I am new to vista and not a advanced programmer. From past few days i am trying to digest many technical details about vista. But still i have few basic questions on it. Hope you all will be help me in getting the answers for my questions.
Can we create a interactive process(which is having a embedded manifest file with "invokeAsAdministrator") from a service which is running under Local system account?
Here i know about the session 0 isolation and all.Still i am asking this question because, when i create a interactive process through CreateProcessAsUser(which requires admin privileges) it is failing with error 740. While using this i have given proper session id. The session id is that of my active desktop, where my user login as administrative privilages.
If the process can be created does that show up the UAC dialog?
If the UAC dialog shows up, can we avoid this?
It is well understandable problem. Local account has no privelegies of admin. The only thing you can do is impersonation. Temporary you emulates another account (in your case it is admin). Example of this technique you can find in MSDN for topic WindowsIdentity.Impersonate ( http://msdn.microsoft.com/en-us/library/chf6fbt4.aspx )
EDIT
Sorry, only after post noticed that you use vc++,
On Win API use ImpersonateLoggedOnUser
The createprocessasuser is failing in my case because by default when we query for the user token for the users desktop session I was getting a restricted token that was created for the user (for administrators two tokens are created 1)restricted token 2) full token; any how my application can be run only by administrators).
By browsing the net i have found that i have to find for linked token and use that token for creation of process.
The code for creation of process from service can be found in the following question:
Desktop problem with using CreateProcessAsUser from a service on Vista
Related
The goal is to have a service create a process which has the security context of a user whose password is not known.
I understand and accept the limitation that the new process will only be able to access local resources
I think I am close to a solution. Everything works fine so long as the user to be impersonated is in the local administrators group.
But if not I get an exception 0xc06d007e.
It seems the user to be impersonated lacks some permission or privilege that it has when it is in the administrators group.
But how can I find out what this missing right/permission/privilege is without by trial and error going through the thousands of permutations
get a token for the user to be impersonated
token = new WindowsIdentity("username#domain").Token
create a primary token
token2 = duplicatetokenex(token)
The process to be created is a simple console application and indeed I don't even need a console.
process_creation_flags.DETACHED_PROCESS
| process_creation_flags.CREATE_NO_WINDOW
| process_creation_flags.CREATE_NEW_PROCESS_GROUP
try to start the new process as the impersonated user
createprocessasuser(token2, "myapplication.exe" etc etc)`
As I say this works fine if username#domain is in the local admin group
otherwise I get exception 0xc06d007e I think when the new process is trying to start
As one of the steps towards creating the service, I was running the code as a console application and it was during that stage I was getting the exception mentioned above.
But I found that running the code as a service works fine!!
So I never found out why the user-to-be-impersonated (impersonatee?) needs to be in the local admin group when the impersonation is done from a console application.
I suspect it is something to do with sessions and / or desktops.
I have not found many discussions where the scenario is impersonating a user whose password you do not know. So I just want to re-assure anyone having problems that it is indeed possible and the main points are:
1) run the code as a service (with local system or a user with all the required privileges)
2) get the s4u token from windowsidentity (this will be an impersonation token if the call has the required privileges)
3) create a primary token from the impersonation token using duplicatetokenex
4) createprocessasuser using the token from 3
note the process will only have access to local resources
There is a Windows app that requires admin rights and this is declared in its manifest. When a restricted user starts it she has to input admin credentials. It's OK and the application works well, but it can't obtain original user folders anymore (ShellAPI returns admin's ones).
Since the application is started under admin initially, there is no point where I can store original user's folder paths to use them later.
Is there a way to get initial restricted user credentials?
Regards,
Because of your manifest, your app is running as an admin user, not the currently logged in restricted user. As David Heffernan mentioned, you should redesign your app to not require the entire app to be run elevated. Delegate your admin tasks to a separate process that runs elevated when needed.
That being said, if you must run your entire app elevated, all is not lost, but you are going to have to do some extra work.
Start by getting the Session ID that your elevated app is running in. You can do that using WTSQuerySessionInformation() with WTS_CURRENT_SESSION, or ProcessIdToSessionId() with GetCurrentProcessId(), or open the current process's token with OpenProcessToken() and then use GetTokenInformation().
Once you have the Session ID, use EnumProcesses(), GetProcessImageFileName() (or equivalent), OpenProcessToken(), and GetTokenInformation() to find the instance of explorer.exe (or whatever the PC's registered shell app is, which you can find in the Registry) that is running in the same Session ID as your app.
When found, you have the user token for that process from OpenProcessToken(). Duplicate it using DuplicateTokenEx() to get its primary token, and then you can use that token with APIs like LoadUserProfile(), SHGetFolderPath() and SHGetKnownFolderPath() as needed.
I would like to know if there are any API's available to switch users programmatically in windows.My application when provided with user credentials(account name & password) will try to logout any other user logged on and try to login the present user.
Any help would be greatly appreciated.
The function you are presumably looking for is LogonUser
However, you are probably better off using user impersonation in most cases.
Personally, I suspect you are likely better off user neither method and simply using security context of the running user, providing an privileged function via a windows service you wrote specifically for your application
Why don't you create a service to switch user credentials (by methods mentioned in the other answers), and install and run the service as "Administrator". From the logged in user account, you can invoke this service (Which is already running as admin), and make it switch user accounts without the permissions issue (as the service responsible to switching is already running as admin)
I have a C# desktop app where a user enters his company ID card number as a simple form of "authentication" against a database table of valid employees. If the user is found in the table with the correct permission level, the app runs and the user can use all of the screens and menus in the application. Problem is anyone who has a valid user's ID number (perhaps from a lost or stolen ID card) can run the program and get to the data.
We want to make this application more secure. Is there a way to use the Windows ID and pwd to authenticate application users? At the very least we would like to force app users to re-enter the credentials (ID and pwd) of the currently logged in Windows user on the machine. If that fails to authenticate then the application quits and will not run.
What are my options for adding this "feature" to my app? What is the easiest way to do it? LDAP bind? Compare the Windows ID entered to the User ID found in LDAP? What is the most secure way to do it? I"m good with making my apps talk to the database, but I've never done much with Windows security or authentication, so you'll have to talk down at my level. We want to avoid storing Windows user ID's in the database. The app is a VS 2008 project, but I will someday need to do the same thing in my VS 2010 projects. Thanks!
I am developing a VB.NET based application which requires administrative privileges in order to run properly. However I went through several tutorials online and it all mentioned how to do this using a mainifest file. The problem with this technique is that whenever the program is opened I need to type in the Administrator password, however I want this to happen automatically. (The user should not type the Admin password, the password must be entered from the code level)
The following code is the closest I could find, but it too does not satisfy my problem,
Dim securePass As New Security.SecureString()
Dim pass As String = "password"
For Each c As Char In pass
securePass.AppendChar(c)
Next
' If there isn't a domain, set the argument to 'Nothing', as demonstrated below.
Process.Start("testsoftware\WinKBSel\WinKBSel1003.exe", "username", pass, Nothing)
Could anyone please let me know how I could do this without requiring the user to enter the administrator password?
You would probably be best splitting the application up, if you had a back-end service that runs under an administrator account your application could use that to do stuff it requires at an elevated privilege. UAC is designed to protect the user from themselves, you can get around it by adding a backend service... but be very careful about opening up holes in this way as they could be exploited by other applications/viruses. Storing an administror password inside an application is always a bad idea as the application could be decompiled and the password extracted.
You cannot create a program that will automatically log on as a user unless the username/password is already known.
That means that you're either restricted to running on systems where your app already knows the credentials, your user has to enter the credentials into your app, or your user has to use the "Run As" functionality in Windows to use the correct user.
If what you're proposing were actually possible, it would represent a huge security hole: you'd be able to run any code as any user without requiring authentication first. That is not a good thing!
Think about it like this: if you were sold a program that would automatically log on as administrator even without your permission, how would you feel?
UAC is designed so that you cannot do what you want. UAC ensures that in order to elevate the user must pass through a UAC dialog (either the admin consent dialog or the over-the-shoulder dialog). You need to adapt your expectations to the reality of UAC.
You don't need a code for this action, UAC is made so you can automatically log on without the user's permission. What you can do is use the manifest and change the startup so when the application starts it runs as administrator and asks for permission! Change the manifest. look it up!