Geek Answers Handbook

Starting a WinNet WinNet Application Interactively from a Service

Wednesday - VS2008, Vista SP1.

I wrote a process management service that can run applications either in session 0 or in an interactive console (usually 1). Please note that this is NOT a normal mode of operation, it is intended for internal debugging purposes only. In the field, these processes will be safely hidden in session 0. Security problems are not applied.

It is clear that people do not read this: security problems do not apply. We have dozens of existing server applications (NOT services) written as follows. We are not going to completely update these applications, we just need to be able to enter their built-in debug dialogs when launching release versions within the company. I already know everything about the canonical solution and pipes, etc. If it was acceptable to add remote interfaces to all these applications, this is what we will do.

For this, I use the following code:

ZeroMemory (&sui, sizeof(STARTUPINFO)); sui.cb = sizeof (STARTUPINFO); sui.wShowWindow = pTask->GetWinStartState() ; sui.dwFlags = STARTF_USESHOWWINDOW ; ZeroMemory (&pi,sizeof(pi)); if (bInteractive) { HANDLE hToken = NULL; DWORD dwSessionId = WTSGetActiveConsoleSessionId(); WTSQueryUserToken (dwSessionId, &hToken); sui.lpDesktop = TEXT("winsta0\\default"); LPVOID pEnv = NULL; DWORD dwCreationFlag = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE; HMODULE hModu = LoadLibrary(TEXT("Userenv.dll")); if (hModu ) { if (CreateEnvironmentBlock (&pEnv, hToken, FALSE)) dwCreationFlag |= CREATE_UNICODE_ENVIRONMENT; else pEnv = NULL; } bCreatedOk = CreateProcessAsUser (hToken, NULL, (LPTSTR)(pTask->GetExeName()), NULL, NULL, FALSE, dwCreationFlag, pEnv, NULL, &sui, &pi); } else { bCreatedOk = CreateProcess (NULL, ... blah...); }

All this works fine, and I can start and control my own processes both in the Vista service session and in the console. Fine. Cakes and ale for everyone.

So here is the problem. If I try to run the winforms (C #) application in an interactive mode similar to this, it will be launched, it appears in Process Explorer as running in session 1, but on the desktop ... nada. The window is missing. The process starts and stops normally, but the window never appears. Exactly the same winform exe launched from Explorer also appears in session 1, but this time on the desktop it’s just fine.

Any ideas?

+1
c ++ winapi winforms windows-services
source share
3 answers

Despite the obvious hysteria, there is nothing wrong with launching an application from a service into an interactive session, provided that it runs with the same privileges as the interactive user or lower . Since you are running as an interactive user, escalation of privileges cannot be.

What you do works. I suspect the problem is with your STARTUPINFO structure. It seems you are creating your sui on the stack, but you are not showing what you are doing with it. You initialize it for all 0s, if not you can get some kind of garbage from the stack, which causes the window not to show or show on some coordinates from the screen.

+1
source share

In a word, "do not."

Typically, services operate with reduced privileges and NOT as the current user. Therefore, in Vista + they are not allowed to interact with the users desktop. In addition to all this, services receive a null Window station.

Previously, you could check the box that said something like "Allow interacting with the desktop," but no more. This is bad practice.

It’s best to create a helper application that runs in the context of users and interacts with the service through a named pipe, LRPC or socket, and then your helper application runs the program for the user. This is how most antiviruses work.

Also, read this white paper from Microsoft on this subject. Services cannot be performed by anything other than session 0.

NOTE. A little research seems to indicate that you need to duplicate the token using something like this:

 DuplicateTokenEx(hTokenNew,MAXIMUM_ALLOWED,NULL, SecurityIdentification,TokenPrimary,&hTokenDup);
0
source share

It sounds like you're trying to break Session Isolation. As Mystere Man said, I don’t think it is right.

http://support.microsoft.com/?scid=kb%3Ben-us%3B165194&x=5&y=3 may be useful if you really want to. In the sample code there, they seem to initialize more than you.

EDIT . If for debugging purposes, ie VS VS 2008 step, just add a wait loop at the beginning and start VS with administrator privileges. You can connect to your service without causing system isolation.

0
source share

More articles:


All Articles