Re: Access denied for OpenProcess(PROCESS_DUP_HANDLE) in service

From: Paul Carter (pacman128_at_gmail.com)
Date: 07/20/05

  • Next message: Rich Schaefer: "microsoft.web.services2.dll Key error when decrypting with Private key from local store"
    Date: 20 Jul 2005 11:06:13 -0700
    
    

    Pavel Lebedinsky [MSFT] wrote:
    > "Paul Carter" wrote:
    >
    > > My code works fine if the client app is also running as the same user,
    > > but fails if it is another user. Does the administrator account not
    > > have the rights to make the OpenProcess() call on any process? If not,
    > > it appears that I need to modify the DACL to give the account this
    > > right. Or is there a better way?
    >
    > Processes running as regular users typically give access to the user
    > account and System only. If you want to open them as administrator
    > you have to enable SeDebugPrivilege before calling OpenProcess.
    > But even this is probably not necessary in your case - see below.
    >
    > > In the older posts I found searching, the posters seem to be attempting
    > > to execute DuplicateHandler() in the client process. Isn't it better to
    > > run this in the service code (security wise) or am I missing something?
    >
    > The usual pattern for this is the client makes a request to the service,
    > the service impersonates the client, calls OpenProcess (it doesn't need
    > SeDebugPrivilege for this because it's impersonating the client), then
    > duplicates the handle into the client process.
    >
    > --
    > This posting is provided "AS IS" with no warranties, and confers no
    > rights.

    Thanks for your reply!

    However, if I am reading the docs correctly ImpersonateLoggedOnUser()
    (and others) require the SeImpersonatePrivilege which is only supported
    on the server versions of Windows. Is this correct?

    To give more background:
    The basic problem is that the app reads data from a SCSI hard disk in a
    proprietary format. The data is not even organized as flat files.
    Currently, the app does this by opening up the disk using CreateFile
    and " \\.\PHYSICALDRIVEx" This works great but requires administrative
    access. The user wants the app to work without admin access. We have
    been unable to find a simple privilege to give a user to open the disk
    in raw mode other that to make the user an admin. So, we are
    investigating having a service run as administrator to open the disk
    and duplicate the handle to give to the client app running with normal
    user rights.

    The current app is running on Windows 2000/XP workstation. The user
    does not want to move to a server version of Windows. If we can't use
    ImpersonateXXX() API, can anyone point us to another solution? Would
    giving the service process the PROCESS_DUP_HANDLE right on the client
    process work?

    Is there a good online reference/tutorial for the Windows security API?
    At the moment, we are a little overwhelmed by it.

    Thanks!

    --
    Paul Carter
    

  • Next message: Rich Schaefer: "microsoft.web.services2.dll Key error when decrypting with Private key from local store"

    Relevant Pages

    • Re: How to find out the max bandwidth on the client side?
      ... I want to use it do I need to have Windows systems on both ends ... In your app make a function that sends some large amount of data to a ... save results in your app's configuration data (you get: out max bandwidth ... I have to write a C/C++ client application on windows that runs in the ...
      (microsoft.public.win32.programmer.networks)
    • Re: Subscript out of range, obvious?
      ... All your client apps could declare that logging object WithEvents ... that they all get an event notification when your master app posts ... My master app is trying ... I copied this error handler from my existing code. ...
      (microsoft.public.vb.general.discussion)
    • Re: Subscript out of range, obvious?
      ... All your client apps could declare that logging object WithEvents ... that they all get an event notification when your master app posts ... My master app is trying ... I copied this error handler from my existing code. ...
      (microsoft.public.vb.general.discussion)
    • Re: Subscript out of range, obvious?
      ... All your client apps could declare that logging object WithEvents ... that they all get an event notification when your master app posts ... My master app is trying ... I copied this error handler from my existing code. ...
      (microsoft.public.vb.general.discussion)
    • Re: SBS2008 / Vista x64 clients - cant join domain using wizard
      ... Many organizations use disk image cloning to perform mass rollouts of Windows. ... This technique involves copying the disks of a fully installed and configured Windows computer onto the disk drives of other computers. ... All the other clients were ghosted with Acronis snap deploy from the first client before the client was added to the domain. ...
      (microsoft.public.windows.server.sbs)