Re: Access denied for OpenProcess(PROCESS_DUP_HANDLE) in service

From: Paul Carter (
Date: 07/20/05

  • Next message: Rich Schaefer: "microsoft.web.services2.dll Key error when decrypting with Private key from local store"
    Date: 20 Jul 2005 11:06:13 -0700

    Pavel Lebedinsky [MSFT] wrote:
    > "Paul Carter" wrote:
    > > My code works fine if the client app is also running as the same user,
    > > but fails if it is another user. Does the administrator account not
    > > have the rights to make the OpenProcess() call on any process? If not,
    > > it appears that I need to modify the DACL to give the account this
    > > right. Or is there a better way?
    > Processes running as regular users typically give access to the user
    > account and System only. If you want to open them as administrator
    > you have to enable SeDebugPrivilege before calling OpenProcess.
    > But even this is probably not necessary in your case - see below.
    > > In the older posts I found searching, the posters seem to be attempting
    > > to execute DuplicateHandler() in the client process. Isn't it better to
    > > run this in the service code (security wise) or am I missing something?
    > The usual pattern for this is the client makes a request to the service,
    > the service impersonates the client, calls OpenProcess (it doesn't need
    > SeDebugPrivilege for this because it's impersonating the client), then
    > duplicates the handle into the client process.
    > --
    > This posting is provided "AS IS" with no warranties, and confers no
    > rights.

    Thanks for your reply!

    However, if I am reading the docs correctly ImpersonateLoggedOnUser()
    (and others) require the SeImpersonatePrivilege which is only supported
    on the server versions of Windows. Is this correct?

    To give more background:
    The basic problem is that the app reads data from a SCSI hard disk in a
    proprietary format. The data is not even organized as flat files.
    Currently, the app does this by opening up the disk using CreateFile
    and " \\.\PHYSICALDRIVEx" This works great but requires administrative
    access. The user wants the app to work without admin access. We have
    been unable to find a simple privilege to give a user to open the disk
    in raw mode other that to make the user an admin. So, we are
    investigating having a service run as administrator to open the disk
    and duplicate the handle to give to the client app running with normal
    user rights.

    The current app is running on Windows 2000/XP workstation. The user
    does not want to move to a server version of Windows. If we can't use
    ImpersonateXXX() API, can anyone point us to another solution? Would
    giving the service process the PROCESS_DUP_HANDLE right on the client
    process work?

    Is there a good online reference/tutorial for the Windows security API?
    At the moment, we are a little overwhelmed by it.


    Paul Carter

  • Next message: Rich Schaefer: "microsoft.web.services2.dll Key error when decrypting with Private key from local store"