createprocesswithlogonw error access denial

  • Question

  • Hi all,
    I'm having some trouble using CreateProcessWithLogonW to start an executable as a user different from that of the starting process. Everything I try to launch (Notepad, for example) always returns with error 5: Access denied. I'm testing this solution on Windows XP SP3 and from VB6. The user credential is the administrator account, so it should be right for this operation.... The executable I want to start is regsvr32.exe. Any help would be appreciated, thanks in advance.
    Sunday, May 8, 2011 7:29 PM

Answers

  • I solved the problem! After a lot of testing I discovered that it was the change of security context before the call to CreateProcessWithLogonW that created the confusion. Let me explain it better: in my flow the process starts as a 'normal' user, then it changes security context (through LogonUser and ImpersonateLoggedOnUser) and obtains a token (I need this because I want to copy/move files in an administrative folder). After these operations the code calls CreateProcessWithLogonW (with the same credentials as before) but without reverting to normal user privileges: this causes the problem. Reverting to the user's security context lets CreateProcessWithLogonW work properly.
    • Marked as answer by Bedeschi Wednesday, May 11, 2011 7:16 AM
    Monday, May 9, 2011 1:11 PM
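
The call order this answer describes, as an added VB6 example that is not the poster's code: impersonate only for the file copy, call RevertToSelf, then call CreateProcessWithLogonW from the original user context. The function name `CopyThenRegister`, its parameters, the `regsvr32 /s` command line and the use of a file copy as the administrative step are assumptions; the array sizes assume 32-bit Windows.

```vb
' Added example, not the poster's code. Caller supplies user, domain, password and paths.
Option Explicit
Private Const LOGON32_LOGON_INTERACTIVE As Long = 2
Private Const LOGON32_PROVIDER_DEFAULT As Long = 0
Private Const LOGON_WITH_PROFILE As Long = 1

Private Declare Function LogonUser Lib "advapi32.dll" Alias "LogonUserA" (ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, ByVal dwLogonType As Long, ByVal dwLogonProvider As Long, phToken As Long) As Long
Private Declare Function ImpersonateLoggedOnUser Lib "advapi32.dll" (ByVal hToken As Long) As Long
Private Declare Function RevertToSelf Lib "advapi32.dll" () As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function CreateProcessWithLogonW Lib "advapi32.dll" (ByVal lpUsername As Long, ByVal lpDomain As Long, ByVal lpPassword As Long, ByVal dwLogonFlags As Long, ByVal lpApplicationName As Long, ByVal lpCommandLine As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, lpStartupInfo As Any, lpProcessInformation As Any) As Long

' Returns 0 on success, otherwise a Win32 error code (or the VB error number if FileCopy failed).
Public Function CopyThenRegister(ByVal user As String, ByVal domain As String, ByVal pwd As String, ByVal src As String, ByVal dst As String) As Long
    Dim hToken As Long, cmd As String, copyErr As Long
    Dim si(0 To 16) As Long   ' STARTUPINFOW is 68 bytes on 32-bit Windows
    Dim pi(0 To 3) As Long    ' PROCESS_INFORMATION: hProcess, hThread, pid, tid

    ' Step 1: impersonate only for the duration of the file copy.
    If LogonUser(user, domain, pwd, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, hToken) = 0 Then
        CopyThenRegister = Err.LastDllError: Exit Function
    End If
    If ImpersonateLoggedOnUser(hToken) = 0 Then
        CopyThenRegister = Err.LastDllError: CloseHandle hToken: Exit Function
    End If
    On Error Resume Next
    FileCopy src, dst
    copyErr = Err.Number
    On Error GoTo 0

    ' Step 2: drop the impersonation token before launching anything.
    If RevertToSelf() = 0 Then
        CopyThenRegister = Err.LastDllError: CloseHandle hToken: Exit Function
    End If
    CloseHandle hToken
    If copyErr <> 0 Then CopyThenRegister = copyErr: Exit Function

    ' Step 3: launch from the original user context.
    cmd = "regsvr32.exe /s """ & dst & """"   ' writable buffer for lpCommandLine
    si(0) = 68                                ' STARTUPINFOW.cb
    If CreateProcessWithLogonW(StrPtr(user), StrPtr(domain), StrPtr(pwd), LOGON_WITH_PROFILE, 0, StrPtr(cmd), 0, 0, 0, si(0), pi(0)) = 0 Then
        CopyThenRegister = Err.LastDllError   ' 5 = ERROR_ACCESS_DENIED
    Else
        CloseHandle pi(0): CloseHandle pi(1)  ' release process and thread handles
    End If
End Function
```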

All replies

  • Where or how are you obtaining the administrator's token?  And is your process executing in normal mode, meaning no LUA or anything similar?  Is your process a Windows service?
    MCP
    Sunday, May 8, 2011 9:45 PM
  • I don't obtain any token; this should be done by CreateProcessWithLogonW. To this function I pass the user credential in plain text. The process is running in normal mode, not as a Windows service.

    Monday, May 9, 2011 7:44 AM
  • I see.  I didn't check the function's signature, so I thought it used a token.  My bad.  I see the function is rather complex.  What logon flags are you using?  Better yet, please show the function call here.
    MCP
    Monday, May 9, 2011 12:35 PM