
Launch a process from a Service as Interactive User


Nadeem Haq

Dec 5, 2002, 5:02:55 AM
I've run into a problem with trying to launch a process as
the currently logged in user in Windows NT. I have a
Windows Service created in .Net that is running as
LocalSystem and has permission to interact with the
desktop. I need to be able to determine the currently
logged in user if any and then launch an application with
that user's permissions. Can anyone please help?

Brett Keown [MSFT]

Dec 9, 2002, 1:32:56 PM
Hi Nadeem,

I wish I could answer this for you, but I can not. I have sent a request
out to have someone respond as quickly as possible. Thanks for your
patience.

If you have any other questions or if you have trouble with getting a
response, please let me know. My email address is below.

Brett Keown
Microsoft Support
bre...@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.

Frank Kim

Dec 11, 2002, 2:42:35 PM
Hi Nadeem,

This can be done with the following gotchas.
1. Determining the currently logged on user in Windows NT/2000/XP
isn't very straightforward. There are no APIs to determine this and with
Terminal Server, it is quite possible that a Windows NT system has
multiple logged on users who are current.

There are multiple techniques to do this but none of them are 100%
reliable.

The only reliable method to determine if a user is logged on is
to have a process running as that user that can communicate its
status to your service. You can create a stub process that can
be launched via the various run keys in the registry or the startup
folder.

2. Starting a process in the security context of the user. Using the stub
process from #1, the stub process can communicate via IPC the PID to
the service and the service can call OpenProcessToken() to
obtain a token as that user and then launch a process in the
context of that user with CreateProcessAsUser().

Please let me know if you have any more questions.

Frank Kim
Microsoft Support
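
The service-side sequence from the post above (PID reported by the stub, OpenProcessToken(), CreateProcessAsUser()), as an added C# P/Invoke example that is not code from this thread. `UserLauncher`, `LaunchAsOwnerOf` and the `AppPath` placeholder are hypothetical names, and the caller is assumed to be the LocalSystem service.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
static class UserLauncher   // hypothetical helper inside the LocalSystem service
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int level, int type, out IntPtr dup);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessAsUser(IntPtr token, string app, string cmdLine, IntPtr procAttrs, IntPtr threadAttrs,
        bool inherit, uint flags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);
    const uint TOKEN_DUPLICATE = 0x0002, MAXIMUM_ALLOWED = 0x02000000;
    // Fixed by the service (placeholder path); never taken from the IPC message.
    const string AppPath = @"C:\Program Files\ExampleApp\app.exe";

    // Launches AppPath with the token of the process that owns stubPid; returns the new PID.
    public static int LaunchAsOwnerOf(int stubPid)
    {
        IntPtr token = IntPtr.Zero, primary = IntPtr.Zero;
        using (Process stub = Process.GetProcessById(stubPid))
        try
        {
            if (!OpenProcessToken(stub.Handle, TOKEN_DUPLICATE, out token)) throw new Win32Exception();
            // Duplicate into a fresh primary token: 2 = SecurityImpersonation, 1 = TokenPrimary.
            if (!DuplicateTokenEx(token, MAXIMUM_ALLOWED, IntPtr.Zero, 2, 1, out primary)) throw new Win32Exception();
            STARTUPINFO si = new STARTUPINFO();
            si.cb = Marshal.SizeOf(typeof(STARTUPINFO));
            si.lpDesktop = @"winsta0\default";   // the interactive window station and desktop
            PROCESS_INFORMATION pi;
            // env = NULL: the child gets the service's environment block, not the user's.
            if (!CreateProcessAsUser(primary, AppPath, null, IntPtr.Zero, IntPtr.Zero, false, 0,
                    IntPtr.Zero, null, ref si, out pi)) throw new Win32Exception();
            CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
            return pi.dwProcessId;
        }
        finally { CloseHandle(primary); CloseHandle(token); }
    }
}
```

The PID arrives over IPC from a less-privileged process, so the service launches only its own fixed executable and the resulting process runs with whatever token that PID's process holds.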

alexeib

Dec 11, 2002, 9:06:20 PM
Another useful thing is Winlogon notifications. Search
MSDN for "Winlogon Notification Events".
This is not easy and requires a very good understanding of
NT security model and objects.
Although, as it was said, under server with terminal
services, or under xp with fast user switching you can
have multiple logged on users. Only one of them I suppose
will be active -- having desktop for them.
a


Nadeem Haq

Dec 15, 2002, 1:59:55 PM
Thank you for your response. I was also told that using ManagementScope
and querying for Win32_LoggedOnUser and then checking the logon type to
see if it is interactive will allow me to determine the logged on user.
User.Identity.Name which I already tried returns the ID of the currently
running thread which in this case is local system. There is also a
registry key that I have found which seems to contain the name of the
interactive user although I don't know if this will always work. I was
wondering if there was a way to do an "su" type of command such as the one
in Unix, or impersonate which is what we have in .NET given that I know
the name of the logged in user but not the password or do I have to have
the process token if I do not have the password. Finally if I used
CreateProcessAsUser would I have to manually load the user's profile and
environment or should I use CreateProcessWithLogonW? Thanks.

Nadeem Haq


Frank Kim

Dec 16, 2002, 2:39:05 PM
Hi Nadeem,

>>Thank you for your response. I was also told that using ManagementScope
>>and querying for Win32_LoggedOnUser and then checking the logon type to
>>see if it is interactive will allow me to determine the logged on user.
>>User.Identity.Name which I already tried returns the ID of the currently
>>running thread which in this case is local system.

This is returning the identity of your process which is the service running
in local system account and not the interactively logged on user.
This is expected behavior.

>>There is also a registry key that I have found which seems to contain the
>>name of the interactive user although I don't know if this will always work.

As I mentioned in my previous reply, there are various techniques but none
are 100%, as in using the registry. If the registry key you are referring
to is under HKLM, specifically the winlogon key, this feature can be turned
off so it's not 100%. Also, you need to deal with Terminal Server.

>>I was wondering if there was a way to do an "su" type of command such as the
>>one in Unix, or impersonate which is what we have in .NET given that I know
>>the name of the logged in user but not the password or do I have to have
>>the process token if I do not have the password. Finally if I used
>>CreateProcessAsUser would I have to manually load the user's profile and
>>environment or should I use CreateProcessWithLogonW? Thanks.

The equivalent of the SU command is to either use CreateProcessWithLogonW()
or CreateProcessAsUser() which requires a password just like SU. SU will
allow you to launch a process in the same security context as the
interactive user but it isn't the actual interactive user.

In regards to the profile, since you are trying to run a process as the
interactive user, their profile is already loaded so you don't need to load
it again. This applies for either CreateProcessAsUser() or
CreateProcessWithLogonW().

To summarize, I would suggest the following:
1. Create a stub application that is launched when the interactive user is
logged on. When the service needs to launch a process as the interactive
user, call the stub application and launch an app via CreateProcess(). This
is much easier than having the service call CreateProcessAsUser() and
stealing a token from the interactive user.

I don't recommend launching the process from the service for the following:
1. You need to determine the interactive user or at least obtain a PID to
obtain a token.
2. You'll need to handle windowstation/desktop security if you use
CreateProcessAsUser().
3. If you don't have a PID but somehow you determined the interactive user,
you'll need to prompt the user for a password if you don't have it; this
requires your service to interact with the user which we don't recommend.

Nadeem Haq

Dec 16, 2002, 2:51:57 PM
I spent a little bit of time seeing if the impersonation feature would
suffice but what you have suggested is perfect. A stub process
definitely resolves the problem and eliminates the need for a password.
I appreciate your advice. For some reason I was stubbornly trying to
solve it on the service side only. Thanks for your help!!

Nadeem Haq
nh...@pobox.com
