• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1603
  • Last Modified:

Grant Network Service access to OpenProcess

Hi Everyone,

I'm currently developing an application which will be run under the Network Service account. The application launches a batch command line process and uses OpenProcess with synchronize access to get its hWnd and allow the use of WaitForSingleObject. This works perfectly fine when I am testing under my account, but it seems that the Network Service doesn't have the necessary permissions to use OpenProcess.

Does anyone know how to grant the required permissions to either my application or the Network Service? My application is being developed using VB6, although code or ideas from any language would be appreciated as I can probably find a VB version once I have a rough idea. I'm developing on Vista, but the final application will be running on Windows Server 2003.

Thanks

ps. Apologies if you think this is in the wrong sections, I wasn't entirely sure where to put it =/
0
Corrup7ioN
Asked:
Corrup7ioN
  • 6
  • 3
  • 3
1 Solution
 
grayeCommented:
You can use the Local Security Policy tool (secpol.msc) to grant the Network Service account the "Debug" privilege
0
 
ChristianWimmerCommented:
Sorry, what for is OpenProcess? The cmdline process tries to access  the network service?
0
 
Corrup7ioNAuthor Commented:
Thanks for the comments guys. Unfortunately I can't do any testing until tomorrow.

@graye

I tried adding the network service account to the debug users group, but that didn't work. Is this the same thing (i'll try it regardless)? Also, what are the security implications of this?

@Christian

OpenProcess is a Windows API function. See http://msdn.microsoft.com/en-us/library/ms684320(VS.85).aspx for more information.

Thanks once again
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
grayeCommented:
In theory, adding the user to the Debug Users group should have been the same as altering the SECPOL setting.   Although that technique would require a reboot to take effect.
On the other hand, it's quite possible that the account privilege is "turned off" by default for the Network Service account, and therefore must be "turned on" via code.   But let's table that thought until you verify that you've tried it after a reboot.
0
 
Corrup7ioNAuthor Commented:
I did indeed try a reboot. I also added the Network Service to the administrators group and gave it full security access to whichever dll contains open process (can't remember off the top of my head, think its kernel32) just for good measure.

My work network was experiencing some trouble which prevented me from using remote desktop to test this, but the problem seems to have been resolved. I have just tested your idea and it didn't work. I also realised I should probably tell you what exactly is happening... When I call OpenProcess, no error is thrown, instead a hWnd of 0 is returned. The same code running under my account works perfectly fine. Hopefully this may be of some use.
0
 
grayeCommented:
Hummmm.... that should  have done it.
To diagnose this a bit further... can you temporarily create a "standard user" account that you can use as a test.    I'd like to start with just a standard user, then add the Debug privilege using Secpol.msc.   If that doesn't work, we'll add more privileges one at a time to figure out what's required.
Using a temporary account is much easier to test, since you can login using that account (unlike Network Services) to run your app.
0
 
ChristianWimmerCommented:
@OpenProcess: I used this function several times myself. What I meant was:
I don't understand why you use OpenProcess at all. CreateProcess - and I suppose you use this WINAPI function to start your command line process ? - will return you a full access process handle to the new process. Or do I understand it incorectly and you use OpenProcess in your command line process and want to access the service?
And do you use CreateProcess or CreateProcessAsUser ?
If you just use CreateProcess you can create a duplicate of the window handle and send it to your destination process using DuplicateHandle. It is even possible to restrict access to SYNCHRONIZE.

The debug privilege - if enabled - allows OpenProcess to return a process handle with full access. If anything goes wrong and the return value is 0 you should consider checking GetLastError(). Don't forget to post this value here.
I also suggest that you should post necessary code parts so we can give you advices. IMO your approach may be wrong.
0
 
Corrup7ioNAuthor Commented:
Christian, I freely admit that my approach is probably wrong as I am quite inexperience when it comes to using the windows API. Basically the idea is to launch an application with some parameters (filenames), the application then processes the given files, then we need to return to my code so that the files can be downloaded. Hvaing no experience with API functions, I started by using Shell() to launch the process, then posted this question http://www.experts-exchange.com/Programming/Languages/Visual_Basic/Q_23870948.html to try and find out how to wait for a process to finish. I've included a portion of my code below.

It sounds like CreateProcess is pretty much the same as using Shell() then OpenProcess(), so I don't really think my approach is too far off. Also, my guess is that the restrictions on using CreateProcess would be worse than OpenProcess (or atleast the same).

I used GetLastError and get the return value 6. I have absolutely no idea what this means and had no success trying to google a table of codes.
'Launch the app
pID = Shell(cmdString)
    
    'If the app lauched successfully
    If pID <> 0 Then
    
        'Get a handle to the shelled process
        hWnd = OpenProcess(SYNCHRONIZE, 0, 5084)
        
        'Wait for program to end
        Do
        
            ret = WaitForSingleObject(hWnd, 5000)
        
        Loop While ret = WAIT_TIMEOUT
        
        CloseHandle (hWnd)

Open in new window

0
 
Corrup7ioNAuthor Commented:
just realised I left a bit of testing in there.
hWnd = OpenProcess(SYNCHRONIZE, 0, pID)

Open in new window

0
 
ChristianWimmerCommented:
As fas as I can remember the debug user group was only for the Visual C++ 2003 debugger. It doesn't influence OpenProcess. In contrast to the group, the DEBUG privilege does as the MSDN for OpenProcess reads.

6 means invalid handle.
Did this error come from OpenProcess or WaitForSingleObject? You should call GetLastError (I think in VB there is a special variable for it) directly behind an API function.

If you used CreateProcess you would get a handle directly to the process which you can use in WaitForSingleObject (http://www.experts-exchange.com/Programming/System/Windows__Programming/Q_10047079.html?sfQueryTermInfo=1+basic+createprocess+visual)

So first check the return value of GetLastError from OpenProcess. It should be 5 (AccessDenied) if you can't access the process.
0
 
Corrup7ioNAuthor Commented:
In VB we use err.LastDllError rather than GetLastError. This is because VB uses API calls itself and can poison GetLastError. err.LastDllError caches the results of GetLastError after an manual API call.

I managed to find out that error 6 means invalid handle before you posted, although I had already considered that as a possible causes of the problem. That is why I was using hWnd = OpenProcess(SYNCHRONIZE, 0, 5084), I was testing using the pID of a known program.

But then I realised I made a stupid mistake. I put my error check after WaitForSingleObject, even though I knew it was being passed a hWnd of 0. After a quick caffeine intake, I put my error check in the correct place and tried again. As expected, error 5!

I was going to post the above text before trying CreateProcess as I have other things to do, but I decided that everything else can wait because I want to get this fixed! I tried and it didn't work, but I was getting no errors. After using CreateProcess, I printed out the returned hWnd and it was <> 0. I tried using it with calc.exe and it worked! Hopefully the current problem is now unrelated to this matter. I will spend some time on this a bit later on today, and will either post back or accept shortly after. Thanks for your help!

Graye, thanks for you input aswell, I really appreciate it. It's quite annoying how poorly the Windows API (especially the security aspect) is documented.

ps. For anyone who found this thread searching for GetLastError(), here is a handy list of error descriptions http://help.netop.com/support/errorcodes/win32_error_codes.htm
0
 
Corrup7ioNAuthor Commented:
All is working now. Thank you very much for you assistance!
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 6
  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now