Re: IIS7 : SetWindowsHookEx fails with Access Is Denied
- From: "Leo Violette" <lviolette@xxxxxxxxxx>
- Date: Wed, 2 Jul 2008 19:17:43 -0700
Oops. One last detail:
SetWindowsHookEx does not fail with Access Is Denied if I run in IIS 5 isolation mode.
I'd rather not have that property enabled if I can avoid it.
"Leo Violette" <lviolette@xxxxxxxxxx> wrote in message news:71E037FE-E5FC-4594-8366-AA46ED00B2BA@xxxxxxxxxxxxxxxx
SUMMARY/OVERVIEW:
From the C# back-end, we are instantiating an Out-of-proc COM object. That COM object constructs an ActiveX control to process some requests in it before returning data back to the C# back-end. We've modified the ActiveX control to not put up any modal dialogs (hoping this would allow us to use it). And the processing the ActiveX control does do does not require any human interaction as everything is specified through parameter passing.
CODE THAT FAILS:
In the Out of Proc COM object, we have code like the following to construct the ActiveX control. This code is executed when the C# back-end instantiates us and passes us a command to process.
    RECT rect = { 0, 0, 0, 0 };
    HWND hWndParent = NULL;
    // create the parent window
    pwndParent = new CAxWindow2;
    if( pwndParent )
    {
        // ID_TAXCONTROL = 1 (used for ActiveX Event Sync)
        // I'm a little concerned about calling GetDesktopWindow() here. I'd rather not have a parent window or create my own parent.
        hWndParent = pwndParent->Create( ::GetDesktopWindow(), rect, 0, WS_CHILD, ID_TAXCONTROL );
        if( hWndParent )
        {
            // create the ActiveX tax control.
            // Here is where it's failing! Refer to FAILURE DETAILS after code snippet.
            hRet = pwndParent->CreateControl( L"MyActiveX.MyControl.1", NULL, NULL );
            if( SUCCEEDED(hRet) )
            {
                LPUNKNOWN lpTaxCtrlUnk = NULL;
                // QI for tax control's IUnknown needed below
                hRet = pwndParent->QueryControl( &lpTaxCtrlUnk );
                ....
FAILURE DETAILS:
This code is failing executing the pwndParent->CreateControl(...) line.
The ActiveX control uses MFC windows. Deep in CreateControl, a message reflector window is created for MFC and a call to SetWindowsHookEx(WH_CBT,...) is made in WinCore.cpp::AfxHookWindowCreate. This call returns Access is denied.
If I construct the out-of-proc COM object using a test application not running IIS, this code completes without problem and we are able to construct the ActiveX control and programmatically interact with it.
TECHNICAL DETAILS:
When I use SysInternals::ProcessExplorer to look at my Out-Of-Proc COM process, using the same user, but running under IIS vs test app, I see the following differences in my security flags (there are many other flags, but these are the differences):
Success (123 user from Test app)
Logon SID (S-1-5-5-0-44401)
NT AUTHORITY\INTERACTIVE
Failure (123 user from IIS instantiated process)
Logon SID (S-1-5-5-0-74366)
NT AUTHORITY\BATCH
Any ideas if BATCH or the Logon SID is my problem here? And, if so, any thoughts on how I can change them? Either from IIS configuration or from COM configuration, or perhaps doing LogonUser/ImpersonateLoggedOnUser API?
Leo.
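
Added example, not part of the original post: the token comparison described above, done from saved `whoami /groups /fo csv /nh` output instead of by eye in Process Explorer. It assumes one capture is taken in each context (test app and IIS-launched process); the two captures below are constructed, using the SIDs quoted in the post.

```python
import csv
import io
import re

# Well-known logon-type group SIDs (fixed Windows values).
LOGON_TYPE_SIDS = {"S-1-5-2": "NETWORK", "S-1-5-3": "BATCH",
                   "S-1-5-4": "INTERACTIVE", "S-1-5-6": "SERVICE"}
# Logon session SID, S-1-5-5-X-Y: a different value for every logon session.
LOGON_SESSION_RE = re.compile(r"^S-1-5-5-\d+-\d+$")

def summarize(whoami_csv):
    """Reduce `whoami /groups /fo csv /nh` text to the fields that matter here.
    Only the third column (the SID) is used, so localized names do not matter."""
    rows = csv.reader(io.StringIO(whoami_csv))
    sids = [row[2].strip() for row in rows if len(row) >= 3]
    return {
        "logon_types": sorted(LOGON_TYPE_SIDS[s] for s in sids if s in LOGON_TYPE_SIDS),
        "logon_session": next((s for s in sids if LOGON_SESSION_RE.match(s)), None),
        "all": set(sids),
    }

def compare(working, failing):
    """Diff the group SIDs of two tokens captured in different launch contexts."""
    a, b = summarize(working), summarize(failing)
    return {
        "logon_types": (a["logon_types"], b["logon_types"]),
        "logon_session": (a["logon_session"], b["logon_session"]),
        "only_in_working": sorted(a["all"] - b["all"]),
        "only_in_failing": sorted(b["all"] - a["all"]),
    }

# Constructed sample captures (not real output); SIDs taken from the post.
TEST_APP_CAPTURE = r'''
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"NT AUTHORITY\INTERACTIVE","Well-known group","S-1-5-4","Mandatory group, Enabled by default, Enabled group"
"NT AUTHORITY\LogonSessionId_0_44401","Logon ID","S-1-5-5-0-44401","Mandatory group, Enabled by default, Enabled group"
'''
IIS_CAPTURE = r'''
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"NT AUTHORITY\BATCH","Well-known group","S-1-5-3","Mandatory group, Enabled by default, Enabled group"
"NT AUTHORITY\LogonSessionId_0_74366","Logon ID","S-1-5-5-0-74366","Mandatory group, Enabled by default, Enabled group"
'''

if __name__ == "__main__":
    for key, value in compare(TEST_APP_CAPTURE, IIS_CAPTURE).items():
        print(f"{key}: {value}")
```

The same user account appears in both captures; only the logon-type group and the per-session logon SID differ, which are the two differences listed under TECHNICAL DETAILS.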