starred/terminal
1
0
Fork 0
mirror of https://github.com/microsoft/terminal.git synced 2026-02-04 05:35:20 +00:00
Code Issues 19.0k Packages Projects Releases 20 Wiki Activity

Using ConPTY with CreateProcessWithLogon and CreateProcessWithToken #16022

New Issue
Open
opened 2026-01-31 04:55:07 +00:00 by claunia · 4 comments
claunia commented 2026-01-31 04:55:07 +00:00
Owner
Copy Link

Originally created by @sajagi on GitHub (Dec 2, 2021).

The documentation only covers same-user scenario with CreateProcess function. There is no mention whether CreatePseudoConsole also works with CreateProcessWithLogon, CreateProcessWithToken and similar functions.

It seems as if this scenario is not supported. CreateProcessWithLogon fails with ERROR_INVALID_PARAMETER (87) message. However, given how cryptic the message is, the underlying issue might be also elsewhere.

Originally created by @sajagi on GitHub (Dec 2, 2021). The documentation only covers same-user scenario with `CreateProcess` function. There is no mention whether `CreatePseudoConsole` also works with `CreateProcessWithLogon`, `CreateProcessWithToken` and similar functions. It seems as if this scenario is not supported. `CreateProcessWithLogon` fails with `ERROR_INVALID_PARAMETER` (87) message. However, given how cryptic the message is, the underlying issue might be also elsewhere.
claunia added the Issue-FeatureArea-ServerProduct-Conpty labels 2026-01-31 04:55:07 +00:00
claunia commented 2026-01-31 04:55:08 +00:00
Author
Owner
Copy Link

@zadjii-msft commented on GitHub (Dec 2, 2021):

You know, we wrote CreatePseudoConsoleAsUser
f2386de422/src/winconpty/winconpty.cpp (L360)

a while ago, but I don't think we ever added it to the public SDK. We should probably do that.

(this might also be an argument in favor of the conpty nuget package, #3577/#1130 so folks don't need to rely on SDK version updates)

@zadjii-msft commented on GitHub (Dec 2, 2021): You know, we wrote `CreatePseudoConsoleAsUser` https://github.com/microsoft/terminal/blob/f2386de422971488ee8d7cab6ae9afd0bc82b033/src/winconpty/winconpty.cpp#L360 a while ago, but I don't think we ever added it to the public SDK. We should probably do that. (this might also be an argument in favor of the conpty nuget package, #3577/#1130 so folks don't need to rely on SDK version updates)
claunia commented 2026-01-31 04:55:08 +00:00
Author
Owner
Copy Link

@sajagi commented on GitHub (Dec 2, 2021):

Thanks for the quick reply.

Do I read it correctly that such scenario is then not supported and the only way to host another user's process in pseudoconsole is to call CreatePseudoConsole and CreateProcess from a process already running under that user?

@sajagi commented on GitHub (Dec 2, 2021): Thanks for the quick reply. Do I read it correctly that such scenario is then not supported and the only way to host another user's process in pseudoconsole is to call `CreatePseudoConsole` and `CreateProcess` from a process already running under that user?
claunia commented 2026-01-31 04:55:08 +00:00
Author
Owner
Copy Link

@zadjii-msft commented on GitHub (Dec 2, 2021):

Right now, yea, it's not technically supported. All the code is there and ready to be used, we just never exposed the public function signature for it (mostly because we just forgot to).

If we do ever get around to shipping a conpty nuget, then we could ship the updated API surface out-of-band, without needing to wait for the OS to update. That might be a quicker and easier solution than trying to get this exposed in the OS.

@zadjii-msft commented on GitHub (Dec 2, 2021): Right now, yea, it's not technically supported. All the code is there and ready to be used, we just never exposed the public function signature for it (mostly because we just forgot to). If we do ever get around to shipping a conpty nuget, then we could ship the updated API surface out-of-band, without needing to wait for the OS to update. That might be a quicker and easier solution than trying to get this exposed in the OS.
claunia commented 2026-01-31 04:55:08 +00:00
Author
Owner
Copy Link

@eryksun commented on GitHub (Dec 2, 2021):

The linked code just calls CreateProcessAsUserW() to spawn the console host. But CreateProcessWithLogonW() and CreateProcessWithTokenW() are delegated to the Secondary Logon service (seclogon). Delegation is required in order to allow an unprivileged user to spawn a process as another user (e.g. via runas.exe).

Unless the new token is related to the caller's token (e.g. a restricted token, or UWP app token), directly calling CreateProcessAsUserW() requires SeAssignPrimaryTokenPrivilege and possibly SeIncreaseQuotaPrivilege. By default, even administrators don't have SeAssignPrimaryTokenPrivilege.

Also, for CreateProcessWithLogonW(), the Secondary Logon service enables access to the client's interactive window station and desktop by adding the client's logon-session group to the new token. (A logon-session group has the attribute SE_GROUP_LOGON_ID.) Without this access, the spawned process (e.g. conhost.exe) will fail with STATUS_DLL_INIT_FAILED (0xC0000142) when user32.dll loads, since it tries and fails to open the window station and desktop. Creating a token with the client's logon-session group requires calling LsaLogonUser() or LogonUserExExW() with SeTcbPrivilege (act as part of the OS) granted and enabled, which is why seclogon runs as a SYSTEM service. The alternative is to open the client's window station and desktop objects to add a DACL entry that grants all access to the new logon-session group.

@eryksun commented on GitHub (Dec 2, 2021): The linked code just calls `CreateProcessAsUserW()` to spawn the console host. But `CreateProcessWithLogonW()` and `CreateProcessWithTokenW()` are delegated to the Secondary Logon service (seclogon). Delegation is required in order to allow an unprivileged user to spawn a process as another user (e.g. via runas.exe). Unless the new token is related to the caller's token (e.g. a restricted token, or UWP app token), directly calling `CreateProcessAsUserW()` requires [SeAssignPrimaryTokenPrivilege](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token) and possibly [SeIncreaseQuotaPrivilege](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process). By default, even administrators don't have SeAssignPrimaryTokenPrivilege. Also, for `CreateProcessWithLogonW()`, the Secondary Logon service enables access to the client's interactive window station and desktop by adding the client's logon-session group to the new token. (A logon-session group has the attribute [`SE_GROUP_LOGON_ID`](https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_groups).) Without this access, the spawned process (e.g. conhost.exe) will fail with `STATUS_DLL_INIT_FAILED` (0xC0000142) when user32.dll loads, since it tries and fails to open the window station and desktop. Creating a token with the client's logon-session group requires calling `LsaLogonUser()` or `LogonUserExExW()` with SeTcbPrivilege (act as part of the OS) granted and enabled, which is why seclogon runs as a SYSTEM service. The alternative is to open the client's window station and desktop objects to add a DACL entry that grants all access to the new logon-session group.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Reserved
A11yCO
A11yMAS
A11ySev1
A11ySev2
A11ySev3
A11yTTValidated
A11yUsable
A11yVoiceAccess
A11yWCAG
Area-Accessibility
Area-AtlasEngine
Area-AzureShell
Area-Build
Area-Build
Area-Chat
Area-CmdPal
Area-CodeHealth
Area-Commandline
Area-CookedRead
Area-DefApp
Area-Extensibility
Area-Fonts
Area-GroupPolicy
Area-i18n
Area-Input
Area-Interaction
Area-Interop
Area-Localization
Area-Output
Area-Performance
Area-Portable
Area-Quality
Area-Remoting
Area-Rendering
Area-Schema
Area-Server
Area-Settings
Area-SettingsUI
Area-ShellExtension
Area-ShellExtension
Area-ShellExtension
Area-Suggestions
Area-Suggestions
Area-TerminalConnection
Area-TerminalControl
Area-Theming
Area-UserInterface
Area-VT
Area-Windowing
Area-WPFControl
AutoMerge
Blocking-Ingestion
Culprit-Centennial
Culprit-WinUI
Disability-All
Disability-Blind
Disability-LowVision
Disability-Mobility
External-Blocked-WinUI3
Fixed
Gathering-Data
good first issue
HCL-E+D
HCL-WindowsTerminal
Help Wanted
Impact-Compatibility
Impact-Compliance
Impact-Correctness
Impact-Visual
In-PR
InclusionBacklog
InclusionBacklog-Windows TerminalWin32
InclusionCommitted-202206
Issue-Bug
Issue-Docs
Issue-Feature
Issue-Feature
Issue-Question
Issue-Samples
Issue-Scenario
Issue-Task
Needs-Attention
Needs-Author-Feedback
Needs-Bisect
Needs-Discussion
Needs-Repro
Needs-Tag-Fix
Needs-Tag-Fix
Needs-Triage
No-Recent-Activity
Priority-0
Priority-1
Priority-2
Priority-3
Product-Cmd.exe
Product-Colortool
Product-Colortool
Product-Colortool
Product-Conhost
Product-Conpty
Product-Meta
Product-Powershell
Product-Terminal
Product-WSL
pull-request
Mirrored from GitHub Pull Request
 Resolution-Answered
Resolution-By-Design
Resolution-Duplicate
Resolution-External
Resolution-Fix-Available
Resolution-Fix-Committed
Resolution-No-Repro
Resolution-Won't-Fix
Severity-Blocking
Severity-Crash
Severity-DataLoss
spam
this-will-be-a-breaking-change
Tracking-External
WindowsTerminal_Win32
Work-Item
zAskModeBug
zInbox-Bug
No Label Area-Server Issue-Feature Product-Conpty
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
claunia
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/terminal#16022
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?