  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1458

Run applications on user's desktop from Windows service

Hi, I would like to execute an application from a C# Windows service on the logged-in user's desktop. The service already runs using admin privileges. Is it possible to run the application on the user's desktop using the service's admin privileges? How do I hook to the logged-in user's desktop and execute the application? The logged-in user is a normal user and the application requires administrator privileges to execute.

Currently I get the "explorer.exe" process, get the handle from the process, duplicate the logged-in user's token and use the "CreateProcessAsUser" method to run the application on the user's desktop. But, since the logged-in user is not an administrator, the executed application fails with the insufficient privileges exception. Can anyone help me with sample code or an example to run the application on the user's desktop with admin privileges? Or if I am doing it wrong, can anyone suggest the right way of doing it?

I currently face this problem in Windows XP. I suppose in Windows Vista or 7, it (executing with admin privileges) would require elevated permissions.

Thank You,
Sathish
0
sathish_raos
Asked:
1 Solution
 
roxviper Commented:
Hi,

Use this command

System.Diagnostics.Process.Start("ExePath");
0
 
sathish_raos (Author) Commented:
Thank you roxviper, for the response. If I just execute the process, the application runs in the service's local system account and the application is never visible in the logged in user's desktop. How do I use this?

How differently should I have to use this on XP, Vista and 7 platforms to overcome the elevated permissions?

Thank you,
Sathish
0
 
roxviper Commented:
Hi,

I never got through that problem, but I can see here you have more options you can define, such as domain and credentials.
0

 
sathish_raos (Author) Commented:
OK, let me try that and I shall let you know.
0
 
Chuck Yetter Commented:
Sounds to me like you need to set the service's "Allow interact with Desktop" property.  You can quickly check to see if this will fix your problem by going to Control Panel->Administrative Tools->Services, open your service's Properties, and look on the Log On tab for the "Allow..." checkbox.

To have your service automatically set this property when installed, you need to add a Committed event handler to the serviceInstaller object in the service's ProjectInstaller module and add the code below into the event handler.
// Requires: using System.Management; (add a reference to System.Management.dll)
// Set the "Allow Interact with Desktop" value.
ConnectionOptions coOptions = new ConnectionOptions();
coOptions.Impersonation = ImpersonationLevel.Impersonate;
ManagementScope mgmtScope = new ManagementScope(@"root\CIMV2", coOptions);
mgmtScope.Connect();
// Bind the service object to the connected scope so the options above are actually used.
using (ManagementObject wmiService = new ManagementObject(mgmtScope,
    new ManagementPath("Win32_Service.Name='PutYourServiceNameHere'"), null))
{
    ManagementBaseObject InParam = wmiService.GetMethodParameters("Change");
    InParam["DesktopInteract"] = true;
    ManagementBaseObject OutParam = wmiService.InvokeMethod("Change", InParam, null);
}


0
 
sathish_raos (Author) Commented:
Thank you Axshun, but "Allow Interact with Desktop" is the last thing that I want to do. It could work well in XP, but it has problems in Vista and 7 OS's.

Thank you,
Sathish
0
 
Todd Gerbert (IT Consultant) Commented:
If at all possible, I think you'll find that to be more of a chore than you'd care to take on.

So, here are my alternative suggestions:

1. Modify the program so that administrative rights are not needed, or adjust NTFS file permissions, etc., such that the user has access when run under his own credentials.

2. Have the client application specify administrative credentials in the call to Process.Start(). The client's application could, for example, contact a web service in order to obtain the current username/password (thus eliminating the need to hard-code it, or store it locally in an easily read config file).
0
 
sathish_raos (Author) Commented:
Thank you for the suggestion tgerbert.

1. There's nothing much that I can do since the application is already there and I just have to trigger it from the service based on some events.

2. I had thought about it, but the admin is reluctant to expose the password to the application since it can be very easily known in a network. He's OK to install the Windows service using admin privileges and use the same credentials to start the application.
0
 
Todd Gerbert (IT Consultant) Commented:
CreateProcessAsUser, I think, might let you do this.  You might need to use WTSEnumerateSessions to determine which session, and apparently you can use SetTokenInformation to set the session for this token, then calling CreateProcessAsUser with the modified token should start the application on specified session with elevated rights.
0
 
sathish_raos (Author) Commented:
tgerbert: Thanks again. Can you give me an example? I have tried this a couple of times but I have failed since I have been passing the wrong tokens (1349 error).
0
 
Todd Gerbert (IT Consultant) Commented:
If you use SSL with a web service to provide the username/password to the client I don't think it could be easily known in a network.  You can also use a separate administrative user with certain privileges disabled (like logon interactively), and change the password periodically (theoretically, you could even change the password every hour - then even if someone does figure it out it won't be good for very long).
0
 
Todd Gerbert (IT Consultant) Commented:
I don't have any examples handy and that looks like a lot of work, so I'm afraid you're out of luck. ;)

I would suggest checking www.pinvoke.net though, you may at least save yourself the trouble of typing out all the function & structure definitions.
0
 
sathish_raos (Author) Commented:
Hi tgerbert, I tried your suggestion. I even found an article about the same, in the link below

http://www.codeproject.com/KB/vista-security/VistaSessionsC_.aspx

I even tried the sample code provided in the article. But I always ended up getting this error
"CreateProcessInConsoleSession SetTokenInformation error: 998 Token does not have the privilege" (I tried it on a couple of Windows 7 machines with the highest UAC level; still I get the same problem).

I have mentioned this problem to the author; I am yet to hear from him. Meanwhile, can anyone help me get around this problem?

Thank you,
Sathish
0
 
Todd Gerbert (IT Consultant) Commented:
According to MSDN (http://msdn.microsoft.com/en-us/library/aa379626(v=VS.85).aspx):

If TokenSessionId is set with SetTokenInformation, the application must have the Act As Part Of the Operating System privilege, and the application must be enabled to set the session ID in a token.

I also recall reading somewhere that only the user LocalSystem was able to set the session, though I can't find it now and I'm not sure if that's accurate.
0
 
sathish_raos (Author) Commented:
Thank you tgerbert again. I have my service started using LocalSystem account. I will remember your pointer.

I am currently working on priority issues. I shall get back and test this in 2 days. I shall let you know then.
 
Thank you,
Sathish
0
 
sathish_raos (Author) Commented:
Hi tgerbert, I have not tried your suggestion yet. But it's too long to hold the points for your suggestion.

Thank you,
Sathish
0
 
Todd Gerbert (IT Consultant) Commented:
You can take as much time as you need...don't assign points unless one of the answers actually works. ;)
0
 
sathish_raos (Author) Commented:
It was not the complete expected suggestion, but came in bits and pieces. In short, it was not bang on point.
0
 
Todd Gerbert (IT Consultant) Commented:
I'd be curious to know if & how you finally get it working, post back and let me know if you don't mind.
0
