Stored User Names and Passwords - windows

I'm writing an application which needs to store login data for multiple (XMPP) accounts on Windows.
Currently the application stores them in Windows' "Stored User Names and Passwords" using CredRead and CredWrite. And here is the problem: The login name for an XMPP account cannot be changed (it's the account's JID), but Windows only stores user name/password pairs under a given target name. I use something like "xmpp:account#server.tld" for the target name and don't use the user name at all during login. The user can't even set the user name from within the application (it will be set to "account#server.tld" automatically instead).
Now I would like to prevent the user name from being changed to something different by the user (using control panel or rundll32.exe keymgr.dll, KRShowKeyMgr) or another application, as this is currently possible and somewhat confusing because the actual value is ignored anyway. If I open up the "Stored User Names and Passwords" dialog (using rundll32.exe keymgr.dll, KRShowKeyMgr), the entries which are created by my application are listed as "xmpp:account#server.tld (LegacyGeneric)" and can be edited using the "Edit..." button.
The list also contains an entry for Windows Live (listed as "live_account#hotmail.com (WindowsLive)"), whose user name cannot be changed (trying to do so brings up a message box saying: "Windows cannot save the logon information. Make sure the information is correct and that all required fields are completed.").
And here is (finally) my question: Can I get this behavior for my application as well? How can I change the credential type to something other than "LegacyGeneric"? Or is there a better way to store only the password for a given login name (maybe using Windows Data Protection), while still using some "standard" Windows way of storing them?
Any hints and answers are appreciated.
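One way to keep only the password, keyed by the fixed JID, is Windows Data Protection (DPAPI) rather than the credential manager: the blob is bound to the Windows account that wrote it, and there is no user-name field that any dialog could edit. The following is an added example in PowerShell, not code from the original question; the store directory under %LOCALAPPDATA%, the file naming, the use of the JID as additional entropy, and the sample JID are all assumptions (Windows PowerShell 5.1 is assumed for the Add-Type line).

```powershell
# Added example: per-user DPAPI store that holds only the password for a JID.
# Assumptions: %LOCALAPPDATA%\XmppClientExample as the store, the JID as DPAPI
# entropy, and 'alice@example.org' as a constructed sample JID.
Add-Type -AssemblyName System.Security

$StoreDir = Join-Path $env:LOCALAPPDATA 'XmppClientExample'   # assumed location

function Get-StorePath([string]$Jid) {
    # File name derived from the JID; replace characters that are invalid in file names
    $safe = ($Jid -replace '[\\/:*?"<>|]', '_')
    return Join-Path $StoreDir "$safe.bin"
}

function Get-JidEntropy([string]$Jid) {
    # Binding the blob to the JID means a blob copied to another JID's file will not decrypt
    return [System.Text.Encoding]::UTF8.GetBytes("xmpp:$Jid")
}

function Save-XmppPassword {
    param([Parameter(Mandatory)][string]$Jid,
          [Parameter(Mandatory)][securestring]$Password)
    if (-not (Test-Path $StoreDir)) { New-Item -ItemType Directory -Path $StoreDir | Out-Null }
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $data  = [System.Text.Encoding]::UTF8.GetBytes($plain)
    # CurrentUser scope: only the same Windows account (on the same profile) can decrypt
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect(
        $data, (Get-JidEntropy $Jid), [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [System.IO.File]::WriteAllBytes((Get-StorePath $Jid), $blob)
}

function Get-XmppPassword {
    param([Parameter(Mandatory)][string]$Jid)
    $path = Get-StorePath $Jid
    if (-not (Test-Path $path)) { return $null }
    $blob = [System.IO.File]::ReadAllBytes($path)
    try {
        $data = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $blob, (Get-JidEntropy $Jid), [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Different Windows user, tampered blob, or JID/entropy mismatch
        return $null
    }
    $plain = [System.Text.Encoding]::UTF8.GetString($data)
    return (ConvertTo-SecureString $plain -AsPlainText -Force)
}

function Remove-XmppPassword {
    param([Parameter(Mandatory)][string]$Jid)
    $path = Get-StorePath $Jid
    if (Test-Path $path) { Remove-Item -Path $path -Force }
}

# Usage with the constructed sample JID:
# Save-XmppPassword -Jid 'alice@example.org' -Password (Read-Host -AsSecureString 'Password')
# $pw = Get-XmppPassword -Jid 'alice@example.org'
```

Because DPAPI blobs do not carry a user-name field, nothing in Control Panel or keymgr.dll can edit the login name; the JID is the only key. The trade-off against CredWrite is that the password is no longer visible or manageable from the "Stored User Names and Passwords" dialog at all, and a user who resets their Windows password from outside (rather than changing it) loses access to CurrentUser-scope blobs.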

Related

What patterns are possible in Windows for the login field

Our Web Application has a login screen: User can login with their Windows Accounts (the admin can use local accounts).
The Web Application uses the UserPrincipal class in the .NET Framework to match the login name and password. The entered login is split at the '\' into a domain part and a SamAccountName part. E.g.:
Calamitas\Simon
But for local accounts in Windows it is possible to use the computer name instead of the domain name:
ComputerName\LocalUser
And instead of the computer name it is possible to use a dot:
.\LocalUser
Where can I get a list of all these login patterns?
If you are calling FindByIdentity then the formats supported are listed in the IdentityType enum. This seems to be a subset of the types GetUserNameEx can return.
You have most of the important patterns covered already except for name#example.com, name#domain and example.com/name? It might also accept just a name but that lookup is going to be slow in a large domain forest.
There are also distinguished names (CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM) but they are hard to parse/validate.
Users are probably not going to use a GUID or a SID to log in.
If you are trying to validate form input then I would suggest allowing ?*\?* and ?*#?* (DOS syntax). Add S-?-?* to support SIDs.
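The forms listed in this answer can be checked before the value ever reaches FindByIdentity. The following is an added PowerShell example, not the answer's own code: it classifies a login string into the down-level (DOMAIN\name, COMPUTER\name, .\name), UPN, domain/name, distinguished-name, SID and GUID forms and maps each to the IdentityType enum value of System.DirectoryServices.AccountManagement that FindByIdentity would take. It uses regular expressions rather than the DOS wildcards suggested above; the sample inputs at the bottom are constructed.

```powershell
# Added example: classify a typed login into the forms discussed in the answer.
function Resolve-LoginFormat {
    param([Parameter(Mandatory)][string]$Login)

    $l = $Login.Trim()
    if ($l.Length -eq 0) {
        return [pscustomobject]@{ Format = 'Invalid'; IdentityType = $null; Domain = $null; Name = $null }
    }

    # switch -Regex is case-insensitive by default, so GUID hex digits and 'cn=' both match
    switch -Regex ($l) {
        '^S-1-\d+(-\d+)+$' {
            return [pscustomobject]@{ Format = 'Sid'; IdentityType = 'Sid'; Domain = $null; Name = $l }
        }
        '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' {
            return [pscustomobject]@{ Format = 'Guid'; IdentityType = 'Guid'; Domain = $null; Name = $l }
        }
        '^CN=[^,]+(,(CN|OU|DC|O)=[^,]+)+$' {
            # Rough shape check only; DNs allow escaped commas and more attribute types
            return [pscustomobject]@{ Format = 'DistinguishedName'; IdentityType = 'DistinguishedName'; Domain = $null; Name = $l }
        }
        '^([^\\/@\s]+)\\([^\\/@\s]+)$' {
            # DOMAIN\sam, COMPUTER\local or .\local; '.' means the local machine
            $domain = if ($Matches[1] -eq '.') { $env:COMPUTERNAME } else { $Matches[1] }
            return [pscustomobject]@{ Format = 'DownLevel'; IdentityType = 'SamAccountName'; Domain = $domain; Name = $Matches[2] }
        }
        '^([^\\/@\s]+)@([^\\/@\s]+)$' {
            # name@example.com or name@domain
            return [pscustomobject]@{ Format = 'UserPrincipalName'; IdentityType = 'UserPrincipalName'; Domain = $Matches[2]; Name = $Matches[1] }
        }
        '^([^\\/@\s]+)/([^\\/@\s]+)$' {
            # example.com/name: normalised to the down-level parts for a SamAccountName lookup
            return [pscustomobject]@{ Format = 'SlashForm'; IdentityType = 'SamAccountName'; Domain = $Matches[1]; Name = $Matches[2] }
        }
        '^[^\\/@\s]+$' {
            # Bare name: accepted, but the forest-wide lookup is slow, as the answer notes
            return [pscustomobject]@{ Format = 'Name'; IdentityType = 'Name'; Domain = $null; Name = $l }
        }
        default {
            return [pscustomobject]@{ Format = 'Invalid'; IdentityType = $null; Domain = $null; Name = $null }
        }
    }
}

# Constructed sample inputs (the first three are the forms from the question)
'Calamitas\Simon', 'ComputerName\LocalUser', '.\LocalUser', 'simon@example.com',
'example.com/simon', 'S-1-5-21-1-2-3-1001', 'CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM',
'simon', 'a\b\c', '' |
    ForEach-Object { Resolve-LoginFormat -Login $_ } |
    Format-Table Format, IdentityType, Domain, Name -AutoSize
```

Rejecting anything that falls through to Invalid before calling FindByIdentity keeps malformed or multi-separator strings out of the directory query; the Domain and Name parts can then be passed as the PrincipalContext name and the identity value respectively.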

How to use an unrestricted service token to restrict a service's access to a file

Sue has a standard user domain account on Windows 10 Pro. She has an application that can run from the command line or as a service. The service runs with her credentials. Using the SC command the service has been assigned an unrestricted SID (SERVICE_SID_TYPE: UNRESTRICTED). The service name is NT SERVICE\MyService. I want to allow Sue full control of a file when running the program from the command line. I want the service to have Read Attributes and Read Extended Attributes access only.
Using the service account I adjusted the security settings on the file by denying the service all access except for Read Attributes and Read Extended Attributes. I added a second entry that gave it Read Attributes and Read Extended Attributes permission. I've confirmed these are the settings by viewing the Effective Access settings in the Advanced Security Settings dialog box: all of the rows in the Effective Access column contain Xs except for Read Attributes and Read Extended Attributes. They have checkboxes. The rows with Xs have "File Permissions" as their "Access limited by" column.
Still the service is able to change the file's permissions. I'm not sure what I'm doing wrong and would appreciate any pointers. I'm open to other approaches to achieving the results I'm after.
The per-service SID was working properly. After reviewing Harry's comments and checking the containing folder permissions I got things working. Thanks a lot Harry.
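The same ACL can be set and checked from PowerShell, which also makes it easy to inspect the containing folder that turned out to matter here. The following is an added example, not code from the original post: it gives the per-service SID NT SERVICE\MyService an explicit Allow for ReadAttributes and ReadExtendedAttributes, an explicit Deny for every other right, and then lists the rules on both the file and its parent folder. The file path is an assumption; the service must already be installed so that its SID resolves.

```powershell
# Added example: least-privilege file ACL for a per-service SID, plus a check
# of the parent folder. $Path is an assumed location.
$Path       = 'C:\Data\MyService\secret.dat'
$ServiceSid = 'NT SERVICE\MyService'
$Allowed    = [System.Security.AccessControl.FileSystemRights]'ReadAttributes, ReadExtendedAttributes'
# Deny everything in FullControl that is not allowed. Synchronize is left out of the
# Deny because many Win32 file opens request it implicitly and would fail otherwise.
$Denied     = [System.Security.AccessControl.FileSystemRights](
                  [int][System.Security.AccessControl.FileSystemRights]::FullControl -band
                  -bnot ([int]$Allowed -bor [int][System.Security.AccessControl.FileSystemRights]::Synchronize))

function Set-ServiceFileRights {
    param([string]$Path, [string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Allow,
          [System.Security.AccessControl.FileSystemRights]$Deny)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the folder (keeping copies of the inherited ACEs) so a folder
    # grant cannot widen what the service gets on this particular file
    $acl.SetAccessRuleProtection($true, $true)
    # Drop earlier explicit rules for the service before adding the new pair
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Deny,  'Deny')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Allow, 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
}

function Show-ServiceRights {
    param([string]$Path, [string]$Identity)
    Write-Host "Rules for $Identity on $Path"
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
    # Delete or Write on the folder is enough to remove or replace the file regardless
    # of the file's own ACL, so the folder rules are part of the effective picture
    $folder = Split-Path -Parent $Path
    Write-Host "Rules on containing folder $folder"
    (Get-Acl -Path $folder).Access |
        Format-Table IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags -AutoSize
}

Set-ServiceFileRights -Path $Path -Identity $ServiceSid -Allow $Allowed -Deny $Denied
Show-ServiceRights -Path $Path -Identity $ServiceSid
```

The Deny ACE covers WriteDAC, TakeOwnership and Delete, so the service token (which carries both Sue's SID and the service SID when the service SID type is unrestricted) is blocked from rewriting the permissions even though Sue herself has full control; the folder listing is the place to look when the file ACL alone does not explain the effective access.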

Creating a Windows security popup

I'm using a batch file to map local drive A: to another network location. The batch file prompts the user for a username, followed by a password.
How would I implement the same functionality in a popup UI instead of relying on the console? The console doesn't provide any feedback during password entry. I want something like this picture:
A UI would be more convenient for the users because they wouldn't have to retype the entirety of our standard fifteen character passwords if they've made a mistake.
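The standard Windows credential dialog is available from PowerShell through Get-Credential, and the resulting credential can be handed to New-PSDrive without the password ever appearing on a command line or in the batch file. The following is an added example, not code from the original question; the UNC path is an assumption, and Windows PowerShell 5.1 is assumed because its console host shows the graphical dialog.

```powershell
# Added example: map drive A: to a share using the Windows credential dialog.
# The share path is an assumed placeholder.
param([string]$Share = '\\fileserver\share')

function Connect-SecureDrive {
    param([Parameter(Mandatory)][string]$Letter,
          [Parameter(Mandatory)][string]$Share)

    # Get-Credential shows the built-in dialog: masked entry and easy retry on a typo
    $cred = Get-Credential -Message "Enter credentials for $Share"
    if ($null -eq $cred) {
        Write-Warning 'Cancelled by user'
        return $false
    }

    # Remove a stale mapping under the same letter before reusing it
    if (Get-PSDrive -Name $Letter -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $Letter -Force
    }

    try {
        # -Persist makes this a real drive letter visible to Explorer and other programs
        New-PSDrive -Name $Letter -PSProvider FileSystem -Root $Share -Credential $cred `
                    -Persist -Scope Global -ErrorAction Stop | Out-Null
        return $true
    } catch {
        # Wrong password, unreachable share or letter in use all land here
        Write-Warning "Mapping $Letter`: to $Share failed: $($_.Exception.Message)"
        return $false
    }
}

if (Connect-SecureDrive -Letter 'A' -Share $Share) { exit 0 } else { exit 1 }
```

From the existing batch file this is invoked as `powershell.exe -NoProfile -ExecutionPolicy Bypass -File MapDrive.ps1`, and the exit code tells the batch file whether the mapping succeeded. The credential object holds the password as a SecureString, so it is not left in the batch file, the command history or a visible command line as a `net use` call with the password argument would be.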

Strange folder creation in windows

I need some help in understanding a problem. Here is the scenario. We have a Windows domain controller machine and several machines in that domain. (Everything is Windows 2008.) In one of the machines in that domain (machine name AlphaSiter) our own custom Java based product is installed. To log on into our product, you have to provide a user/password combo which is validated against the Active Directory. Now here is the scenario.
Log into the domain controller and create a user (say David) in the active directory and set the “User must change password in next login option”.
Go to the machine called AlphaSiter where our custom product is installed and try to login to our product with the newly created user credentials and then change password successfully.
The side effect is that in the AlphaSiter machine in C:\Users the user folder is created, that is c:\Users\David. Also this folder is only created if at the time of user creation the “User must change password in next login option” is set. This user folder is not created if the option is unchecked. We are not creating the folder programmatically from our code. So I am wondering how this folder is getting created. Is it something that Windows does internally?
Any help on this would be appreciated as I have to give an explanation to our customer ---:)
The user's profile folder is always created when there is some profile information that needs to be stored. It may be some registry settings in HKCU hive.
You can use RegMon to track registry activity.

CFPreferences for another (or all) users

I'm working on a background service which needs to ask for several users' iTunes settings (the users will opt in via a helper application which they run from their login). Is there an easy way to read the preferences for a user other than the current one using CFPreferences? The docs, for example for CFPreferencesCopyValue, explicitly state: 'Do not use arbitrary user and host names, instead pass the pre-defined domain qualifier constants.', when passing the 'userName' argument to the various functions.
The userName parameter in CFPreferencesCopyValue is somewhat misleading; the possible values are restricted to the following ones:
- kCFPreferencesAnyUser;
- kCFPreferencesCurrentUser;
It specifies the scope of the preferences you are accessing (either the current user or all users). This also means that you cannot access the preferences of another user, even if you run as root.