Reputation: 17416
From a service started as Local System Account, run a program as a logged in user
tl/dr: I'm looking for a way to run a program as the user who is currently logged in from a service that is started as Local System Account.
Long Version:
Follow up from: Get current username from a program started as Local System Account
My program is started from a service that runs as Local System Account.
This service is started at windows start-up time and basically provides functionality to some hardware buttons e.g. displaying an on screen keyboard. My program is also assigned to one of the buttons, but it is only available when an actual user is logged in.
What it does is to take a picture using a hardware camera and to store it somewhere on the file system, which is working fine, but I can't store pictures on a network path, which is understandable, because doing so requires authentication.
If the program is started directly as the logged in user, this authentication is available and storing files on a network path works fine.
Is there any way how I can solve this problem?
My preferred solution would be to start the program as the user who currently logged in without storing the password and username somewhere.
Working solution found on a different site: http://chabster.blogspot.com/2008/01/run-as-interactive-user-from-service.html
stdafx.h:
#include <WtsApi32.h>
#pragma comment(lib, "WtsApi32.lib")
#include <Userenv.h>
#pragma comment(lib, "Userenv.lib")
RunAsInteractiveUser function:
BOOL bRet;
HRESULT hr;
HANDLE processToken = NULL;
TOKEN_PRIVILEGES oldTokenPrivileges = { 0 };
HANDLE impersonationToken = NULL;
HANDLE userToken = NULL;
LPVOID pEnvironment = NULL;
PROCESS_INFORMATION processInformation = { 0 };
__try {
bRet = OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &processToken);
if (!bRet) {
hr = GetLastError();
return hr;
}
// This step might not be necessary because
// SeTcbPrivilege is enabled by default for Local System
LUID luid;
bRet = LookupPrivilegeValue(NULL, _T("SeTcbPrivilege"), &luid);
if (!bRet) {
hr = GetLastError();
return hr;
}
TOKEN_PRIVILEGES adjTokenPrivileges = { 0 };
adjTokenPrivileges.PrivilegeCount = 1;
adjTokenPrivileges.Privileges[0].Luid = luid;
adjTokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
DWORD dwOldTPLen;
bRet = AdjustTokenPrivileges(processToken, FALSE,
&adjTokenPrivileges, sizeof(TOKEN_PRIVILEGES),
&oldTokenPrivileges, &dwOldTPLen);
if (bRet) {
hr = GetLastError();
if (hr == ERROR_SUCCESS);
else if (hr == ERROR_NOT_ALL_ASSIGNED) {
// Enabled by default
}
}
else {
hr = GetLastError();
return hr;
}
DWORD conSessId = WTSGetActiveConsoleSessionId();
if (conSessId == 0xFFFFFFFF) {
// There is no session attached to the console
return ERROR_SUCCESS;
}
bRet = WTSQueryUserToken(conSessId, &impersonationToken);
if (!bRet) {
hr = GetLastError();
return hr;
}
bRet = DuplicateTokenEx(impersonationToken, MAXIMUM_ALLOWED, NULL,
SecurityIdentification, TokenPrimary, &userToken);
if (!bRet) {
hr = GetLastError();
return hr;
}
STARTUPINFO si = { 0 };
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = _T("winsta0\\default");
bRet = CreateEnvironmentBlock(&pEnvironment, userToken, TRUE);
if (!bRet) {
hr = GetLastError();
return hr;
}
bRet = CreateProcessAsUser(userToken, _T("C:\\Windows\\notepad.exe"),
NULL, NULL, NULL, FALSE, CREATE_UNICODE_ENVIRONMENT,
pEnvironment, NULL, &si, &processInformation);
if (!bRet) {
hr = GetLastError();
return hr;
}
}
__finally {
if (processInformation.hThread) {
CloseHandle(processInformation.hThread);
}
if (processInformation.hProcess) {
CloseHandle(processInformation.hProcess);
}
if (pEnvironment) {
bRet = DestroyEnvironmentBlock(pEnvironment);
}
if (userToken) {
CloseHandle(userToken);
}
if (impersonationToken) {
CloseHandle(impersonationToken);
}
if (processToken) {
bRet = AdjustTokenPrivileges(processToken,
FALSE, &oldTokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
CloseHandle(processToken);
}
}
Upvotes: 3
Views: 2375
Answers (1)
Reputation: 3056
you have to use CreateProcessAsUser. A guide can be found here and here. Hope this helps.
Upvotes: 2
Related Questions
- Run process from a windows service as the current user with administrative privilege
- Run a process from a windows service as the current user
- Calling OpenWindowStation from a service running under a "user" account
- Running a windows service as a privileged user
- How to access to a shared resource with a windows service using local system user?
- Installing a windows service as another user than Network Service
- How to run a separate process as a domain user with a 'local system' service?
- How to run an executable as a system service?
- Running a process as the current user from a SYSTEM process
- Executable started by a windows service using the local system account cannot access network shares