8

When I run a service under the LocalSystem account, I can use the following code to launch a GUI program under the currently logged-in account:

WTSGetActiveConsoleSessionId->WTSQueryUserToken->CreateProcessAsUser

However, when I run the service as my personal account, the GUI program will NOT show up. I can see it in task manager though.

What should I do to launch the GUI program when the service is running under my personal account?

marc_s
trudger

4 Answers

2

John and jdigital are both right - from my understanding, services can generally have either desktop access (you have to use localsystem) or network access (you need to specify an account to run under).

You will need to split your app into two - one to interact with the desktop and the other to talk over the network. The two parts can then talk to each other to relay info to the end user.

  • I plan to run the service under my account so it can access local and network resources. A "client" will talk to it to receive info and control it. But an odd thing, as I wrote below, is that the files it generates are owned by "administrator", NOT my account (Vista OS). This confuses me. – trudger Jun 05 '09 at 02:06
0

It all has to do with permissions I believe.

LocalSystem has sufficient privileges to impersonate the current user, but your account doesn't.

You'd have to figure out a way to extend permissions to your service, either by prompting for credentials, or connecting to a helper service that runs as LocalSystem.

(Why do you want to run with your account instead of LocalSystem?)

I'm sure there are much more thorough answers that deal with the ins and outs of doing this, but at a high level I think this is the issue.

John Weldon
  • Thanks John, there are two reasons: 1) LocalSystem has no permission to access network shared folders in Vista. 2) All files generated by a LocalSystem service are owned by "administrator". I want the files owned by my personal account. – trudger Jun 04 '09 at 04:04
0

You may be running in the wrong window station or desktop. See this Microsoft reference on Window Stations and Desktops.

jdigital
  • The service is running under my personal account and I'm currently logged in. I just checked, the program is running, but doesn't show up. – trudger Jun 04 '09 at 05:20
  • If you take a look at the link, you'll see that this is not an issue of permissions. Microsoft uses Window Stations and Desktops to provide varying levels of process isolation. There are ways to work around this, such as SetProcessWindowStation and SwitchDesktop, but splitting the application into two parts is the generally recommended solution. – jdigital Jun 04 '09 at 19:41
  • Yes, client/server mode is what I plan to do. It will solve such problems. But an odd thing is that although the service is running under my personal account, the files it generates are owned by "administrator", NOT my account. You can check this property at "File Properties->Detail->Owner". Shouldn't they be owned by my account? – trudger Jun 05 '09 at 02:02
0

I believe that what you are trying to do may be considered a security vulnerability. It is also not likely to work in some cases. I think jdigital is correct in that it has to do with window stations and trying to get access to the current user's window station and its desktop. This gets confused a lot when you are on a terminal services server where there are multiple current window stations. Microsoft really doesn't want you to do what you want, and they make it harder with every release of Windows.

I think your best bet is to solve the problem from another angle and just create a GUI application that the user runs (manually or automatically at login) and that talks to your service.

Shane Powell
  • If so, the user will not get notifications if he closes the GUI app. But it seems I have no other option. :( – trudger Jun 04 '09 at 07:28
  • @trudger: Nope. The user also will not get notification if they stand up and walk away from the computer, but that doesn't mean that you ship handcuffs with your software. – Aric TenEyck Jun 04 '09 at 15:07
  • Yes, that makes sense. I already decided to use a pipe to communicate between the GUI and the service. Maybe I can also buffer these events and show them to users when they log in. – trudger Jun 04 '09 at 15:50
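
A diagnostic for the two explanations given in the answers above (missing privilege, wrong window station), as an added example that is not from the original thread. It relies on Microsoft's documented requirement that a `WTSQueryUserToken` caller holds SeTcbPrivilege; the helper name `Get-LaunchContext` and the `Diag.Native` wrapper are hypothetical, and the `whoami` parsing assumes English column headers.

```powershell
# Added diagnostic, not code from the thread. Run it from inside the service
# (or a child process it starts) and again from the logged-in user's shell,
# then compare the two results.
Add-Type -Namespace Diag -Name Native -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern uint WTSGetActiveConsoleSessionId();

[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr GetProcessWindowStation();

[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool GetUserObjectInformation(IntPtr hObj, int nIndex,
    System.Text.StringBuilder pvInfo, int nLength, out int lpnLengthNeeded);
'@

function Get-LaunchContext {   # hypothetical helper name
    $UOI_NAME = 2              # ask GetUserObjectInformation for the object name
    $name     = New-Object System.Text.StringBuilder 256
    $needed   = 0
    $hWinSta  = [Diag.Native]::GetProcessWindowStation()
    $ok = [Diag.Native]::GetUserObjectInformation($hWinSta, $UOI_NAME, $name, $name.Capacity * 2, [ref]$needed)

    # Privileges present in this process token (enabled or disabled).
    # Assumption: English column headers in the whoami output.
    $privs  = whoami /priv /fo csv | ConvertFrom-Csv
    $hasTcb = [bool]($privs | Where-Object { $_.'Privilege Name' -eq 'SeTcbPrivilege' })

    [pscustomobject]@{
        Account        = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        ProcessSession = [Diagnostics.Process]::GetCurrentProcess().SessionId
        ConsoleSession = [Diag.Native]::WTSGetActiveConsoleSessionId()
        WindowStation  = if ($ok) { $name.ToString() } else { '<query failed>' }
        HasSeTcb       = $hasTcb
    }
}

$ctx = Get-LaunchContext
$ctx | Format-List
if ($ctx.ProcessSession -ne $ctx.ConsoleSession) {
    'Process is not in the console session: its windows cannot appear on that desktop.'
}
if ($ctx.WindowStation -ne 'WinSta0') {
    'Not on the interactive window station (WinSta0): windows created here are not shown to the user.'
}
if (-not $ctx.HasSeTcb) {
    'SeTcbPrivilege is absent: WTSQueryUserToken is documented to fail for this account.'
}
```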