Vista service - session 0 isolation

I'm having a problem with a windows service running on a Vista client.
Situation:
A windows service running as LocalSystem hosts a .net remoting object. When
some event raises then the service starts a process. That process is a
windows forms applicatation. That process must run under the LocalSystem
account because it needs some (local)admin privileges. Under XP we used the
"interact with desktop" functionality to show the forms application. With
Vista (Session 0 Isolation) this is no longer possible. Anyone some advice
about this?


Kind regards,

Gene

You need to rearchitect your application and factor the UI piece into an
interactive program. Then you can use LPC to communicate between that and the
service.

This book will tell you how:
http://www.amazon.com/Writing-Secure...6841908&sr=1-2

---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"Gene Vangampelaere" wrote:

> I'm having a problem with a windows service running on a Vista client.
> Situation:
> A windows service running as LocalSystem hosts a .net remoting object. When
> some event raises then the service starts a process. That process is a
> windows forms applicatation. That process must run under the LocalSystem
> account because it needs some (local)admin privileges. Under XP we used the
> "interact with desktop" functionality to show the forms application. With
> Vista (Session 0 Isolation) this is no longer possible. Anyone some advice
> about this?
>
>
> Kind regards,
>
> Gene
>
>
>
>
>
>
>

Gene Vangampelaere wrote:
> I'm having a problem with a windows service running on a Vista client.
> Situation:
> A windows service running as LocalSystem hosts a .net remoting object.
> When some event raises then the service starts a process. That process is
> a windows forms applicatation. That process must run under the LocalSystem
> account because it needs some (local)admin privileges. Under XP we used
> the "interact with desktop" functionality to show the forms application.
> With Vista (Session 0 Isolation) this is no longer possible. Anyone some
> advice about this?
>
If a service running as LocalSystem really wants to run a process as
LocalSystem on a user desktop in a Terminal Services session other than 0,
it is esay to do. I have code to do that, which uses the following sequence
of calls. The code below is modified somewhat from my working code to
simplify it, and I have not actually compiled or run it, but it should give
you the general idea. You need to add code to set sessionID to the user's
Terminal Services session ID, and to declare commandLine and set it to the
command to be executed.

STARTUPINFO si;
PROCESS_INFORMATION pi;
HANDLE hToken = NULL;
HANDLE hPrimaryToken = NULL;
DWORD dwSize;
DWORD sessionID;
..
..
..
if (ImpersonateSelf(SecurityImpersonation)) {
if (OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &hToken))
{
dwSize = sizeof sessionID;
if (SetTokenInformation(hToken,
TokenSessionId,
&sessionID,
dwSize)) {
if (DuplicateTokenEx(hToken,
MAXIMUM_ALLOWED,
NULL,
SecurityImpersonation,
TokenPrimary,
&hPrimaryToken)) {
ZeroMemory(&pi, sizeof pi);
ZeroMemory(&si, sizeof si);
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = "winsta0\\default";
if (CreateProcessAsUser(hPrimaryToken,
NULL,
commandLine,
NULL,
NULL,
FALSE,
CREATE_NEW_CONSOLE,
NULL,
NULL,
&si,
&pi)) {
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
CloseHandle(hPrimaryToken);
}
}
CloseHandle(hToken);
}
RevertToSelf();
}

--
Larry Futrell