Re: CreateProcessWithLogonW fails in custom GINA

From: Yu Chen [MS] (yuchen_at_online.microsoft.com)
Date: 08/16/04

• Next message: Peter Hesse: "GINA on Windows 2000 - WlxWkstaLockedSAS ignored"
• Previous message: Eugene Mayevski: "Re: Importing PEM private keys"
• In reply to: Mike P.: "CreateProcessWithLogonW fails in custom GINA"
• Next in thread: Mike P.: "Re: CreateProcessWithLogonW fails in custom GINA"
• Reply: Mike P.: "Re: CreateProcessWithLogonW fails in custom GINA"
• Reply: Mike P.: "Re: CreateProcessWithLogonW fails in custom GINA"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Mon, 16 Aug 2004 10:17:36 -0700

This is a known issue in Windows Server 2003 and XPSP2 - the
CreateProcessWithLogonW API is changed to better handle the new process' use
of desktop by utilizing "Logon Sid" in the caller's token. However the local
system token (under which your GINA is running) doesn't have a "Logon sid"
so the API failed when caller is local system.

You can use LogonUser and CreateProcessAsUser to achieve the same thing.

-- 
Yu Chen [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Mike P." <Mike P.@discussions.microsoft.com> wrote in message
news:CCABCFA4-814A-4AC5-900E-A831B43A1A3B@microsoft.com...
> I am using a custom GINA which calls CreateProcessWithLogonW when machine
is
> logged off and idle to update software from a network location. The user
> credentials it submits to the API are in the local administrators group
and
> can read network resources. Before service pack 2 this worked fine. Now it
> fails with error 5 (access denied).

---

• Next message: Peter Hesse: "GINA on Windows 2000 - WlxWkstaLockedSAS ignored"
• Previous message: Eugene Mayevski: "Re: Importing PEM private keys"
• In reply to: Mike P.: "CreateProcessWithLogonW fails in custom GINA"
• Next in thread: Mike P.: "Re: CreateProcessWithLogonW fails in custom GINA"
• Reply: Mike P.: "Re: CreateProcessWithLogonW fails in custom GINA"
• Reply: Mike P.: "Re: CreateProcessWithLogonW fails in custom GINA"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: CreateProcessWithLogonW fails in custom GINA ... > CreateProcessWithLogonW API is changed to better handle the new process' use ... > so the API failed when caller is local system. ... The process runs successfully, but no GUI. ... (microsoft.public.platformsdk.security) Re: CreateProcessWithLogonW fails in custom GINA ... > CreateProcessWithLogonW API is changed to better handle the new process' use ... > so the API failed when caller is local system. ... > You can use LogonUser and CreateProcessAsUser to achieve the same thing. ... (microsoft.public.platformsdk.security) Re: CreateProcessWithLogonW on Server 2003 ... That's a known issue in Windows Server 2003 - the CreateProcessWithLogonW ... API is changed to better handle the new process' use of desktop by utilizing ... "Logon Sid" in the caller's token. ... However the local system token (under ... (microsoft.public.platformsdk.security) Start a Process as Another User from Visual Basic ... "CreateProcessWithLogonW" API for 2000 and XP. ... Regards, ... Nuno ... (microsoft.public.vb.winapi) Re: Modifying A Pixel in a Pictures color ... BTW, very nice site Mike. ... then you won't be able to use the VB picture box anyway ... >> and you'll have to use the various API methods. ... (microsoft.public.vb.general.discussion)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.platformsdk.security  > 2004-08