Run Windows services as user




















I currently have a windows service that is running under the System Account.

My problem is that I need to start certain processes from within the service as the current logged on user. My problem is that I need to spawn a process as the logged on user but will not know the user credentials etc. The service is. I do not necessarily want to launch a new process, I just want to impersonate the logged on user.

I have been so wrapped up at looking at CreateProcess etc I have led myself down a path of create a new process as the current logged in user which is not particularly what I want to do. In turn I just want to run some code under the current user context. Impersonate the current logged on user?

One option is to have a background application that automatically starts when the user logs on and listens to commands from your service through WCF, or thrift, or by just monitoring some file and reading commands from there.

Another option is to do what you originally asked for - launch using the Windows API. But the code is quite scary. Here is a sample that you can use. It will execute any command line under the currently active user session, with the CreateProcessInConsoleSession method:

As is so common with these types of questions about Windows services, you're operating in the mindset of a single-user operating system. The whole reason you decided to write your app as a service was because you were running into conflicts between your mental model of a single-user OS and the reality of a multi-user OS.

Unfortunately, a service didn't solve all of your problems and now you're trying to figure out how to accomplish step two in the ultimately-doomed hacked design. The fact is, you cannot be guaranteed that there is a "logged on user".

If no one has logged on to the workstation, there will be no one logged on, yet your service will still be running. Even if you somehow got past this by ensuring that someone will always be logged on (impossible), then you would run into the situation where multiple users are logged on. Then which one should your service start the process as?

Should it just pick one of them randomly? And is it necessary in your case to distinguish between users logged on locally to the console and those who are logged on remotely? Remember that remote users won't have a local console. If you could somehow get past all of these hurdles (unfortunately, probably by burying your head in the sand and continuing to pretend that Windows is a single-user OS), you could make use of the WTSGetActiveConsoleSessionId function to obtain the current session ID, the WTSQueryUserToken function to obtain the user token corresponding to that session ID, and then finally the CreateProcessAsUser function to launch your process in the context of that user.

This article describes how to enable and use the Run as feature in Microsoft Windows Server. You can use the Run as feature to run a program, MMC console, or Control Panel tool by using the credentials of a user other than the currently logged on user. This makes it possible for a user with multiple accounts to run a program as a different user.

For example, you can use the Run as feature to start a program as an administrator if you want to perform administrative tasks when you are logged on as a member of another group, such as the Users or Power Users group. By default, the Secondary Logon service starts automatically when you start Windows.

If a per-user service can't be disabled using the security template, you can disable it by using Group Policy preferences.

In the list of values, highlight Start and click Select. Change Value data from to and click OK. To add the other services that cannot be managed with Group Policy templates, edit the policy and repeat steps If you cannot use Group Policy Preferences to manage the per-user services, you can edit the registry with reg.

To disable the Template Services, change the Startup Type for each service to 4 (disabled). For example:

We recommend that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied.

As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. If you must edit the registry, use extreme caution.

If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit. To disable the template services, change the Startup Type for each service to 4 (disabled):

Beginning with Windows 10, version and Windows Server, version , you can prevent the per-user service from being created by setting UserServiceFlags to 0 under the same service configuration in the registry:
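An added read-only audit of the two registry settings described above (not part of the original page): it lists per-user service templates with their Start value and UserServiceFlags, so you can confirm which ones are disabled or blocked from creating instances. The Services key path and the use of the 0x40 and 0x80 Type bits to identify templates are assumptions not stated on the page, and `Get-PerUserServiceTemplate` is a hypothetical helper name.

```powershell
# Added example: read-only audit of per-user service templates.
# Assumption: a template has the SERVICE_USER_SERVICE bit (0x40) set in its
# Type value and the SERVICE_USERSERVICE_INSTANCE bit (0x80) clear.
$SERVICE_USER_SERVICE         = 0x40
$SERVICE_USERSERVICE_INSTANCE = 0x80
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-PerUserServiceTemplate {
    param(
        # Assumed location of the service configuration keys.
        [string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    )

    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $p -or $null -eq $p.Type) { return }   # not a service key

        $type = [int]$p.Type
        if (-not ($type -band $SERVICE_USER_SERVICE)) { return }       # ordinary service
        if ($type -band $SERVICE_USERSERVICE_INSTANCE) { return }      # per-session instance

        $start = if ($null -ne $p.Start) { $StartNames[[int]$p.Start] } else { 'Unknown' }
        $flags = $p.UserServiceFlags

        [pscustomobject]@{
            Name             = $_.PSChildName
            StartupType      = $start
            UserServiceFlags = $flags
            # Start = 4 disables the template, as described above.
            Disabled         = ($start -eq 'Disabled')
            # UserServiceFlags = 0 prevents the per-user service from being created.
            CreationBlocked  = ($null -ne $flags -and [int]$flags -eq 0)
        }
    }
}

# Templates that are neither disabled nor blocked still spawn an instance per logon.
Get-PerUserServiceTemplate |
    Sort-Object Disabled, CreationBlocked, Name |
    Format-Table -AutoSize
```

The function only reads the registry, so it can be run before and after a Group Policy preference or reg change to verify that the intended templates show `Disabled` or `CreationBlocked` as True.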

If you're using custom images to deploy Windows, you can modify the Startup Type for the template services as part of the normal imaging process.

For example, if the service tries to open a handle to a pipe, the system compares the service's access token to the pipe's security descriptor before granting access. The SCM does not maintain the passwords of service user accounts. If a password is expired, the logon fails and the service fails to start.

The system administrator who assigns accounts to services can create accounts with passwords that never expire. The administrator can also manage accounts with passwords that expire by using a service configuration program to periodically change the passwords. If a service needs to recognize another service before sharing its information, the second service can either use the same account as the first service, or it can run in an account belonging to an alias that is recognized by the first service.


