On Windows 8.1 I have a service that starts PowerShell scripts. The service runs as “nt authority\system” in Session 0 Isolation. Any process that I spawn from PowerShell runs as “nt authority\system” in Session 0 Isolation.
I need to run a script under a user account, outside session 0, and not under the system account. I have tried this:
Start-Process "$PsHome\PowerShell.exe" -Credential $pp -ArgumentList $script -wait
and PsExec, specifying which session I want with the "-i 1" argument:
& PsExec.exe -i 1 -accepteula -u "domain\user" -p "awesomePassword" -w "startdir" -h "Install.bat"
I have tried setting "Allow service to interact with desktop".
I keep getting "Access is denied" errors when I try to start the process, either from PowerShell or from the C# service.
Here is an example exception when I try to escape using C# in the service:
System.ComponentModel.Win32Exception (0x80004005): Access is denied
at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
How do I escape from session 0?
I can rewrite the C# code to start a process under a different user, or I can rewrite the called PowerShell script to start another process as a user. No matter what I try, I can't seem to break out of session 0.
Using the example I found at CodeProject, I got a partial solution. The example in the link above will launch a process as the user who is running the "winlogon" process. In order to launch a process as the user who is logged in, I just changed the process to look for "explorer" instead.
Here is a snippet of the original code
I just changed the process to look for explorer.
Now the process launches as domain/me in Session 3, as a user, not admin.
There are bound to be issues with this approach, such as with Remote Desktop, but for what I want this will ultimately do.
Here is the final code for completeness in case the original link evaporates.
Here is how to launch it
Here is the code
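The technique this answer describes, written out as an added example. It is not the answer's own code and not the CodeProject original; the class name `SessionLauncher`, the method name `LaunchInUserSession` and the script path in the usage note are assumptions made for the example. It does what the answer says: find the logged-on user's explorer.exe, open and duplicate its primary token, and call CreateProcessAsUser with that token so the child lands in the user's session on the interactive desktop. It goes a little beyond the text by selecting explorer.exe by session (the active console session) rather than by name alone, which is the Remote Desktop case the answer flags.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;

// Added example, not the original post's code. Run from a service that is
// already NT AUTHORITY\SYSTEM: it needs SeAssignPrimaryTokenPrivilege and
// SeIncreaseQuotaPrivilege, which SYSTEM holds, for CreateProcessAsUser.
public static class SessionLauncher
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint TOKEN_QUERY = 0x0008;
    const uint TOKEN_DUPLICATE = 0x0002;
    const uint MAXIMUM_ALLOWED = 0x02000000;
    const uint CREATE_NEW_CONSOLE = 0x00000010;
    const uint CREATE_UNICODE_ENVIRONMENT = 0x00000400;

    enum SECURITY_IMPERSONATION_LEVEL { SecurityAnonymous, SecurityIdentification, SecurityImpersonation, SecurityDelegation }
    enum TOKEN_TYPE { TokenPrimary = 1, TokenImpersonation = 2 }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb;
        public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [DllImport("kernel32.dll")] static extern uint WTSGetActiveConsoleSessionId();
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateTokenEx(IntPtr hToken, uint access, IntPtr attrs,
        SECURITY_IMPERSONATION_LEVEL level, TOKEN_TYPE type, out IntPtr hNewToken);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessAsUser(IntPtr hToken, string app, StringBuilder cmdLine,
        IntPtr procAttrs, IntPtr threadAttrs, bool inherit, uint flags, IntPtr env,
        string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("userenv.dll", SetLastError = true)] static extern bool CreateEnvironmentBlock(out IntPtr env, IntPtr hToken, bool inherit);
    [DllImport("userenv.dll", SetLastError = true)] static extern bool DestroyEnvironmentBlock(IntPtr env);

    // Starts commandLine in the session of the user logged on at the physical console.
    // Returns the new process id; throws Win32Exception with the real NTSTATUS text on failure.
    public static int LaunchInUserSession(string commandLine, string workingDirectory)
    {
        // On an RDP host there is one explorer.exe per logged-on session; pick the
        // console session explicitly instead of taking the first "explorer" by name.
        uint console = WTSGetActiveConsoleSessionId();
        Process explorer = null;
        foreach (Process p in Process.GetProcessesByName("explorer"))
            if ((uint)p.SessionId == console) { explorer = p; break; }
        if (explorer == null)
            throw new InvalidOperationException("No explorer.exe in the console session: nobody is logged on.");

        IntPtr hProc = OpenProcess(PROCESS_QUERY_INFORMATION, false, explorer.Id);
        if (hProc == IntPtr.Zero) throw new Win32Exception();
        IntPtr hToken = IntPtr.Zero, hPrimary = IntPtr.Zero, env = IntPtr.Zero;
        try
        {
            // Explorer's token is the user's logon token, already scoped to the user's
            // session and (under UAC) the filtered, non-admin token, which is why the
            // child shows up "as a user, not admin".
            if (!OpenProcessToken(hProc, TOKEN_QUERY | TOKEN_DUPLICATE, out hToken)) throw new Win32Exception();
            if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, IntPtr.Zero,
                    SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, TOKEN_TYPE.TokenPrimary, out hPrimary))
                throw new Win32Exception();
            // Without an environment block built from the user's token the child would
            // inherit the service's SYSTEM environment (USERPROFILE, TEMP, PATH ...).
            if (!CreateEnvironmentBlock(out env, hPrimary, false)) throw new Win32Exception();

            var si = new STARTUPINFO { cb = Marshal.SizeOf(typeof(STARTUPINFO)), lpDesktop = @"winsta0\default" };
            PROCESS_INFORMATION pi;
            var cmd = new StringBuilder(commandLine); // CreateProcess may write into this buffer
            if (!CreateProcessAsUser(hPrimary, null, cmd, IntPtr.Zero, IntPtr.Zero, false,
                    CREATE_UNICODE_ENVIRONMENT | CREATE_NEW_CONSOLE, env, workingDirectory, ref si, out pi))
                throw new Win32Exception();
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
            return pi.dwProcessId;
        }
        finally
        {
            if (env != IntPtr.Zero) DestroyEnvironmentBlock(env);
            if (hPrimary != IntPtr.Zero) CloseHandle(hPrimary);
            if (hToken != IntPtr.Zero) CloseHandle(hToken);
            CloseHandle(hProc);
        }
    }
}
```

Called from the service as, for instance, `SessionLauncher.LaunchInUserSession(@"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\Install.ps1", @"C:\scripts")` (hypothetical path), the script runs in the user's session with nothing more than that user's rights, so anything in it that needs administrator or SYSTEM access will still fail there and has to stay in the service. Picking the session and token explicitly is also why this works where "Allow service to interact with desktop" does not: since Windows Vista services live in session 0, where no user desktop exists for that flag to attach to.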