CreateProcessAsUser vs CreateProcessWithLogonW
in [Win32 Kernel]
|
Prev: Support for selective suspend for usbstor.sys?
Next: VS2008 On Host Will Not Load Symbols For msvsmon'ed EXE On VM
From: Jeff McKay on 30 Nov 2009 20:16 Would it be true that CreateProcessWithLogonW() is exactly the same as doing LogonUser(), ImpersonateLoggedOnUser(), CreateProcessAsUser()? I am tryingto use CreateProcessWithLogonW() to start an application that runs under a service account for Microsoft Exchange. The process does get started but does not have the rights that it needs. So I'm wondering if the 3 calls starting with LogonUser() is a better idea. I have not been able to test this, since CreateProcessAsUser() fails with error 1314. The MSDN documentation says if this happens, use CreateProcessWithLogonW() instead. If I want to use CreateProcessAsUser(), how would I go about assigning the privileges needed to my first process? It is just an .exe file that I am starting from the command line.
From: Remy Lebeau on 30 Nov 2009 22:51 "Jeff McKay" <jeff.mckay(a)comaxis.com> wrote in message news:vuSdnSc78bwY84nWnZ2dnUVZ_sSdnZ2d(a)supernews.com... > Would it be true that CreateProcessWithLogonW() is exactly the same as > doing LogonUser(), ImpersonateLoggedOnUser(), CreateProcessAsUser()? Not exactly, no. CreateProcessWithLogonW() does not have the calling thread impersonate the user account. > I have not been able to test this, since CreateProcessAsUser() fails with > error 1314. That means your calling thread does not hold a privilege that CreateProcessAsUser() itself requires, typically either SE_INCREASE_QUOTA_NAME or SE_ASSIGNPRIMARYTOKEN_NAME. Look at AdjustTokenPrivileges(). -- Remy Lebeau (TeamB)
From: Jeff McKay on 1 Dec 2009 00:41
Well I just tried AdjustTokenPrivileges() adding both of your suggested privileges. The call worked, but CreateProcessAsUser() still fails with error 1314. Is there a way to figure out what privileges are required? Below is my code, in case you can see something obvious wrong: Privs.PrivilegeCount = 2; Privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; bret = LookupPrivilegeValue(NULL, SE_INCREASE_QUOTA_NAME, &Privs.Privileges[0].Luid); if (!bret) return(0); Privs.Privileges[1].Attributes = SE_PRIVILEGE_ENABLED; bret = LookupPrivilegeValue(NULL, SE_ASSIGNPRIMARYTOKEN_NAME, &Privs.Privileges[1].Luid); if (!bret) return(0); bret = AdjustTokenPrivileges(hToken, FALSE, &Privs, 0, NULL, NULL); if (!bret) return(0); // we get here, so all setup calls worked OK bret = CreateProcessAsUser(hToken, procname, cmdline, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, NULL, &si, &pi); > I have not been able to test this, since CreateProcessAsUser() fails with > error 1314. That means your calling thread does not hold a privilege that CreateProcessAsUser() itself requires, typically either SE_INCREASE_QUOTA_NAME or SE_ASSIGNPRIMARYTOKEN_NAME. Look at AdjustTokenPrivileges(). |