I am developing a credential provider for windows. I would like to know if it’s possible to attach and debug while running. As this is part of a logon process I am not sure if/how to do it.
Also, if a credential provider crashes, does Windows dump a core like Linux does?
Thank you
You can invoke your credential provider using a simple call to the credentials API CredUIPromptForWindowsCredentialsW. See the MS docs for a detailed description.
I have been creating my own simple application to do this call.
It is tuned to call Windows Security Dialog with my own suggestions and options (CREDUIWIN_IN_CRED_ONLY flag in my case).
You can modify invocation flags to approximate your scenario.
The easiest way to debug a credential provider is to set it up on some other machine and use remote debugging tools to attach to LogonUI.exe.
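The harness the answer describes, as an added example that is not the answerer's own application: a small C# console program that calls CredUIPromptForWindowsCredentials with the CREDUIWIN_IN_CRED_ONLY flag so the Windows Security dialog (and the credential provider under test) is exercised from an ordinary process instead of LogonUI.exe. The pre-filled user name "TESTDOMAIN\testuser", the caption text and the buffer sizes are assumptions; the P/Invoke signatures follow the documented credui.dll functions.

```csharp
// Added example (not from the original post): pop the Windows Security dialog from a
// plain process so a credential provider can be exercised and debugged outside LogonUI.exe.
using System;
using System.Runtime.InteropServices;
using System.Text;

static class CredUiHarness
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct CREDUI_INFO
    {
        public int cbSize;
        public IntPtr hwndParent;
        public string pszMessageText;
        public string pszCaptionText;
        public IntPtr hbmBanner;
    }

    // Documented flag values for CredUIPromptForWindowsCredentials.
    const uint CREDUIWIN_GENERIC = 0x1;
    const uint CREDUIWIN_CHECKBOX = 0x2;
    const uint CREDUIWIN_IN_CRED_ONLY = 0x20;   // only show the tile for the credential passed in
    const uint ERROR_CANCELLED = 1223;

    [DllImport("credui.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern uint CredUIPromptForWindowsCredentials(ref CREDUI_INFO uiInfo, uint authError,
        ref uint authPackage, IntPtr inAuthBuffer, uint inAuthBufferSize,
        out IntPtr outAuthBuffer, out uint outAuthBufferSize, ref bool save, uint flags);

    [DllImport("credui.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CredPackAuthenticationBuffer(uint flags, string userName, string password,
        IntPtr packedCredentials, ref uint packedCredentialsSize);

    [DllImport("credui.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CredUnPackAuthenticationBuffer(uint flags, IntPtr authBuffer, uint authBufferSize,
        StringBuilder userName, ref uint maxUserName, StringBuilder domainName, ref uint maxDomainName,
        StringBuilder password, ref uint maxPassword);

    [DllImport("ole32.dll")]
    static extern void CoTaskMemFree(IntPtr ptr);

    static void Main()
    {
        // Constructed placeholder user name; the first CredPack call only reports the required size.
        const string prefilledUser = "TESTDOMAIN\\testuser";
        uint packedSize = 0;
        CredPackAuthenticationBuffer(0, prefilledUser, "", IntPtr.Zero, ref packedSize);
        IntPtr packed = Marshal.AllocHGlobal((int)packedSize);
        try
        {
            if (!CredPackAuthenticationBuffer(0, prefilledUser, "", packed, ref packedSize))
                throw new System.ComponentModel.Win32Exception();

            var info = new CREDUI_INFO
            {
                cbSize = Marshal.SizeOf(typeof(CREDUI_INFO)),
                pszCaptionText = "Credential provider test harness",
                pszMessageText = "Enter credentials to exercise the provider under test",
            };
            uint authPackage = 0;
            bool save = false;
            uint rc = CredUIPromptForWindowsCredentials(ref info, 0, ref authPackage, packed, packedSize,
                out IntPtr outBuf, out uint outSize, ref save, CREDUIWIN_IN_CRED_ONLY);
            if (rc == ERROR_CANCELLED) { Console.WriteLine("Dialog cancelled"); return; }
            if (rc != 0) throw new System.ComponentModel.Win32Exception((int)rc);

            try
            {
                // Unpack only to confirm the provider produced a usable credential; never log the password.
                var user = new StringBuilder(256); uint userLen = 256;
                var domain = new StringBuilder(256); uint domainLen = 256;
                var pass = new StringBuilder(256); uint passLen = 256;
                if (!CredUnPackAuthenticationBuffer(0, outBuf, outSize, user, ref userLen,
                        domain, ref domainLen, pass, ref passLen))
                    throw new System.ComponentModel.Win32Exception();
                Console.WriteLine($"Provider returned user '{domain}\\{user}' (password length {pass.Length})");
                pass.Clear();
            }
            finally
            {
                // The out buffer is system-allocated and holds the packed credential: zero it, then free it.
                for (int i = 0; i < outSize; i++) Marshal.WriteByte(outBuf, i, 0);
                CoTaskMemFree(outBuf);
            }
        }
        finally { Marshal.FreeHGlobal(packed); }
    }
}
```

Because the dialog runs in your own process, you can set breakpoints in the credential provider DLL from a normal debugger session; dropping CREDUIWIN_IN_CRED_ONLY (or adding CREDUIWIN_GENERIC / CREDUIWIN_CHECKBOX) approximates other logon scenarios, as the answer suggests.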
We are trying to communicate with an HP server with a P420i controller via an application written in C#. We have used "hpssacli" to retrieve SMART info. I was wondering if there is a set of libraries out there that we could interface to instead of working with the command line interface. Can anyone help please?
You could use the hpssacli utility to do what it's meant to do... Something like hpssacli ctrl all show config.
Or configure the HP management agents to provide email alerts about the entire server's health.
Maybe even set up the HP management agents to send SNMP alerts.
You could leverage the HP Array Diagnostics Utility.
You could parse the HP Health Status Array output.
You could configure Agent-less Management and monitor the ILO4 instead of the OS.
Can you provide more context on why the C# application is necessary here?
I apologize for the bad phrasing in the title, but here's a little more context.
I recently bought a Windows 8 laptop and noticed that Norton was pre-installed and running with SYSTEM level privileges. Thus, it occurred to me that there must be some way for third-party applications to run with SYSTEM privileges.
However, after much googling, I could not figure out whether it was an API call or a registry setting or something else entirely that enabled Norton to do this, so I decided to ask the SO community. How can I write an application that runs with SYSTEM privileges?
Services can be configured to run as several different accounts, including LOCAL SERVICE, NETWORK SERVICE, SYSTEM, or any user's account.
Using SYSTEM isn't recommended, because any security problem can lead to complete compromise of the machine, but it is available.
This is configured by the lpServiceStartName parameter of CreateService and/or ChangeServiceConfig. Pass a NULL pointer as this parameter of CreateService, or ".\\LocalSystem" to ChangeServiceConfig, to use the local system account.
It's a bad idea to run a GUI application as local system. The best approach is to have both a GUI application (running as the logged-on user) and a service (running as SYSTEM) and have them communicate as needed using any suitable IPC method. This is probably what Norton is actually doing.
However, it is possible to get a system service to launch an application as SYSTEM in the user's session. To do this, duplicate the process's security token with DuplicateTokenEx and then use SetTokenInformation with the TokenSessionId option. This will give you a token in SYSTEM context but in the user's session which you can use to launch an executable. (There may be additional issues; for example, you might also need to change the permissions on the workstation and desktop.)
I need to consume an out-proc COM server from both a worker role and a web role in a Windows Azure application. One step I'm almost sure I'll need to do is to alter the access permissions for the COM server - grant "local launch" and "local activation" permissions for the predefined user under which roles code executes.
So far I found there's DCOMPERM utility in Windows SDK samples which contains code that I guess would do that. So I could write similar code and package it into either a separate executable or into the COM registration code of the COM server and run that code from a role start-up task. That's not trivial, but certainly doable.
I only have one major concern before I start.
Are there any reasons why I can't do that? Maybe using out-proc COM servers is not allowed on Windows Azure or something? Are there any such limitations?
It's not something I've personally done, but if you can install a COM+ server running in a shell exe, then I think you should be able to do what you want - see this recent blog post http://michaelwasham.com/2011/05/15/deploying-a-com-servicedcomponent-to-windows-azure/
I don't think you will hit limitations - but I think you will hit a fair few problems along the way - good luck.
I have a web app that uses some backend servers (UNC, HTTP and SQL). To get this working I need to configure ServicePrincipalNames for the account running the IIS AppPool and then allow kerberos delegation to the backend services.
I know how to configure this through the "Delegation" tab of the AD Users and Computers tool.
However, the application is going to be deployed to a number of Active Directory environments. Configuring delegation manually has proved to be error prone and debugging the issues misconfiguration causes is time consuming. I'd like to create an installation script or program that can do this for me.
Does anyone know how to script or programmatically set constrained delegation within AD?
Failing that how can I script reading the allowed services for a user to validate that it has been setup correctly?
OK, after much digging on the internet and some testing, I've got a way forward.
The following code is C#.
Setting an SPN for a user or computer can be achieved via the setspn utility.
Alternatively, the following C# code can do the same:
using System.DirectoryServices;   // reference System.DirectoryServices.dll
// usersDN: distinguished name of the account; spnString: the SPN to register (e.g. "HTTP/host.example.com")
DirectoryEntry de = new DirectoryEntry("LDAP://" + usersDN);
if (!de.Properties["servicePrincipalName"].Contains(spnString))
{
    de.Properties["servicePrincipalName"].Add(spnString);
    de.CommitChanges();
}
To set constrained delegation:
// Same DirectoryEntry as above; backendSpnString is the SPN of the backend service the account may delegate to
if (!de.Properties["msDS-AllowedToDelegateTo"].Contains(backendSpnString))
{
    de.Properties["msDS-AllowedToDelegateTo"].Add(backendSpnString);
    de.CommitChanges();
}
If the user has had non-constrained delegation enabled, you may need to turn this off before enabling constrained - but I didn't fully test this scenario.
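The validation step the question asks for (reading back the allowed services to confirm delegation was set up correctly), as an added example that is not part of the answer above. It uses the same System.DirectoryServices calls, compares the account's servicePrincipalName and msDS-AllowedToDelegateTo values against the expected sets, and also inspects userAccountControl so the unconstrained-delegation case the answer could not fully test is flagged rather than silently accepted. The account DN and the SPN lists in Main are constructed placeholders; the userAccountControl bit values are the documented ADS_USER_FLAG_ENUM constants.

```csharp
// Added example (not from the original answer): validate an account's Kerberos delegation
// configuration and report anything that differs from what the deployment expects.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;

static class DelegationCheck
{
    // userAccountControl bits (ADS_USER_FLAG_ENUM).
    const int ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000;                 // unconstrained delegation
    const int ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000; // protocol transition

    static List<string> Values(DirectoryEntry de, string attribute) =>
        de.Properties[attribute].Cast<object>().Select(v => v.ToString()).ToList();

    // Returns a list of findings; an empty list means the account matches the expected configuration.
    public static List<string> Validate(DirectoryEntry de, IEnumerable<string> expectedSpns,
                                        IEnumerable<string> expectedBackendSpns)
    {
        var findings = new List<string>();
        var spns = Values(de, "servicePrincipalName");
        var allowed = Values(de, "msDS-AllowedToDelegateTo");
        int uac = (int)de.Properties["userAccountControl"].Value;
        var ci = StringComparer.OrdinalIgnoreCase;

        foreach (var spn in expectedSpns)
            if (!spns.Contains(spn, ci))
                findings.Add($"missing SPN on account: {spn}");

        foreach (var spn in expectedBackendSpns)
            if (!allowed.Contains(spn, ci))
                findings.Add($"backend service not in msDS-AllowedToDelegateTo: {spn}");

        // Extra targets widen the set of services the app pool account may impersonate users to.
        foreach (var spn in allowed.Except(expectedBackendSpns, ci))
            findings.Add($"unexpected delegation target: {spn}");

        // With unconstrained delegation set, msDS-AllowedToDelegateTo is not what limits the account.
        if ((uac & ADS_UF_TRUSTED_FOR_DELEGATION) != 0)
            findings.Add("unconstrained delegation (TRUSTED_FOR_DELEGATION) is enabled; clear it before relying on constrained delegation");
        if ((uac & ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION) != 0)
            findings.Add("protocol transition (TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION) is enabled; confirm this is intended");

        return findings;
    }

    static void Main()
    {
        // Constructed placeholders: replace with the real account DN and the SPNs your deployment needs.
        string usersDN = "CN=svc-webapp,OU=Service Accounts,DC=example,DC=com";
        var expectedSpns = new[] { "HTTP/webapp.example.com", "HTTP/webapp" };
        var backendSpns = new[] { "cifs/fileserver.example.com", "MSSQLSvc/sql.example.com:1433", "HTTP/api.example.com" };

        using (var de = new DirectoryEntry("LDAP://" + usersDN))
        {
            var findings = Validate(de, expectedSpns, backendSpns);
            Console.WriteLine(findings.Count == 0
                ? "delegation configuration OK"
                : string.Join(Environment.NewLine, findings));
        }
    }
}
```

Running this from the installation script after the SPN and msDS-AllowedToDelegateTo writes gives a pass/fail record per environment, which is much cheaper than diagnosing a failed delegation hop later.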
I've been trying to use the Windows Authentication low level credential API functions to backup/restore credentials.
http://msdn.microsoft.com/en-us/library/aa374731%28VS.85%29.aspx#low_level_credentials_management_functions
However, I've found that while I can use CredEnumerate to obtain every credential on the system, all the passwords are missing for domain type credentials (which is documented). Is there any way to backup/restore these credentials in the same way as the Windows GUI tool can?
Hmm, it looks like I've found the answer although I don't like it. The only way to do this seems to be to use CreateRemoteThread() to create a thread in lsass.exe (the Windows security subsystem) and then to enumerate the credentials from within that thread, using the undocumented function LsaICryptUnprotectData exported from Lsasrv.dll to decrypt the credentials buffer.
It works but I'm not sure I have the stomach to put this into my software...