CreateService Failing on windows 7 - winapi

I am trying to install a service using CreateService API in Windows 7 64 bit.When CreateService API is called, it fails with Error code 1314 which is "A required privilege is not held by the client. ".
I am running Visual studio in Administrator mode. Any idea why it still failing when service is getting created by a process running in admin mode.
Also I am trying to create service with ACCESS_SYSTEM_SECURITY as one of desired access flag.CreateService is failing only when ACCESS_SYSTEM_SECURITY is passed otherwise its working fine.
Here is code
LUID luidSecurityPriv;
HANDLE hTokenProcCur;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS | TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hTokenProcCur))
{
if (LookupPrivilegeValue(NULL, L"SeSecurityPrivilege", &luidSecurityPriv))
{
TOKEN_PRIVILEGES tp;
DWORD cbSinglePriv= sizeof(TOKEN_PRIVILEGES);
tp.PrivilegeCount= 1;
tp.Privileges[0].Luid= luidSecurityPriv;
tp.Privileges[0].Attributes= SE_PRIVILEGE_ENABLED;
if (AdjustTokenPrivileges(hTokenProcCur,
FALSE,
&tp,
cbSinglePriv,
NULL,
NULL))
{
// actually register the NanoService with the OS here
SC_HANDLE schService = CreateService(schSCManager,
_T(SERVICE_NAME),
(LPCTSTR)strServiceName,
SERVICE_QUERY_STATUS | SERVICE_CHANGE_CONFIG | SERVICE_START | READ_CONTROL | WRITE_DAC | ACCESS_SYSTEM_SECURITY, // desired access
SERVICE_WIN32_OWN_PROCESS, // service type
SERVICE_AUTO_START, // start type
SERVICE_ERROR_NORMAL, // error control type
strServicePath, // service's binary
NULL, // no load ordering group
NULL, // no tag identifier
NULL, // dependencies
NULL, // LocalSystem account
NULL); // no password
if (schService)
{
MessageBox(NULL,"CreateService Succeeded",L"",MB_OK);
}
else
MessageBox(NULL,"CreateService failed",L"",MB_OK);
}
}
}

The description for ACCESS_SYSTEM_SECURITY states the requirements for this access right:
The proper way to obtain this access is to enable the SE_SECURITY_NAME privilege in the caller's current access token, open the handle for ACCESS_SYSTEM_SECURITY access, and then disable the privilege.

Related

Open a JobObject created in a service from a user session process

I have a windows service that creates a JobObject that i need to keep alive as long as the machine is turned on - the goal is to manage a few user session processes that can terminate/start at any time with this JobObject. I am creating it in a service to make sure the process is running at startup, and that it can't be killed by regular users.
However, i don't seem to be able to open a handle to this JobObject from the user session, I always get an access denied (5) error, despite going as far as creating it with a NULL DACL.
I have found a somewhat related question here: Open an Event object created by my service from my application, but for me, even with the NULL DACL, when asking for a JOB_OBJECT_ASSIGN_PROCESS right, i get access denied (asking for SYNCHRONIZE works for example).
The service code:
PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
InitializeSecurityDescriptor(psd, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(psd, TRUE, NULL, FALSE);
SECURITY_ATTRIBUTES secAttr= {0};
secAttr.nLength = sizeof(secAttr);
secAttr.bInheritHandle = false;
secAttr.lpSecurityDescriptor = psd;
hJobObject = CreateJobObject(&secAttr, SCL_JOBOBJECTNAME);
LocalFree(psd);
The user session code:
hJobObject = OpenJobObject(JOB_OBJECT_ASSIGN_PROCESS, FALSE, SCL_JOBOBJECTNAME);
if (hJobObject == NULL)
{
DWORD wError = GetLastError();
printf("Error: %d\n", wError); // this always pops 5
return 1;
}
Any ideas? As a test, i tried spawning a user session process from within the service, and assign the JobObject via the service code, and that worked,.. so i'm fairly certain its related to security settings i am missing, despite the NULL DACL.
if you create Job in service - this object by default will be have WinSystemLabelSid label SID: S-1-16-16384 - System Mandatory Level. (i just check this) so you need not only set Dacl but Sacl too. for example:
ULONG cb = MAX_SID_SIZE;
PSID LowLabelSid = (PSID)alloca(MAX_SID_SIZE);
if (CreateWellKnownSid(WinLowLabelSid, 0, LowLabelSid, &cb))
{
PACL Sacl = (PACL)alloca(cb += sizeof(ACL) + sizeof(ACE_HEADER) + sizeof(ACCESS_MASK));
InitializeAcl(Sacl, cb, ACL_REVISION);
if (AddMandatoryAce(Sacl, ACL_REVISION, 0, 0, LowLabelSid))
{
SECURITY_DESCRIPTOR sd;
InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE);
SetSecurityDescriptorSacl(&sd, TRUE, Sacl, FALSE);
SECURITY_ATTRIBUTES sa= { sizeof(sa), &sd, FALSE };
if (HANDLE hJob = CreateJobObject(&sa, L"Global\\{58BFC6DB-BE93-4cdb-919C-4C713ACB5A32}"))
{
CloseHandle(hJob);
}
}
}

OpenMutex fails in process opened with CreateProcessAsUser

I've been banging my head on this for days, and I must have read every page on the Internet even remotely related, but I still can't find an answer. Help!
Here's the scenario: In Windows 7, I have a process running under an admin user account (not a service). It creates a global named mutex, which is later used in a child process running under a regular user account. No matter what I do, or what ACLs I put on the mutex, the child process keeps returning Access Denied when trying to get the handle.
I've distilled my code down into a test app just to experiment with the process and mutex parts, and I found something surprising: if I call OpenMutex from the user app without first creating the mutex, I would expect a Not Found error but I still get Access Denied. However, if I launch the user app from Explorer instead (shift-right-click, Run as different user...), I get the expected behavior. I also noticed that the user app has a plain blocky window border rather than the normal Windows theme when launched from the admin app.
So my guess is that there's something wrong with how I'm launching the user app, but I just can't see what I'm missing.
Here are the relevant parts:
bool CUserTest::LogInUser()
{
if ((m_hUserToken == NULL) && !LogonUser(TEST_USER_NAME, L".", TEST_USER_PASS, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &m_hUserToken))
{
CloseHandle(m_hUserToken);
m_hUserToken = NULL;
}
return (m_hUserToken != NULL);
}
bool CUserTest::LaunchTestApp()
{
PROCESS_INFORMATION ProcInfo;
STARTUPINFO si;
ZeroMemory(&si, sizeof(STARTUPINFO));
si.cb = sizeof(si);
si.lpDesktop = L"winsta0\\default";
wchar_t wszCmdLine[MAX_PATH + 1] = { 0 };
wcscpy(wszCmdLine, L"UserTestClient.exe");
bool bSuccess = false;
LPVOID pEnv;
PROFILEINFO sProfileInfo;
ZeroMemory(&sProfileInfo, sizeof(PROFILEINFO));
sProfileInfo.dwSize = sizeof(PROFILEINFO);
sProfileInfo.lpUserName = TEST_USER_NAME;
if (LoadUserProfile(m_hUserToken, &sProfileInfo))
{
if (ImpersonateLoggedOnUser(m_hUserToken))
{
if (CreateEnvironmentBlock(&pEnv, m_hUserToken, FALSE))
{
bSuccess = CreateProcessAsUser(
m_hUserToken,
NULL,
wszCmdLine,
NULL, // ProcessAttributes
NULL, // ThreadAttributes
FALSE, // InheritHandles
CREATE_UNICODE_ENVIRONMENT, // CreationFlags
pEnv, // Environment
NULL, // CurrentDirectory
&si,
&ProcInfo); // ProcessInformation
DestroyEnvironmentBlock(pEnv);
}
RevertToSelf();
}
UnloadUserProfile(m_hUserToken, sProfileInfo.hProfile);
}
if (bSuccess)
{
CloseHandle(ProcInfo.hThread);
CloseHandle(ProcInfo.hProcess);
}
return bSuccess;
}
I never could get the CreateProcessAsUser call to work correctly, but I finally got it working using CreateProcessWithLogonW instead. The trick was to set si.lpDesktop to NULL rather than "winsta0\default", contrary to everything I'd read up to this point.

windows service, can't have network access until user logon

I am trying to write a simple window service on window 7 64bit. The user account for the service is LocalSystem.
What I want to do is just a basic server/client socket program and the server exists in a windows service. The service just does a simple thing. When it starts, it creates a thread to listen on a port and wait for client connecting using window socket apis. But the problem is the client can't connect to the server until a user login the machine on which the service is running.
Below is my code for installing the service.
wchar_t szPath[MAX_PATH];
SC_HANDLE schSCManager = NULL;
SC_HANDLE schService = NULL;
GetModuleFileName(NULL, szPath, ARRAYSIZE(szPath);
schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE);
schService = CreateService(
schSCManager,
L"msdcontrol",
L"msd control",
SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS,
SERVICE_AUTO_START,
SERVICE_ERROR_NORMAL,
szPath,
NULL,
NULL,
NULL,
NULL,
NULL
);
What am i doing wrong?

How can I add customized strings to the messages displayed by shutdown screen in Windows 7?

How can I add custom text to shutdown screen, like those messages that show when Windows is installing updates before shutting down? For example, you have a backup script that is executed on shutdown, and you want to inform about the progress of the backup just like Windows does when installing updates. Is there any command line tool for that, or some code library, or even something in Windows API?
Note that this is not about how to shutdown a computer, and it is not about whatever way to display a message there in shutdown screen, such as console applications or message boxes. This is not about customizing existing messages either, and it is not about any shutdown dialog that shows before shutdown screen and allows the user to cancel the shutdown or proceed without waiting for the programs to terminate.
This is about understanding how Windows implements the displaying of those messages the way they are displayed there in shutdown, and how to add new messages to be displayed, preferably with progress information. To be clear, below is a screenshot.
There is a function WmsgPostNotifyMessage in wmsgapi.dll which is displaying this message. Undocumented though, but shouldn't be a problem to use.
Here is a C++ code that can shutdown the computer with message.
#include <windows.h>
#pragma comment( lib, "advapi32.lib" )
BOOL MySystemShutdown( LPTSTR lpMsg )
{
HANDLE hToken; // handle to process token
TOKEN_PRIVILEGES tkp; // pointer to token structure
BOOL fResult; // system shutdown flag
// Get the current process token handle so we can get shutdown
// privilege.
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
return FALSE;
// Get the LUID for shutdown privilege.
LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME,
&tkp.Privileges[0].Luid);
tkp.PrivilegeCount = 1; // one privilege to set
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// Get shutdown privilege for this process.
AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,
(PTOKEN_PRIVILEGES) NULL, 0);
// Cannot test the return value of AdjustTokenPrivileges.
if (GetLastError() != ERROR_SUCCESS)
return FALSE;
// Display the shutdown dialog box and start the countdown.
fResult = InitiateSystemShutdown(
NULL, // shut down local computer
lpMsg, // message for user
30, // time-out period, in seconds
FALSE, // ask user to close apps
TRUE); // reboot after shutdown
if (!fResult)
return FALSE;
// Disable shutdown privilege.
tkp.Privileges[0].Attributes = 0;
AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,
(PTOKEN_PRIVILEGES) NULL, 0);
return TRUE;
}

Create Process with FS Virtualization Enabled

With UAC disabled, I need to create a process with the same characteristics as the process created with UAC enabled - basically I'm emulating process creation with UAC enabled.
My only roadblock is virtualization. The sample code below should create an instance of notedpad at medium IL with virtualization enabled. In actuality, it creates an instance of notepad at medium IL with virtualization disabled. I'm not entirely sure why the virtualization token is being ignored. Any ideas?
BOOL bRet;
HANDLE hToken;
HANDLE hNewToken;
// Notepad is used as an example
WCHAR wszProcessName[MAX_PATH] =
L"C:\\Windows\\System32\\Notepad.exe";
// Medium integrity SID
WCHAR wszIntegritySid[20] = L"S-1-16-8192";
PSID pIntegritySid = NULL;
DWORD EnableVirtualization = 1;
TOKEN_MANDATORY_LABEL TIL = {0};
PROCESS_INFORMATION ProcInfo = {0};
STARTUPINFO StartupInfo = {0};
ULONG ExitCode = 0;
if (OpenProcessToken(GetCurrentProcess(),MAXIMUM_ALLOWED, &hToken))
{
if (DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL,
SecurityImpersonation, TokenPrimary, &hNewToken))
{
if (ConvertStringSidToSid(wszIntegritySid, &pIntegritySid))
{
TIL.Label.Attributes = SE_GROUP_INTEGRITY;
TIL.Label.Sid = pIntegritySid;
// Set the process integrity level
if (SetTokenInformation(hNewToken, TokenIntegrityLevel, &TIL,
sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid)))
{
// Enable FS Virtualization
if (SetTokenInformation(hNewToken, TokenVirtualizationEnabled,
&EnableVirtualization, sizeof(EnableVirtualization)))
{
// Create the new process at Low integrity
bRet = CreateProcessAsUser(hNewToken, NULL,
wszProcessName, NULL, NULL, FALSE,
0, NULL, NULL, &StartupInfo, &ProcInfo);
}
}
LocalFree(pIntegritySid);
}
CloseHandle(hNewToken);
}
CloseHandle(hToken);
}
So, I was approaching this incorrectly - fs virtualization is not what I want. To emulate UAC, as described above, its necessary to create a restricted token with the administrators group disabled and use that token to create the process.
The reason that this doesn't work, is that the SetTokenInformation call to turn on virtualisation is working on the primary token created for CreateProcessAsUser. What's needed is an access token for the actual process. This can be obtained by creating the process with the CreationFlag CREATE_SUSPENDED, and calling OpenProcessToken with the process handle from ProcInfo. Use SetTokenInformation on that token to enable virtualisation, and then ResumeThread to run the process.

Resources