Reputation: 2278
We have a service that runs as LocalSystem. We use CreateProcessAsUser and LoadUserProfile to start a working app as a specific user. Works just great. But if we try to use CreateProcessWithTokenW to avoid explicitly loading and managing the user profile, it fails, and the following is recorded in the event log:
Faulting application name: SomeApp.exe, version: 1.0.0.0, time stamp: 0x578a7819
Faulting module name: KERNELBASE.dll, version: 10.0.10586.494, time stamp: 0x5775e4c5
Exception code: 0xc06d007e
Fault offset: 0x0000000000071f28
Faulting process id: 0x24e4
Faulting application start time: 0x01d1df8d223316a6
Faulting application path: C:\SomePath\SomeApp.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: a2310c0d-7ddf-4241-92c9-de03e8de71e8
Faulting package full name:
Faulting package-relative application ID:
Is there a trick to get CreateProcessWithTokenW to work?
Upvotes: 2
Views: 3936
Reputation: 33716
When CreateProcessWithTokenW is called, the system makes an RPC call to ncalrpc:[SECLOGON], and the main task is actually done in the context of some svchost. SeclCreateProcessWithLogonW from seclogon.dll is called. Here is the trace of this function call:
Internally CreateProcessAsUserW is called, but before this you can see the call SetTokenInformation(..TokenSessionId..), so another SessionId is assigned to the token (read the comment about this in MSDN: "The process is run in the session specified in the token. By default, this is the same session that called LogonUser. To change the session, use the SetTokenInformation function."). Which SessionId is this? It is that of your service: look for the call to ProcessIdToSessionIdStub. But we really need to have the interactive SessionId in the token, not the one from the service. So my conclusion: CreateProcessWithTokenW is not suitable for executing an interactive process from a service.
---------- EDIT ----------------------
CreateProcessWithTokenW is a very thick shell around CreateProcessAsUserW. CreateProcessAsUserW requires SE_ASSIGNPRIMARYTOKEN_PRIVILEGE, but CreateProcessWithTokenW does not. For this reason CreateProcessWithTokenW uses a remote call to the seclogon service (which has SE_ASSIGNPRIMARYTOKEN_PRIVILEGE) to call CreateProcessAsUserW internally. But if we have SE_ASSIGNPRIMARYTOKEN_PRIVILEGE, it is better to call CreateProcessAsUserW directly ourselves. The main restriction of CreateProcessWithTokenW is that it sets the SessionId in the token based on the caller process's SessionId, and we cannot change this. However, CreateProcessAsUserW does not modify the SessionId in the token, so we can set the interactive SessionId in the token ourselves, or do nothing if the token is already from an interactive session. If we call CreateProcessWithTokenW from a service, the started app will run on a non-interactive window station (belonging to session 0).
Upvotes: 8