Vista: create a process from service with out popping up any dialog boxes

views:

answers:

Vista: create a process from service with out popping up any dialog boxes

Hello All,

I am new to vista and not a advanced programmer. From past few days i am trying to digest many technical details about vista. But still i have few basic questions on it. Hope you all will be help me in getting the answers for my questions.

Can we create a interactive process(which is having a embedded manifest file with "invokeAsAdministrator") from a service which is running under Local system account?

Here i know about the session 0 isolation and all.Still i am asking this question because, when i create a interactive process through CreateProcessAsUser(which requires admin privileges) it is failing with error 740. While using this i have given proper session id. The session id is that of my active desktop, where my user login as administrative privilages.

If the process can be created does that show up the UAC dialog?

If the UAC dialog shows up, can we avoid this?

+1 A:

It is well understandable problem. Local account has no privelegies of admin. The only thing you can do is impersonation. Temporary you emulates another account (in your case it is admin). Example of this technique you can find in MSDN for topic WindowsIdentity.Impersonate ( http://msdn.microsoft.com/en-us/library/chf6fbt4.aspx )

EDIT

Sorry, only after post noticed that you use vc++, On Win API use ImpersonateLoggedOnUser

Dewfy 2010-02-17 11:01:40

So create the process from a service, i need the username, password and domain name of the computer. I guess there is no way to create the process with out these inputs, even the logged on user is a administrator. Please correct me, if I am wrong.

coolcake 2010-02-17 11:18:10

@coolcake - yes you are right. BUT you have 2 options: (1) create fake user that belongs to admin, but restrict them by removing most privelegies then impersonate to it. (2) Start your service not from LOCAL, but from this fake user account - for example IIS starts webservice exactly the same way from IIS_XXXX user.

Dewfy 2010-02-17 11:24:07

Hello Dewfy,Thanks alot for your prompt response. Can I create fake user and all from the code? I am currently porting a legacy code to Vista where earlier a exe was being launched from a service. Sorry if I am askig you basic questions.

coolcake 2010-02-17 11:30:36

@coolcake of course it is possible, but note - to create user LOCAL SYSTEM account is insufficient! If you going do it at "install" time, then I recommend you to look at WMI (just couple seconds to google this article: http://www.eggheadcafe.com/forumarchives/scriptingVisualBasicscript/Feb2006/post25982736.asp )

Dewfy 2010-02-17 11:37:52

Hello Dewfy,What ever the token I was getting before posting this question, that is of my Admin account only. I have confirmed this using the api GetUserName(). After this I have called ImpersonateLoggedOnUser with that token, the impersonation call succeeds but still CreateProcessAsUser fails with error 740. Please help.

coolcake 2010-02-17 12:09:07

Looking at http://www.codeproject.com/KB/vista-security/UAC__The_Definitive_Guide.aspx?display=Print ERROR_ELEVATION_REQUIRED (740) is rather popular Vista problem. Note it also can be result of using non-release version. So look at link to fix this error

Dewfy 2010-02-17 12:20:39

I am back to the very basic problem again. I am creating the process using the PRIMARY TOKEN of user, doing impersonation still I need to use third party libraries to solve the problem? I am not understanding when i have administrator token and impersonate on it and use createprocessasuser still cannot create a interactive process.

coolcake 2010-02-17 12:56:34

"Elevate.dll" - is not third party, but Vista on board

Dewfy 2010-02-17 13:21:18

Is it not possible to create a process from service other than above approach? I do not know how much i can depend on the above codeproject article. Is there no microsoft recommended way for doing this?

coolcake 2010-02-17 15:13:57

@coolcake from my point of view codeproject's article looks correct. Bu you can find explanation of ERROR_ELEVATION_REQUIRED on msdn site also. In short it described http://msdn.microsoft.com/en-us/library/bb756945.aspx

Dewfy 2010-02-18 09:17:32

Hello Dewfy, Thanks alot for your reply. Cannot depend on the articl of code project as no one has recommended it. I am looking for creating a process which requires admin privileges. I see that shellexecute is the only option but it does provide the customisation of createprocess or createprocessasuser. Microsoft should have provided a proper way for this even in Vista.

coolcake 2010-02-18 17:19:09

The createprocessasuser is failing in my case because by default when we query for the user token for the users desktop session I was getting a restricted token that was created for the user (for administrators two tokens are created 1)restricted token 2) full token; any how my application can be run only by administrators).

By browsing the net i have found that i have to find for linked token and use that token for creation of process.

The code for creation of process from service can be found in the following question: http://stackoverflow.com/questions/2212285/desktop-problem-with-using-createprocessasuser-from-a-service-on-vista

coolcake 2010-03-29 11:18:44

ansaurus

tags:

views:

answers:

Vista: create a process from service with out popping up any dialog boxes

related questions