login      my ps      about      contact  



home instructor-led on-demand! screencasts blogs


Security Briefs » CreateProcessWithLogonW from SYSTEM

CreateProcessWithLogonW from SYSTEM

Security Briefs

Pluralsight Blogs

Syndication

Recent Posts

Tags

View more

Keith's books

Misc

Recent Articles

Archives

I've gotten a few reports from people that CPWLW is failing when run as SYSTEM. I confirmed this myself on Friday when I was hacking up some code for a client. Today I looked and found this in the docs:

Windows XP SP2 and Windows Server 2003:  You cannot call CreateProcessWithLogonW from a process running under the LocalSystem account. This is because the function uses the logon SID in the caller token and the token for the LocalSystem account does not contain this SID. As an alternative, use the CreateProcessAsUser and LogonUser functions.

When I first read this, I figured it was referring to the logon SID of the new logon, which is typically used to add a grant in the DACL of the winsta / desktop pair where the new process will live. But now that I reread it, clearly it's referring to the caller's logon SID. I wonder what that could be used for? Securing some temporary object used for communicating between the caller's process and the secondary logon service? Inquiring minds want to know, in case any of my MS readers were involved with this change.

In any case, if you're running your service as SYSTEM (tsk tsk tsk) and you want to migrate to W2K3 and XP SP2, I hope you're not calling CreateProcessWithLogonW. If you are and need another way, check out my 5 year old article (wow, has it been that long?) on doing this the old way using LogonUser / CreateProcessAsUser, etc. Note that since the article was released, (Un)LoadUserProfile was documented. So be sure to use that API instead of the rather complicated approach to bootstrapping the user's environment that I had to follow back in 1999.

The article comes with a tool called cmdasuser.exe from which you can grab all the code you need to get this going.

Posted Jul 16 2005, 11:10 AM by keith-brown
Filed under: ,

Comments

Stefan Kuhr wrote re: CreateProcessWithLogonW from SYSTEM
on 08-06-2005 11:21 AM
Keith,

I found that this limitation in the new OS versions is fairly easy to circumvent: First do a LogonUser for the user whose credentials you want to pass to CPWLW. It worked for me with LOGON32_LOGON_NEW_CREDENTIALS and LOGON32_LOGON_NETWORK. Then impersonate the user and now call CPWLW.
I do not know up to now if this has any side effects, it seemed to work for me.

--
Stefan
Keith Brown wrote re: CreateProcessWithLogonW from SYSTEM
on 08-12-2005 10:51 AM
Good point, Stefan. Given that you've got the user's password, and that LogonUser isn't a privileged call on the affected OS's, you could check to see which OS you're running on and impersonate the user before making the request.
Pavel Lebedinsky wrote re: CreateProcessWithLogonW from SYSTEM
on 08-19-2005 12:30 AM
I think it goes somewhat like this. CPWLW used to tweak the DACL of the caller's winstation/desktop to allow the new process to access it. This wasn't very secure, and presented problems such as how to clean up the added ACEs when the process terminates.

So the new implementation leaves the ACLs alone, and instead injects the caller's LogonId SID into the new process' token, which has a side effect of allowing it access to the desktop.

The system logon session doesn't have a logon id SID so CPWLW fails.

If you impersonate some other account before you call CPWLW you can bypass this problem, but you will also not get automatic access to the desktop.

Finally, I'm not sure but I think that you might be able to use CPWLW from the system session if you specify a non-NULL lpDesktop, or if you use LOGON_NETCREDENTIALS_ONLY flag on W2K3 SP1 and later, because in these cases CPWLW doesn't care about desktop permissions.
Stefan Kuhr wrote re: CreateProcessWithLogonW from SYSTEM
on 08-25-2005 10:29 AM
Hi Pavel,

you are right. When I did my first attempts to bypass the problem, I made the mistake to use the same credentials as those of the user who was interactively logged in. The service had interaction with the desktop enabled and therefore spawning processes with CPWL from the service worked. But as soon as I specify other credentials, the processes fail if they do UI. I think, in the case of the originating process running as SYSTEM, you now have to manipulate the ACEs of the winsta\desktop DACLS again.

--
Stefan
Vytautas wrote re: CreateProcessWithLogonW from SYSTEM
on 10-14-2005 12:49 PM
Hi guys,

I am getting blocked by quite similar issue. My service is running under admin acount, not system account. It executes runas tool, which internally calls our famous API.

So, if user credentials are admins, everything works perfectly. However, if Iam trying to runas with non admin credentials, runas succeeds, but process fails to initialize with 0xc0000142. Has anyone faced that? Any ideas how can I fix that?

Thanks!
Vytautas
Pankaj Lohani wrote re: CreateProcessWithLogonW from SYSTEM
on 11-21-2006 10:43 PM
hello Keith,
i read your artical.i think u can help me solve my problem.
This is very challenging problem for me. basically my windows service monitor the application when my application hang due any reason then my service kill that process and application .Then restart the process and application again.
So for all this I made the service. Well now come on problem, plz come on controlpannel > Administrator Tool > Service >myservice.Then right click on service and go on properties. There is a property on Log On
"Allow Service to interact with desktop". I check this property through coding using vb.net.
But there is a very big problem when I check this property through code using vb.net then my application is start working but after killing the application due to hang, service start the process on background means GUI of application do not display on user screen, process is running on background(we can see it on task bar of windows ) .
But when we do same things manually then every thing is running fine, service kill application or process properly and start it properly and proper GUI display on user screen
Please help me to solve this problem.
OS-Windows XP 2.0,
.NET 2.0
--
----- With Regards ----
Pankaj Lohani
pankaj.lohani@gmail.com
Dot Net Consaltant
Chandigarh(India)
+919888273250

Add a Comment

(required)  
(optional)
(required)  
Remember Me?


home instructor-led training online training blogs

781.749.9238 (East Coast) | 310.251.9901 (West Coast) | Pluralsight, LLC , 185 Lincoln St., Suite 305, Hingham, MA 02043-1741

Copyright © 2008 Pluralsight LLC. All rights reserved.

designed by nukeation