Grant Network Service access to OpenProcess

Hi Everyone,

I'm currently developing an application which will be run under the Network Service account. The application launches a batch command line process and uses OpenProcess with synchronize access to get its hWnd and allow the use of WaitForSingleObject. This works perfectly fine when I am testing under my account, but it seems that the Network Service doesn't have the necessary permissions to use OpenProcess.

Does anyone know how to grant the required permissions to either my application or the Network Service? My application is being developed using VB6, although code or ideas from any language would be appreciated as I can probably find a VB version once I have a rough idea. I'm developing on Vista, but the final application will be running on Windows Server 2003.


ps. Apologies if you think this is in the wrong sections, I wasn't entirely sure where to put it =/

You can use the Local Security Policy tool (secpol.msc) to grant the Network Service account the "Debug" privilege
Sorry, what is OpenProcess for? The cmdline process tries to access the network service?
Corrup7ioN (Author) Commented:
Thanks for the comments guys. Unfortunately I can't do any testing until tomorrow.


I tried adding the network service account to the debug users group, but that didn't work. Is this the same thing (I'll try it regardless)? Also, what are the security implications of this?


OpenProcess is a Windows API function. See for more information.

Thanks once again

In theory, adding the user to the Debug Users group should have been the same as altering the SECPOL setting. Although that technique would require a reboot to take effect.
On the other hand, it's quite possible that the account privilege is "turned off" by default for the Network Service account, and therefore must be "turned on" via code. But let's table that thought until you verify that you've tried it after a reboot.
Corrup7ioN (Author) Commented:
I did indeed try a reboot. I also added the Network Service to the administrators group and gave it full security access to whichever dll contains open process (can't remember off the top of my head, think it's kernel32) just for good measure.

My work network was experiencing some trouble which prevented me from using remote desktop to test this, but the problem seems to have been resolved. I have just tested your idea and it didn't work. I also realised I should probably tell you what exactly is happening... When I call OpenProcess, no error is thrown, instead a hWnd of 0 is returned. The same code running under my account works perfectly fine. Hopefully this may be of some use.
Hummmm.... that should have done it.
To diagnose this a bit further... can you temporarily create a "standard user" account that you can use as a test? I'd like to start with just a standard user, then add the Debug privilege using Secpol.msc. If that doesn't work, we'll add more privileges one at a time to figure out what's required.
Using a temporary account is much easier to test, since you can log in using that account (unlike Network Services) to run your app.
@OpenProcess: I used this function several times myself. What I meant was:
I don't understand why you use OpenProcess at all. CreateProcess - and I suppose you use this WINAPI function to start your command line process? - will return you a full access process handle to the new process. Or do I understand it incorrectly and you use OpenProcess in your command line process and want to access the service?
And do you use CreateProcess or CreateProcessAsUser?
If you just use CreateProcess you can create a duplicate of the window handle and send it to your destination process using DuplicateHandle. It is even possible to restrict access to SYNCHRONIZE.

The debug privilege - if enabled - allows OpenProcess to return a process handle with full access. If anything goes wrong and the return value is 0 you should consider checking GetLastError(). Don't forget to post this value here.
I also suggest that you should post necessary code parts so we can give you advice. IMO your approach may be wrong.
Corrup7ioN (Author) Commented:
Christian, I freely admit that my approach is probably wrong as I am quite inexperienced when it comes to using the Windows API. Basically the idea is to launch an application with some parameters (filenames), the application then processes the given files, then we need to return to my code so that the files can be downloaded. Having no experience with API functions, I started by using Shell() to launch the process, then posted this question to try and find out how to wait for a process to finish. I've included a portion of my code below.

It sounds like CreateProcess is pretty much the same as using Shell() then OpenProcess(), so I don't really think my approach is too far off. Also, my guess is that the restrictions on using CreateProcess would be worse than OpenProcess (or at least the same).

I used GetLastError and get the return value 6. I have absolutely no idea what this means and had no success trying to google a table of codes.
'Launch the app
pID = Shell(cmdString)
'If the app launched successfully
If pID <> 0 Then
    'Get a handle to the shelled process
    hWnd = OpenProcess(SYNCHRONIZE, 0, 5084)
    'Wait for program to end, polling every 5 seconds
    Do
        ret = WaitForSingleObject(hWnd, 5000)
    Loop While ret = WAIT_TIMEOUT
    CloseHandle (hWnd)
End If

Corrup7ioN (Author) Commented:
just realised I left a bit of testing in there.
hWnd = OpenProcess(SYNCHRONIZE, 0, pID)


As far as I can remember the debug user group was only for the Visual C++ 2003 debugger. It doesn't influence OpenProcess. In contrast to the group, the DEBUG privilege does as the MSDN for OpenProcess reads.

6 means invalid handle.
Did this error come from OpenProcess or WaitForSingleObject? You should call GetLastError (I think in VB there is a special variable for it) directly behind an API function.

If you used CreateProcess you would get a handle directly to the process which you can use in WaitForSingleObject (

So first check the return value of GetLastError from OpenProcess. It should be 5 (AccessDenied) if you can't access the process.

Corrup7ioN (Author) Commented:
In VB we use err.LastDllError rather than GetLastError. This is because VB uses API calls itself and can poison GetLastError. err.LastDllError caches the results of GetLastError after a manual API call.

I managed to find out that error 6 means invalid handle before you posted, although I had already considered that as a possible cause of the problem. That is why I was using hWnd = OpenProcess(SYNCHRONIZE, 0, 5084), I was testing using the pID of a known program.

But then I realised I made a stupid mistake. I put my error check after WaitForSingleObject, even though I knew it was being passed a hWnd of 0. After a quick caffeine intake, I put my error check in the correct place and tried again. As expected, error 5!

I was going to post the above text before trying CreateProcess as I have other things to do, but I decided that everything else can wait because I want to get this fixed! I tried and it didn't work, but I was getting no errors. After using CreateProcess, I printed out the returned hWnd and it was <> 0. I tried using it with calc.exe and it worked! Hopefully the current problem is now unrelated to this matter. I will spend some time on this a bit later on today, and will either post back or accept shortly after. Thanks for your help!

Graye, thanks for your input as well, I really appreciate it. It's quite annoying how poorly the Windows API (especially the security aspect) is documented.

ps. For anyone who found this thread searching for GetLastError(), here is a handy list of error descriptions
Corrup7ioN (Author) Commented:
All is working now. Thank you very much for your assistance!
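
The approach the thread settled on, written out as an added VB6 example (not code posted by any participant): CreateProcess hands back a process handle that WaitForSingleObject can use directly, so the Network Service account needs neither the Debug privilege nor Administrators membership, and Err.LastDllError is read immediately after the call that failed. RunAndWait, exitCode and apiError are hypothetical names; the collapsed STARTUPINFO layout assumes 32-bit VB6 with every optional field left at zero.

```vb
Option Explicit

' STARTUPINFO is 68 bytes on 32-bit Windows. Only cb is set here, so the
' remaining 16 DWORD-sized slots are collapsed into zeroed padding.
Private Type STARTUPINFO
    cb As Long
    unused(1 To 16) As Long
End Type
Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadId As Long
End Type
Private Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" ( _
    ByVal lpApplicationName As String, ByVal lpCommandLine As String, _
    ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, _
    ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, _
    ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As String, _
    lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" ( _
    ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function GetExitCodeProcess Lib "kernel32" ( _
    ByVal hProcess As Long, lpExitCode As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Const WAIT_OBJECT_0 As Long = 0
Private Const WAIT_TIMEOUT As Long = &H102

' Hypothetical helper: runs cmdString and blocks until it exits.
' Returns True and fills exitCode on success; on failure returns False
' and fills apiError with the Win32 error of the call that failed.
Public Function RunAndWait(ByVal cmdString As String, _
        ByRef exitCode As Long, ByRef apiError As Long) As Boolean
    Dim si As STARTUPINFO, pi As PROCESS_INFORMATION, ret As Long
    si.cb = Len(si)
    If CreateProcess(vbNullString, cmdString, 0, 0, 0, 0, 0, vbNullString, si, pi) = 0 Then
        apiError = Err.LastDllError      ' capture before any other API call
        Exit Function
    End If
    CloseHandle pi.hThread               ' the thread handle is not needed
    Do                                   ' same 5-second polling as the original loop
        ret = WaitForSingleObject(pi.hProcess, 5000)
    Loop While ret = WAIT_TIMEOUT
    If ret = WAIT_OBJECT_0 Then
        RunAndWait = (GetExitCodeProcess(pi.hProcess, exitCode) <> 0)
    End If
    If Not RunAndWait Then apiError = Err.LastDllError
    CloseHandle pi.hProcess              ' always release the process handle
End Function
```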