I am creating an application where I use EasyHook to hook into the explorer.exe process and listen for the CreateProcessW call from kernel32.dll. The program intercepts CreateProcessW only if the user runs the file by double-clicking on it (without administrator privileges), whereas when I try to run the application as administrator, the process is created but my program does not intercept CreateProcessW. I tried hooking CreateProcessAsUser and CreateProcessWithLogonW, but that didn't help. I even tried hooking ShellExecuteEx, but that didn't help either. My question is why my program does not capture this call. Does running the file as administrator call a different method than CreateProcessW?
My program runs with the "highestAvailable" execution level set in its app.manifest.
What I have tried:
// Install hooks. Keep the LocalHook objects referenced (fields rather than locals
// that go out of scope): a LocalHook that is garbage collected removes its hook.
// CreateProcess https://msdn.microsoft.com/en-us/library/windows/desktop/aa365747(v=vs.85).aspx
var createProcessHook = EasyHook.LocalHook.Create(
    EasyHook.LocalHook.GetProcAddress("kernel32.dll", "CreateProcessW"),
    new DCreateProcess(CreateProcess_HookedAsync),
    this);
// CreateProcessAsUserW (the A page documents both variants) https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessasusera
// explorer.exe is a Unicode application and calls the W exports, so hook
// CreateProcessAsUserW (declare the delegate with CharSet.Unicode); a hook on
// the A export never fires.
var createProcessAsUserHook = EasyHook.LocalHook.Create(
    EasyHook.LocalHook.GetProcAddress("advapi32.dll", "CreateProcessAsUserW"),
    new DCreateProcessAsUser(CreateProcessAsUser_Hooked),
    this);
// CreateProcessWithLogonW https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithlogonw
var createProcessWithLogonW = EasyHook.LocalHook.Create(
    EasyHook.LocalHook.GetProcAddress("advapi32.dll", "CreateProcessWithLogonW"),
    new DCreateProcessWithLogonW(CreateProcessWithLogonW_Hooked),
    this);
// ShellExecuteEx https://msdn.microsoft.com/en-us/library/windows/desktop/aa365747(v=vs.85).aspx
// shell32.dll exports the unsuffixed "ShellExecuteEx" as the ANSI entry point;
// the shell calls ShellExecuteExW, so that is the export to hook.
var createShellProcessHook = EasyHook.LocalHook.Create(
    EasyHook.LocalHook.GetProcAddress("shell32.dll", "ShellExecuteExW"),
    new DShellExecuteEx(ShellExecuteEx_Hooked),
    this);
// Hooks start inactive. An exclusive ACL containing thread id 0 excludes only the
// current (installing) thread, so every other thread in the target is intercepted.
createProcessHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
createProcessAsUserHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
createProcessWithLogonW.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
createShellProcessHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
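For reference, here is a complete EasyHook entry point that hooks kernel32!CreateProcessW inside a target such as explorer.exe, logs each call and forwards it to the real API. This is an added example, not code from the question above: the namespace, class, delegate and field names are assumed, and the question's delegate declarations (DCreateProcess and friends) are not shown on the page, so this example declares its own. One caveat a practitioner would want stated: a hook installed in explorer.exe only sees calls made by explorer's own threads. An elevated ("Run as administrator") launch is brokered by the Application Information (AppInfo) service, which creates the elevated process from its own svchost.exe host with the elevated token, so no CreateProcess call for that launch ever executes inside explorer.exe for an in-process hook to catch.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Threading;
using EasyHook;

// Added example, not the question's code. Namespace, class, delegate and field
// names below are assumed for illustration.
namespace CreateProcessHookExample
{
    public class HookEntryPoint : IEntryPoint
    {
        [StructLayout(LayoutKind.Sequential)]
        public struct PROCESS_INFORMATION
        {
            public IntPtr hProcess;
            public IntPtr hThread;
            public uint dwProcessId;
            public uint dwThreadId;
        }

        // Must match kernel32!CreateProcessW exactly: stdcall, Unicode, and every
        // pointer kept as IntPtr so the real API sees the caller's own buffers
        // (lpCommandLine is writable and must not be marshalled to a managed string).
        [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
        delegate bool CreateProcessWDelegate(
            IntPtr lpApplicationName, IntPtr lpCommandLine,
            IntPtr lpProcessAttributes, IntPtr lpThreadAttributes,
            bool bInheritHandles, uint dwCreationFlags,
            IntPtr lpEnvironment, IntPtr lpCurrentDirectory,
            IntPtr lpStartupInfo, IntPtr lpProcessInformation);

        // The real API, with the same signature. EasyHook's trampoline lets this
        // call bypass the hook instead of recursing into it.
        [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
        static extern bool CreateProcessW(
            IntPtr lpApplicationName, IntPtr lpCommandLine,
            IntPtr lpProcessAttributes, IntPtr lpThreadAttributes,
            bool bInheritHandles, uint dwCreationFlags,
            IntPtr lpEnvironment, IntPtr lpCurrentDirectory,
            IntPtr lpStartupInfo, IntPtr lpProcessInformation);

        // A field, not a local: a LocalHook that is garbage collected removes its hook.
        LocalHook createProcessHook;

        public HookEntryPoint(RemoteHooking.IContext context, string channelName) { }

        public void Run(RemoteHooking.IContext context, string channelName)
        {
            createProcessHook = LocalHook.Create(
                LocalHook.GetProcAddress("kernel32.dll", "CreateProcessW"),
                new CreateProcessWDelegate(CreateProcessW_Hooked),
                this);

            // Exclusive ACL with thread id 0 excludes only the current thread,
            // so every other thread in the target is intercepted.
            createProcessHook.ThreadACL.SetExclusiveACL(new int[] { 0 });

            // Required when the target was started with RemoteHooking.CreateAndInject;
            // harmless after RemoteHooking.Inject into an already running process.
            RemoteHooking.WakeUpProcess();

            // EasyHook removes the hook when Run returns, so keep this thread alive.
            Thread.Sleep(Timeout.Infinite);
        }

        static bool CreateProcessW_Hooked(
            IntPtr lpApplicationName, IntPtr lpCommandLine,
            IntPtr lpProcessAttributes, IntPtr lpThreadAttributes,
            bool bInheritHandles, uint dwCreationFlags,
            IntPtr lpEnvironment, IntPtr lpCurrentDirectory,
            IntPtr lpStartupInfo, IntPtr lpProcessInformation)
        {
            // Either parameter may be NULL; read them as UTF-16 without copying the buffers.
            string application = lpApplicationName == IntPtr.Zero ? "<null>" : Marshal.PtrToStringUni(lpApplicationName);
            string commandLine = lpCommandLine == IntPtr.Zero ? "<null>" : Marshal.PtrToStringUni(lpCommandLine);

            bool ok = CreateProcessW(lpApplicationName, lpCommandLine,
                                     lpProcessAttributes, lpThreadAttributes,
                                     bInheritHandles, dwCreationFlags,
                                     lpEnvironment, lpCurrentDirectory,
                                     lpStartupInfo, lpProcessInformation);
            int lastError = Marshal.GetLastWin32Error();

            uint pid = 0;
            if (ok && lpProcessInformation != IntPtr.Zero)
                pid = Marshal.PtrToStructure<PROCESS_INFORMATION>(lpProcessInformation).dwProcessId;

            // Log and return; this runs on the target's thread, so never block or throw here.
            // Trace output goes to OutputDebugString and is visible in DebugView.
            Trace.WriteLine($"CreateProcessW app={application} cmd={commandLine} ok={ok} pid={pid} err={lastError}");
            return ok;
        }
    }
}
```

Inject it from the controlling process with RemoteHooking.Inject(targetPid, pathToThisAssembly, pathToThisAssembly, channelName) and watch the trace output while launching a program from Explorer; an elevated launch of the same program produces no line, for the reason given in the lead-in.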