Disclaimer: I'm asking specifically on Stack Overflow because I want to know how to re-implement this feature.
We recently noticed that the Sysinternals tool pskill can kill an elevated process from a non-elevated context.
Specifically, if you open a program with Run-As-Administrator and then run a normal (non-elevated) shell and try to kill that RunAs program (e.g. another cmd.exe) via pskill, it will succeed.
Note: Neither PowerShell's Stop-Process nor the taskkill.exe utility can do this.
Killing Windows Services running as NT-Auth/System ~ Session 0 still gives access denied from a non-elevated context though, even with pskill, which is fine.
Which Windows API is used here? Our tooling uses OpenProcess(PROCESS_ALL_ACCESS... and TerminateProcess but this only works on the same elevation level.
Really nothing strange. pskill tries to open the process with
PROCESS_TERMINATE|SYNCHRONIZE access, which is OK. By default an elevated process grants PROCESS_ALL_ACCESS to BUILTIN\Administrators (S-1-5-32-544) and NT AUTHORITY\SYSTEM (S-1-5-18), and
SYNCHRONIZE|READ_CONTROL|PROCESS_QUERY_LIMITED_INFORMATION|PROCESS_QUERY_INFORMATION|PROCESS_VM_READ|PROCESS_TERMINATE to the LogonSession SID (S-1-5-5-0-ID). A mandatory label is also set:
SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP for Mandatory Label\High Mandatory Level - this disables all generic read and generic write access for tokens with a lower integrity level than High. So this label disables READ_CONTROL|PROCESS_QUERY_INFORMATION|PROCESS_VM_READ as part of generic read access for the process, but we still have SYNCHRONIZE|PROCESS_QUERY_LIMITED_INFORMATION|PROCESS_TERMINATE as maximum access, and this is enough to terminate. So even if we run as a low-integrity process, but in the same logon session, we can still kill the elevated process.
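An added example, not code from the question, the answer, or pskill: a small Python model of the access check the answer describes. It builds the elevated process's DACL exactly as the answer lists it, applies the High mandatory label's NO_READ_UP policy by stripping the generic-read bits the answer names, and then shows what each caller obtains: a same-session medium-integrity token gets SYNCHRONIZE|PROCESS_QUERY_LIMITED_INFORMATION|PROCESS_TERMINATE (so a PROCESS_TERMINATE|SYNCHRONIZE request succeeds while PROCESS_ALL_ACCESS fails, matching pskill versus the asker's tooling), and a target in a different logon session (the service case) grants it nothing. The logon session ID 0x1234 is constructed, the service target is assumed to carry the same DACL shape under SYSTEM's logon session 0x3E7, and the NO_WRITE_UP side of the label is deliberately not modelled because the answer's conclusion is that it removes none of the remaining bits.

```python
"""Constructed model of the process access check described in the answer.
Not Windows' or pskill's code; access-right values are the winnt.h ones."""
from dataclasses import dataclass
from typing import FrozenSet, List

# Process access rights (winnt.h)
PROCESS_TERMINATE = 0x0001
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
READ_CONTROL = 0x00020000
SYNCHRONIZE = 0x00100000
PROCESS_ALL_ACCESS = 0x001FFFFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF (Vista+)

# Mandatory label policy flags and integrity RIDs (winnt.h)
SYSTEM_MANDATORY_LABEL_NO_WRITE_UP = 0x1
SYSTEM_MANDATORY_LABEL_NO_READ_UP = 0x2
SECURITY_MANDATORY_MEDIUM_RID = 0x2000
SECURITY_MANDATORY_HIGH_RID = 0x3000
HIGH_LABEL_POLICY = SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
NT_AUTHORITY_SYSTEM = "S-1-5-18"
SYSTEM_LOGON_ID = 0x3E7  # SYSTEM_LUID; stands in for a session-0 service target


def logon_session_sid(logon_id: int) -> str:
    return f"S-1-5-5-0-{logon_id}"


# The bits the answer names as the process's generic-read access; NO_READ_UP
# removes them for callers whose integrity is below the label.
PROCESS_GENERIC_READ = READ_CONTROL | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ


@dataclass(frozen=True)
class AccessAllowedAce:
    sid: str
    mask: int


@dataclass(frozen=True)
class Token:
    sids: FrozenSet[str]
    integrity_rid: int


def elevated_process_dacl(logon_id: int) -> List[AccessAllowedAce]:
    """Default DACL of an elevated process, as the answer lists it."""
    return [
        AccessAllowedAce(BUILTIN_ADMINISTRATORS, PROCESS_ALL_ACCESS),
        AccessAllowedAce(NT_AUTHORITY_SYSTEM, PROCESS_ALL_ACCESS),
        AccessAllowedAce(
            logon_session_sid(logon_id),
            SYNCHRONIZE | READ_CONTROL | PROCESS_QUERY_LIMITED_INFORMATION
            | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_TERMINATE,
        ),
    ]


def maximum_allowed(dacl, token: Token, label_rid: int, label_policy: int) -> int:
    """Union of allow ACEs matching the token, minus what the label strips."""
    granted = 0
    for ace in dacl:
        if ace.sid in token.sids:
            granted |= ace.mask
    if token.integrity_rid < label_rid and label_policy & SYSTEM_MANDATORY_LABEL_NO_READ_UP:
        granted &= ~PROCESS_GENERIC_READ
    # NO_WRITE_UP would strip the process's generic-write bits the same way; per the
    # answer none of the logon-session ACE's remaining bits are affected, so it is
    # not modelled here (assumption taken from the answer, not verified).
    return granted


def access_check(dacl, token: Token, label_rid: int, label_policy: int, desired: int) -> bool:
    """True when every requested bit is within the maximum allowed access."""
    return desired & ~maximum_allowed(dacl, token, label_rid, label_policy) == 0


def medium_token(logon_id: int) -> Token:
    # Filtered (non-elevated) token: Administrators is deny-only, so only the
    # logon-session SID can match an allow ACE here.
    return Token(frozenset({logon_session_sid(logon_id)}), SECURITY_MANDATORY_MEDIUM_RID)


def elevated_token(logon_id: int) -> Token:
    return Token(frozenset({logon_session_sid(logon_id), BUILTIN_ADMINISTRATORS}),
                 SECURITY_MANDATORY_HIGH_RID)


def can_open(caller: Token, target_logon_id: int, desired: int) -> bool:
    """Open attempt against an elevated process carrying the High label."""
    return access_check(elevated_process_dacl(target_logon_id), caller,
                        SECURITY_MANDATORY_HIGH_RID, HIGH_LABEL_POLICY, desired)


if __name__ == "__main__":
    logon = 0x1234  # constructed logon session ID shared by caller and target
    me = medium_token(logon)
    print(hex(maximum_allowed(elevated_process_dacl(logon), me,
                              SECURITY_MANDATORY_HIGH_RID, HIGH_LABEL_POLICY)))
    print("pskill-style request:", can_open(me, logon, PROCESS_TERMINATE | SYNCHRONIZE))
    print("PROCESS_ALL_ACCESS request:", can_open(me, logon, PROCESS_ALL_ACCESS))
    print("other logon session:", can_open(me, SYSTEM_LOGON_ID, PROCESS_TERMINATE | SYNCHRONIZE))
```

The model is only as good as the ACE and label bits the answer spells out; to check a real process, read its DACL and label with GetSecurityInfo using DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION and feed those masks in instead of the constructed ones.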