I wish I could answer this for you, but I cannot. I have sent a request
out to have someone respond as quickly as possible. Thanks for your
patience.
If you have any other questions or if you have trouble with getting a
response, please let me know. My email address is below.
Brett Keown
Microsoft Support
bre...@online.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights.
This can be done with the following gotchas.
1. Determining the currently logged on user in Windows NT/2000/XP
isn't very straightforward. There are no APIs to determine this and with
Terminal Server, it is quite possible that a Windows NT system has
multiple logged on users who are current.
There are multiple techniques to do this but none of them are 100%
reliable.
The only reliable method to determine if a user is logged on is
to have a process running as that user that can communicate its
status to your service. You can create a stub process that can
be launched via the various run keys in the registry or the startup
folder.
2. Starting a process in the security context of the user. Using the stub
process from #1, the stub process can communicate via IPC the PID to
the service and the service can call OpenProcessToken() to
obtain a token as that user and then launch a process in the
context of that user with CreateProcessAsUser().
Please let me know if you have any more questions.
Frank Kim
Microsoft Support
Nadeem Haq
>>Thank you for your response. I was also told that using ManagementScope
>>and querying for Win32_LoggedOnUser and then checking the logon type to
>>see if it is interactive will allow me to determine the logged on user.
>>User.Identity.Name which I already tried returns the ID of the currently
>>running thread which in this case is local system.
This is returning the identity of your process which is the service running
in local system account and not the interactively logged on user.
This is expected behavior.
>>There is also a registry key that I have found which seems to contain the
>>name of the interactive user although I don't know if this will always work.
As I mentioned in my previous reply, there are various techniques but none
are 100%, as in using the registry. If the registry key you are referring to
is under HKLM, specifically the winlogon key, this feature can be turned off
so it's not 100%. Also, you need to deal with Terminal Server.
>>I was wondering if there was a way to do an "su" type of command such as the
>>one in Unix, or impersonate, which is what we have in .NET, given that I know
>>the name of the logged in user but not the password, or do I have to have
>>the process token if I do not have the password. Finally, if I used
>>CreateProcessAsUser would I have to manually load the user's profile and
>>environment or should I use CreateProcessWithLogonW? Thanks.
The equivalent of the SU command is to either use CreateProcessWithLogonW()
or CreateProcessAsUser() which requires a password just like SU. SU will
allow you to launch a process in the same security context as the
interactive user but it isn't the actual interactive user.
In regards to the profile, since you are trying to run a process as the
interactive user, their profile is already loaded so you don't need to load
it again. This applies for either CreateProcessAsUser() or
CreateProcessWithLogonW().
To summarize, I would suggest the following:
1. Create a stub application that is launched when the interactive user is
logged on. When the service needs to launch a process as the interactive
user, call the stub application and launch an app via CreateProcess(). This
is much easier than having the service call CreateProcessAsUser() and
stealing a token from the interactive user.
I don't recommend launching the process from the service for the following:
1. You need to determine the interactive user or at least obtain a PID to
obtain a token.
2. You'll need to handle windowstation/desktop security if you use
CreateProcessAsUser().
3. If you don't have a PID but somehow you determined the interactive user,
you'll need to prompt the user for a password if you don't have it, this
requires your service to interact with the user which we don't recommend.
Nadeem Haq
nh...@pobox.com