials and interact with desktop. Have a look at System.Diagnostics.Process.Start(sExe)

You could use the NT AT command to launch it instead, but thats very goofy compared to wmi

Or you could use the techniques used by sysinternals psexec to launch a process on another machine via services - again, very goofy and high impact

thanks
0
 
LVL 5

Author Comment

by:dynamicrevolutions
ID: 17856329
I tried launcing the service using SYSTEM account + Interact with desktop. its hidden
I also tried using Administrator account, and impersonating as Administrator to execute that process, even though that external process is runned under Administrator account, it is still hidden.

combination of WMI (Impersonation+Executing) + Psexec does the trick. thanks  a lot !
(I suspect WMI is not necessary, because of having psexec now)
0
 
LVL 8

Expert Comment

by:plq
ID: 17856353
OK. But be aware that psexec puts a service on the target machine which could be a vulnerability since it opens up another way to launch malware on a remote box
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Article by: Ivo
C# And Nullable Types Since 2.0 C# has Nullable(T) Generic Structure. The idea behind is to allow value type objects to have null values just like reference types have. This concerns scenarios where not all data sources have values (like a databa…
Introduction This article series is supposed to shed some light on the use of IDisposable and objects that inherit from it. In essence, a more apt title for this article would be: using (IDisposable) {}. I’m just not sure how many people would ge…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now