UNSOLVED PDQ Deploy run as logged on user, how the hell? :)

  • Hi,

    @bob-henderson @PDQ guys how do you realize with your lovely pdq deploy to run a process as logged on user?
    Is it possible to show me the magic?

    I have the following problem, printserver with pdfcreator 1.7.3 running as service, when someone prints a pdf it will directly placed on a client computers share, after this i like to run acrobat reader under the users context with the current created pdf file.

    Therefore i need to run the process under the current logged on user context, how can i realize this?

    Regards X23

  • Senior Developer

    @x23piracy a windows service can impersonate one of the logged in users without their password. Essentially the service grabs a process running as the user you wish to impersonate, and obtains a handle on the process’s access token (OpenProcessToken). The service then needs to duplicate the token so it can “impersonate” the user without affecting the process we lifted the token from (DuplicateToken), activate that token, and then perform the work. Finally the token handle must be closed.

    Its a pretty win32 api heavy approach. The client does not use this technique as there is no guarantee a user is logged in at any given point.

    TL;DR: grab an existing process running as that user, and perform multiple win32 API calls to impersonate that user.

  • @x23piracy USually you’d need to have PDQ fire off a powershell that then calls the installer and such and use the runas option there. PDQ runs as the deployment account to my knowledge