NT Service and Hook problem .....


 I made a system that monitors some messages through a Hook, the
communication between Hook and the program is made through named pipes,
this works very well and without any problem,
 I get to monitor the messages correspondents for any program being
executed in the system, this everything works in the windows 2000 prof.
SP2, with Administrator login,  but I had to alter the program. . . .
and make it a service of the windows.

I have a problem with the service (I believe at least) the problem is
that Hook is not executed. . . to not to be when I click well in the
button of " Ok " in the service message installed and when it is in the
" ok " to the uninstall, I could monitor the operation of the hook with
a log " file. . . and out of the service he is not used. . . . the only
reason that I can think so that this happens it is a problem of safety.
. . , but I inform that the service was installed and tested with the
administrating user (windows 2000 sp2), any idea is wellcome ....!!!!

Sorry my poor English ...

Thanks in advance,

Who is Participating?
Russell LibbyConnect With a Mentor Software Engineer, Advisory Commented:


User account has nothing to do with your problem, but running interactive does. In your situation, you can set a global hook, but it won't do anything.



On a computer running Microsoft Windows NT 4.0, a Win32 Service cannot set a hook on a 32-bit GUI application.

When an interactive service wants to hook a user's process, it is not allowed to because the desktop opened does not have the DF_ALLOWOTHERACCOUNTHOOK flag set.

A fix was developed such that if "Allow Service to Interact with Desktop" is set, the service is allow to set hooks on a user's process. This fix requires Microsoft Windows NT version 4.0 Service Pack 2 to be installed.
Check the rights of the user that is used by the service when running. Even if you installed it as Administrator, it will run under SYSTEM (I guess) and it might miss a right (most likely debug or similar).
Unless someone else comes up with a better suggestion:
For testing, make a user with every conceivable right and assign it to your service. If it runs OK, try to remove one-by-one rights until it fails. Beware that you might be creating a huge security hole by doing this. Do not use it in a production environment until you sort out all the potential security issues.

Just guessing, too,
fva is probably pointing you into the right direction. The SYSTEM account is sort of a local administrator account, but with no networking access (excapt for direct network protocol access). Named pipes are considered to be network features, thus you cannot use them from within a service which runs in the SYSTEM account.

You have pretty much two possible solutions:
* Make your app run as another user
* Use another method to do IPC which is allowed for the SYSTEM user, for instance TCP/IP
Train for your Pen Testing Engineer Certification

Enroll today in this bundle of courses to gain experience in the logistics of pen testing, Linux fundamentals, vulnerability assessments, detecting live systems, and more! This series, valued at $3,000, is free for Premium members, Team Accounts, and Qualified Experts.

LuzckaAuthor Commented:
Before anything else I want to thank the answers..., but I believe that I have not been
very clear.... I will explain the current operation of the system so that they can have like
this a vision of him as of the problem.

The system is composed by a service and a DLL (my global Hook), the two are in
the same computer..., when carrying the service, this installs the hook to
monitoring the system (in the case, of keyboard and mouse), to each respective event  
correspond a message of the hook to the service using " Named Pipes "... these messages are worked for threads where each event is saved in a database...
well..., two events are saved (a click when beginning and another when
concluding, I believe that are in the window of installation messagebox and
uninstall message box of the service)...
I placed a routine in the hook that saves a message in a txt file each
time that the hook is called, and this routine just works twice....
what indicates that the hook was just used twice....
that I discard that the problem is in the communication through pipes (that is
local), with relationship to the service.... he was already installed without user
and with user Administrator (.\Administrator) but nothing change....; I don't know a lot of programming in the NT system.... I don't know if Administrator possesses or not all the rights..., in mine researches I verified that limitations exist in the use of Pipes... and
other methods of IPC.... but anything that indicates limitations of a service when using or
work with a hook....
if they want I can send them sources (Delphi) and /or the exe file and dll so that
they look at.. or if they have another idea.... please inform me...

Thanks in advance

Maybe that the DLL hook executes sometimes under an account with limited privileges (the hooked program changes its logon identity during operation). Therefore you get only the calls made while operating at proper privilege level.

LuzckaAuthor Commented:

 The hook got to work, I created a "super user" but didn't advance..., but when set the property " Interactive " ( Allow service to interact with desktop ) the hook began to work....
I just left the property and I removed the user and it continued working.... fou to try with other logins to see it happens some difference ....

Thanks to all !!!

LuzckaAuthor Commented:
Well, I had already found this solution. . . . and had made a comment indicating, but it is answer it is much clearer and explanatory; forced the whole ones for the help that was of big were worth.

Thanks to all ...!!!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.