Solved

Run applications on user's desktop from Windows service

Posted on 2010-11-29
Last Modified: 2012-05-10
Hi, I would like to execute an application from a C# Windows service on the logged-in user's desktop. The service already runs using admin privileges. Is it possible to run the application on the user's desktop using the service's admin privileges? How do I hook to the logged-in user's desktop and execute the application? The logged-in user is a normal user and the application requires administrator privileges to execute.

Currently I get the "explorer.exe" process, get the handle from the process, duplicate the logged-in user's token and use the "CreateProcessAsUser" method to run the application on the user's desktop. But, since the logged-in user is not an administrator, the executed application fails with the insufficient privileges exception. Can anyone help me with sample code or an example to run the application on the user's desktop with admin privileges? Or if I am doing it wrong, can anyone suggest the right way of doing it?

I currently face this problem in Windows XP. I suppose in Windows Vista or 7, it (executing with admin privileges) would require elevated permissions.

Thank You,
Sathish
Question by:sathish_raos
19 Comments
 
LVL 5

Expert Comment

by:roxviper
ID: 34228962
Hi,

Use this command

System.Diagnostics.Process.Start("ExePath");
0
 

Author Comment

by:sathish_raos
ID: 34228971
Thank you roxviper, for the response. If I just execute the process, the application runs in the service's local system account and the application is never visible in the logged in user's desktop. How do I use this?

How differently should I have to use this on XP, Vista and 7 platforms to overcome the elevated permissions?

Thank you,
Sathish
0
 
LVL 5

Expert Comment

by:roxviper
ID: 34229046
Hi,

I never got through that problem, but I can see here you have more options you can define, such as domain and credentials.
0
 

Author Comment

by:sathish_raos
ID: 34229085
OK, let me try that and I shall let you know.
0
 
LVL 6

Expert Comment

by:Chuck Yetter
ID: 34229849
Sounds to me like you need to set the service's "Allow interact with Desktop" property.  You can quickly check to see if this will fix your problem by going to Control Panel->Administrative Tools->Services, open your service's Properties, and look on the Log On tab for the "Allow..." checkbox.

To have your service automatically set this property when installed, you need to add a Committed event handler to the serviceInstaller object in the service's ProjectInstaller module and add the code below into the event handler.
// Requires a reference to System.Management.dll and "using System.Management;".
// Set the "Allow Interact with Desktop" value.
ConnectionOptions coOptions = new ConnectionOptions();
coOptions.Impersonation = ImpersonationLevel.Impersonate;
ManagementScope mgmtScope = new ManagementScope(@"root\CIMV2", coOptions);
mgmtScope.Connect();
// Bind the service object to the scope that was just connected.
ManagementObject wmiService = new ManagementObject(mgmtScope,
    new ManagementPath("Win32_Service.Name='PutYourServiceNameHere'"), null);
// Win32_Service.Change takes DesktopInteract as one of its input parameters.
ManagementBaseObject InParam = wmiService.GetMethodParameters("Change");
InParam["DesktopInteract"] = true;
ManagementBaseObject OutParam = wmiService.InvokeMethod("Change", InParam, null);
wmiService.Dispose();

0
 

Author Comment

by:sathish_raos
ID: 34229915
Thank you Axshun, but "Allow Interact with Desktop" is the last thing that I want to do. It could work well in XP, but it has problems in Vista and 7 OS's.

Thank you,
Sathish
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34230489
If at all possible, I think you'll find that to be more of a chore than you'd care to take on.

So, here are my alternative suggestions:

1. Modify the program so that administrative rights are not needed, or adjust NTFS file permissions, etc., such that the user has access when run under his own credentials.

2. Have the client application specify administrative credentials in the call to Process.Start(). The client's application could, for example, contact a web service in order to obtain the current username/password (thus eliminating the need to hard-code it, or store it locally in an easily read config file).
0
 

Author Comment

by:sathish_raos
ID: 34230637
Thank you for the suggestion tgerbert.

1. There's nothing much that I can do since the application is already there and I just have to trigger it from the service based on some events.

2. I had thought about it, but the admin is reluctant to expose the password to the application since it can be very easily known in a network. He's OK to install the Windows service using admin privileges and use the same credentials to start the application.
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34230652
CreateProcessAsUser, I think, might let you do this.  You might need to use WTSEnumerateSessions to determine which session, and apparently you can use SetTokenInformation to set the session for this token, then calling CreateProcessAsUser with the modified token should start the application on specified session with elevated rights.
0

 

Author Comment

by:sathish_raos
ID: 34230694
tgerbert: Thanks again. Can you give me an example? I have tried this a couple of times but I have failed since I have been passing the wrong tokens (1349 error).
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34230698
If you use SSL with a web service to provide the username/password to the client I don't think it could be easily known in a network.  You can also use a separate administrative user with certain privileges disabled (like logon interactively), and change the password periodically (theoretically, you could even change the password every hour - then even if someone does figure it out it won't be good for very long).
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34230857
I don't have any examples handy and that looks like a lot of work, so I'm afraid you're out of luck. ;)

I would suggest checking www.pinvoke.net though, you may at least save yourself the trouble of typing out all the function & structure definitions.
0
 

Author Comment

by:sathish_raos
ID: 34276427
Hi tgerbert, I tried your suggestion. I even found an article about the same, in the link below:

http://www.codeproject.com/KB/vista-security/VistaSessionsC_.aspx

I even tried the sample code provided in the article. But I always ended up getting this error:
"CreateProcessInConsoleSession SetTokenInformation error: 998 Token does not have the privilege" (I tried it on a couple of Windows 7 machines with the highest UAC level; still I get the same problem).

I have mentioned this problem to the author, and I am yet to hear from him. Meanwhile, can anyone help me get around this problem?

Thank you,
Sathish
0
 
LVL 33

Accepted Solution

by:
Todd Gerbert earned 250 total points
ID: 34282847
According to MSDN (http://msdn.microsoft.com/en-us/library/aa379626(v=VS.85).aspx):

If TokenSessionId is set with SetTokenInformation, the application must have the Act As Part Of the Operating System privilege, and the application must be enabled to set the session ID in a token.

I also recall reading somewhere that only the user LocalSystem was able to set the session, though I can't find it now and I'm not sure if that's accurate.
0
 

Author Comment

by:sathish_raos
ID: 34298525
Thank you tgerbert again. I have my service started using LocalSystem account. I will remember your pointer.

I am currently working on priority issues. I shall get back and test this in 2 days. I shall let you know then.
 
Thank you,
Sathish
0
 

Author Comment

by:sathish_raos
ID: 34398204
Hi tgerbert, I have not tried your suggestion yet. But it's too long to hold the points for your suggestion.

Thank you,
Sathish
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34398210
You can take as much time as you need...don't assign points unless one of the answers actually works. ;)
0
 

Author Closing Comment

by:sathish_raos
ID: 34398214
It was not the complete expected suggestion, but came in bits and pieces. In short, it was not bang on point.
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34398218
I'd be curious to know if & how you finally get it working, post back and let me know if you don't mind.
0
