@@ -25,32 +25,54 @@ fn main() -> anyhow::Result<()> {
2525 . context ( "open current process token" ) ?;
2626
2727 // Verify that the current account is assigned with the SE_CREATE_TOKEN_NAME privilege.
28- let account_username = get_username ( Security :: Authentication :: Identity :: NameSamCompatible ) . unwrap ( ) ;
28+ println ! ( "Attempting to verify whether the current account is assigned with the SE_CREATE_TOKEN_NAME privilege" ) ;
29+ let account_username =
30+ get_username ( Security :: Authentication :: Identity :: NameSamCompatible ) . context ( "retrieve account username" ) ?;
2931 println ! ( "Account name: {account_username:?}" ) ;
30- let account = lookup_account_by_name ( & account_username) . unwrap ( ) ;
31- let rights = enumerate_account_rights ( & account. sid ) . unwrap ( ) ;
32- let has_create_token_right = rights. iter ( ) . any ( |right| right == u16cstr ! ( "SeCreateTokenPrivilege" ) ) ;
3332
34- if expect_elevation {
35- assert ! ( has_create_token_right) ;
36-
37- // SE_CREATE_TOKEN_NAME is required for performing the elevation.
38- let se_create_token_name_luid = privilege:: lookup_privilege_value ( None , privilege:: SE_CREATE_TOKEN_NAME )
39- . context ( "lookup SE_CREATE_TOKEN_NAME privilege" ) ?;
40- token
41- . adjust_privileges ( & TokenPrivilegesAdjustment :: Enable ( vec ! [ se_create_token_name_luid] ) )
42- . context ( "enable SE_CREATE_TOKEN_NAME privilege" ) ?;
43-
44- // Verify the SE_CREATE_TOKEN_NAME privilege is actually enabled.
45- let se_create_token_name_is_enabled = token
46- . privileges ( )
47- . context ( "list token privileges" ) ?
48- . as_slice ( )
49- . iter ( )
50- . find ( |privilege| privilege. Luid == se_create_token_name_luid)
51- . is_some ( ) ;
52-
53- assert ! ( se_create_token_name_is_enabled) ;
33+ match lookup_account_by_name ( & account_username) {
34+ Ok ( account) => {
35+ let rights = enumerate_account_rights ( & account. sid )
36+ . with_context ( || format ! ( "enumerate account rights for {account_username:?}" ) ) ;
37+ let has_create_token_right = rights. iter ( ) . any ( |right| right == u16cstr ! ( "SeCreateTokenPrivilege" ) ) ;
38+
39+ if expect_elevation {
40+ assert ! ( has_create_token_right) ;
41+
42+ // SE_CREATE_TOKEN_NAME is required for performing the elevation.
43+ let se_create_token_name_luid =
44+ privilege:: lookup_privilege_value ( None , privilege:: SE_CREATE_TOKEN_NAME )
45+ . context ( "lookup SE_CREATE_TOKEN_NAME privilege" ) ?;
46+ token
47+ . adjust_privileges ( & TokenPrivilegesAdjustment :: Enable ( vec ! [ se_create_token_name_luid] ) )
48+ . context ( "enable SE_CREATE_TOKEN_NAME privilege" ) ?;
49+
50+ // Verify the SE_CREATE_TOKEN_NAME privilege is actually enabled.
51+ let se_create_token_name_is_enabled = token
52+ . privileges ( )
53+ . context ( "list token privileges" ) ?
54+ . as_slice ( )
55+ . iter ( )
56+ . find ( |privilege| privilege. Luid == se_create_token_name_luid)
57+ . is_some ( ) ;
58+
59+ assert ! ( se_create_token_name_is_enabled) ;
60+ }
61+ }
62+ Err ( e) => {
63+ eprintln ! ( "Failed at looking up account for {account_username:?}: {e}" ) ;
64+
65+ // Possible issue when running this program using psexec -s, under `NT AUTHORITY\SYSTEM` (LocalSystem):
66+ // - There is no direct domain credentials by default, unless the machine is domain joined and has a line-of-sight to the DC.
67+ // - This context may not be able to see the same network resources or DC that the interactive user.
68+ // Causing LookupAccountNameW to fail with a "no mapping" error.
69+ // Let’s just go ahead with the elevation in this case, assuming LocalSystem is enough for all intents and purposes at this point.
70+ if e. code ( ) . 0 == 0x80070534 {
71+ println ! ( "Got the 'no mapping' error; continuing..." )
72+ } else {
73+ return Err ( anyhow:: Error :: new ( e) , "an unexpected error" ) ;
74+ }
75+ }
5476 }
5577
5678 let token_source = build_token_source ( LADM_SRC_NAME , LADM_SRC_LUID ) ;
0 commit comments