none
process.start access denied RRS feed

  • Question

  • I thought I postet this yesterday but I can't find my thread so if this is a duplicate please point me at the original one. 

    Background: 

    I need to create a user account and Modify it's registry before the user logs on the first time. Creating the account is done by using the Winnt provider (works great). 

    To create the profile I'm trying to use Process.start to launch a process as the newly created user. With the use of loaduserprofile property the users profile gets created and i can do my regwrites without problem.

    System is W7SP1 32 Bit English. Code compiled for .net 2.0

    My problem:

    This works as long as the user that launches my app is a Admin. If i Launch it as System (as the deploy sstem does) it fails with access denied. 

    Steps to reproduce:

    Compile the code below

    Run as admin. Should launch notepad

    run as system (psexec -i -s cmd) and run the demo code. Now will give access denied.

    Anyone got a solution to this?

    Imports System.Security
    Imports System.Runtime.InteropServices
    Imports System.ComponentModel
    Imports System.Diagnostics
    
    
    Module Module1
    
        Function ConvertToSecureString(ByVal str As String)
            Dim password As New SecureString
            For Each c As Char In str.ToCharArray
                password.AppendChar(c)
            Next
            Return password
        End Function
        Sub Main()
    
            Try
                Dim startinfo As New ProcessStartInfo()
                startinfo.FileName = "c:\windows\notepad.exe"
                startinfo.LoadUserProfile = True
                startinfo.UserName = "test"
                startinfo.WorkingDirectory = "C:\"
                startinfo.Password = ConvertToSecureString("Password12")
                startinfo.UseShellExecute = False
    
                Process.Start(startinfo)
            Catch ex As Win32Exception
                Console.WriteLine(ex.Message)
                Console.WriteLine(ex.InnerException)
            End Try
        End Sub
    End Module


    • Edited by mats42 Thursday, May 31, 2012 6:38 AM forgot System version
    Thursday, May 31, 2012 6:37 AM

All replies

  • In Windows 7 is the mainroot of C:\ protected as workdirectory. That is also the reason you see me use in all my samples C:\Test\

    Success
    Cor

    Thursday, May 31, 2012 6:42 AM
  • I changed the code to use The environment variable temp as working directory.

    Unfortunally it doesn't solve the problem. I still get Access Denied

    Updated code as following

    Imports System.Diagnostics
    
    
    Module Module1
    
        Function ConvertToSecureString(ByVal str As String)
            Dim password As New SecureString
            For Each c As Char In str.ToCharArray
                password.AppendChar(c)
            Next
            Return password
        End Function
        Sub Main()
    
              Try
                Dim startinfo As New ProcessStartInfo()
                startinfo.FileName = "c:\windows\notepad.exe"
                startinfo.LoadUserProfile = True
                startinfo.UserName = "test"
                startinfo.WorkingDirectory = Environ("temp")
                startinfo.Password = ConvertToSecureString("Password12")
                startinfo.UseShellExecute = False
    
                Console.WriteLine(startinfo.WorkingDirectory)
                Process.Start(startinfo)
            Catch ex As Win32Exception
                Console.WriteLine(ex.Message)
                Console.WriteLine(ex.InnerException)
            End Try
        End Sub
    End Module


    • Edited by mats42 Monday, June 4, 2012 8:10 AM
    Monday, June 4, 2012 8:09 AM
  •      I tried your code and it seemed to work fine. The only change I had to make other than user name, password and working directory was

    Dim password As New Security.SecureString  instead of Dim password As New SecureString

        I'm using MS Visual Studio 11 beta on a laptop with Win 7 64bit Home

    Imports System.Diagnostics
    
    Public Class Form1
    
        Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load
    
        End Sub
    
        Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
            Main()
        End Sub
    
        Function ConvertToSecureString(ByVal str As String)
            Dim password As New Security.SecureString
            For Each c As Char In str.ToCharArray
                password.AppendChar(c)
            Next
            Return password
        End Function
    
        Sub Main()
    
            Try
                Dim startinfo As New ProcessStartInfo()
                startinfo.FileName = "c:\windows\notepad.exe"
                startinfo.LoadUserProfile = True
                startinfo.UserName = "John"
                startinfo.WorkingDirectory = Environ("c:\users\john\desktop\temp")
                startinfo.Password = ConvertToSecureString("*********")
                startinfo.UseShellExecute = False
    
                Console.WriteLine(startinfo.WorkingDirectory)
                Process.Start(startinfo)
            Catch ex As Win32Exception
                Console.WriteLine(ex.Message)
                Console.WriteLine(ex.InnerException)
            End Try
        End Sub
    
    End Class


    You've taught me everything I know but not everything you know.

    • Marked as answer by Youen ZenModerator Friday, June 8, 2012 5:42 AM
    • Unmarked as answer by mats42 Thursday, June 21, 2012 9:49 AM
    Monday, June 4, 2012 8:32 AM
  • Still the same problem.

    Works if you launch as admin. Doesn't work if you launch as system. Still gives access denied.

    System is non domain joined so no policies that could be causing it either


    • Edited by mats42 Thursday, June 21, 2012 9:50 AM
    Thursday, June 21, 2012 9:49 AM
  • Seems fine here as normal user, all I changed was username and password and working directory. Made it a full console app to simplify for me.

    Option Strict On
    Imports System.Diagnostics
    
    Module Module1
        Function ConvertToSecureString(ByVal str As String) As Security.SecureString
            Dim password As New Security.SecureString
            For Each c As Char In str.ToCharArray
                password.AppendChar(c)
            Next
            Return password
        End Function
    
        Sub Main()
    
            Try
                Dim startinfo As New ProcessStartInfo()
                startinfo.FileName = "c:\windows\notepad.exe"
                startinfo.LoadUserProfile = True
                startinfo.UserName = "my_username"
                startinfo.WorkingDirectory = Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments)
                startinfo.Password = ConvertToSecureString("my_password")
                startinfo.UseShellExecute = False
    
                Console.WriteLine(startinfo.WorkingDirectory)
                Process.Start(startinfo)
            Catch ex As Exception
                Console.WriteLine(ex.Message)
                Console.WriteLine(ex.InnerException)
            End Try
            Console.ReadLine()
        End Sub
    
    End Module
    

    Friday, June 22, 2012 1:52 AM
  • I dont have psexec so cannot test that - Doesn't "System" have even higher privleges than Administrator ?

    Friday, June 22, 2012 1:56 AM
  • Mats if you have this kind of problems then go to your Dos box and type in the process you want to start. 

    I've nothing to add and on a W7 computer it gives this

    Why not try the same? 


    Success
    Cor

    Friday, June 22, 2012 8:40 AM
  • Mats if you have this kind of problems then go to your Dos box and type in the process you want to start. 

    I've nothing to add and on a W7 computer it gives this

    Why not try the same? 


    Success
    Cor

    If you would have read the first post in the thread 

    "

    I need to create a user account and Modify it's registry before the user logs on the first time. Creating the account is done by using the Winnt provider (works great). 

    To create the profile I'm trying to use Process.start to launch a process as the newly created user. With the use of loaduserprofile property the users profile gets created and i can do my regwrites without problem."


    Friday, June 22, 2012 8:53 AM
  • I dont have psexec so cannot test that - Doesn't "System" have even higher privleges than Administrator ?

    Psexec can be freely downloaded from MS/sysinternals if ypu would like to try (it's a great tool). 

    System should have a lot more than admin yes. Thats why I find it so strange

    Friday, June 22, 2012 8:54 AM

  • If you would have read the first post in the thread 

    "

    I need to create a user account and Modify it's registry before the user logs on the first time. Creating the account is done by using the Winnt provider (works great). 

    To create the profile I'm trying to use Process.start to launch a process as the newly created user. With the use of loaduserprofile property the users profile gets created and i can do my regwrites without problem."


    I did read, it but you showed a sample with C:\windows and if I read the text above has nothing to do with your real problem. Many many persons tried to help you and have tested it. Then it does not work and you come back with replies like "If you would have read the first post in this thread. Yes we did, but it seems that you don't want us to give the real reason but more like this kind of offending replies. I was the first one who replied to you. Therefore I've read it, so first try to find why you are not able to give information (It seems you are only replying not trying to read what others wrote), if you cannot give information to humans you surely cannot do it to a computer.

    Success
    Cor


    Friday, June 22, 2012 11:11 AM

  • If you would have read the first post in the thread 

    "

    I need to create a user account and Modify it's registry before the user logs on the first time. Creating the account is done by using the Winnt provider (works great). 

    To create the profile I'm trying to use Process.start to launch a process as the newly created user. With the use of loaduserprofile property the users profile gets created and i can do my regwrites without problem."


    I did read, it but you showed a sample with C:\windows and if I read the text above has nothing to do with your real problem. Many many persons tried to help you and have tested it. Then it does not work and you come back with replies like "If you would have read the first post in this thread. Yes we did, but it seems that you don't want us to give the real reason but more like this kind of offending replies. I was the first one who replied to you. Therefore I've read it, so first try to find why you are not able to give information (It seems you are only replying not trying to read what others wrote), if you cannot give information to humans you surely cannot do it to a computer.

    Success
    Cor


    Yes i used a file in the windows directory as an example file since everyone will have notepad installed. 

    Mr Monkeyboy tried and states success - no information wether he tested as system though.

    Devon_Nullman tried (thanks) but he started from a user account and we know that it works from a user account

    I still fail to see what starting something manually as the current user has to do with it. The Scope still is to do it from code (so it can be run from the sys mgmt tool), create a process as a different user (forces the creation of the profile) and do it from the context of the system user (as the system mgmt tool is running as system). 

    The quoted text has everything to do with my problem since it is the problem. I started this thread because I do need to create a user account and modify it's registry before the user log on the first time. I need to do this as system since my systems mgmt tool runs as system. Also as stated in the first post process.start does the job if you launch as Admin but you get an access denied if you do it with the same code as System. 

    So the scope still is that if you call process.start from a process running as system you will get an access denied even if you have the proper permissions in the system. 

    However I have found a workaround today.  Sysinternals psexec will launch a app as another user from the systemaccount. It's not a soloution i like but it works (it also proves that system has the permissions it needs and that the problem is in the VB.code) 





    • Edited by mats42 Friday, June 22, 2012 6:48 PM
    Friday, June 22, 2012 6:42 PM
  • And now I also have found a statement that it is MS that once again has blocked something.

    http://blogs.msdn.com/b/winsdk/archive/2009/07/14/launching-an-interactive-process-from-windows-service-in-windows-vista-and-later.aspx

    process.start calls CreateProcessWithLogonW and in the article it states " CreateProcessWithLogonW cannot be called from Local System context. Therefore if you have a service running in Local System context you cannot use  CreateProcessWithLogonW."  (MSDN says that this limitation only applies to 5.X)

    It should be possible to work around this limitation by using  CreateProcessAsUser and LogonUser functions but in my Eyes it's to much job since PSExec provides a working workaround

    Monday, June 25, 2012 7:50 AM