Privexec and Appexec have been working great for some time now. Excellent work.
The majority of App Capabilities are working as expected. However, some of the more powerful Restricted Capabilities (rescap) are not working because something is missing. As we know, the Restricted Capabilities are showing in the Token Properties. So that is good. The rescap capabilities are in place in the token correctly. But something is missing as part of their XML configuration to unlock them within the system.
There are a few projects on GitHub, file explorer type UWP programs, which are great code examples for showing how this is working since they all use this technique.
Files-UWP is one example: https://github.com/duke7553/files-uwp
Microsoft Doc: https://docs.microsoft.com/en-us/windows/uwp/files/file-access-permissions
See the Example from the very bottom of that documentation page:
Example
This example adds the restricted broadFileSystemAccess capability. In addition to specifying the capability, the rescap namespace must be added, and is also added to IgnorableNamespaces:
Those two lines ( xmlns:rescap= and IgnorableNamespaces= ) are the key lines.
From the Files-UWP project, you can see the line within the Package section: https://github.com/duke7553/files-uwp/blob/master/FilesUwp.Package/Package.appxmanifest#L2
Now, I don't know how we can get those two lines of XML config ( xmlns:rescap= and IgnorableNamespaces= ) into the target process. That would make the system aware that these apps are requesting those privileges. I don't know if this can work from a "process launcher" perspective or not. If you can get this working, AppExec and wsudo would gain significant power.
Thank you for your time.
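For reviewing which packages request restricted capabilities, the two manifest lines discussed above can be checked mechanically. This is an added example, not code from the post, Privexec or Files-UWP; the sample manifest is constructed, and `audit_manifest` is a hypothetical helper name.

```python
import io
import xml.etree.ElementTree as ET

# Namespace URI bound to the rescap prefix in appx manifests.
RESCAP_NS = ("http://schemas.microsoft.com/appx/manifest/"
             "foundation/windows10/restrictedcapabilities")

# Constructed sample manifest, trimmed to the parts relevant here.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<Package
  xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
  xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
  xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"
  IgnorableNamespaces="uap rescap">
  <Capabilities>
    <Capability Name="internetClient" />
    <rescap:Capability Name="broadFileSystemAccess" />
  </Capabilities>
</Package>
"""


def audit_manifest(data: bytes) -> dict:
    """Report the rescap namespace declaration and restricted capabilities."""
    prefixes = {}  # prefix -> namespace URI, from xmlns declarations
    root = None
    # start-ns events expose the prefix bindings ElementTree otherwise drops.
    for event, item in ET.iterparse(io.BytesIO(data),
                                    events=("start-ns", "start")):
        if event == "start-ns":
            prefixes[item[0]] = item[1]
        elif root is None:
            root = item  # first element seen is <Package>
    rescap_prefixes = [p for p, uri in prefixes.items() if uri == RESCAP_NS]
    ignorable = root.get("IgnorableNamespaces", "").split()
    restricted = [el.get("Name")
                  for el in root.iter("{%s}Capability" % RESCAP_NS)]
    return {
        "rescap_declared": bool(rescap_prefixes),
        "rescap_ignorable": any(p in ignorable for p in rescap_prefixes),
        "restricted_capabilities": restricted,
    }


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```
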