CreateMutex - access denied on creation RRS feed

  • Question

  • From a service I want to start a GUI-application for user B on the desktop of user A.
    This action gets initiated by user A.
    The solution should work in Windows 7.

    Currently the setup is as follows:
    (1) The service (running in Session 0) creates a new system process in Session 1:
      * with SetTokenInformation I change the Session in the process token of the service to Session 1
      * then I start the new process with CreateProcessAsUser with this modified token
    (2) In the new system process in Session 1 I do the following (according to http://msdn.microsoft.com/en-us/library/aa379608(v=VS.85).aspx):
      * I get a token for user B via LogonUser (the service knows the credentials of user B, which is only an artificial user account)
      * I grant access to WindowStation "Session 1/winsta0" and Desktop "Session1/winsta0/default" for this token
      * I start the GUI-application for user B with CreateProcessAsUser with the token of user B

    Up to here everything works fine.

    However, as soon as the GUI-application attempts to create a mutex with
    CreateMutex(NULL, 0, <somename>) the program fails with: error 5, access denied.

    I also tested a dummy-app that only creates a mutex, which also fails.
    Just for testing I ran the dummy-app right after step (1), where it is able to create the mutex.

    Also if I directly call the application from user A with

      runas /user:B <app>

    it all works fine.

    Is there any object for which I can modify the DACL, or any privilege I have to obtain in order to create the mutex?

    BTW: The GUI-application is a third-party application which I cannot modify. 

    Friday, November 12, 2010 4:01 PM


All replies

  • To get some insight and figure out a solution the tool WinObj (http://technet.microsoft.com/de-de/sysinternals/bb896657.aspx) helped a lot. With this tool you can browse the kernel objects and have a look on the access rights.

    This reveals why user B cannot create a mutex. User B has no right to create objects within \Sessions\1\BaseNamedObjects, which is where CreateMutex attempts to create the mutex.

    So first one has to grant user B the proper access rights, which in the scenario above the system process can do in step (2):

    * First one can grab a handle to \Sessoins\1\BaseNamedObjects by using the ntdll.dll function NtOpenDirectoryObject (http://msdn.microsoft.com/en-us/library/ff556557(VS.85).aspx)

    * Then one can add the proper ACE in analogy to the winsta0 stuff in step (2), following the pattern in http://msdn.microsoft.com/en-us/library/aa379608(v=VS.85).aspx

    Thats it.

    • Marked as answer by Paolo Virtual Friday, November 19, 2010 3:06 PM
    Friday, November 19, 2010 3:06 PM
  • Hi,

    I too have a similar requirement however, when I try to add the ACE to session's BaseNamedObjects I get the error - access denied.

    GetUserObjectSecurity and GetKernelObjectSecurity both the functions return error 'Access Denied'.

    Although NtOpenDirectoryObject  with WRITE_DAC succeeded I am unable to get above API working. Do you have any working sample for this?

    I am running above code from the system process (running as SYSTEM) in user's session.

    Any help is highly appreciated.



    Monday, January 22, 2018 6:21 AM