A while ago I came across an interesting MSI. The vendor had a custom action in the form of a DLL.
At first glance I didn’t give it much importance; however, it was curious that some user-specific actions were done on my user, even though I installed the MSI from the SYSTEM account.
A few hours later, after some investigation, I realized that the DLL was impersonating the currently logged-in user in order to perform the changes, and it surely detected whether the installation was done from the SYSTEM account, because from a normal installation (run as admin) nothing was happening. It was quite an interesting installer, and my compliments to the vendor.
While I was cleaning up my HDD, I saw it again and it reminded me of the custom action. So my next thought was: what if I make an app that tries to impersonate a user when it’s executed in the container of an MSIX?
How can you do that, you ask?
I don’t want to get technical on how you can build an EXE that impersonates a user; you can find different snippets of code on Stack Overflow as examples.
The main point here is that, by using a certain CreateProcessAsUser function, you can impersonate another user by using a token.
So that’s what I did: I started Visual Studio and started to create an app that checked if it was executed as administrator, tried to impersonate another user and showed a cmd that outputs something like “whoami”.
The exe didn’t even start; the moment I opened the application, it was shut down.
And this is exactly what i was expecting!
Why, you might ask?
Because the whole point of an MSIX is to run in a container. Allowing CreateProcessAsUser to impersonate another user would mean breaking it, and I am quite happy to find that MS thought about this.
I am not sure how much this specific function is used in the programming world, but if you are using it in your application, you might want to re-think your app if you want to migrate to MSIX in the future.
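For that pre-migration review, here is an added example (not code from this post or from the vendor's installer) that inventories which binaries in an application payload reference CreateProcessAsUser. The function name `find_token_apis`, the helper `scan_payload`, the sample bytes and the extra API names beyond CreateProcessAsUser are assumptions made for the illustration.

```python
import re
import sys
from pathlib import Path

# CreateProcessAsUser is the function the post names (A/W are its ANSI/Unicode exports).
# The other entries are related token-based calls, listed as an assumption about what
# is worth reviewing alongside it; the post does not discuss them.
TOKEN_APIS = (b"CreateProcessAsUserA", b"CreateProcessAsUserW",
              b"CreateProcessWithTokenW", b"ImpersonateLoggedOnUser", b"WTSQueryUserToken")

# Import names and GetProcAddress arguments are NUL-terminated ASCII, so require the
# terminator and reject matches that are only the tail of a longer identifier.
_PATTERN = re.compile(rb"(?<![A-Za-z0-9_])(" + b"|".join(TOKEN_APIS) + rb")\x00")

def find_token_apis(blob: bytes) -> list[str]:
    """Return the sorted, de-duplicated token API names referenced in a binary image."""
    return sorted({m.group(1).decode("ascii") for m in _PATTERN.finditer(blob)})

def scan_payload(root: Path) -> dict[str, list[str]]:
    """Scan every .exe/.dll under root (the files that would go into the package)."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in (".exe", ".dll"):
            hits = find_token_apis(path.read_bytes())
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: bytes laid out like PE import hint/name entries (2-byte hint,
# ASCII name, NUL). Not taken from any real installer.
SAMPLE = (b"\x12\x01CreateProcessAsUserW\x00\x00"
          b"\x34\x02MyCreateProcessAsUserA\x00"       # longer identifier: must not match
          b"\x56\x03WTSQueryUserToken\x00"
          b"\x78\x04CreateProcessAsUserWrapper\x00")  # no NUL after the API name: must not match

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for file, apis in scan_payload(Path(sys.argv[1])).items():
            print(f"{file}: {', '.join(apis)}")
    else:
        print(find_token_apis(SAMPLE))
```

This is a string-level heuristic: it will not see imports by ordinal or names assembled at run time, so an empty report is a starting point for review rather than proof.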