Click here to Skip to main content
15,867,308 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
I am creating an application where I use EasyHook to hook into the explorer.exe process and listen for the CreateProcessW method call from kernel32.dll. The program intercepts CreateProcessW only if the user runs the file by double-clicking on it (without administrator privileges) while when I try to run the application as administrator the process is created while my program does not intercept CreateProcessW. My question is why my program does not capture this method. Does running the file as administrator call a different method than CreateProcessW?

My program runs with the "highestAvailable" permissions contained in the app.manifest

What I have tried:

var createProcessHook = EasyHook.LocalHook.Create(
EasyHook.LocalHook.GetProcAddress("kernel32.dll", "CreateProcessW"),
new CreateProcessW_Delegate(CreateProcessW_Hook),
this);
Posted
Updated 8-Feb-23 6:29am
v3
Comments
Daniele Rota Nodari 8-Feb-23 11:48am    
Is your application running as administrator?
If debugging from Visual studio, is VS running as administrator?
Have you tried hooking CreateProcessAsUser and CreateProcessWithLogonW ? See https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessw for more info about them.
Ṉobody 8-Feb-23 17:20pm    
Yes, my application is running as administrator and I tried hooking CreateProcessAsUser and CreateProcessWithLogonW but that didn't help. I even tried hooking ShellExecuteEx but that didn't help either.
Dave Kreskowiak 8-Feb-23 12:02pm    
"highestAvailable" privileges? That means nothing without any explanation of what you mean and how you came about this information.

1 solution

Your code, running as your account, cannot intercept calls being made by another account, or an elevated account. This is for security reasons. Think about it. Would you want some schmuck user intercepting code running as administrator and injecting their own code or function calls?

Your "hook" would have to run as an administrator in order to capture that call.
 
Share this answer
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900