13

I have a service that spawns a WPF application process when a user logs on.

But for some reason the WPF application gets killed about 10 minutes after it has been created? The termination is immediate with no traces found in the Event Log nor are any normal close/exit events called in the WPF application.

In fact, when the termination occurs, Windows 7 seems to hang for a second, the mouse becoming unresponsive and then acting out the mouse gestures after a short delay (when it normalizes, but now lacking the created process).

The When

public partial class Service1 : ServiceBase
{
    public Service1()
    {
        InitializeComponent();
        CanHandleSessionChangeEvent = true;
    }

    protected override void OnSessionChange(SessionChangeDescription changeDescription)
    {
        if (changeDescription.Reason == SessionChangeReason.SessionLogon
            && changeDescription.SessionId > 0)
        {
            ApplicationLoader.PROCESS_INFORMATION procInfo;
            ApplicationLoader.StartProcessAndBypassUAC(@"myapp.exe", out procInfo);                    
        }
        base.OnSessionChange(changeDescription);
    }
}

Process Creation As Per Pero Matic Code

// ...
bool result = CreateProcessAsUser(hUserTokenDup,  // client's access token
                            null,             // file to execute
                            applicationName,  // command line
                            ref sa,           // pointer to process SECURITY_ATTRIBUTES
                            ref sa,           // pointer to thread SECURITY_ATTRIBUTES
                            false,            // handles are not inheritable
                            dwCreationFlags,  // creation flags
                            IntPtr.Zero,      // pointer to new environment block 
                            null,             // name of current directory 
                            ref si,           // pointer to STARTUPINFO structure
                            out procInfo      // receives information about new process
                            );
  • the termination does not seem to happen if i target notepad.exe, however?
  • tested it with a vanilla\empty WPF application (.NET 4), and that crashed as well

Process Creation with Administrative Privileges and No Prompt

  • It seems that the issue is trying to duplicate the administrative SYSTEM token from winlogon.exe (but which is running in session 1+), because if you duplicate the specific user token instead (e.g. from explorer.exe) then the crashes are no more!
  • this is confirmed with the same vanilla/empty WPF application, and with running Marcel Roma code here - note that he uses explorer.exe instead of winlogon.exe

  • although using explorer.exe gets rid of the termination I lose the administrative privileges with that, which does not work for me

  • any ideas how to get it to work with the winlogon process token?

  • or is it possible to adjust the exlorer.exe token to make the duplicate elevated? im guessing somehow using TokenElevation and SetTokenInformation or AdjustTokenPrivileges
  • or could it be that Windows 7 has been patched to disallow such process impersonation?
  • alternatively, is there any way to get the specific user token with administrative privileges (rather than the owner being SYSTEM), but again, without password knowledge/prompts (excluding CreateProcessWithLogonW)
  • is this maybe to do with garbage collection somehow?
Cel
  • 6,467
  • 8
  • 75
  • 110
  • 2
    I believe this to be the definitive discussion of the topic: http://blogs.msdn.com/b/winsdk/archive/2009/07/14/launching-an-interactive-process-from-windows-service-in-windows-vista-and-later.aspx – David Heffernan Mar 27 '12 at 18:34
  • thumbs up for a great link with great expertise! it does not answer the question im asking, however. i.e. i have already got the service to work in regard to spawning a non-elevated process, but how would you do that to run process elevated (as administrator)? or maybe i did not understand fully - is the temporary process approach relevant here? and does `winlogon.exe` token not provide the correct `session id` and `desktop` already? or is the `winlogon` desktop incorrect and that is why `dwm` kills my process? as the comments in the linked page mention, the elevation question is unanswered? – Cel Mar 27 '12 at 20:38
  • 2
    Why do you have to spawn an *elevated* process in another user's space? Am surprised you even got this far. A hacker would only have to replace the binary of the executable in order to wreak havoc. –  Apr 02 '12 at 18:03
  • 1
    with some low-level hacks this is doable BUT I would strongly recommend AGAINST doing what you describe. What exactly is your goal ? Why do you want to do this ? IF you explain these things perhaps there are other/alternative options... – Yahia Apr 02 '12 at 18:36
  • im creating a specific kind of parental control application that has a omnipresent WPF graphical interface; and the user should not be able to kill this process, [so im making the process critical, which requires elevation](http://stackoverflow.com/a/5825934/742084) basically i need a per-user GUI that starts at log-on and that the user cannot terminate ... – Cel Apr 02 '12 at 19:19
  • @Cel ANY and EVERY process can be terminated/circumvented etc. IF really need that much protection then the only option I see is to have 2 pieces of SW, one running on the users machine and one running on the router that connects to the internet... – Yahia Apr 04 '12 at 21:34

2 Answers2

5

Well I'm just suggesting you a work around: Why you don't put your core functionalities in a windows service, and then use the wpf app as a frontend ? So that if the user kill it, it doesn't stop the service. Then the service can regularly check that the wpf front end is started, and if needed restart it.

I think it'll be a more "trusted" design that the one you're trying to do, which could let the antivirus think you're a bad software and block you.

And to protect the windows service there is another question here: Protecting a Windows Service from untrusted users

Community
  • 1
  • 1
Fabske
  • 2,106
  • 18
  • 33
  • thanks for the link, that is very helpful! in addition to inhibiting users from Stopping the service, is there a way to block users from changing the service startup from `Automatic` to `Manual` or `Disabled`? – Cel Apr 09 '12 at 08:01
  • 2
    I know there is a special user in windows vista (and 7) named "NT SERVICE\TrustedInstaller". When a file belong to this user (it's the case for all system files), nobody can modify it. I *think* it's the same for the services, but I'm not sure. Anyway, you'll not be able to completely block access to someone which is administrator and have deep computer knowledge (i.e. he can reboot in safe mode...) – Fabske Apr 09 '12 at 23:01
  • 2
    I've another idea: double click the service, and choose log on as , and change it to a specific user created for your application. Then go to regedit HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services and choose your service by right click, choose permissions, and edit there who can do what: you can remove everyone except you app user. Be careful that I've not tested this solution, but it should works. Then you can put these action in the installer. – Fabske Apr 09 '12 at 23:14
2

I don't think you can (and definitly should not be able) to do this. Your best bet is to create an application that doesn't need elevated privileges and then use IPC to talk back to your service which then performs administrative tasks on the users behalf.

Yaur
  • 7,333
  • 1
  • 25
  • 36
  • im aware of IPC as best practice, but please see my requirements as stated in the last comment to the main post - how could i achieve that using IPC? – Cel Apr 02 '12 at 19:20
  • ping your service from the desktop app and restart it if the user terminates it. – Yaur Apr 02 '12 at 19:38