RunAsNewUser_RunDLLW


Runs a program using the parameters specified in a named file mapping

Syntax

int WINAPI RunAsNewUser_RunDLLW (
    HWND unusedHwnd,
    HINSTANCE unusedHinstance,
    LPCWSTR pMappingName,
    int nCmdShow
)

Parameters

unusedHwnd
Unused
unusedHinstance
Unused
pMappingName
The name of the file mapping that contains the parameters
nCmdShow
The SW_ value to pass to ShellExecuteEx

Return Value

HRESULT_FROM_WIN32(GetLastError()) if opening the shared mapping fails, otherwise the return value of ShellExecuteEx

Remarks

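Despite its name, this function does nothing to run the program named by execFile as any different user. As it currently stands, its only use is as a more cumbersome interface to ShellExecuteEx. Note that the program path is taken from a named shared mapping, so whoever can create or write a mapping with that name determines what is executed.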

The shared mapping must be at least 0xc80 (3200) bytes long and contain a RUNASNEWUSERPARAM structure defined as follows:

// Parameter block that RunAsNewUser_RunDLLW copies out of the named file mapping.
// The trailing hex value on each field is the byte offset as annotated by the author.
// NOTE(review): with 2-byte WCHAR and MAX_PATH == 260, the declared array sizes put
// padding at 0x480 and directory at 0xa80, for a total of 0xc80 (the stated minimum
// mapping size). The 0x478 / 0xa78 annotations are 8 bytes lower, so either they or
// one of the array sizes is off - confirm before relying on raw offsets.
struct RUNASNEWUSERPARAM
{
   WCHAR eventName[0x38]; // 0x0 - event the function sets after copying this struct; required
   WCHAR execFile[MAX_PATH]; // 0x70 - path of the file to execute; required
   WCHAR arguments[MAX_PATH]; // 0x278 - arguments passed to execFile; optional
   UCHAR padding[0x600]; // 0x478 - unused space in current versions
   WCHAR directory[MAX_PATH - 4]; // 0xa78 - 'start in' directory; optional
};
eventName is the name of an event that the function sets after it is done copying the struct from the mapping into a local buffer. It is not optional.
execFile is the path of the file to execute. It is not optional
arguments are those to be passed to execFile. Optional
padding is unused space in current versions
directory is the 'start in' directory. Optional

Example

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#include <wchar.h>

// Parameter block shared with RunAsNewUser_RunDLLW through a named file mapping.
// Field order and sizes are the layout the callee reads, so they must not be changed.
// With 2-byte WCHAR and MAX_PATH == 260, sizeof(RUNASNEWUSERPARAM) is 0xc80 (3200) bytes.
struct RUNASNEWUSERPARAM
{
   WCHAR eventName[0x38];         // name of the event the callee sets once it has copied the struct; required
   WCHAR execFile[MAX_PATH];      // path of the file to execute; required
   WCHAR arguments[MAX_PATH];     // arguments passed to execFile; optional
   UCHAR padding[0x600];          // unused space in current versions
   WCHAR directory[MAX_PATH - 4]; // 'start in' directory; optional
};

// Pointer to RunAsNewUser_RunDLLW as exported by shell32.dll. The first two
// parameters are unused by the callee; pMappingName names the file mapping
// holding a RUNASNEWUSERPARAM and nCmdShow is the SW_ value for ShellExecuteEx.
typedef int (WINAPI *pfnShell)(
    HWND unusedHwnd,
    HINSTANCE unusedHinstance,
    LPCWSTR pMappingName,
    int nCmdShow);

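// Fills a RUNASNEWUSERPARAM block in a named file mapping and passes the mapping
// name to shell32!RunAsNewUser_RunDLLW, which runs execFile through ShellExecuteEx.
// Returns 0 once the call has been made, 1 if any setup step fails.
int main()
{
    // NOTE(review): the callee executes whatever path the mapping contains, so the
    // mapping is a trust boundary. Fixed, guessable names are tolerable only in a
    // demo; real code should use a per-run unique name and an explicit
    // SECURITY_ATTRIBUTES rather than the default descriptor that NULL gives.
    LPCWSTR fileMapName = L"MyMap";
    LPCWSTR eventName = L"MyEvent";

    // Declared up front so the goto-based cleanup never jumps over an initializer.
    int exitCode = 1;
    int callResult = 0;
    HMODULE hShell = NULL;
    pfnShell runAsNewUserRunDLLW = NULL;
    HANDLE hFileMap = NULL;
    HANDLE hEvent = NULL;
    RUNASNEWUSERPARAM* pParam = NULL;

    // Restrict the lookup to the system directory so a same-named DLL elsewhere
    // on the search path cannot be picked up.
    hShell = LoadLibraryExW(L"shell32.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
    if (hShell == NULL) {
        fprintf(stderr, "LoadLibraryExW failed: %lu\n", GetLastError());
        goto cleanup;
    }

    runAsNewUserRunDLLW = reinterpret_cast<pfnShell>(GetProcAddress(hShell, "RunAsNewUser_RunDLLW"));
    if (runAsNewUserRunDLLW == NULL) {
        // The export is undocumented and may be absent on some Windows versions.
        fprintf(stderr, "RunAsNewUser_RunDLLW not exported: %lu\n", GetLastError());
        goto cleanup;
    }

    hFileMap = CreateFileMappingW(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, sizeof(RUNASNEWUSERPARAM), fileMapName);
    if (hFileMap == NULL) {
        fprintf(stderr, "CreateFileMappingW failed: %lu\n", GetLastError());
        goto cleanup;
    }
    // A handle plus ERROR_ALREADY_EXISTS means the object was created by someone
    // else: its size, contents and access control are not ours, so do not use it.
    if (GetLastError() == ERROR_ALREADY_EXISTS) {
        fprintf(stderr, "file mapping name already in use; refusing to reuse it\n");
        goto cleanup;
    }

    hEvent = CreateEventW(NULL, FALSE, FALSE, eventName);
    if (hEvent == NULL) {
        fprintf(stderr, "CreateEventW failed: %lu\n", GetLastError());
        goto cleanup;
    }
    if (GetLastError() == ERROR_ALREADY_EXISTS) {
        fprintf(stderr, "event name already in use; refusing to reuse it\n");
        goto cleanup;
    }

    pParam = reinterpret_cast<RUNASNEWUSERPARAM*>(MapViewOfFile(hFileMap, FILE_MAP_WRITE, 0, 0, 0));
    if (pParam == NULL) {
        fprintf(stderr, "MapViewOfFile failed: %lu\n", GetLastError());
        goto cleanup;
    }

    // The mapping is pagefile-backed and therefore zero-filled, so the optional
    // arguments and directory fields are left as empty strings.
    // Bounded copies: a source longer than the field fails instead of overrunning it.
    if (wcscpy_s(pParam->eventName, ARRAYSIZE(pParam->eventName), eventName) != 0 ||
        wcscpy_s(pParam->execFile, ARRAYSIZE(pParam->execFile), L"C:\\Windows\\System32\\winver.exe") != 0) {
        fprintf(stderr, "parameter string does not fit its field\n");
        goto cleanup;
    }

    // Result is an HRESULT if the callee cannot open the mapping, otherwise the
    // return value of ShellExecuteEx.
    callResult = runAsNewUserRunDLLW(NULL, NULL, fileMapName, SW_SHOW);
    printf("RunAsNewUser_RunDLLW returned 0x%08x\n", (unsigned int)callResult);
    exitCode = 0;

cleanup:
    if (pParam != NULL) {
        UnmapViewOfFile(pParam);
    }
    if (hEvent != NULL) {
        CloseHandle(hEvent);
    }
    if (hFileMap != NULL) {
        CloseHandle(hFileMap);
    }
    if (hShell != NULL) {
        FreeLibrary(hShell);
    }
    return exitCode;
}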