CreateProcessAsUser from service in XP sometimes launches app under SYSTEM

  • Question

  • We have a service which launches an application.

    If there is an active user, the app must run under the user account; if not, under SYSTEM. So, if the user logs off, the service starts a new instance running as SYSTEM; when a user logs on, it starts the app using CreateProcessAsUserW for the current user.

    Everything works fine, but sometimes the newly launched application in XP is running under the SYSTEM account (as seen from Task Manager or Process Explorer). Nevertheless, our log shows that the service really attempts to launch the application under the user account, and the user name in the application itself (obtained via the GetUserName() method) returns the correct user name.

    The way the application is launched is:

        HANDLE hProcess = NULL, hToken = NULL;
        if ( WTSQueryUserToken(dwSessionId, &hToken) == 0 ) // for XP, dwSessionId always turns out 0
            ...    
        HANDLE hTokenDup = NULL;
        if ( DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hTokenDup) == 0 )
           ...
        
        LPVOID lpEnvironment = NULL;
        if ( CreateEnvironmentBlock(&lpEnvironment, hTokenDup, FALSE /* do not inherit */) == 0 )
            ...
        WCHAR szCmdLine[MAX_PATH];
        STARTUPINFOW startup_info;
        // Omitted command line and startup_info initialization

        PROCESS_INFORMATION proc_info;       
        BOOL ok = CreateProcessAsUserW(
            hTokenDup,
            NULL,
            szCmdLine,
            NULL,
            NULL,
            FALSE,
            CREATE_UNICODE_ENVIRONMENT,
            lpEnvironment,
            NULL,
            &startup_info,
            &proc_info);

    Any idea what's happening?

    Tuesday, May 15, 2012 3:16 PM

All replies

  • Hi!

    At which moment do you try to run the process? In response to which event?

    Another question: in your process, did you check whether another instance is running? How do you handle it?

    Tuesday, May 15, 2012 8:43 PM
  • Basically, there are 2 conditions:

    1. No instance of the application running.
    2. User logged off, or another user's session becomes active.

    Checking for other instances is straightforward: using WTSEnumerateProcesses.

    Currently I've opened a case with Microsoft. Looks like they're ready to admit that the CreateProcessAsUserW method in XP has a bug. I'm looking for a work-around.

    Wednesday, May 16, 2012 9:18 PM
  • Microsoft admitted that there is a problem in XP.

    Here is what I found after some research:

    For processes launched for the logged-on user from a service, when the process token is used to obtain user credentials, it returns a user. But when the SID is used, it sometimes returns SYSTEM.

    Apparently, Process Explorer and Task Manager use the SID to obtain user credentials, which causes confusion. But the process itself behaves as having user credentials, which tells me that internally Windows uses the process token. I.e. the problem is basically cosmetic, although quite uncomfortable.

    Wednesday, June 27, 2012 9:28 PM
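
One way for the service to record which account a launched process's token actually carries, independent of what Task Manager or Process Explorer display. This is an added example, not code from the thread; `sid_to_string`, `sid_is_local_system` and `process_token_sid` are hypothetical helper names. The token query compiles only on Windows, while the SID parser is portable and also works on SID bytes captured in logs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example; helper names are hypothetical, not from the thread.
   Binary SID layout: revision, sub-authority count, 6-byte big-endian
   authority, then little-endian 32-bit sub-authorities. */
int sid_to_string(const uint8_t *sid, size_t len, char *out, size_t outlen)
{
    if (len < 8 || sid[0] != 1 || sid[1] > 15 || len < 8u + 4u * sid[1])
        return -1;                       /* malformed or truncated SID */
    uint64_t auth = 0;
    for (int i = 2; i < 8; i++)
        auth = (auth << 8) | sid[i];
    int n = snprintf(out, outlen, "S-1-%llu", (unsigned long long)auth);
    for (unsigned i = 0; i < sid[1]; i++) {
        if (n < 0 || (size_t)n >= outlen) return -1;
        const uint8_t *p = sid + 8 + 4 * i;
        uint32_t sub = p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
        n += snprintf(out + n, outlen - n, "-%lu", (unsigned long)sub);
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 1 if LocalSystem (S-1-5-18), 0 if another account, -1 if malformed. */
int sid_is_local_system(const uint8_t *sid, size_t len)
{
    char s[192];
    if (sid_to_string(sid, len, s, sizeof s) != 0) return -1;
    return strcmp(s, "S-1-5-18") == 0;
}

#ifdef _WIN32
#include <windows.h>
/* Copy the TokenUser SID of hProcess into out; returns its length, 0 on failure. */
size_t process_token_sid(HANDLE hProcess, uint8_t *out, size_t outlen)
{
    HANDLE hTok = NULL;
    union { TOKEN_USER tu; BYTE raw[256]; } buf;  /* a SID is at most 68 bytes */
    DWORD cb = 0, n = 0;
    if (!OpenProcessToken(hProcess, TOKEN_QUERY, &hTok)) return 0;
    if (GetTokenInformation(hTok, TokenUser, &buf, sizeof buf, &cb)) {
        n = GetLengthSid(buf.tu.User.Sid);
        if (n <= outlen) memcpy(out, buf.tu.User.Sid, n); else n = 0;
    }
    CloseHandle(hTok);
    return n;
}
#endif
```

In the service, call `process_token_sid(proc_info.hProcess, ...)` right after `CreateProcessAsUserW` succeeds and log the string form. A result of 1 from `sid_is_local_system` means the child really holds a SYSTEM token and should be treated as a launch failure, not a display quirk.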