Solved

Run applications on user's desktop from Windows service

Posted on 2010-11-29
Last Modified: 2012-05-10
Hi, I would like to execute an application from a C# Windows service on the logged-in user's desktop. The service already runs using admin privileges. Is it possible to run the application on the user's desktop using the service's admin privileges? How do I hook to the logged-in user's desktop and execute the application? The logged-in user is a normal user and the application requires administrator privileges to execute.

Currently I get the "explorer.exe" process, get the handle from the process, duplicate the logged-in user's token and use the "CreateProcessAsUser" method to run the application on the user's desktop. But, since the logged-in user is not an administrator, the executed application fails with the insufficient privileges exception. Can anyone help me with sample code or an example to run the application on the user's desktop with admin privileges? Or if I am doing it wrong, can anyone suggest the right way of doing it?

I currently face this problem in Windows XP. I suppose in Windows Vista or 7, it (executing with admin privileges) would require elevated permissions.

Thank You,
Sathish
0
Question by:sathish_raos
19 Comments
 
LVL 5

Expert Comment

by:roxviper
ID: 34228962
Hi,

Use this command

System.Diagnostics.Process.Start("ExePath");
0
 

Author Comment

by:sathish_raos
ID: 34228971
Thank you roxviper, for the response. If I just execute the process, the application runs in the service's local system account and the application is never visible in the logged in user's desktop. How do I use this?

How differently should I have to use this on XP, Vista and 7 platforms to overcome the elevated permissions?

Thank you,
Sathish
0
 
LVL 5

Expert Comment

by:roxviper
ID: 34229046
Hi,

I never got through that problem, but I can see here you have more options you can define, such as domain and credentials.
0
 

Author Comment

by:sathish_raos
ID: 34229085
OK, let me try that and I shall let you know.
0
 
LVL 6

Expert Comment

by:Chuck Yetter
ID: 34229849
Sounds to me like you need to set the service's "Allow interact with Desktop" property.  You can quickly check to see if this will fix your problem by going to Control Panel->Administrative Tools->Services, open your service's Properties, and look on the Log On tab for the "Allow..." checkbox.

To have your service automatically set this property when installed, you need to add a Committed event handler to the serviceInstaller object in the service's ProjectInstaller module and add the code below into the event handler.
// Requires a reference to System.Management.dll and: using System.Management;
// Set the "Allow Interact with Desktop" value.
ConnectionOptions coOptions = new ConnectionOptions();
coOptions.Impersonation = ImpersonationLevel.Impersonate;
ManagementScope mgmtScope = new ManagementScope(@"root\CIMV2", coOptions);
mgmtScope.Connect();
// Bind the service object to the scope connected above so the options are actually used.
using (ManagementObject wmiService = new ManagementObject(mgmtScope,
    new ManagementPath("Win32_Service.Name='PutYourServiceNameHere'"), null))
{
    ManagementBaseObject InParam = wmiService.GetMethodParameters("Change");
    InParam["DesktopInteract"] = true;
    // OutParam["ReturnValue"] is 0 when the change succeeded.
    ManagementBaseObject OutParam = wmiService.InvokeMethod("Change", InParam, null);
}


0
 

Author Comment

by:sathish_raos
ID: 34229915
Thank you Axshun, but "Allow Interact with Desktop" is the last thing that I want to do. It could work well in XP, but it has problems in Vista and 7 OS's.

Thank you,
Sathish
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34230489
If at all possible, I think you'll find that to be more of a chore than you'd care to take on.

So, here are my alternative suggestions:

1. Modify the program so that administrative rights are not needed, or adjust NTFS file permissions, etc., such that the user has access when run under his own credentials.

2. Have the client application specify administrative credentials in the call to Process.Start(). The client's application could, for example, contact a web service in order to obtain the current username/password (thus eliminating the need to hard-code it, or store it locally in an easily read config file).
0
 

Author Comment

by:sathish_raos
ID: 34230637
Thank you for the suggestion tgerbert.

1. There's nothing much that I can do since the application is already there and I just have to trigger it from the service based on some events.

2. I had thought about it, but the admin is reluctant to expose the password to the application since it can be very easily known in a network. He's OK to install the Windows service using admin privileges and use the same credentials to start the application.
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34230652
CreateProcessAsUser, I think, might let you do this.  You might need to use WTSEnumerateSessions to determine which session, and apparently you can use SetTokenInformation to set the session for this token, then calling CreateProcessAsUser with the modified token should start the application on specified session with elevated rights.
0
 

Author Comment

by:sathish_raos
ID: 34230694
tgerbert: Thanks again. Can you give me an example? I have tried this a couple of times but I have failed since I have been passing the wrong tokens (1349 error).
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34230698
If you use SSL with a web service to provide the username/password to the client I don't think it could be easily known in a network.  You can also use a separate administrative user with certain privileges disabled (like logon interactively), and change the password periodically (theoretically, you could even change the password every hour - then even if someone does figure it out it won't be good for very long).
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34230857
I don't have any examples handy and that looks like a lot of work, so I'm afraid you're out of luck. ;)

I would suggest checking www.pinvoke.net though, you may at least save yourself the trouble of typing out all the function & structure definitions.
0
 

Author Comment

by:sathish_raos
ID: 34276427
Hi tgerbert, I tried your suggestion. I even found an article about the same, at the link below:

http://www.codeproject.com/KB/vista-security/VistaSessionsC_.aspx

I even tried the sample code provided in the article. But I always ended up getting this error:
"CreateProcessInConsoleSession SetTokenInformation error: 998 Token does not have the privilege" (I tried it on a couple of Windows 7 machines with the highest UAC level; I still get the same problem).

I have mentioned this problem to the author, and I am yet to hear from him. Meanwhile, can anyone help me get around this problem?

Thank you,
Sathish
0
 
LVL 33

Accepted Solution

by:
Todd Gerbert earned 750 total points
ID: 34282847
According to MSDN (http://msdn.microsoft.com/en-us/library/aa379626(v=VS.85).aspx):

If TokenSessionId is set with SetTokenInformation, the application must have the Act As Part Of the Operating System privilege, and the application must be enabled to set the session ID in a token.

I also recall reading somewhere that only the user LocalSystem was able to set the session, though I can't find it now and I'm not sure if that's accurate.
0
 

Author Comment

by:sathish_raos
ID: 34298525
Thank you tgerbert again. I have my service started using LocalSystem account. I will remember your pointer.

I am currently working on priority issues. I shall get back and test this in 2 days. I shall let you know then.
 
Thank you,
Sathish
0
 

Author Comment

by:sathish_raos
ID: 34398204
Hi tgerbert, I have not tried your suggestion yet. But it's too long to hold the points for your suggestion.

Thank you,
Sathish
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34398210
You can take as much time as you need...don't assign points unless one of the answers actually works. ;)
0
 

Author Closing Comment

by:sathish_raos
ID: 34398214
It was not the complete expected suggestion, but came in bits and pieces. In short, it was not bang on point.
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34398218
I'd be curious to know if & how you finally get it working, post back and let me know if you don't mind.
0
