From 577088460e152b9251b12d01cc2882290b3d33f0 Mon Sep 17 00:00:00 2001 From: fengcaiwen Date: Fri, 27 Jan 2023 16:06:37 +0800 Subject: [PATCH] fix: fix permission on windows --- .DS_Store | Bin 10244 -> 10244 bytes cmd/.DS_Store | Bin 0 -> 6148 bytes cmd/kubevpn/.DS_Store | Bin 0 -> 6148 bytes pkg/.DS_Store | Bin 0 -> 8196 bytes pkg/util/.DS_Store | Bin 0 -> 8196 bytes pkg/util/a_test.go | 150 +++++++++++++++++++++++++++++++ pkg/util/elevatecheck_windows.go | 105 +++++++++++++--------- pkg/util/wintoken/get.go | 54 +++++++++++ 8 files changed, 268 insertions(+), 41 deletions(-) create mode 100644 cmd/.DS_Store create mode 100644 cmd/kubevpn/.DS_Store create mode 100644 pkg/.DS_Store create mode 100644 pkg/util/.DS_Store create mode 100755 pkg/util/a_test.go create mode 100755 pkg/util/wintoken/get.go diff --git a/.DS_Store b/.DS_Store index 888fcdcb23a94e2c4e9dd68c5e713ea10900fe3e..19e97cf3fd728503df6dcad8f8bf8f6ed6578591 100644 GIT binary patch delta 404 zcmZn(XbG6$&nUJrU^hRb*k&F95q5TFhGd3ZhLp)R0w)E*tg_&uyqx^JbOr_n#>ukc z&%iPT4A~6nnaO1ZNjdpRK#8-H`6ZML#YDv=M1`cJW#R>dlM<7&(~I&;^HQAibMlLv za!OO<1^A0I^2;0S09VgMmTWA+Z6><`97i zL1{+Lki7i7RAq+%h=8(#H&lj$L7TymA($bCp^%}0VLHQNhOG<-8O|{{K4$pJ$jr#g zD8{J7sLiOuXv%2L=)ma7=*1Y#7{i#zm<2I_i4kg$ER=>)jK!NTN>;LLW>=6z311P6 I@C9lB02A+8&Hw-a delta 339 zcmZn(XbG6$&nUbxU^hRb@MazX5%$Rj5*(9xByRI$CYKc?<>V(ZFfbmPd{9zJLsVEy zTvS3*LONbRI4LnXJH05sG%v+DKPSJ)DW^0wA~QKZFF3O*b+U+5fNXSnQD%yNT3T^x zNo2eLe{phAeojt6esN|=W`5q}Mk(KVkZ4AJxhGIpKv8O0W@^~fH5>63;_mZ2!nxvLj=Zx(u|xTdHH#%oXQT~P!SFWZ3agMFNR=-42E)sK89Hg z%NTYr9A&V-#qfsV7b6R!7^4!SHlqonEu%f72csur6k{}F0%IaXI};<+7#S!Hr5Lj| V_eoc>Y;4%exS3r+5*})dnE=##O)~%h 
diff --git a/cmd/.DS_Store b/cmd/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..c2495bed63c5308f40e8a494a27ae5917a452741 GIT binary patch literal 6148 zcmeHK%}T>S5T0$TO({YT3Oz1(E!tWsh?iLF!K)EHsMN$34UO5--$NpBp zAWCI(;4d;j&n^!=7()PEc=!BNfGhM`9H4H!XhAQP9ZZM)Akx`SK|czIqiXe8WU{%H z)x48;iq4gHr>5S>AB~4ie{ey+PL+y+h3^MvVRzattskm*fS zO*M`?LtX2c1*hN?+NJVrR@-Y-WW83MSLAGOr&^J_^~QW&a5gr#_fOir=ss2t`hSDK zcT~%o#RWW~^NE9rH;5w@-{Q)mYLU&z3@`)C!16O-Pd2Bx{9EB2FaylM4>LgLgG42C zEhYx_(Sb&f0EjsZYeAnr8mUHFbS)+ZaRo(~QbbcK?1&*uImV^Ub1fzYO*sfVd-kS#O7418pOW*Ya9T+?(yKsa;a9 tm8jRKB$SsJd@Dgmw_?ntR$NBaf^kU>qH8fRh!GV25YRNRVFrGcfmfSVSuy|s literal 0 HcmV?d00001 diff --git a/cmd/kubevpn/.DS_Store b/cmd/kubevpn/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..bbe0c1a3f3b41f6ec465d8be76d55d0084050fd3 GIT binary patch literal 6148 zcmeHK!A=`75FLlK*$7q2p_MqU)N2F@K}e{VZJ>u25ZnE0#6NCgc!B+B5wa zu6#*_4CU15RvMRlQvOYawa^&}icqjAxVhR57G&^n9n>rs4|4ko?E=UttTqBI{2O+cCq;Bs=5=82wk z^*B!o6C2tNukO`*jkW2ty|dl)JMGr2=}&hyTTOqfvpt*Dy)R!kzU}wUvx{6`Tj~}5 zOCz5g-oqbM=Igl%hk2&+GuYU_1~wu}DW`QhBfY@N4LlyQf~JTtAPfitZ;SzVHhQaX z?7QW2g#lsU=w$K}3^+kWf{zEL4#8kTe_7MEqIo^@J^<>WQm=dgj=lEKOTR!5J@?YS`Ln_H7WIZe%&ca9mTrS><g zyo*bV2MgZ*l`j_;yh|4^9~{)2x%wAht+jXJT`r!`-l2l##R13k@nI|X*5SIN&YoEh z{yJLEAFexEQSGDYqsKlz?#`SzIWs#mH+Smv{M?zdXFh4WCj-B;(@kWg*F`LnX542R zQAhAr^q6gA>|rK5ZTCcpx5mQzuZPwj^@ub3dO-QQnJ~uhbdxAt+1g53wvp>^w%y}t zClPVHD$*#61mC=ylE}*$+g;{cf@a(!fmeF+RC=2wDdCvS#=Y1NSiHiUBFn_?rk^A} z@3Q72$&}t`A*%_Kp48l}p5KXhw|@06En~g0I_i9`J1*392cX{YhpO+)j)n|kZJi6w zYW2owAsFe7Ttsccm~hm1-yh;@H_koe`5tt;b(XrFX7jC6>s79xP~1JF~T3U z{lw@Z%g0KtU`hvv7kRIh@L2FJjY)o$W?~S~jDmhUrL8Y-yZqMAd9_`u!27Jgqz-<5 zn(&)9fB%1QGGyF7ReiGR3_A@bevG7AESwPHMxH1&jhl0i%FX;9pPx?`&aK$$MY*n%XE}6!JK;~4Yh0rd~u0jcp2xYnEeVfQe%q{^Vq6tlb0dgGCr$WBS zF3+z@hF9b(t|@z%%j%Z&jWF7&94*1MilAk|JPC@daQEQJX)bjb=zHT7^DNDBgkXr~;_MaYftwu<-Pis&88mM{<6%7X!*L`D zzBh);yElI5@ubJ+p*NGA literal 0 HcmV?d00001 
diff --git a/pkg/util/a_test.go b/pkg/util/a_test.go
new file mode 100755
index 00000000..1aa5ea7f
--- /dev/null
+++ b/pkg/util/a_test.go
@@ -0,0 +1,150 @@ +package util + +import ( + "context" + "fmt" + "github.com/wencaiwulue/kubevpn/pkg/util/wintoken" + "golang.org/x/sys/windows" + "os" + "os/exec" + "syscall" + "testing" + "unsafe" +) + +func TestName112399(t *testing.T) { + verb := "runas" + //exe, _ := os.Executable() + exe := "C:\\Users\\naison\\Desktop\\kubevpn-windows-amd64.exe" + cwd, _ := os.Getwd() + args := /* strings.Join(os.Args[:], " ")*/ "" + + verbPtr, _ := windows.UTF16PtrFromString(verb) + exePtr, _ := syscall.UTF16PtrFromString(exe) + cwdPtr, _ := syscall.UTF16PtrFromString(cwd) + argPtr, _ := syscall.UTF16PtrFromString(args) + + //https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-showwindow + var showCmd int32 = 1 //SW_NORMAL + + // + + var modshell32 = windows.NewLazySystemDLL("shell32.dll") + var procShellExecuteW = modshell32.NewProc("ShellExecuteW") + r1, r2, e1 := syscall.Syscall6(procShellExecuteW.Addr(), 6, uintptr(0), uintptr(unsafe.Pointer(verbPtr)), uintptr(unsafe.Pointer(exePtr)), uintptr(unsafe.Pointer(argPtr)), uintptr(unsafe.Pointer(cwdPtr)), uintptr(showCmd)) + if r1 <= 32 { + panic(e1) + } + println(r1) + println(r2) + + token, err := wintoken.OpenProcessToken(0, wintoken.TokenPrimary) + if err == nil { + println(token.Token().IsElevated()) + } else { + println(err.Error()) + } + token, err = wintoken.OpenProcessToken(0, wintoken.TokenPrimary) + if err == nil { + println(token.Token().IsElevated()) + } else { + println(err.Error()) + } + //err := windows.ShellExecute(0, verbPtr, exePtr, argPtr, cwdPtr, showCmd) + //if e1 != nil { + // logrus.Warn(e1) + //} +} + +func TestName112399Exec(t *testing.T) { + verb := "runas" + //exe, _ := os.Executable() + //cwd, _ := os.Getwd() + //args := /* strings.Join(os.Args[:], " ")*/ "" + // + //verbPtr, _ := windows.UTF16PtrFromString(verb) + //exePtr, _ := syscall.UTF16PtrFromString(exe) + //cwdPtr, _ := syscall.UTF16PtrFromString(cwd) + //argPtr, _ := syscall.UTF16PtrFromString(args) + + strings := 
[]string{"/env", "/user:administrator", fmt.Sprintf(`"%s version"`, "C:\\Users\\naison\\Desktop\\kubevpn-windows-amd64.exe")} + cmd := exec.Command(verb, strings...) + cancel, cancelFunc := context.WithCancel(context.Background()) + err := cmd.Start() + if err != nil { + panic(err) + } + go func() { + _ = cmd.Wait() + cancelFunc() + }() + var to *windows.Token + for { + select { + case <-cancel.Done(): + if to != nil { + print(to.IsElevated()) + return + } else { + panic("not found") + } + default: + token, err := wintoken.OpenProcessToken(cmd.Process.Pid, wintoken.TokenPrimary) + if err == nil { + ttt := token.Token() + to = &ttt + } + } + } +} + +func TestName112399CreateProcess(t *testing.T) { + //verb := "runas" + //exe, _ := os.Executable() + cwd, _ := os.Getwd() + //args := /* strings.Join(os.Args[:], " ")*/ "" + // + //verbPtr, _ := windows.UTF16PtrFromString(verb) + //exePtr, _ := syscall.UTF16PtrFromString(exe) + cwdPtr, _ := syscall.UTF16PtrFromString(cwd) + //argPtr, _ := syscall.UTF16PtrFromString(args) + + windows.Setenv("KUBECONFIG", os.Getenv("KUBECONFIG")) + v, _ := syscall.UTF16PtrFromString("KUBECONFIG=" + os.Getenv("KUBECONFIG")) + // func CreateProcess(appName *uint16, commandLine *uint16, procSecurity *SecurityAttributes, threadSecurity *SecurityAttributes, inheritHandles bool, creationFlags uint32, env *uint16, currentDir *uint16, startupInfo *StartupInfo, outProcInfo *ProcessInformation) (err error) { + var si windows.StartupInfo + var pi windows.ProcessInformation + a, _ := syscall.UTF16PtrFromString("runas") + //c, _ := syscall.UTF16PtrFromString("C:\\Users\\naison\\Desktop\\kubevpn-windows-amd64.exe") + + //strings := []string{"/env", "/user:administrator", fmt.Sprintf(`"%s version"`, "C:\\Users\\naison\\Desktop\\kubevpn-windows-amd64.exe")} + cancel, cancelFunc := context.WithCancel(context.Background()) + go func() { + err2 := windows.CreateProcess(nil, a, nil, nil, true, windows.NORMAL_PRIORITY_CLASS, v, cwdPtr, &si, &pi) + if err2 != 
nil { + panic(err2) + } + cancelFunc() + }() + var to *windows.Token + for { + select { + case <-cancel.Done(): + if to != nil { + print(to.IsElevated()) + //print(to.IsMember()) + return + } else { + panic("not found") + } + default: + if pi.ProcessId != 0 { + token, err := wintoken.OpenProcessToken(int(pi.ProcessId), wintoken.TokenPrimary) + if err == nil { + ttt := token.Token() + to = &ttt + } + } + } + } +} diff --git a/pkg/util/elevatecheck_windows.go b/pkg/util/elevatecheck_windows.go index 499ba09e..06fe4fef 100644 --- a/pkg/util/elevatecheck_windows.go +++ b/pkg/util/elevatecheck_windows.go @@ -4,9 +4,11 @@ package util import ( + "context" "fmt" log "github.com/sirupsen/logrus" "github.com/wencaiwulue/kubevpn/pkg/util/wintoken" + "golang.org/x/sys/windows" "os" "os/exec" "os/signal" @@ -23,22 +25,23 @@ func RunWithElevated() { cmd.Stderr = os.Stderr cmd.Stdin = os.Stdin cmd.Env = append(os.Environ(), "KUBECONFIG="+os.Getenv("KUBECONFIG")) - //token, err := wintoken.GetInteractiveToken(wintoken.TokenLinked) + + //token, err := wintoken.OpenProcessToken(1234, wintoken.TokenPrimary) //if err != nil { // panic(err) //} - token, err := wintoken.OpenProcessToken(0, wintoken.TokenPrimary) - if err != nil { - panic(err) - } - err = token.EnableAllPrivileges() - if err != nil { - panic(err) + inner := RunWithElevatedInner() + if inner == 0 { + panic(inner) } + //err = token.EnableAllPrivileges() + //if err != nil { + // panic(err) + //} - defer token.Close() + //defer token.Close() cmd.SysProcAttr = &syscall.SysProcAttr{ - Token: syscall.Token(token.Token()), + Token: syscall.Token(inner), } // while send single CTRL+C, command will quit immediately, but output will cut off and print util quit final // so, mute single CTRL+C, let inner command handle single only 
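Review bot: `pkg/util/a_test.go` has no `//go:build windows` line and no `_windows` name suffix, yet it imports `golang.org/x/sys/windows`, so `go test ./...` on any other OS will most likely fail to compile package `util`; the new `pkg/util/wintoken/get.go` has the same gap. The three tests also depend on a path that exists on one developer machine only (`C:\\Users\\naison\\Desktop\\kubevpn-windows-amd64.exe`), start real `runas`/`ShellExecuteW` elevation attempts, and `panic` instead of calling `t.Fatal`, so they cannot run unattended in CI. I would put `//go:build windows` at the top of both files and open each test with `if os.Getenv("KUBEVPN_ELEVATION_TEST") == "" { t.Skip("interactive elevation test") }` (the variable name is a placeholder). The polling loops here also read `pi.ProcessId` while another goroutine is still inside `CreateProcess`, which `go test -race` would likely flag.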
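Review bot: In `RunWithElevated`, the handle returned by `RunWithElevatedInner()` goes straight into `SysProcAttr.Token` without any check that it is elevated. The `defer token.Close()` that used to release the handle is now commented out, so the new handle is never closed. `panic(inner)` also panics with the value `0`, which tells the user nothing about why elevation failed. I would replace the check with `if inner == 0 || !inner.IsElevated() { log.Fatal("could not obtain an elevated token") }` and follow it with `defer inner.Close()`, assuming the handle is owned by this caller once it is returned. `RunWithElevated` starts above this hunk and continues into the next one.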
@@ -47,42 +50,62 @@ func RunWithElevated() { signal.Notify(signals, os.Interrupt, os.Kill, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGKILL) <-signals }() - err = cmd.Run() + err := cmd.Run() if err != nil { log.Warn(err) } } -//func RunWithElevated() { -// verb := "runas" -// //exe, _ := os.Executable() -// cwd, _ := os.Getwd() -// args := strings.Join(os.Args[:], " ") -// -// //verbPtr, _ := windows.UTF16PtrFromString(verb) -// //exePtr, _ := syscall.UTF16PtrFromString(exe) -// cwdPtr, _ := syscall.UTF16PtrFromString(cwd) -// argPtr, _ := syscall.UTF16PtrFromString(args) -// -// // https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-showwindow -// //var showCmd int32 = 1 //SW_NORMAL -// //process := windows.CurrentProcess() -// //process := windows.GetDesktopWindow() -// //windows.Setenv("KUBECONFIG", os.Getenv("KUBECONFIG")) -// v, _ := syscall.UTF16PtrFromString("KUBECONFIG=" + os.Getenv("KUBECONFIG")) -// -// var si windows.StartupInfo -// var pi windows.ProcessInformation -////windows.TokenElevation -// // CreateProcess(NULL,"cleanmgr",NULL,NULL,FALSE,NORMAL_PRIORITY_CLASS,NULL,NULL,&si,&pi); //调用系统的清理磁盘程序 -// err := windows.CreateProcessAsUser(nil,nil, argPtr, nil, nil, true, windows.NORMAL_PRIORITY_CLASS, v, cwdPtr, &si, &pi) -// //r1, _, e1 := syscall.Syscall6(procShellExecuteW.Addr(), 6, uintptr(hwnd), uintptr(unsafe.Pointer(verb)), uintptr(unsafe.Pointer(file)), uintptr(unsafe.Pointer(args)), uintptr(unsafe.Pointer(cwd)), uintptr(showCmd)) -// //r1, _, e1 := syscall.Syscall12(procCreateProcessW.Addr(), 10, uintptr(unsafe.Pointer(appName)), uintptr(unsafe.Pointer(commandLine)), uintptr(unsafe.Pointer(procSecurity)), uintptr(unsafe.Pointer(threadSecurity)), uintptr(_p0), uintptr(creationFlags), uintptr(unsafe.Pointer(env)), uintptr(unsafe.Pointer(currentDir)), uintptr(unsafe.Pointer(startupInfo)), uintptr(unsafe.Pointer(outProcInfo)), 0, 0) -// //err := windows.ShellExecute(windows.Handle(process), 
verbPtr, exePtr, argPtr, cwdPtr, showCmd) -// if err != nil { -// logrus.Warn(err) -// } -//} +func RunWithElevatedInner() windows.Token { + verb := "runas" + exe, _ := os.Executable() + //cwd, _ := os.Getwd() + //args := /* strings.Join(os.Args[:], " ")*/ "" + + //verbPtr, _ := windows.UTF16PtrFromString(verb) + //exePtr, _ := syscall.UTF16PtrFromString(exe) + //cwdPtr, _ := syscall.UTF16PtrFromString(cwd) + //argPtr, _ := syscall.UTF16PtrFromString(args) + + // https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-showwindow + //var showCmd int32 = 1 //SW_NORMAL + //process := windows.CurrentProcess() + //process := windows.GetDesktopWindow() + //windows.Setenv("KUBECONFIG", os.Getenv("KUBECONFIG")) + //v, _ := syscall.UTF16PtrFromString("KUBECONFIG=" + os.Getenv("KUBECONFIG")) + //err := windows.ShellExecute(0, verbPtr, exePtr, argPtr, cwdPtr, showCmd) + //if err != nil { + // logrus.Warn(err) + //} + // runas /env /user:administrator "kubevpn-windows-amd64.exe" + strings := []string{"/env", "/user:administrator", fmt.Sprintf(`"%s version"`, exe)} + cmd := exec.Command(verb, strings...) + cancel, cancelFunc := context.WithCancel(context.Background()) + err := cmd.Start() + if err != nil { + panic(err) + } + go func() { + _ = cmd.Wait() + cancelFunc() + }() + var tt *windows.Token + for { + select { + case <-cancel.Done(): + if tt != nil { + return *tt + } + return 0 + default: + token, err := wintoken.OpenProcessToken(cmd.Process.Pid, wintoken.TokenPrimary) + if err == nil { + ttt := token.Token() + tt = &ttt + } + } + } +} func IsAdmin() bool { _, err := os.Open("\\\\.\\PHYSICALDRIVE0") diff --git a/pkg/util/wintoken/get.go b/pkg/util/wintoken/get.go new file mode 100755 index 00000000..ca1a9f3c --- /dev/null +++ b/pkg/util/wintoken/get.go 
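Review bot: The polling loop in `RunWithElevatedInner` calls `wintoken.OpenProcessToken` from a `select` `default:` branch with no delay, so it spins a core for as long as `runas` is running and opens a fresh token on every pass without closing the previous one. The PID it polls is `cmd.Process.Pid`, which is the `runas` launcher itself rather than the program `runas` starts, so the returned token is probably not the elevated one the caller expects and should be confirmed with `IsElevated()` before use. `/user:administrator` is also hard-coded, which ties the feature to a single account name. A bounded poll that releases superseded handles is sketched below; it needs `time` imported and assumes `Token()` exposes the handle the wrapper owns.

```go
	// … unchanged: build the runas command, start it, cancel the context when it exits …
	tick := time.NewTicker(100 * time.Millisecond)
	defer tick.Stop()
	var tt windows.Token
	for {
		select {
		case <-cancel.Done():
			return tt // still 0 when no token was ever opened
		case <-tick.C:
			token, err := wintoken.OpenProcessToken(cmd.Process.Pid, wintoken.TokenPrimary)
			if err != nil {
				continue
			}
			if tt != 0 {
				_ = tt.Close() // release the handle from the previous poll
			}
			tt = token.Token()
		}
	}
```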
@@ -0,0 +1,54 @@
+package wintoken
+
+import (
+ "golang.org/x/sys/windows"
+ "syscall"
+ "unsafe"
+)
+
+func GetIntegrityLevelToken(wns string) (windows.Token, error) {
+ var procToken syscall.Token
+ var token windows.Token
+
+ proc, err := syscall.GetCurrentProcess()
+ if err != nil {
+ return 0, err
+ }
+ defer syscall.CloseHandle(proc)
+
+ err = syscall.OpenProcessToken(proc,
+ syscall.TOKEN_DUPLICATE|
+ syscall.TOKEN_ADJUST_DEFAULT|
+ syscall.TOKEN_QUERY|
+ syscall.TOKEN_ASSIGN_PRIMARY,
+ &procToken)
+ if err != nil {
+ return 0, err
+ }
+ defer procToken.Close()
+
+ sid, err := syscall.StringToSid(wns)
+ if err != nil {
+ return 0, err
+ }
+
+ tml := &windows.Tokenmandatorylabel{}
+ tml.Label.Attributes = windows.SE_GROUP_INTEGRITY
+ tml.Label.Sid = (*windows.SID)(sid)
+
+ err = windows.DuplicateTokenEx(windows.Token(procToken), 0, nil, windows.SecurityImpersonation,
+ windows.TokenPrimary, &token)
+ if err != nil {
+ return 0, err
+ }
+
+ err = windows.SetTokenInformation(token,
+ syscall.TokenIntegrityLevel,
+ (*byte)(unsafe.Pointer(tml)),
+ tml.Size())
+ if err != nil {
+ token.Close()
+ return 0, err
+ }
+ return token, nil
+}
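Review bot: `GetIntegrityLevelToken` is exported without a doc comment, so nothing tells the caller what `wns` must be or who owns the returned handle. From the body, `wns` is a SID string that is written into the duplicated token's mandatory label through `SetTokenInformation(..., syscall.TokenIntegrityLevel, ...)`, and the primary token is returned still open. I would add `// GetIntegrityLevelToken duplicates the current process token as a primary token and sets its integrity label to the SID string wns.` followed by `// The caller must Close the returned token.` Nothing in the visible hunks calls this function, so it is worth confirming it belongs in this change at all.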