Solved

Get current user from system account 2

Posted on 2001-07-05
9
349 Views
Last Modified: 2010-09-16
Okay,

This question is related to a previous one: How can I get the current interactive logon user from a service running under the system account?

The answer provided by Epsilon was really good, although the circumstances have now changed.

- The Current user is NOT running explorer as shell. Instead, it's running a custom application, which may change for different users.

- The applications to be run as shell, have different class names and window names. The only common thing is the user that's logged on interactively (always same user).

- The Current user may or may NOT be running a shell (the custom application running as a shell may have crashed, hung or exit prematurely)

The service is running under the sytem account and have interact with desktop rights.

I tried looking for winsta0\default, but although it works fine on some computers running 2000 SP2, it fails on those running Win2K Sp1 (always return SYSTEM as user)

Because there's no specific application to look for, I've found no way fo getting ahold a windows handle to identify the owner.

The thing is that the service is kind of a watchdog service that is monitoring the application running as a shell for specific user. The computer autologons this user all the time.

If the application stop responding of exits prematurely, the service must logoff that user (and only that user!)inmediatelly, to cleanup the user environment and reload the application (by logging on the user again via autologon)

Any clues?

Luis
0
Comment
Question by:elkavayo
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 13

Expert Comment

by:Epsylon
ID: 6258621
Are you running an own shell?

Just an idea. When a user logs in, write the handle to the registry. The service can read it back and use it to get the current user.
0
 
LVL 20

Expert Comment

by:Madshi
ID: 6258681
Why not using EnumDesktops and EnumDesktopWindows for each desktop? This way you should get all desktops and all windows of all programs that are running. From the windows you can get the processID (GetWindowThreadProcessID), then I think Epsylon's code should give you the user for each process.

Regards, Madshi.
0
 
LVL 13

Expert Comment

by:Epsylon
ID: 6258702
If EnumDesktopWindows works, then GetDesktopWindows will work to, I guess.
0
 

Author Comment

by:elkavayo
ID: 6259923
first answer to Epsylon. Yes, we are running custom shells. The problem with writing to the registry is that SYSTEM account doesn't have access to HKEY_CURRENT_USER for the logged on user, and the logged on user is an unpriviledge account that doesn't have write access to HKEY_LOCAL_MACHINE. The other thing is: what happens if the application crashes? the handle is still there, but it's invalid, and it's not useful for logging the current user off.

What would GetDesktopwindows help? AFAIK, the windowstation associated with the console is always 'winsta0' and the application desktop is always 'default'. Well, I got a handle to the winsta0\default, and still doesn't work. When the app crashes, there's no other windows open on the desktop.

I have written the following based on Epsylon's code:

function TAATestSvc.Username(var h: HWND): string;
var
  winstaCurrent: HWND;
  dwProcessId: DWORD;
  hProcess, hToken: THandle;
  a: array[0..255] of Char;
  s: Cardinal;
begin                                      
  try
    winstaCurrent := GetProcessWindowStation();
    if winstaCurrent <> 0 then
    begin
      h := winstaCurrent;
      GetWindowThreadProcessId(winstaCurrent, @dwProcessId);
      hProcess := OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
      OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, hToken);
      ImpersonateLoggedOnUser(hToken);
      s := sizeof(a);
      GetUserName(a, s);
      Result := a;
      RevertToSelf;
      CloseHandle(hToken);
      CloseHandle(hProcess);
    end
    else
      result := '';
  except
  end;
end;

It works fine on Win2K Pro with SP2.WinstaCurrent is always 52 (regardless the user or session)
and I can reliably obtain the logon user. When no one is logged on, it returns SYSTEM.

The problem is that on Win2K SP1, it always returns SYSTEM. and I'm not sure which one is right. Is it a bug in SP1 corrected in SP2? Is it that SP2 implemented something that may change in SP3 or XP?

If the SP2 behavior is fine, then I'm set, but I'm not sure I should trust it.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 13

Expert Comment

by:Epsylon
ID: 6259957
Are you are this is a sp1/sp2 issue and not some difference in the configuration?
0
 
LVL 20

Expert Comment

by:Madshi
ID: 6260056
Please check the return values of all the functions you're using. Does all succeed in your win2k sp1? Maybe one fails? If so, then please tell us the error code.
0
 

Author Comment

by:elkavayo
ID: 6260315
okay, I'm rather confused now.

are these ateps correctes for identifying the logged on user?

1.- Get a HWINSTA for winsta0 (system console: display, keyboard, mouse etc)
2.- Get a HDESK for "application desktop"  (default). That makes winsta0\default
3.- Enum all windows for that desktop.

I guess what we are looking for is a window-handle, in order to get the thread ID or process ID associated with that handle and find out the process o thread owner.

Now what do I do? I get a buch of windows, some of them belong to the logged on user, other to system, other to other services running as different accounts ...


Actually I'm now lacking a procedure, rather than a solution to identify the interactive logged on user.
0
 
LVL 26

Expert Comment

by:Russell Libby
ID: 8702146
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

To be PAQ/Refund

Please leave any comments here within the next seven days.
 
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
 
Thank you,
Russell

EE Cleanup Volunteer
0
 

Accepted Solution

by:
PashaMod earned 0 total points
ID: 8818562
Per recommendation,

PashaMod
Community Support Moderator @Experts Exchange
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

A lot of questions regard threads in Delphi.   One of the more specific questions is how to show progress of the thread.   Updating a progressbar from inside a thread is a mistake. A solution to this would be to send a synchronized message to the…
Introduction Raise your hands if you were as upset with FireMonkey as I was when I discovered that there was no TListview.  I use TListView in almost all of my applications I've written, and I was not going to compromise by resorting to TStringGrid…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now