Solved

Run applications on user's desktop from Windows service

Posted on 2010-11-29
Last Modified: 2012-05-10
Hi, I would like to execute an application from a C# Windows service on the logged-in user's desktop. The service already runs using admin privileges. Is it possible to run the application on the user's desktop using the service's admin privileges? How do I hook to the logged-in user's desktop and execute the application? The logged-in user is a normal user and the application requires administrator privileges to execute.

Currently I get the "explorer.exe" process, get the handle from the process, duplicate the logged-in user's token and use the "CreateProcessAsUser" method to run the application on the user's desktop. But, since the logged-in user is not an administrator, the executed application fails with the insufficient privileges exception. Can anyone help me with sample code or an example to run the application on the user's desktop with admin privileges? Or if I am doing it wrong, can anyone suggest the right way of doing it?

I currently face this problem in Windows XP. I suppose in Windows Vista or 7, it (executing with admin privileges) would require elevated permissions.

Thank You,
Sathish
Question by:sathish_raos
19 Comments
 
LVL 5

Expert Comment

by:roxviper
ID: 34228962
Hi,

Use this command

System.Diagnostics.Process.Start("ExePath");
0
 

Author Comment

by:sathish_raos
ID: 34228971
Thank you roxviper, for the response. If I just execute the process, the application runs in the service's local system account and the application is never visible in the logged in user's desktop. How do I use this?

How differently should I have to use this on XP, Vista and 7 platforms to overcome the elevated permissions?

Thank you,
Sathish
0
 
LVL 5

Expert Comment

by:roxviper
ID: 34229046
Hi,

I never got through that problem, but I can see here you have more options you can define, such as domain and credentials.
0
 

Author Comment

by:sathish_raos
ID: 34229085
OK, let me try that and I shall let you know.
0
 
LVL 6

Expert Comment

by:Chuck Yetter
ID: 34229849
Sounds to me like you need to set the service's "Allow interact with Desktop" property.  You can quickly check to see if this will fix your problem by going to Control Panel->Administrative Tools->Services, open your service's Properties, and look on the Log On tab for the "Allow..." checkbox.

To have your service automatically set this property when installed, you need to add a Committed event handler to the serviceInstaller object in the service's ProjectInstaller module and add the code below into the event handler.
// Requires a reference to System.Management.dll and "using System.Management;".
// Set the "Allow Interact with Desktop" value.
ConnectionOptions coOptions = new ConnectionOptions();
coOptions.Impersonation = ImpersonationLevel.Impersonate;
ManagementScope mgmtScope = new ManagementScope(@"root\CIMV2", coOptions);
mgmtScope.Connect();
// Bind the service object to the scope connected above.
ManagementObject wmiService = new ManagementObject(mgmtScope, new ManagementPath("Win32_Service.Name='PutYourServiceNameHere'"), null);
// Win32_Service.Change leaves every parameter that is not set unchanged.
ManagementBaseObject InParam = wmiService.GetMethodParameters("Change");
InParam["DesktopInteract"] = true;
ManagementBaseObject OutParam = wmiService.InvokeMethod("Change", InParam, null);
wmiService.Dispose();

0
 

Author Comment

by:sathish_raos
ID: 34229915
Thank you Axshun, but "Allow Interact with Desktop" is the last thing that I want to do. It could work well in XP, but it has problems in Vista and 7 OS's.

Thank you,
Sathish
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34230489
If at all possible, I think you'll find that to be more of a chore than you'd care to take on.

So, here are my alternative suggestions:

1. Modify the program so that administrative rights are not needed, or adjust NTFS file permissions, etc., such that the user has access when run under his own credentials.

2. Have the client application specify administrative credentials in the call to Process.Start(). The client's application could, for example, contact a web service in order to obtain the current username/password (thus eliminating the need to hard-code it, or store it locally in an easily read config file).
0
 

Author Comment

by:sathish_raos
ID: 34230637
Thank you for the suggestion tgerbert.

1. There's nothing much that I can do since the application is already there and I just have to trigger it from the service based on some events.

2. I had thought about it, but the admin is reluctant to expose the password to the application since it can be very easily known in a network. He's OK to install the Windows service using admin privileges and use the same credentials to start the application.
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34230652
CreateProcessAsUser, I think, might let you do this.  You might need to use WTSEnumerateSessions to determine which session, and apparently you can use SetTokenInformation to set the session for this token, then calling CreateProcessAsUser with the modified token should start the application on specified session with elevated rights.
0
 

Author Comment

by:sathish_raos
ID: 34230694
tgerbert: Thanks again. Can you give me an example? I have tried this a couple of times but I have failed since I have been passing the wrong tokens (1349 error).
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34230698
If you use SSL with a web service to provide the username/password to the client I don't think it could be easily known in a network.  You can also use a separate administrative user with certain privileges disabled (like logon interactively), and change the password periodically (theoretically, you could even change the password every hour - then even if someone does figure it out it won't be good for very long).
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34230857
I don't have any examples handy and that looks like a lot of work, so I'm afraid you're out of luck. ;)

I would suggest checking www.pinvoke.net though, you may at least save yourself the trouble of typing out all the function & structure definitions.
0
 

Author Comment

by:sathish_raos
ID: 34276427
Hi tgerbert, I tried your suggestion. I even found an article about the same, in the link below

http://www.codeproject.com/KB/vista-security/VistaSessionsC_.aspx

I even tried the sample code provided in the article. But I always ended up getting this error
"CreateProcessInConsoleSession SetTokenInformation error: 998 Token does not have the privilege" (I tried it on a couple of Windows 7 machines with the highest UAC level; I still get the same problem).

I have mentioned this problem to the author; I am yet to hear from him. Meanwhile, can anyone help me get around this problem?

Thank you,
Sathish
0
 
LVL 33

Accepted Solution

by:
Todd Gerbert earned 250 total points
ID: 34282847
According to MSDN (http://msdn.microsoft.com/en-us/library/aa379626(v=VS.85).aspx):

If TokenSessionId is set with SetTokenInformation, the application must have the Act As Part Of the Operating System privilege, and the application must be enabled to set the session ID in a token.

I also recall reading somewhere that only the user LocalSystem was able to set the session, though I can't find it now and I'm not sure if that's accurate.
0
 

Author Comment

by:sathish_raos
ID: 34298525
Thank you tgerbert again. I have my service started using LocalSystem account. I will remember your pointer.

I am currently working on priority issues. I shall get back and test this in 2 days. I shall let you know then.
 
Thank you,
Sathish
0
 

Author Comment

by:sathish_raos
ID: 34398204
Hi tgerbert, I have not tried your suggestion yet. But it's too long to hold the points for your suggestion.

Thank you,
Sathish
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34398210
You can take as much time as you need...don't assign points unless one of the answers actually works. ;)
0
 

Author Closing Comment

by:sathish_raos
ID: 34398214
It was not complete expected suggestion, but came in bits and pieces. In short, it was not bang on point.
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34398218
I'd be curious to know if & how you finally get it working, post back and let me know if you don't mind.
0

Question has a verified solution.
