Solved

WMI - Executing external Programs

Posted on 2006-11-01
3
2,392 Views
Last Modified: 2012-05-05
hello, im using this function to execute external program, running as windows Administrator user
It runs successfuly using administrator user, I checked using Task Manager. But it runs hidden. The window is not shown

help!



        public string RunWMI(string domain, string userID, string pwd, string appString, string argString)
        {
            string rc = "";
            ConnectionOptions options = new ConnectionOptions();
            string serverName = System.Net.Dns.GetHostName();
            // because we are impersonating and running against the local machine
            // we do not validate
            //options.Username = domain + @"\" + userID;
            //options.Password = pwd;
            //Create a scope to work in
            ManagementScope WmiScope = new ManagementScope(@"\\" + serverName, options);
            WmiScope.Connect();
            ManagementClass processClass = new ManagementClass("Win32_Process");
            processClass.Scope = WmiScope;
            ManagementClass startup;
            startup = new ManagementClass("WIN32_ProcessStartup");
            startup.Scope = WmiScope;
            startup["ShowWindow"] = 3;
            startup["X"] = 10;
            startup["Y"] = 10;
            //Get an input parameters object for this method
            ManagementBaseObject inParams = processClass.GetMethodParameters("Create");
            //Fill in input parameter values
            inParams["CommandLine"] = appString + " " + argString; //' Or whatever application you want
            inParams["ProcessStartupInformation"] = startup;
            //Note: The return code of the method is provided in the "returnValue" property of the outParams object
            ManagementBaseObject outParams = processClass.InvokeMethod("Create",inParams, null);
            return rc;
        }
0
Comment
Question by:dynamicrevolutions
  • 2
3 Comments
 
LVL 8

Accepted Solution

by:
plq earned 500 total points
ID: 17856281
It will. You are launching under the SYSTEM account, which cannot interact with the desktop. It will always be a hidden process.

I don't see a way around that other than launching another EXE from your command line program.

WMI on your box >> Launches EXE1 on xyz Box which launches EXE2 on xyz box with different credentials and interact with desktop. Have a look at System.Diagnostics.Process.Start(sExe)

You could use the NT AT command to launch it instead, but thats very goofy compared to wmi

Or you could use the techniques used by sysinternals psexec to launch a process on another machine via services - again, very goofy and high impact

thanks
0
 
LVL 5

Author Comment

by:dynamicrevolutions
ID: 17856329
I tried launcing the service using SYSTEM account + Interact with desktop. its hidden
I also tried using Administrator account, and impersonating as Administrator to execute that process, even though that external process is runned under Administrator account, it is still hidden.

combination of WMI (Impersonation+Executing) + Psexec does the trick. thanks  a lot !
(I suspect WMI is not necessary, because of having psexec now)
0
 
LVL 8

Expert Comment

by:plq
ID: 17856353
OK. But be aware that psexec puts a service on the target machine which could be a vulnerability since it opens up another way to launch malware on a remote box
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction                                                 Was the var keyword really only brought out to shorten your syntax? Or have the VB language guys got their way in C#? What type of variable is it? All will be revealed.   Also called…
Exception Handling is in the core of any application that is able to dignify its name. In this article, I'll guide you through the process of writing a DRY (Don't Repeat Yourself) Exception Handling mechanism, using Aspect Oriented Programming.
A company’s greatest vulnerability is their email. CEO fraud, ransomware and spear phishing attacks are the no1 threat to a company’s security. Cybercrime is responsible for the largest loss of money to companies today with losses projected to r…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now