Starting an exe from within a service

ludwig.stuyck

Hi all,

I need to start an executable from within a windows service. I tried
the following code in the windows service:

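using System.Diagnostics;
using System.Security;

// Describe the process to launch. UseShellExecute must be false
// when alternate credentials are supplied.
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "filename.exe";
psi.Arguments = "arg1 arg2";
psi.UseShellExecute = false;

// Alternate credentials for the new process.
psi.Domain = "domain";
psi.UserName = "username";

// ProcessStartInfo.Password takes a SecureString, built one character at a time.
string password = "password";
SecureString secureString = new SecureString();
foreach (char c in password) { secureString.AppendChar(c); }
psi.Password = secureString;

// Start() is the call that fails with "Access is denied" inside the service.
Process process = new Process();
process.StartInfo = psi;
process.Start();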

However, when the Start() method is executed I always get the error
"Access is denied".

Can someone tell me what could be wrong or what the reason may be for
the error?

Thanks!
 
ludwig.stuyck

(e-mail address removed) wrote:
> Hi all,
>
> I need to start an executable from within a windows service. I tried
> the following code in the windows service:
>
> ProcessStartInfo psi = new ProcessStartInfo();
> psi.FileName = "filename.exe";
> psi.Arguments = "arg1 arg2";
> psi.UseShellExecute = false;
>
> psi.Domain = "domain";
> psi.UserName = "username";
>
> string password = "password";
> SecureString secureString = new SecureString();
> foreach (char c in password) { secureString.AppendChar(c); }
> psi.Password = secureString;
>
> Process process = new Process();
> process.StartInfo = psi;
> process.Start();
>
> However, when the Start() method is executed I always get the error
> "Access is denied".
>
> Can someone tell me what could be wrong or what the reason may be for
> the error?
>
> Thanks!

Extra information: if I don't specify the domain, username and
password, the exe is started under the SYSTEM account; but I need the
exe to be started under the currently logged on user.
 
Greg Young

And you are hard coding the username/password of the current user into the
code?

I would imagine this may not work, try using LogonUser
http://msdn.microsoft.com/library/en-us/secauthn/security/logonuser.asp?frame=true
and CreateProcessAsUser
http://msdn.microsoft.com/library/d...ry/en-us/dllproc/base/createprocessasuser.asp

If you google on the API function names with "C#" it is pretty easy to get
their definitions as well as some articles on usage.

Cheers,

Greg Young
MVP - C#
http://geekswithblogs.net/gyoung
 
Willy Denoyette [MVP]

| Hi all,
|
| I need to start an executable from within a windows service. I tried
| the following code in the windows service:
|
| ProcessStartInfo psi = new ProcessStartInfo();
| psi.FileName = "filename.exe";
| psi.Arguments = "arg1 arg2";
| psi.UseShellExecute = false;
|
| psi.Domain = "domain";
| psi.UserName = "username";
|
| string password = "password";
| SecureString secureString = new SecureString();
| foreach (char c in password) { secureString.AppendChar(c); }
| psi.Password = secureString;
|
| Process process = new Process();
| process.StartInfo = psi;
| process.Start();
|
| However, when the Start() method is executed I always get the error
| "Access is denied".
|
| Can someone tell me what could be wrong or what the reason may be for
| the error?
|
| Thanks!
|

Using alternate credentials to start a process from a 'localsystem' logon
session (SYSTEM) does not work on XP SP2 and W2K3. This is because the
underlying API used (CreateProcessWithLogonW()) needs the Logon SID of the
parent in order to add it to the access token of the client process (this
grants the client process access to the parent's desktop); however, a SYSTEM
logon token no longer contains a Logon SID, so the API fails.

One way to solve this issue (provided that the logon user and the one used
in the ProcessStartInfo are the same) is to impersonate (calling LogonUser
using the alternate credentials) before calling process.Start().
If both "login" and "alternate" user are different, you will have to
modify the DACLs for the windowstation/desktop, before you call
Process.Start.

Willy.
 
ludwig.stuyck

Greg Young wrote:
> And you are hard coding the username/password of the current user into the
> code?
>
> I would imagine this may not work, try using LogonUser
> http://msdn.microsoft.com/library/en-us/secauthn/security/logonuser.asp?frame=true
> and CreateProcessAsUser
> http://msdn.microsoft.com/library/d...ry/en-us/dllproc/base/createprocessasuser.asp
>
> If you google on the API function names with "C#" it is pretty easy to get
> their definitions as well as some articles on usage.
>
> Cheers,
>
> Greg Young
> MVP - C#
> http://geekswithblogs.net/gyoung


Thank you, I managed to launch a process with a specified account using
CreateProcessAsUser.

First I do an impersonation of a specific user, then I create a token
based on the impersonated windows identity (DuplicateTokenEx) and then
I use this token in CreateProcessAsUser to start a process.

However, I need to explicitly specify the username, domain and
password to impersonate.

Is it possible to retrieve the token of the currently logged on user
(which will be null if no user is logged on) so that I can impersonate
the currently logged on user from within the windows service?
 
ludwig.stuyck

(e-mail address removed) wrote:
> Greg Young wrote:
>
> Thank you, I managed to launch a process with a specified account using
> CreateProcessAsUser.
>
> First I do an impersonation of a specific user, then I create a token
> based on the impersonated windows identity (DuplicateTokenEx) and then
> I use this token in CreateProcessAsUser to start a process.
>
> However, I need to explicitly specify the username, domain and
> password to impersonate.
>
> Is it possible to retrieve the token of the currently logged on user
> (which will be null if no user is logged on) so that I can impersonate
> the currently logged on user from within the windows service?

Question: what are the consequences of starting an application from a
windows service so that it runs under the SYSTEM account? I ask this
because I noticed that the processes that correspond to the tray icons
also run under the SYSTEM account...
 
Willy Denoyette [MVP]

|
| (e-mail address removed) wrote:
|
| > Greg Young wrote:
| >
| > > And you are hard coding the username/password of the current user into the
| > > code?
| > >
| > > I would imagine this may not work, try using LogonUser
| > > http://msdn.microsoft.com/library/en-us/secauthn/security/logonuser.asp?frame=true
| > > and CreateProcessAsUser
| > > http://msdn.microsoft.com/library/d...ry/en-us/dllproc/base/createprocessasuser.asp
| > >
| > > If you google on the API function names with "C#" it is pretty easy to get
| > > their definitions as well as some articles on usage.
| > >
| > > Cheers,
| > >
| > > Greg Young
| > > MVP - C#
| > > http://geekswithblogs.net/gyoung
| >
| >
| > Thank you, I managed to launch a process with a specified account using
| > CreateProcessAsUser.
| >
| > First I do an impersonation of a specific user, then I create a token
| > based on the impersonated windows identity (DuplicateTokenEx) and then
| > I use this token in CreateProcessAsUser to start a process.
| >
| > However, I need to explicitly specify the username, domain and
| > password to impersonate.
| >
| > Is it possible to retrieve the token of the currently logged on user
| > (which will be null if no user is logged on) so that I can impersonate
| > the currently logged on user from within the windows service?
|
| Question: what are the consequences of starting an application from a
| windows service so that it runs under the SYSTEM account? I ask this
| because I noticed that the processes that correspond to the tray icons
| also run under the SYSTEM account...


User processes that have a UI should never run in the TCB, that is, they
should never run as SYSTEM. Even Windows services should (preferably) not
run as SYSTEM; use one of the service accounts like LOCAL_SERVICE or
NETWORK_SERVICE to run a service if you care about security.

Willy.
 
