0

I have a service running as local system. I am using CreateProcess function to call an external .exe. What is the default account used when CreateProcess function is called? I could not find anything on default account in MSDN documentation. Also, I want this process to be persistent until the time service is running. Should I be using CreateService?

Red John
  • 167
  • 10
  • 1
    And CreateService only creates an entry in the service configuration database, it doesn't actually run the service. – SoronelHaetir May 10 '18 at 20:47
  • no any default account used. `CreateProcess` create process with parent process token (your current or set by `PROC_THREAD_ATTRIBUTE_PARENT_PROCESS`) – RbMm May 10 '18 at 22:26
  • and process will be *persistent* because you run it in the service terminal session – RbMm May 10 '18 at 22:28

1 Answers1

0

CreateProcess creates a process that runs as the same user as the parent application and it runs in the same session. You must use CreateProcessAsUser/CreateProcessWithLogonW/ CreateProcessWithTokenW to create a process as another user. The only exception is ShellExecute which can create a process as a different user if UAC elevation is used and the user is not an administrator.

If you need to interact with another service you can use ChangeServiceConfig to make yourself depend on the other service. The service control manager will start the other service first before starting your service.

Anders
  • 97,548
  • 12
  • 110
  • 164
  • A Windows subsystem process is created either via `CreateProcess` or `CreateProcessAsUser`. `CreateProcessWithLogonW` and `CreateProcessWithTokenW` use an RPC to the "Secondary Logon" service. Elevating via `ShellExecuteEx` "runas" uses an RPC to the "Application Information" service. One can also define and run a task as another user via the Task Scheduler service's COM API. These all leverage a privileged service to call `CreateProcessAsUser`. – Eryk Sun May 10 '18 at 23:02
  • here can note that exist parent and creator (who call `CreateProcess`) this usually the same but not mandatoty. and child process run in the same logon session as parent and same terminal session as creator. process created from service (when it and parent) will survive logoff – RbMm May 10 '18 at 23:03
  • child inherit from parent not only pid, but token - and this is serious affect child if we have parent != creator. but terminal session inherited from creator (if we use `CreateProcess`). for run in another terminal session need use `CreateProcessAsUser` already. interesting if use `CreateProcessAsUser` with `PROC_THREAD_ATTRIBUTE_PARENT_PROCESS` (we can use both at once) - child process inherit explicit token instead of parent process token. but all this untrelated if we have creator==parent – RbMm May 10 '18 at 23:48