Launching a program using LocalSystem Service CreateProcessAsUser equivalent to double-clicking on the icon when logged in? [C#]

Question

At my company we have a product which pretty much interacts with everything you can imagine... registry, databases, devices, etc... it is composed of many parts but the entire application is launched by a single executable (start.exe) which is responsbile for launching everything else - this is all legacy code and run under a USER account.

Currently this is launched as a STARTUP item (or by double-clicking on the desktop icon) in Windows, meaning when the user logins into the USER account the application (start.exe) automatically kicks off, under this account it has all the permissions it needs to run and everything has been fine for years...

Now comes the change - I have written a service (Serv.exe) that is running as LocalSystem - this service is responsible for updating the various software components of our product and works as follows: - when the product detects an update it signals the LocalSystem service (Serv.exe) and then terminates itself - Serv.exe will then perform all the updating

Now, after everything is done, the product (via start.exe) needs to be launched again automatically ... and this is where I need some advice ... what is the best way to restart the product (start.exe)?

Right now I use the LocalSystem Service (Serv.exe) and impersonate the USER account as follows: - CreateEnvironmentBlock for the USER - CreateProcessAsUser(start.exe) as the USER with the corresponding EnvBlock - DestroyEnvironmentBlock

But is this really 100% equivalent to double-clicking on the icon in the USER account context? I need to ensure that everything is identical when it is either launched on STARTUP of USER or by Impersonation from Serv.exe (LocalSystem) - is there a risk involved? Will I still have the same rights/abilities with all databases? registry? device interaction? etc..

By loading the EnvBlock I seem to get everything I need but ... is this not a good way to do it...?

Kind of hoping for some guidance and advice from the pro's out there ... Any help or hints would be much appreciated. Thanks,

Answer 1

Update: Here is a post named: Launching an interactive process from Windows Service in Windows Vista and later. Which is exactly what you are looking for. It starts with:

The first thing you should do about it is that; don't do it. There are many limitations and bad implications and restrictions involved.

So first test if your current solution works. That depend on what the process is doing. If it is not involving user interaction. Or manipulating the current user session. Then you don't need this complex solution. If you need it, than good luck!

Before update: Its not 100% equivalent. Except authorization there are, in windows, sessions and, in each session, there are desktops. The process that is lunched from the service will run on the service session and desktop ( if the service has it). Depending on what the start.exe does, it may be important or not.

Look at the SetTokenInformation function.

Answer 2

Instead of launching the application directly as a "startup item" you could start a "launcher.exe" that then would launch your application. The service could then signal "launcher.exe" that another instance of the application should start after an update. Using this method you can't use the service to update "launcher.exe", but this executable should be very simple and hopefully not require any updates. Using this method would avoid all the pitfalls of trying to start an interactive application from a service.