Launching applicaitons via PSEXEC natively

Discussion in 'other security issues & news' started by dlimanov, Jul 27, 2009.

Thread Status:
Not open for further replies.
  1. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Gentlemen,

    We are testing PSEXEC in our company to enforce running sensitive applications with reduced privileges. It works well, but for every application we have to configure a shortcut for it to be launched via PSEXEC, and rely on users running it that way and not just executing it directly.

    I am wondering (and please forgive me if this is dumb, I'm not a developer in any shape or form) if it's at all possible to embed PSEXEC into Windows native "launch" process for specific set of applications? I assume Windows is using something to launch an exe, a kernel or shell of some sort (userinit.exe? shell32.exe? again, excuse me if this sounds ridiculous), so I'm wondering if, let's say, to launch IE, shell32.exe is responsible for executing iexplore.exe and that logic is stored somewhere. If these launch parameters are configurable (Registry? HKEY_CLASSES_ROOT?), then I'd modify the execution path for this particular program from "shell32.exe %program files%\internet explorer\iexplore.exe"
    to
    "shell32.exe psexec.exe -l ...\iexplore.exe", and you get the idea -- every time IE is launched, it is done so via PSEXEC.

    Is something like this even remotely possible or should I lay off the pipe?
    Thanks in advance!
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    modify windows registry and you will have it working as you describe: where a program (notepad.exe) when launched is actually a command line parameter for psexec.exe (simplistic example).

    You may also change the default application for opening a certain file type. For example, opening document.txt will check associations, and find that %systemroot%\system32\notepad.exe is the parent program for .txt files, and the file you chose, document.txt will be opened with notepad.

    It should not be hard to pilfer through the registry to find a suitable key to modify. Really I think it depends on just what you are executing that you need shortcuts for.

    It should be possible in most any case.

    Provide more specifics, like what you are executing (is it a .lnk, .txt, .exe, ??) and what a shortcut looks like or the script file you are using (batch, cmd, vbs, etc). I will help you.

    Sul.
     
  3. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Sully,
    Thank you for your reply. The goal here is to be able to say that when user launches IE, it's is done so via PSEXEC and not directly. I don't want to modify file associations per se, but instead would like to know that when IE is launched (via shortcut, by opening HTML page, via Start->Run->iexplore.exe), system will run it via PSEXEC, and I think the only way to achieve it is via native API calls. When process is launched in Windows, "CreateProcess" API function is executed. In my case it looks like I'll need to alter Windows native calls within those APIs, something I have no expertise or desire to do, as the result may be quite unpredictable.

    Finding the "launching" pad in registry is the problem, I just can't find it, at least the proper key.. I checked HKEY_CLASSES_ROOT\Applications\Acrobat Reader\shell\open\command in my test, and replaced AcroRead32.exe to Notepad.exe there, hoping that when I launch Acrobat, Notepad would launch instead. No such luck, this is not as easy as modifying the Registry, it looks like.

    D
     
    Last edited: Jul 29, 2009
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You have an easy option for anything but the executable itself, in file associations. You should be able to easily change the default open command to psexec.exe "c:\program files\internet explorer\iexplore.exe" "%l"
    Something like that (if IE is default) put onto for example a .htm file, will go about it's normal measures of starting, but that start line should start psexec, passing parameters. I started psexec this way, to a .htm file. You can use command prompt, and then these
    assoc >> textfile.txt
    ftype >> textfile.txt
    these will give you an overview to look at. You can also
    assoc .extension (get result)
    ftype (result) (shows the command line and parameters)

    For the executable itself, if not started from a shortcut or associated file, you are correct, no amount of fiddling usually will work. But all is not lost. You could easily code up a resident application in AutoIt or other languages. It need only have one job, wait for some .exe to start, and then terminate said .exe and parse it back into psexec. You can even use some C language in there if you please to do API stuff. Not too hard. I just finished working with the SAFER code in AutoIt, works the same as if coded in C.

    I think you can do it, may have to bend the rules a little to find the answer. But then, that is what I find so fun about computers.

    Sul.
     
  5. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Thanks Sully! I will look into this and update my post as things progress.
     
Loading...
Thread Status:
Not open for further replies.