Yeah, it's possible. Here's an example I did a few years ago. My main
goal here was impersonating the user who made the call, but the rest of
the stuff should work about the same. It's a little different from the
way to do it in standalone apps. There's probably a better way to do it
if you don't have to worry about impersonating, either.
Imports System.Diagnostics
Imports Microsoft.Win32
Imports System.ComponentModel
Imports System.Security.Principal
Imports System.Runtime.InteropServices
Imports System.Security.Permissions
Public Module ImpersonateUser
Structure SECURITY_ATTRIBUTES
Dim nLength As Int32
Dim lpSecurityDescriptor As Int32
Dim bInheritHandle As Int32
End Structure
Enum SECURITY_IMPERSONATION_LEVEL
SecurityAnonymous = 0
SecurityIdentification = 1
SecurityImpersonation = 2
SecurityDelegation = 3
End Enum
Enum TOKEN_TYPE
TokenPrimary = 1
TokenImpersonation
End Enum
Structure PROCESS_INFORMATION
Dim hProcess As Int32
Dim hThread As Int32
Dim dwProcessId As Int32
Dim dwThreadId As Int32
End Structure
Structure STARTUPINFO
Dim cb As Int32
Dim lpReserved As Int32
Dim lpDesktop As Int32
Dim lpTitle As Int32
Dim dwX As Int32
Dim dwY As Int32
Dim dwXSize As Int32
Dim dwYSize As Int32
Dim dwXCountChars As Int32
Dim dwYCountChars As Int32
Dim dwFillAttribute As Int32
Dim dwFlags As Int32
Dim wShowWindow As Int16
Dim cbReserved2 As Int16
Dim lpReserved2 As Int32
Dim hStdInput As Int32
Dim hStdOutput As Int32
Dim hStdError As Int32
End Structure
Const INFINITE As Int32 = &HFFFFFFFF
Const WAIT_FAILED As Int32 = &HFFFFFFFF
Const WAIT_TIMEOUT As Int32 = 258I
Const STARTF_USESHOWWINDOW As Int32 = &H1
Const SW_HIDE As Int32 = 0
Const SW_SHOWNORMAL As Int32 = 1
Const SLEEP_DELAY As Int32 = 100&
Const STATUS_PENDING As Int32 = &H103&
Const STILL_ACTIVE As Int32 = STATUS_PENDING
Const CREATE_DEFAULT_ERROR_MODE As Int32 = &H4000000
Const CREATE_NEW_CONSOLE As Int32 = &H10
Const CREATE_NEW_PROCESS_GROUP As Int32 = &H200
Const STARTF_USESTDHANDLES As Int32 = &H100
Const MAXIMUM_ALLOWED As Int32 = &H2000000
Const CREATE_NO_WINDOW As Int32 = &H8000000
Const ANYSIZE_ARRAY As Int32 = 1
Const ERROR_SUCCESS As Int32 = 0I
' Misc input flags
Const TOKEN_QUERY As Int32 = &H8
Const TOKEN_ADJUST_PRIVILEGES As Int32 = &H20
Const STANDARD_RIGHTS_REQUIRED As Int32 = &HF0000
Const TOKEN_ASSIGN_PRIMARY As Int32 = &H1
Const TOKEN_DUPLICATE As Int32 = &H2
Const TOKEN_IMPERSONATE As Int32 = &H4
Const TOKEN_QUERY_SOURCE As Int32 = &H10
Const TOKEN_ADJUST_GROUPS As Int32 = &H40
Const TOKEN_ADJUST_SESSIONID As Int32 = &H100
Const TOKEN_ADJUST_DEFAULT As Int32 = &H80
Const TOKEN_ALL_ACCESS As Int32 = (STANDARD_RIGHTS_REQUIRED Or
TOKEN_ASSIGN_PRIMARY Or TOKEN_DUPLICATE Or TOKEN_IMPERSONATE Or
TOKEN_QUERY Or TOKEN_QUERY_SOURCE Or TOKEN_ADJUST_PRIVILEGES Or
TOKEN_ADJUST_GROUPS Or TOKEN_ADJUST_SESSIONID Or TOKEN_ADJUST_DEFAULT)
Declare Auto Function DuplicateTokenEx Lib "advapi32.dll" ( _
ByVal hExistingToken As IntPtr, _
ByVal dwDesiredAccess As Int32, _
ByRef lpTokenAttributes As SECURITY_ATTRIBUTES, _
ByVal ImpersonationLevel As SECURITY_IMPERSONATION_LEVEL, _
ByVal TokenType As TOKEN_TYPE, _
ByRef phNewToken As IntPtr) _
As Int32
Declare Auto Function CreateProcessAsUserW Lib "advapi32.dll" ( _
ByVal hToken As IntPtr, _
ByVal lpApplicationName As String, _
ByVal lpCommandLine As String, _
ByRef lpProcessAttributes As SECURITY_ATTRIBUTES, _
ByRef lpThreadAttributes As SECURITY_ATTRIBUTES, _
ByVal bInheritHandles As Int32, _
ByVal dwCreationFlags As Int32, _
ByVal lpEnvironment As Int32, _
ByVal lpCurrentDirectory As String, _
ByRef lpStartupInfo As STARTUPINFO, _
ByRef lpProcessInformation As PROCESS_INFORMATION) _
As Int32
Declare Auto Function CloseHandle Lib "kernel32.dll" ( _
ByVal hObject As Int32) _
As Int32
Declare Auto Function WaitForInputIdle Lib "user32.dll" ( _
ByVal hProcess As Int32, _
ByVal dwMilliseconds As Int32) _
As Int32
Declare Auto Function CreatePipe Lib "kernel32.dll" ( _
ByRef phReadPipe As Int32, _
ByRef phWritePipe As Int32, _
ByRef lpPipeAttributes As SECURITY_ATTRIBUTES, _
ByVal nSize As Int32) _
As Int32
Declare Auto Function ReadFile Lib "kernel32.dll" ( _
ByVal hFile As Int32, _
ByRef lpBuffer As Byte, _
ByVal nNumberOfBytesToRead As Int32, _
ByRef lpNumberOfBytesRead As Int32, _
ByVal lpOverlapped As Int32) _
As Int32
Declare Auto Function PeekNamedPipe Lib "kernel32.dll" ( _
ByVal hNamedPipe As Int32, _
ByRef lpBuffer As String, _
ByVal nBufferSize As Int32, _
ByRef lpBytesRead As Int32, _
ByRef lpTotalBytesAvail As Int32, _
ByRef lpBytesLeftThisMessage As Int32) _
As Int32
Declare Auto Function GetExitCodeProcess Lib "kernel32" ( _
ByVal hProcess As Int32, _
ByRef lpExitCode As Int32) _
As Int32
Declare Auto Function Sleep Lib "kernel32" ( _
ByVal dwMilliseconds As Int32) _
As Int32
Function OnClick() As String
Dim Token As New IntPtr(0)
Dim TokenDuplicate As New IntPtr(0)
Dim TokenAttributes As SECURITY_ATTRIBUTES
Dim Result As Int32
Dim i, x, y As Integer
Dim arrStr() As String
Dim arrStrSub() As String
Dim strOut As String
'####################################EXTERNAL PROCESSING DONE
IN HERE################################
'Create new Impersonation Token For External Processes
Token = WindowsIdentity.GetCurrent.Token()
'Result = DuplicateTokenEx(Token, MAXIMUM_ALLOWED,
TokenAttributes, SECURITY_IMPERSONATION_LEVEL.SecurityDelegation,
TOKEN_TYPE.TokenPrimary, TokenDuplicate)
Result = DuplicateTokenEx(Token, MAXIMUM_ALLOWED,
TokenAttributes, SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
TOKEN_TYPE.TokenPrimary, TokenDuplicate)
If Result <> 0 Then
'Test 1.1.1 Get
Hotfixes********************************************************
'AddRow("Test 1.1.1 Windows Hotfixes", , True)
' strOut = ShellExe( _
' "dheath", _
' TokenDuplicate, _
' "C:\sayMyName.exe " &
"\\cimarron\techview") ' _'/hf -h " & "" & " -s 2 -z" _
strOut = ShellExe("dheath", TokenDuplicate,
"C:\remoteTest.exe")
Else
'AddRow("Error Creating Duplicate Impersonation Token: " &
Err.LastDllError.ToString)
End If
CloseHandle(Token.ToInt64)
CloseHandle(TokenDuplicate.ToInt64)
Return strOut
'####################################END EXTERNAL
PROCESSING#########################################
End Function
Function ShellExe(ByVal sname As String, ByRef TokenDuplicate As
IntPtr, ByVal strCommandLine As String) As String
Dim hReadPipe, hWritePipe As Int32
Dim Result, ret, bSuccess As Int32
Dim si As STARTUPINFO
Dim pi As PROCESS_INFORMATION
Dim strCurrentDirectory As String
Dim strAppName As String
Dim sa As SECURITY_ATTRIBUTES
Dim bytesread As Int32
Dim bytestoget As Int32
Dim bytesavail As Int32
Dim bytesleft As Int32
Dim strOutT As String
Dim mybuff() As Byte
Dim intReturnValue As Int32
Dim intExitCode As Int32
Dim i As Int32
sa.nLength = Len(sa)
sa.bInheritHandle = True
sa.lpSecurityDescriptor = 0
ret = CreatePipe(hReadPipe, hWritePipe, sa, 0)
If ret = 0 Then
ShellExe = "CreatePipeOut failed. Error: " &
Err.LastDllError
Exit Function
End If
strCurrentDirectory = "C:\" 'inetpub\wwwroot\asat\utilities"
si.cb = Len(si)
si.dwFlags = STARTF_USESTDHANDLES Or STARTF_USESHOWWINDOW
si.hStdOutput = hWritePipe
si.wShowWindow = SW_HIDE
Result = CreateProcessAsUserW( _
TokenDuplicate, _
vbNullString, _
strCommandLine, _
sa, _
sa, _
1, _
CREATE_NEW_CONSOLE, _
0, _
strCurrentDirectory, _
si, _
pi)
If Result <> 0 Then
Do
intReturnValue = GetExitCodeProcess(pi.hProcess,
intExitCode)
Sleep(SLEEP_DELAY)
Loop While (intExitCode = STILL_ACTIVE) And Not
(intReturnValue = 0)
Else
ShellExe = "Create Process Failed With Error " &
Err.LastDllError.ToString
End If
PeekNamedPipe(hReadPipe, 0, 0, 0, bytesavail, 0)
ReDim mybuff(bytesavail)
bytestoget = CInt(bytesavail)
bSuccess = ReadFile(hReadPipe, mybuff(0), bytestoget,
bytesread, 0)
If bSuccess = 1 Then
For i = 0 To bytesavail
strOutT = strOutT & Chr(CType(mybuff(i), Integer))
'strOutC = strOutC & CType(mybuff(i), Integer) & ","
ShellExe = strOutT
Next
Else
ShellExe = "ReadFile failed. Error: " & Err.LastDllError
End If
CloseHandle(pi.hProcess)
CloseHandle(pi.hThread)
CloseHandle(hReadPipe)
CloseHandle(hWritePipe)
End Function
End Module
