"Access denied" while trying to change a service priorityclass

muradjames

Yes, sorry I tried to make it clear in the original question that I want to
get the user token of the service - i.e. the account the service is running
under. I know services don't have user tokens - I suspect users do have
tokens, hence "user token", otherwise we might call them "service tokens" or
somesuch :)

If you read the question again, you might see that the fundamental question
is, *assuming there is no other approach*:

The service runs as "Local System" - can I impersonate the "Local System"
account?

I don't believe that "logonuser" can help with this.

What I was trying to demonstrate with the code is that I can get the process
that the service is running as - I just cannot get its user token.

Is there anyone here who can understand my original question and have a go
at answering it? I would be grateful for any assistance.

Nicholas Paldino said:
Well, you would want to get the token of a user that has the appropriate
rights to change the priority of the class.

There is no such thing as the user token of the service. The service
runs under a user account, and that user is the one associated with the
process/thread.

If you don't have the appropriate permissions then you need to have the
service run under a user account that has permissions (in which case, none
of this is necessary), or call the LogonUser API function through the
P/Invoke layer, passing the username and password of the user you want to
impersonate, then use the user token returned from LogonUser to pass to the
Impersonate method (the documentation for the Impersonate method should have
an example of how to call LogonUser).

It should be noted that changing the priority of any process is
generally a bad idea.


--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)

muradjames said:
I have a service running on my PC. I want to set the service's PriorityClass
to BelowNormal. I use the following code:

    Process process = GetServiceProcess();

    // How can I get the user's token (Local System) from the process, or wherever?

    using (WindowsImpersonationContext user = WindowsIdentity.Impersonate(userToken))
    {
        process.PriorityClass = Settings.Default.servicePriority;
    }

Clearly, this cannot work - I need the userToken.

So, my questions are:

1) Is this the correct approach? I am assuming that the "access denied" is
caused by the fact that my application is running as one user, and the
service is running as local system so I cannot change it? My approach is to
impersonate the local system user while I change the priority class.

2) If this is correct, how can I get the user token *of the service* (i.e.
the Local System token) so that I can impersonate it?

I am using .Net 3.5, by the way...any help gratefully accepted!!!
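
The LogonUser route described in the quoted reply above, as an added example that is not part of the original thread: it obtains a token through P/Invoke, impersonates it only for the duration of the priority change, and always reverts and closes the token. `PriorityChanger`, `SetPriorityAs` and its parameters are hypothetical names, and the sketch assumes an account that has a password and is permitted to change the target process, so it does not cover the Local System case asked about.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class PriorityChanger   // hypothetical helper, not from the thread
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Changes the priority class of process `pid` while impersonating the
    // given account. The password should come from a prompt or a protected
    // store, never from a literal in source or configuration.
    public static void SetPriorityAs(string user, string domain, string password,
        int pid, ProcessPriorityClass priority)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // Disposing the context reverts the thread to its own identity,
            // even if the priority change throws "Access is denied".
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            using (Process process = Process.GetProcessById(pid))
            {
                // The access check for this call is made against the
                // impersonated account, not the application's own user.
                process.PriorityClass = priority;
            }
        }
        finally
        {
            CloseHandle(token);   // the logon token is an OS handle; release it
        }
    }
}
```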
 
Nicholas Paldino [.NET/C# MVP]

I see what you are saying now.

Getting the user that the process executes under doesn't guarantee that
you will have rights to elevate the priority of the process. I don't know
if the LocalService account does (it's easy enough to check though, create a
service to run under the LocalService account and see if you can elevate
your own priority).

Impersonating the local service seems to be a little more difficult, and
is laid out here:

http://geek.hubkey.com/2008/02/impersonating-built-in-service-account.html

If the LocalService account doesn't allow this, then you have to run the
program attempting to elevate the process under an account that does have
the appropriate permissions.


--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)


 
muradjames

Thanks Nicholas. The funny thing is that I can lower the priority class for
the service to "BelowNormal" (what I want to do) using Sysinternals process
explorer. However, when I try from my app, I get "access denied". I wonder if
the problem is something else, rather than permissions...in fact, I just
tried this:

I used WindowsIdentity.GetCurrent() to get the user name in the app and it's
me (not unexpected). I am an administrator on this pc so why can I not drop
the priority class of the service? Maybe this is a "red herring".

Re your second point - how can I elevate my privileges? Is that by using
GetCurrent() and passing a TokenAccessLevels access level? If so, what should
I request? (or is there more to it than that?)

Thanks again!

 
