Create Process with FS Virtualization Enabled

Question

With UAC disabled, I need to create a process with the same characteristics as the process created with UAC enabled - basically I'm emulating process creation with UAC enabled.

My only roadblock is virtualization. The sample code below should create an instance of notedpad at medium IL with virtualization enabled. In actuality, it creates an instance of notepad at medium IL with virtualization disabled. I'm not entirely sure why the virtualization token is being ignored. Any ideas?

BOOL bRet;
HANDLE hToken;
HANDLE hNewToken;

// Notepad is used as an example
WCHAR wszProcessName[MAX_PATH] =
L"C:\\Windows\\System32\\Notepad.exe";

// Medium integrity SID
WCHAR wszIntegritySid[20] = L"S-1-16-8192";
PSID pIntegritySid = NULL;

DWORD EnableVirtualization = 1;
TOKEN_MANDATORY_LABEL TIL = {0};
PROCESS_INFORMATION ProcInfo = {0};
STARTUPINFO StartupInfo = {0};
ULONG ExitCode = 0;

if (OpenProcessToken(GetCurrentProcess(),MAXIMUM_ALLOWED, &hToken))
{
   if (DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL,
      SecurityImpersonation, TokenPrimary, &hNewToken))
   {
      if (ConvertStringSidToSid(wszIntegritySid, &pIntegritySid))
      {
         TIL.Label.Attributes = SE_GROUP_INTEGRITY;
         TIL.Label.Sid = pIntegritySid;

         // Set the process integrity level
         if (SetTokenInformation(hNewToken, TokenIntegrityLevel, &TIL,
            sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid)))
         {
            // Enable FS Virtualization
            if (SetTokenInformation(hNewToken, TokenVirtualizationEnabled,
               &EnableVirtualization, sizeof(EnableVirtualization)))
            {
               // Create the new process at Low integrity
               bRet = CreateProcessAsUser(hNewToken, NULL,
                  wszProcessName, NULL, NULL, FALSE,
                  0, NULL, NULL, &StartupInfo, &ProcInfo);
            }
         }
         LocalFree(pIntegritySid);
      }
      CloseHandle(hNewToken);
   }
   CloseHandle(hToken);
}

Answer 1

So, I was approaching this incorrectly - fs virtualization is not what I want. To emulate UAC, as described above, its necessary to create a restricted token with the administrators group disabled and use that token to create the process.

Answer 2

The reason that this doesn't work, is that the SetTokenInformation call to turn on virtualisation is working on the primary token created for CreateProcessAsUser. What's needed is an access token for the actual process. This can be obtained by creating the process with the CreationFlag CREATE_SUSPENDED, and calling OpenProcessToken with the process handle from ProcInfo. Use SetTokenInformation on that token to enable virtualisation, and then ResumeThread to run the process.