I am trying to sandbox a SYSTEM-level Windows service in C++. In order to create the sandbox process, we first need to create a restricted token through CreateRestrictedToken, which is then passed to CreateProcessAsUser.
CreateRestrictedToken needs the token of an existing process as input. At present I was using the token of the current SYSTEM-level process after dropping SIDs and privileges. I read the following https://www.tiraniddo.dev/2020/01/dont-use-system-tokens-for-sandboxing.html and found that it is not recommended to use a SYSTEM-level token as the base token.
Where will I get the base token from?
"it is not recommended to use a SYSTEM-level token as the base token."
To be more exact, it is not recommended to use a token with AuthenticationId == SYSTEM_LUID (SYSTEM_LUID is defined in winnt.h and ntifs.h as { 0x3e7, 0x0 }).
To get a token with another (not 0x3e7 = 999) AuthenticationId you can simply call
LogonUserW(L"*", L"*", L"*", LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_DEFAULT, &hToken)
and then call CreateRestrictedToken on the returned token.
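The procedure from the answer above, written out as an added example (this is not code from the question, the answer, or the linked article): obtain a base token in a fresh logon session with LogonUserW(LOGON32_LOGON_NEW_CREDENTIALS), verify that its AuthenticationId is not SYSTEM_LUID by reading TokenStatistics, derive the sandbox token with CreateRestrictedToken, and start the child with CreateProcessAsUserW. The SIDs to disable or restrict are left empty here because they depend on your sandbox policy; DISABLE_MAX_PRIVILEGE, the cmd.exe target and the helper names are assumptions. The LUID stand-in under `#else` exists only so the SYSTEM_LUID check compiles off Windows; the Win32 calls themselves are real API signatures.

```cpp
// Added example: choose a non-SYSTEM base token before CreateRestrictedToken.
#include <cstdint>
#include <cstdio>

#ifdef _WIN32
#include <windows.h>
#else
// Stand-in (assumption, non-Windows only) so the LUID check below can be compiled and tested.
struct LUID { uint32_t LowPart; int32_t HighPart; };
#endif

// SYSTEM_LUID as defined in winnt.h / ntifs.h: { 0x3e7, 0x0 }, i.e. logon session 999.
constexpr uint32_t kSystemLuidLow = 0x3e7;
constexpr int32_t kSystemLuidHigh = 0;

// True when a token's AuthenticationId is the SYSTEM logon session; such a token
// must not be used as the base for a sandbox token.
bool IsSystemLogonLuid(const LUID& id) {
    return id.LowPart == kSystemLuidLow && id.HighPart == kSystemLuidHigh;
}

#ifdef _WIN32
// Read the logon session id (AuthenticationId) of a token from TOKEN_STATISTICS.
bool GetTokenAuthenticationId(HANDLE token, LUID* out) {
    TOKEN_STATISTICS stats{};
    DWORD len = 0;
    if (!GetTokenInformation(token, TokenStatistics, &stats, sizeof(stats), &len)) return false;
    *out = stats.AuthenticationId;
    return true;
}

// LOGON32_LOGON_NEW_CREDENTIALS clones the caller's identity into a new logon session;
// the "*" placeholders are only used for outbound network authentication, so no real
// password is needed. The returned primary token therefore has a non-SYSTEM AuthenticationId.
HANDLE CreateNonSystemBaseToken() {
    HANDLE token = nullptr;
    if (!LogonUserW(L"*", L"*", L"*", LOGON32_LOGON_NEW_CREDENTIALS,
                    LOGON32_PROVIDER_DEFAULT, &token)) {
        return nullptr;
    }
    LUID id{};
    if (!GetTokenAuthenticationId(token, &id) || IsSystemLogonLuid(id)) {
        CloseHandle(token);  // refuse to continue with a SYSTEM-session token
        return nullptr;
    }
    return token;
}

// Derive the sandbox token. DISABLE_MAX_PRIVILEGE drops every privilege except
// SeChangeNotifyPrivilege; SIDs to disable/restrict are policy-specific and omitted here.
HANDLE CreateSandboxToken(HANDLE base) {
    HANDLE restricted = nullptr;
    if (!CreateRestrictedToken(base, DISABLE_MAX_PRIVILEGE,
                               0, nullptr,   // SidsToDisable
                               0, nullptr,   // PrivilegesToDelete (ignored with DISABLE_MAX_PRIVILEGE)
                               0, nullptr,   // SidsToRestrict
                               &restricted)) {
        return nullptr;
    }
    return restricted;
}

int main() {
    HANDLE base = CreateNonSystemBaseToken();
    if (!base) { std::printf("LogonUserW/token check failed: %lu\n", GetLastError()); return 1; }
    HANDLE sandbox = CreateSandboxToken(base);
    CloseHandle(base);
    if (!sandbox) { std::printf("CreateRestrictedToken failed: %lu\n", GetLastError()); return 1; }

    wchar_t cmdline[] = L"C:\\Windows\\System32\\cmd.exe";  // assumed target for the demo
    STARTUPINFOW si{}; si.cb = sizeof(si);
    PROCESS_INFORMATION pi{};
    BOOL ok = CreateProcessAsUserW(sandbox, nullptr, cmdline, nullptr, nullptr, FALSE,
                                   CREATE_NEW_CONSOLE, nullptr, nullptr, &si, &pi);
    CloseHandle(sandbox);
    if (!ok) { std::printf("CreateProcessAsUserW failed: %lu\n", GetLastError()); return 1; }
    std::printf("sandboxed child pid %lu\n", pi.dwProcessId);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}
#else
int main() { std::printf("Win32 token APIs are only available on Windows.\n"); return 0; }
#endif
```

Run it from the SYSTEM service itself (SE_ASSIGNPRIMARYTOKEN_NAME is needed for CreateProcessAsUser, which SYSTEM holds). Because the child runs in a different logon session, it still needs access to the target window station and desktop; that is a separate step not shown here.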