I installed a PostScript printer driver and have setup REDMON (redmonnt.dll) for redirecting postscript output to my program. In my rather simple c program I capture the data from STDIN and I am able to successfully save it into a .ps file. The file looks OK.
However, I want to start gsview.exe for viewing the file. If I call ShellExecute it fails in Windows 7 because of permission issues. It seems that my program is called under a different user account (LOCAL SERVICE). So I am looking for a way to run gsview.exe under a specific username (the user who initiated the print job) which is available to the program in a variable called REDMON_USER along with the SESSIONID as well.
Q: What are the minimum WinAPI calls required to start a program given a username and a sessionid?
Any code examples in C/C++, .NET would be very helpful.
EDIT: What I am trying accomplish is something very similar to redrunee (from redmonee). I don't want to use redrunee because it opens about a console window for a brief moment.
Note:
1) The program is called by the printer service as [LOCAL SERVICE] account.
2) The first parameter Username (REDMON_USER), in effect, points to the user currently looking at the screen
Look at CreateProcessAsUser.
Also look at CreateProcessWithLogonW and CreateProcess.
They are linked from the CreateProcessAsUser
EDIT In reply to comments by OP.
Follow advice from this thread.
I am copying this here verbatim, in case the original link stops working:
The same code works for us on Vista as
on XP, etc. The service is running as
the Local System.
use WTSGetActiveConsoleSessionId to get the ID of the current active
Windows session at the console (i.e.
the machine keyboard and display, as
opposed to WTS sessions).
use WTSQueryUserToken to get the token for that session.
use DuplicateTokenEx(hToken,MAXIMUM_ALLOWED,NULL,SecurityIdentification,TokenPrimary,
&hTokenDup) to duplicate that token.
use CreateEnvironmentBlock to create an environment that you will be
passing to the process.
use CreateProcessAsUser with the duplicated token and the created
environment. Actually, we use
CreateProcessAsUserW, since the A
version had some sort of bug on some
older systems.
Don't forget to CloseHandle on the various tokens, etc, and to
DestroyEnvironmentBlock the
environment.
Thank you efratian.
PS. Oh joy of Windows programming, did not do it for quite a while. Now I remember why. The only thing that is close or even worse documented is OpenSSH programming.
The documentation describes the "Run as User" feature, which seems to be exactly what you want:
Run as User is intended for launching a GUI program such as GSview locally via RedRun.
Related
I'm trying to make a C program that modifies my host file, but I can't just straight up open the file with the program, because Windows blocks it. Is there any way that I can make the program request administrative privileges within the code, or any script I can use to start the program in admin mode?
Right clicking is a solution that allows you to run any program with Administrator privileges. That includes ticking the box in "Properties".
On Windows 7 and later, you can also rename your program so that its name contains setup (like hosts_setup.exe), and it'll automatically be run in Administrator mode (brings up the UAC prompt) if double-clicked in Explorer. Note this only works from double-clicking in Explorer.
You can also take a look at How can I run a child process that requires elevation and wait? . It calls WinAPI and is a fairly native approach. The best solution is to add it in menifest so your program requests Admin at startup.
Shoot, okay, seconds after posting this question, I found a solution. It turns out that you can right click the executable, click properties, and on the compatibility tab, select "Run this program as administrator". Just in case anyone else needed this information.
I need help on sending certificate information from one program to another, and logging into Windows with that information through the use of CredMarshalCredential and LogonUser. My program currently passes credentials and logs in successfully with a regular username/password combination. I'm just adding the ability to do it with Smart Card credentials.
I've used this example successfully to login with a Smart Card Certificate.
This works when you run the program as the user, but not when trying to run the program as SYSTEM. This is because SYSTEM cannot access the user's "MY" store. I'm trying to work around this, either by passing the cert or the entire cert store to the program running as SYSTEM from an application running as the user.
I've tried numerous approaches to get something that would login successfully after serialization, but haven't gotten anything to successfully work. The approach that seems to work the best has been to call CertSaveStore and Open the BLOB. I've used the last example at the bottom of this Microsoft Example Page. This restores the cert store from the BLOB correctly, finds certs, and even generates a username. But the generated username is different than the original generated username and fails to login with an error of ERROR_LOGON_FAILURE (The user name or password is incorrect).
My current test applications saves the cert and loads it again in the same program. I've taken the SYSTEM aspect out of the equation for now. I'm guessing the restored cert store is missing some information, but I'm not sure what I'm missing. Any insight would be appreciated.
One last note, I originally tried to just pass the generated username and PIN to SYSTEM and have it step down, but it failed with the same ERROR_LOGON_FAILURE error. I'm assuming the username has to be regenerated since being called by a different user/program, but that assumption could be wrong.
I have gotten my example program working with CertSerializeCertificatesStoreElement and CertAddCertificateContextToStore. I am able to serialize the certificate, and add it to a new store in memory at a later time. I had tried this earlier, but accidentally did not save the size of the serialized item, I just tried to use sizeof() the item which returned an incorrect size.
If anyone is looking to send certificate credentials between programs in the same userspace this approach will work well.
I took this ahead step further and implemented it in my userspace/SYSTEM paradigm. The logic worked correctly, and I was able to generate a username but still failed to LogonUser. After another week or trial and error, I found a solution that works between the userspace and SYSTEM. I ended up having to use LsaLogonUser instead of LogonUser.
If anyone is looking to have a userspace program send credentials to a daemon running in SYSTEM and have that program step down to the user use this example. I initially tried this very similar example, but it continues to fail. In the working example, you do not need to pass in a domain or username, just the PIN. The system will read the Smart Card from the reader and verify with the passed in PIN. This solution will work across computers, ONLY IF the smart card is located at the remote computer. I am looking into a way to accomplish having it work with the smart card in the host computer, but it is outside of this post.
I hope this saves someone the weeks of work I put into getting to this point.
The scenarios is:
IBM WMB V8 running on linux has a list of user id's given to it in an MQ message. For each user id I need to connect to a windows box (samba share probably) and then pass this user id to a windows executable i.e.
C:\temp\command.exe 1234
C:\temp\command.exe 5678
the output from this command will return an image of this user from a database output to a directory.
WMB then goes and retrieves this image and somehow maps (user id => image) and updates a database somewhere.
Is this scenario possible in WMB without involving some other processor on the windows machine?
I can't see any nodes to help with this and I'm expecting i'll have to dump the userid list in a file and use perl or similar to process the command & image capture and return these to WMB as a message or something.
Regards,
Sapatos
Seems like a hard task. You can call arbitrary C-code and code custom nodes in C, so it's not impossible, since you could probably do most things with C and the Internet of libraries.
It seems like you would save yourself months of trouble by setting up a simple service on the windows box, for instance something listening to MQ, invokes the command then replies with the image.
You have not missed any thing. There are not any built in functionallity in WMB for this task. At least not when running on non windows platforms.
I know this is not ideal, but my constraint is that I have a legacy application written in Clipper.
I want to launch a new, WinForms/WPF application from inside the application (to ease transition). This legacy application written in Clipper launches using:
SwpRunCmd("C:\MyApp\MyBat.bat",0)
The batch file contains something like this command:
C:\PROGRA~1\INTERN~1\iexplore "http://QASVR/MyApp/AppWin/MyCompany.MyApp.AppWin.application#MyCompany.MyApp.AppWin.application"
It is launching a WinForms/WPF app that is we deploy via ClickOnce. Everything has been going well until we introduced WPF into the application. We were able to easily launch from the legacy application.
Since we have introduced WPF, however, we have the following behavior. If we launch via the Clipper application first, we get an exception when launching the application. The error text is:
The type initializer for 'System.Windows.FrameworkElement' threw an exception.
at System.Windows.FrameworkElement..ctor()
at System.Windows.Controls.Panel..ctor()
at System.Windows.Controls.DockPanel..ctor()
at System.Windows.Forms.Integration.AvalonAdapter..ctor(ElementHost hostControl)
at System.Windows.Forms.Integration.ElementHost..ctor()
at MyCompany.MyApp.AppWin.Main.InitializeComponent()
at MyCompany.MyApp.AppWin.Main..ctor(String[] args)
at MyCompany.MyApp.AppWin.Program.Main(String[] args)
The type initializer for 'System.Windows.Documents.TextElement' threw an exception.
at System.Windows.FrameworkElement..cctor()
The type initializer for 'System.Windows.Media.FontFamily' threw an exception.
at System.Windows.Media.FontFamily..ctor(String familyName)
at System.Windows.SystemFonts.get_MessageFontFamily()
at System.Windows.Documents.TextElement..cctor()
The type initializer for 'MS.Internal.FontCache.Util' threw an exception.
at MS.Internal.FontCache.Util.get_WindowsFontsUriObject()
at System.Windows.Media.FontFamily.PreCreateDefaultFamilyCollection()
at System.Windows.Media.FontFamily..cctor()
Invalid URI: The format of the URI could not be determined.
at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
at System.Uri..ctor(String uriString, UriKind uriKind)
at MS.Internal.FontCache.Util..cctor()
If we launch the application via the URL (in IE) or via the icon on the desktop first, we do not get the exception and application launches as expected.
The neat thing is that whatever we launch with first determines whether the app will launch at all. So, if we launch with legacy first, it breaks right away and we can't get the app to run even if we launch with the otherwise successful URL or icon. To get it to work, we have to logout and log back in and start it from the URL or icon.
If we first use the URL or the icon, we have no problem launching from the legacy application from that point forward (until we logout and come back in).
One other piece of information is that we are able to simulate the problem in the following fashion. If we enter a command prompt using "cmd.exe" and execute a statement to launch from a URL, we are successful. If, however, we enter a command prompt using "command.com" and we execute that same statement, we experience the breaking behavior.
We assume it is because the legacy application in Clipper uses the equivalent of command.com to create the shell to spawn the other app. We have tried a bunch of hacks like having command.com run cmd.exe or psexec and then executing, but nothing seems to work.
We have some ideas for workarounds (like making the app launch on startup so we force the successful launch from a URL, making all subsequent launches successful), but they all are sub-optimal even though we have a great deal of control over our workstations.
To reduce the chance that this is related to permissions, we have given the launching account administrative rights (as well as non-administrative rights in case that made a difference).
Any ideas would be greatly-appreciate. Like I said, we have some work arounds, but I would love to avoid them.
Thanks!
It sounds like the Presentation Font Cache service has trouble starting when the app is launched in this way.
If you have control over the client environment, you could try setting the Windows Presentation Font Cache startup to automatic instead of manual.
This is a shot in the dark made with incomplete information:
command.com and cmd.exe are quite different. AFAIK, command.com exists for legacy compatibility, so applications you run from it will run differently. I can't test anything to complete my post because I believe that command.com runs in 16-bit mode and 64bit versions of Windows (on which I'm running) don't support that mode anymore so no more command.com for me.
That being said, there should be no difference when trying to run 32-bit applications (including managed applications).
I'm not aware of what are the limitations of your environment, but some things you may try are:
Rename you .bat into .cmd to make sure it starts with cmd.exe rather than command.com
Make your .bat start the program using the start console command
Have a non-WPF program to invoke your WPF one with a more sane environment
The problem is that the windir environmental variable is not set when using command.com.
So, in your case, adding the line set windir=C:\Windows to the beginning of the bat file will solve the problem (assuming that you have your Windows instalation in C:\Windows.
An additional issue might be that the host application is running command.com in compatibility mode. The best is to list all the environmental variables after running cmd.exe (using the set command) and comparing it to the output of the set command that you set in your bat file
I want to write an app to test whether a Windows machine is responding correctly to RDP (Remote Desktop) - i.e. to check if the machine not only allows the connection, but is also responding normally, and is not hung or otherwise responding abnormally.
Is there a library or utility that I can use to do this? My searches turned up full RDC clients, but I'm hoping there's something out there at least offers an API for testing. I would most like to use Java or a scripting language to do this, but I'm open to suggestions.
You can find some good answers in this question: Programmatically create and launch and RDP session (without gui)
Because RDP is a constantly evolving proprietary protocol, i'm guessing there isn't some simple open-source code you can take and use. This leaves us with two possible paths to follow:
Use Microsoft RDP ActiveX control (on Windows)
Launch mstsc.exe and send keyboard events to it (also on Windows, using your favorite language)
For the second option, I suggest AutoHotkey. It is perfect for automating windows programs and comes with a powerful library. It also has a strong comunity behind it so you can find lots of useful scripts on the internet. I use it to control winamp (like 'i hate this song! delete it and move to next')(well, technically 'move to the next song and delete the previous' because you can't delete the file while in use but you get the idea). If you choose this path, i can help you with the script.
Found this on Experts Exchange:
use Net::Telnet ();
$t = new Net::Telnet (Timeout => 10, Prompt => '', Port >= 3389);
if($t->open("computer.name.or.ip")) {
print "Connect successful\n";
}
else {
print "Could not connect\n";
}
The idea was to attempt a connection and if it can't connect within 'x' amount of seconds, assume it isn't going to work. Gets a bit more complicated if you're trying to see if a login for a specific user works or not, but this should at least get you started.
NOTE: As pointed out in the comments, the original solution left out the RDP port, so I included that in this...