I have a problem today. I have a program that starts with Windows as Administrator. The probleme is I want to retreive the current UserName of the current user and getUserNameEx (NameDisplay) give me the Administrator NameDisplay...
I have also try to retreive this information by browsing Windows Logon Sessions but I have about 16 sessions each time and it'is difficult to know the good one.
Thanks you very much,
JM.
The program launched as Administrator will still run in the user's logon session, so you can enumerate the logon sessions until you find the matching one and then obtain the user name from that.
I've seen suggestions that you can do this using WMI - you enumerate Win32_Process instances and then call the GetOwner method to find who is the owner of 'explorer.exe'.
Not sure how well this would work in Terminal Services configurations though. You'd also have to make sure that explorer.exe is really the system process and not some other local program that just happens to have the same EXE name.
You should still be able to tell who the 'owning' user is - I did a little test here: Logged into a Win2k8 terminal server with my non-admin account and launched a command prompt (cmd.exe) as my admin user.
Using Process Explorer to get details on each process, I could see the User associated with the cmd.exe process was my admin account, the Parent process was explorer.exe (PID 5008), and when I look up the User associated with PID 5008, it was my non-admin account.
If you can replicate this in your code you should be able to track down who started any given process running as your administrator account.
Related
I have a windows 2016 server running RDS. It is configured to run a single application when a user accesses it from a .rdp shortcut. The user just sees the application as though it is running on their local machine, not a whole remote desktop.
If from a client PC, if I launch the application and log in then I can see a new connection in the RD Gateway manager.
However if I launch the application from the same client PC multiple times I am only asked to login the first time, and whilst I see many instances of the application I only see one connection in the RD gateway manager.
I would like a new connection each time I launch the application, so that I can simulate multiple users running the app concurrently in their own sessions.
I have tried adding "prompt for credentials on client:i:1" to the .rdp shortcut and this has no effect.
Thanks you your help.
I don't think it's possible. Let me try to explain:
Whenever you launch the RDP file, you connect to a session on the RDSH. Now, if you want separate connections, that means that there should be multiple sessions (probably for the same user since the credentials don't change) which is not allowed by the RDSH by default.
Assuming you get passed multiple sessions for same user, MSTSC actually recognizes that for the given RDP file, there is already an open connection, so it will try to reuse that.
Last but not least, there is the problem of licensing - you are "working around" the system: both per-device and per-user licensing would report 1, therefore it would probably be a violation of ToS.
It would be much more useful if you could tell us what you are trying to achieve and then maybe we can help you more.
P.S.: This question has nothing to do with programming, so it probably belongs to https://superuser.com
Hi I figured out a solution to this, so I will share in case it is useful for anyone else.
Modify the hosts file to include different names for the target machine ip address:
eg:
51.xxx.159.233 test1.xxx.uk-user1
51.xxx.159.233 test1.xxx.uk-user2
51.xxx.159.233 test1.xxx.uk-user3
51.xxx.159.233 test1.xxx.uk-user4
Then in each rdp launch shortcut, reference a different alias.
eg:
Shortcut1:
full address:s:test1.xxx.uk-user4
Shortcut2:
full address:s:test1.xxx.uk-user3
Then when the RDP is launched it will ask you to log in even if you already have an active connection and server will have a new user logged into it.
Hope this helps somone in the future.
I have a program, which users sometimes want to restart with administrative privileges to perform administrative tasks.
Currently, it has a menu item, which does the following call:
Process.Start(new ProcessStartInfo("self.exe") { Verb = "runas" })
That works if program is installed with MSI. It displays a usual UAC prompt, which lets user to elevate the program.
However, when converted using Desktop Bridge converter, and installed the Store way, this call crashes due to insufficient privileges. Is there another way for me to (re-)start self with UAC prompt?
Alternatively, is it possible to perform elevation using COM?
I am on release branch, Creators Update btw
Is there another way for me to (re-)start self with UAC prompt?
No. According to this page (https://learn.microsoft.com/en-us/windows/uwp/porting/desktop-to-uwp-prepare, look for Your app requires UIAccess), it seems that requesting the UAC prompt from your app is not currently supported.
Remember, as a UWP app, it needs to work while running as the interactive user.
There is a one-year-old post from MSDN that answers a similar question: https://social.msdn.microsoft.com/Forums/en-US/a35b4c70-5fc6-4f1a-b80a-b11ee90105eb/uwpdesktop-bridgeproject-centennial-appconverter-convert-admin-apps?forum=wpdevelop
Alternatively, is it possible to perform elevation using COM?
Given the findings above, the answer is probably no.
If I were in your position, I would rethink these Administrative tasks. They might even be something that you would not be able to run as a UWP app anyways. For instance, any attempt to create an HKLM key will fail.
I am trying to make a batch file that calls an executable named idlelogoff after a certain amount of idle time. I can see the process in task manager however the computer doesn't sign out.
However when I run the process as an administrator manually it works. I thought the system account was supposed to have all privileges. Very confused as to why this isn't working. Any help would be appreciated.
Below is my batch file contents.
start "IdleLogOff" /d C:\ /b idlelogoff.exe 10 logoff
I found an answer to this by using local group policy instead of domain policy . I used user configuration->windows settings-> and then logon scripts and had it run on an user logon. The script works from here but did not work from domain group policy for whatever reason
look into taskmanager- i suppose that the process runs under system-account when using domain-gpo- no matter if activated/linked in user or workstation context.
So the exe would check if the system-account is idle.
A solution could be putting the exe into autostart-folder or create a run-key into registry or with an scheduled task -> all can be done with a gpo
Is it possible to run handle.exe (from sysinternals) from a service (in windows7) without having to turn off UAC?
The service is a custom c-app that needs to find out which process is locking a file it tries to access and handle.exe seems to be a good way to solve it but i can't get it to work with UAC turned on. This app runs all the time so i can't have a UAC prompt while its running but its fine if it shows up at startup.
Handle.exe works fine from an admin commandprompt but fails when trying to run from a normal prompt.
I call handle.exe from CreateProcess() and get the output from pipes. I guess there should be a way to solve this but i can't figure it out. Setting up the service to log in from an admin account does not seem to work.
UAC does not affect services (it only affects interactive sessions) so that should work.
However, if you don't want to move your entire program into a service then there are better ways to do this which don't require creating, installing and managing a separate service process in addition to your main program.
If your program requires admin rights to work at all, and this isn't the only place it will require them, then you could flag your program (via its embedded manifest resource) as requiring administrator rights. It will then trigger one UAC prompt whenever it is run and be run with full admin rights, including the ability to run Handle.exe.
On the other hand, if this is the only place where your program needs admin rights, it may make sense to create a COM DLL which wraps your Handle.exe call (or any other admin work) so that you can use UAC to make elevated calls to that function from your non-elevated app. You will then trigger a UAC prompt each time you create (an elevated version of) that COM object. You can keep the COM object open as long as you want, and create it whenever you want, so when and how often the UAC prompt(s) appear are still up to you.
Both 1 & 2 are standard uses of UAC so any good documentation or tutorial on UAC will describe how to do them in detail.
You may want to look at the Win32 API method CreateProcessWithLogonW.
There is also an elevate VBS script here you may learn from: http://technet.microsoft.com/en-us/magazine/2007.06.utilityspotlight.aspx
I am having an issue with UAC and executing a non interactive process as a different user (APIs such as CreateProcessAsUser or CreateProcessWithLogonW).
My program is intended to do the following:
1) Create a new windows user account (check, works correctly)
2) Create a non interactive child process as new user account (fails when UAC is enabled)
My application includes a administrator manifest, and elevates correct when UAC is enabled in order to complete step 1.
But step 2 is failing to execute correctly. I suspect this is because the child process which executes as another user is not inheriting the elevated rights of my main process (which executes as the interactive user).
I would like to know how to resolve this issue. When UAC is off my program works correctly. How can I deal with UAC or required elevated rights in this situation?
If it helps any, the child process needs to run as another user in order to setup file encryption for the new user account.
The reason why the spawned process has no admin rights when using CreateProcessWithLogon and CreateProcessAsUser is explained in this blog post:
http://blogs.msdn.com/cjacks/archive/2010/02/01/why-can-t-i-elevate-my-application-to-run-as-administrator-while-using-createprocesswithlogonw.aspx
Long story short: CreateProcess is such a low layer in windows it doesn't know about elevation. ShellExecute(Ex) does. So you have to create and start a bootstrapper application with CreateProcessWithLogon/CreateProcessAsUser which in turn (now acting as the other user) starts your final application with ShellExecute(Ex) which will ask for admin rights (if you specify "runas" as lpVerb or provide a manifest for your app). And because this is such an easy and fun task to do there is no ShellExecuteWithLogon function provided by Windows.
Hope this helps.
Just faced a similar issue on Windows 7 under maxed UAC.
When UAC is turned ON, CreateProcessWithLogon creates a restricted token, just like LogonUser with LOGON32_LOGON_INTERACTIVE would do. This token prevents elevation.
Solution is to first call LogonUser with LOGON32_LOGON_BATCH, which returns a full-access token. Once obtained, just call CreateProcessWithToken.